[jcifs] JCIFS and Windows 7

André Warnier aw at ice-sa.com
Fri Apr 30 08:28:11 MDT 2010

Melinda wrote:
> André Warnier <aw <at> ice-sa.com> writes:
>> Sudhakar M Santhanam wrote:
>>> I am currently using JCIFS 1.3.14 and I am encountering this problem 'The
> parameter is incorrect.'  I am
>> using a Servlet filter to intercept request from browsers to authenticate
> users using JCIFS. While this
>> works perfectly fine on Windows XP without any problems, the filter fails to
> authenticate users if
>> requests come from browsers on Windows 7.
>>> I have given below the snap shot of the stack trace from the server logs.
>>> Does anyone know a solution to this problem?
>> There isn't any.
>> You apparently failed to read the notice at the top of the page for the 
>> jCIFS HTTP filter.
> Can you provide the link to the "page for the jCIFS HTTP filter" that you eluded
> to in your response above?  I went to the JCIFS home page: 
> http://jcifs.samba.org/ but cannot find this page and I could not find a search
> on this page to look for windows 7.  I am also having to find a way to make this
> work with Windows 7 by next month and wondered if that is not possible with
> jcifs or not.  A response would be appreciated.  Thanks.

To make a long story short, and really in the spirit of avoiding you all 
losing time on ultimately unproductive research :
Go to www.ioplex.com, download the Jespa filter and try it (that is 
free).  It is also free up to, as far as I recall, 25 Windows user-ids.
It is possible that there exist other similar modules out there, but I 
do not know any, and I am happy with Jespa and its support so far.
It is almost an out-of-the-box replacement for the jCIFS filter, it 
works with NTLMv2, it has additional features, it is developed and 
supported, and it is not expensive.

The reason (as also indicated in the top blue note on the above page) : 
most recent installations (or upgrades) of Windows networks by default 
use NTLMv2, which is a more secure version of the basic (v1) Windows 
NTLM authentication mechanism. By default, Windows Vista and Windows 7 
are set up to use the NTLMv2 version if available.
The jCIFS NTLM HTTP filter does not support NTLMv2, and never will, 
because it is no longer being developed/maintained.

To make the jCIFS filter work nowadays, you would need to have all of 
the following conditions in place :
- all workstations still support NTLMv1
- all Domain Controllers still support and admit NTLMv1
- you can convince the network admins to "force" NTLMv1 authentication 
if needed
If you can achieve that, fine. But the chances of achieving that are low 
and diminishing over time.

So, it is *possible*, if you have installed and are testing the jCIFS 
NTLM HTTP filter, that in the particular case of the Windows network and 
Windows workstations which you have been testing/using so far, NTLMv1 is 
still in use, and consequently that the jCIFS filter still works.  (I 
have still a couple of customers who use it, and so far it works for 
them; they are not yet using Vista or Windows 7.)
But it is unpredictable and you cannot count on it in the future : any 
future Windows update to the workstations, or to the Domain Controllers, 
or to the "network policies" in place at such a site, could make it so 
that it suddenly stops working.
And if that happens, there is nothing to do about it with the jCIFS 
filter, because there is nobody developing or supporting it anymore.

More information about the jCIFS mailing list