[jcifs] JCIFS authentication: errorCode=The parameter is

Michael B Allen ioplex at gmail.com
Wed Sep 22 14:59:50 MDT 2010 

Hi Merlin,

I know I'm probably just going to confuse people by even trying to
answer an NTLM HTTP Filter question so let me prefix this by repeating
again that under no circumstances should anyone ever use the JCIFS
NTLM HTTP Filter (ever).

Anyway, the NTLM HTTP Filter in the latest version of JCIFS should
would as well as any previous version. However, as of JCIFS 1.3.0, the
default configuration properties are set to only use NTLMv2 which as
you well know by now simply is not and never will be supported by the
HTTP Filter. If you look at the news bullet for October 25, 2008, it
reads:

  "jcifs-1.3.0 released / NTLMv2 Support
  posted by Mike, Oct 25, 2008

  NTLMv2 has been fully implemented and will be used by default.

  To emulate the old behavior you must set jcifs.lmCompatibility = 0
and jcifs.smb.client.useExtendedSecurity = false (new defaults are 3
and true respectively).

  NTLMv2 and NTLMv1 over NTLMSSP has been fairly well tested with and
without SMB signing negotiated and various NTLMSSP flags (e.g.
NTLMSSP_NEGOTIATE_NTLM2).

  Note: The NTLM HTTP Filter does not and can never support NTLMv2 as
it uses a main-in-the-middle technique that is broken by NTLMSSP's
"target information" used in computing password hashes. However, the
existing Filter should continue to work [with NTLMv1]."

So it might be that you just need to set jcifs.lmCompatibility = 0 and
jcifs.smb.client.useExtendedSecurity = false.

Mike

-- 
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/

On Wed, Sep 22, 2010 at 10:16 AM, mbeedell <mbeedell at cryoserver.com> wrote:
> I understand this (NTLM1 -> NTLM2) - The original point that I was trying to
> make was that the jCifs 1.2.1 was working just fine with these Windows
> clients.  I then upgrade our application (including jCifs), and bingo.. the
> SSO component stops working – which is a shame really.  I was hoping that
> some configuration tweak was needed in this particular case, rather than a
> complete change.  The windows environment has not changed in this process.
>
>
>
> We already have Jespa in the application (as an alternative to jCifs), but
> it needs more set-up and a license for the planned number of users.  Hence
> the customer wishes to reverse the upgrade, or have a darn good explanation.

More information about the jCIFS mailing list