[jcifs] Logon failure: unknown user name or bad password

Michael B Allen ioplex at gmail.com
Wed Jul 27 12:10:38 MDT 2011


On Wed, Jul 27, 2011 at 10:17 AM, Jason Millard <jsm174 at gmail.com> wrote:
>> Well that explains it. The server simply does not offer NTLM.
>>
>> However I have NEVER heard of a server that does not support NTLM.
>> Kerberos does not work if the client does not have access to a DC, if
>> DNS isn't exactly right or if time is not synchronized on all
>> machines. And this is not a complete list of requirements for Kerberos
>> to work. So I'm mildly shocked that this server does not do NTLM.
>>
>> What is the server? Is it Windows? Or is it some kind of appliance?
>>
>
> You're right, it's an appliance. I just found out that it's an F5 ARX
> file virtualization server. And... NTLM has not been enabled on it by
> choice.
>
> So, from what I understand, there may be a shift towards Kerberos where
> I work, so I'll need to start preparing.

Hi Jason,

NTLM and Kerberos are not mutually exclusive so even though your
network clearly already fully supports Kerberos, NTLM or some kind of
non-third party authentication system is required if any of the
aforementioned requirements for Kerberos to function are not
satisfied. So I am somewhat surprised that the operator of said
appliance chose to disable NTLM (maybe it's old and does not support
NTLMv2 - that would make sense). But otherwise, because no version of
Windows supports any non-third party authentication mechanism other
than NTLM, I would imagine connecting to said appliance is not
reliable even for Windows clients (as evidenced by your XP machine
failing to connect because it was not joined to the domain).

> I'm assuming I could try jcifs-krb5 once I figure out the KDC and
> Realms settings? I looked through KerberosAuthExample. Am I on the
> right path?

Unfortunately no. The jcifs-krb5 branch was contributed by another
party with the hope that it would catalyze the integration of Kerberos
into the main JCIFS codebase. However, the core JCIFS API based on the
SmbFile class has not changed much in almost 10 years and as such it
has NtlmPasswordAuthentication class references littered throughout.
All of these NTLM specific credential references will need to be
factored out and that is not something that can happen in 1.x. So
Kerberos is a 2.0 feature and there are currently no plans for working
on a 2.0. Even though technically the jcifs-krb5 codebase works, it
has numerous problems that would make it difficult to work with.
Credential management being one of the main problems. I'm not sure
that anyone really uses it seriously. Ultimately it is a
proof-of-concept package.

Mike

-- 
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/

