JCIFS on a cluster

JCIFS on a cluster

Abhijeet Sarwate
Hi
 
I use JCIFS for transparent authentication for my web app deployed on a cluster on Linux (RHEL)
 
Transparent login works for some Windows desktops but for some of the desktops, it keeps popping the network password dialog. I changed the IE settings so that my web site is part of the local intranet. But it keeps popping up the network password dialog some or the other time. What is the best way to debug this? If I use the network sniffer, what would I look for?
 
Secondly,
 
This does not happen if the app is deployed on a single server.
 
abhijeet
 
 

Re: JCIFS on a cluster

Richard Caper
Not sure if it is possible to run it in a cluster this way.  If a
given client will always be directed to the same backend server then
it may work.  But if they are bounced between servers you will have
the issue that the challenge is issued by server A and the response
goes to server B.

On 2/17/06, Abhijeet Sarwate <[hidden email]> wrote:

> Hi
>
> I use JCIFS for transparent authentication for my web app deployed on a
> cluster on Linux (RHEL)
>
> Transparent login works for some windows desktops but for some of the
> desktops, it keeps popping the network password dialog. I changed the IE
> settings so that the my web site is part of local intranet. But it keeps
> popping up the network password dialog some or the other time. What is the
> best way to debug this? If I use the network sniffer, what would I look for?
>
> Secondly,
>
> This does not happen if the app is deployed on a single server,
>
> abhijeet
>
>

Re: JCIFS on a cluster

Christopher R. Hertel
On Fri, Feb 17, 2006 at 10:38:21AM -0500, Richard Caper wrote:
> Not sure if it is possible to run it in a cluster this way.  If a
> given client will always be directed to the same backend server then
> it may work.  But if they are bounced between servers you will have
> the issue that the challenge is issued by server A and the response
> goes to server B.

If you can synchronize authentication between all of the members of the
cluster then you can mitigate this problem.  That is, however, an issue
for the cluster folk.

I assume that you are running Samba on the RHEL server.  What type of
cluster is it?

Chris -)-----

> On 2/17/06, Abhijeet Sarwate <[hidden email]> wrote:
> > Hi
> >
> > I use JCIFS for transparent authentication for my web app deployed on a
> > cluster on Linux (RHEL).
> >
> > Transparent login works for some windows desktops but for some of the
> > desktops, it keeps popping the network password dialog. I changed the IE
> > settings so that the my web site is part of local intranet. But it keeps
> > popping up the network password dialog some or the other time. What is the
> > best way to debug this? If I use the network sniffer, what would I look for?
> >
> > Secondly,
> >
> > This does not happen if the app is deployed on a single server,
> >
> > abhijeet
> >
> >
>

--
"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/     -)-----   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-----   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/     -)-----   [hidden email]
OnLineBook -- http://ubiqx.org/cifs/    -)-----   [hidden email]

Re: JCIFS on a cluster

Michael B Allen-4
On Fri, 17 Feb 2006 12:34:02 -0600
"Christopher R. Hertel" <[hidden email]> wrote:

> On Fri, Feb 17, 2006 at 10:38:21AM -0500, Richard Caper wrote:
> > Not sure if it is possible to run it in a cluster this way.  If a
> > given client will always be directed to the same backend server then
> > it may work.  But if they are bounced between servers you will have
> > the issue that the challenge is issued by server A and the response
> > goes to server B.
>
> If you can synchronize authentication between all of the members of the
> cluster then you can mitigate this problem.  That is, however, an issue
> for the cluster folk.
>
> I assume that you are running Samba on the RHEL server.  What type of
> cluster is it?

Samba isn't needed for JCIFS. JCIFS communicates directly with the domain controller which is very likely a different host.

Mike

Re: JCIFS on a cluster

Michael B Allen-4
In reply to this post by Abhijeet Sarwate
On Fri, 17 Feb 2006 10:30:58 -0500
Abhijeet Sarwate <[hidden email]> wrote:

> Hi
>
> I use JCIFS for transparent authentication for my web app deployed on a
> cluster on Linux (RHEL)
>
> Transparent login works for some windows desktops but for some of the
> desktops, it keeps popping the network password dialog. I changed the IE
> settings so that the my web site is part of local intranet. But it keeps
> popping up the network password dialog some or the other time. What is the
> best way to debug this? If I use the network sniffer, what would I look for?
>
> Secondly,
>
> This does not happen if the app is deployed on a single server,

As Richard stated, due to the multi-step nature of the NTLM HTTP
authentication protocol it will not work all of the time. Your
easiest, quickest solution is to switch to Kerberos GSSAPI HTTP
authentication. That will work in a cluster environment because the
credential is sent in a single token.

Mike
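
An added example, not part of the original thread or of jCIFS: a small checker for the sniffer question above. It decodes the NTLM message type from captured `Authorization` / `WWW-Authenticate` header values and reports any Type 3 response that reached a different backend than the one that issued the Type 2 challenge. The per-event backend label, the addresses and the node names are assumptions (for instance taken from load balancer logs), and the sample messages are constructed.

```python
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"  # 8-byte signature that opens every NTLM message


def ntlm_type(header_value):
    """Return the NTLM message type (1, 2 or 3) from an Authorization or
    WWW-Authenticate header value, or None if it carries no NTLM message."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not blob:
        return None  # e.g. the bare "NTLM" offer on the first 401
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return None
    if len(raw) < 12 or raw[:8] != NTLMSSP:
        return None
    return struct.unpack_from("<I", raw, 8)[0]  # little-endian type field


def split_handshakes(events):
    """events: (client, backend, header_value) in capture order.
    Returns (client, challenge_issuer, type3_receiver) for every Type 3
    that reached a backend other than the one that sent the Type 2."""
    issued = {}  # client -> backend that sent the outstanding challenge
    findings = []
    for client, backend, header in events:
        mtype = ntlm_type(header)
        if mtype == 2:
            issued[client] = backend
        elif mtype == 3:
            issuer = issued.pop(client, None)
            if issuer != backend:
                findings.append((client, issuer, backend))
    return findings


def _msg(mtype):
    # Constructed, header-only NTLM message: signature + type, no payload.
    return "NTLM " + base64.b64encode(NTLMSSP + struct.pack("<I", mtype)).decode()


# Constructed trace; addresses and node names are hypothetical.
SAMPLE = [
    ("10.0.0.5", "node1", _msg(1)), ("10.0.0.5", "node1", _msg(2)),
    ("10.0.0.5", "node1", _msg(3)),
    ("10.0.0.9", "node1", _msg(1)), ("10.0.0.9", "node1", _msg(2)),
    ("10.0.0.9", "node2", _msg(3)),
]

if __name__ == "__main__":
    print(split_handshakes(SAMPLE))
```

A finding whose issuer is `None` means a Type 3 was seen with no preceding Type 2 in the capture for that client.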

Re: JCIFS on a cluster

Oliver Schoett
Michael B Allen wrote:
> Your easiest, quickest solution is to switch to Kerberos GSSAPI
> HTTP authentication. That will work in a cluster environment
> because the credential is sent in a single token.
>  
Sounds nice, but are there free Java implementations of the client and
server side?

Most clusters will support "session affinity" in some way, which means
that requests from the same client go to the same server if possible.
This helps performance, for example, because the session data structures
do not need to be reconstructed on another server.

Regards,

Oliver Schoett


Re: Re: JCIFS on a cluster

Michael B Allen-4
On Sun, 19 Feb 2006 21:17:13 +0100
Oliver Schoett <[hidden email]> wrote:

> Michael B Allen wrote:
> > Your easiest, quickest solution is to switch to Kerberos GSSAPI
> > HTTP authentication. That will work in a cluster environment
> > because the credential is sent in a single token.
> >  
> Sounds nice, but are there free Java implementations of the client and
> server side?

The jcifs-ext package on SourceForge. Note that the Kerberos
authentication part of that package doesn't really have anything to
do with jcifs. It would be a great project for someone to take the
Kerberos code from that and the NTLM code from jCIFS and bundle it into
an OSS Filter for Java that offers Negotiate, NTLM, and Basic/NTLM with
all the amenities that people look for with login pages, multi-domain,
proper fallback etc. You could also extract the PAC from the ticket and
resolve the SIDs using LDAP to implement isInRole.

> Most clusters will support "session affinity" in some way, which means
> that requests from the same client go to the same server if possible.
> This helps performance, for example, because the session data structures
> do not need to be reconstructed on another server.
>
> Regards,
>
> Oliver Schoett
>

Re: Re: JCIFS on a cluster

Abhijeet Sarwate
Folks
 
Thanks very much for such a nice analysis. I switched to single server authentication but users still complain about getting the network password dialog box.
 
This is jboss application server cluster with apache presentation server at the front. I use JKMod for cluster management
 
abhijeet

 
On 2/19/06, Michael B Allen <[hidden email]> wrote:
> On Sun, 19 Feb 2006 21:17:13 +0100
> Oliver Schoett <[hidden email]> wrote:
>
> > Michael B Allen wrote:
> > > Your easiest, quickest solution is to switch to Kerberos GSSAPI
> > > HTTP authentication. That will work in a cluster environment
> > > because the credential is sent in a single token.
> > >
> > Sounds nice, but are there free Java implementations of the client and
> > server side?
>
> The jcifs-ext package on SourceForge. Note that the Kerberos
> authentication part of that package doesn't really have anything to
> do with jcifs. It would be a great project for someone to take the
> Kerberos code from that and the NTLM code from jCIFS and bundle it into
> an OSS Filter for Java that offers Negotiate, NTLM, and Basic/NTLM with
> all the amenities that people look for with login pages, multi-domain,
> proper fallback etc. You could also extract the PAC from the ticket and
> resolve the SIDs using LDAP to implement isInRole.
>
> > Most clusters will support "session affinity" in some way, which means
> > that requests from the same client go to the same server if possible.
> > This helps performance, for example, because the session data structures
> > do not need to be reconstructed on another server.
> >
> > Regards,
> >
> > Oliver Schoett
> >