Problem with transparent authentication using the NtlmHttpFilter


Problem with transparent authentication using the NtlmHttpFilter

João Mota
Hello,

I am having some problems getting transparent authentication to work
with NtlmHttpFilter jcifs-1.2.7; it seems that IE is failing the
negotiation.
The domain controller is a Windows 2003 server.

The error that shows in the log at the same time that the dialog box to
enter username/password shows up is (I replaced the sensitive data with a
meaningful word in caps):
     NtlmHttpFilter: DOMAIN\USERLOGIN: 0xC0000022: jcifs.smb.SmbAuthException: Access is denied.

Filling in the user and password in the dialog box, the authentication
works ok.

My questions are:
1) Is it possible to have transparent authentication with the
jcifs.http.domainController specified ?
2) Is my configuration wrong or incomplete?
3) Do I need to roll my custom version of the Filter to have transparent
authentication with this configuration?



The configuration I'm using is the following:

    <filter>
        <filter-name>NtlmHttpFilter</filter-name>
        <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
        <init-param>
            <param-name>jcifs.smb.client.domain</param-name>
            <param-value>DOMAIN</param-value>
        </init-param>
        <init-param>
            <param-name>jcifs.smb.client.username</param-name>
            <param-value>USER</param-value>
        </init-param>
        <init-param>
            <param-name>jcifs.smb.client.password</param-name>
            <param-value>PASSWORD</param-value>
        </init-param>
        <init-param>
            <param-name>jcifs.http.domainController</param-name>
            <param-value>IP</param-value>
        </init-param>
        <init-param>
            <param-name>jcifs.util.loglevel</param-name>
            <param-value>2</param-value>
        </init-param>
        <init-param>
            <param-name>jcifs.resolveOrder</param-name>
            <param-value>DNS</param-value>
        </init-param>
        <init-param>
            <param-name>jcifs.smb.lmCompatibility</param-name>
            <param-value>3</param-value>
        </init-param>
    </filter>

Thank you very much for your time,

Joao Mota



DISCLAIMER: This message may contain confidential information or privileged material and is intended only for the individual(s) named. If you are not a named addressee and mistakenly received this message you should not copy or otherwise disseminate it: please delete this e-mail from your system and notify the sender immediately. E-mail transmissions are not guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete or contain viruses. Therefore, the sender does not accept liability for any errors or omissions in the contents of this message that arise as a result of e-mail transmissions. Please request a hard copy version if verification is required. Critical Software.



Re: Problem with transparent authentication using the NtlmHttpFilter

Michael B Allen-4
On Thu, 19 Jan 2006 16:20:41 +0000
João Mota <[hidden email]> wrote:

> Hello,
>
> I am having some problems getting transparent authentication to work
> with NtlmHttpFilter jcifs-1.2.7; it seems that IE is failing the
> negotiation.
> The domain controller is a Windows 2003 server.
>
> The error that shows in the log at the same time that the dialog box to
> enter username/password shows up is (I replaced the sensitive data with a
> meaningful word in caps):
>      NtlmHttpFilter: DOMAIN\USERLOGIN: 0xC0000022: jcifs.smb.SmbAuthException: Access is denied.

No doubt this is an SMB signing issue. You need "preauthentication".

>
> Filling in the user and password in the dialog box, the authentication
> works ok.
>
> My questions are:
> 1) Is it possible to have transparent authentication with the
> jcifs.http.domainController specified ?

No, it was recently discovered that preauthentication only works if
jcifs.http.domainController is NOT used. I would use:

>    <filter>
>        <filter-name>NtlmHttpFilter</filter-name>
>        <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
>        <init-param>
>            <param-name>jcifs.netbios.wins</param-name>
>            <param-value>IP</param-value>
>        </init-param>
>        <init-param>
>            <param-name>jcifs.smb.client.domain</param-name>
>            <param-value>DOMAIN</param-value>
>        </init-param>
>        <init-param>
>            <param-name>jcifs.smb.client.username</param-name>
>            <param-value>USER</param-value>
>        </init-param>
>        <init-param>
>            <param-name>jcifs.smb.client.password</param-name>
>            <param-value>PASSWORD</param-value>
>        </init-param>
>        <init-param>
>            <param-name>jcifs.util.loglevel</param-name>
>            <param-value>2</param-value>
>        </init-param>
>    </filter>

If you don't have WINS then you could try setting jcifs.netbios.lmhosts
[1] to a file that maps the IP you had for domainController to DOMAIN.

Otherwise, we need to fix the code so that preauth works with
domainController. It's on The List.

Mike

[1] http://jcifs.samba.org/src/docs/resolver.html
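
Added example, not part of the thread and not JCIFS code: a Python check that reads a web.xml and reports the two configuration problems this exchange turns on. The parameter values are the thread's own placeholders, the lmhosts path is hypothetical, and the resolveOrder check assumes that jcifs.resolveOrder restricts which name-resolution methods JCIFS tries.

```python
import xml.etree.ElementTree as ET

FILTER_CLASS = "jcifs.http.NtlmHttpFilter"
PREAUTH_KEYS = ("jcifs.smb.client.username", "jcifs.smb.client.password")
# Name-service property -> the jcifs.resolveOrder token that must be listed for it to be used.
RESOLVERS = {"jcifs.netbios.lmhosts": "LMHOSTS", "jcifs.netbios.wins": "WINS"}

def _local(el):
    return el.tag.rsplit("}", 1)[-1]   # ignore an xmlns on <web-app>, if present

def _text(parent, name):
    return next(((c.text or "").strip() for c in parent if _local(c) == name), None)

def ntlm_filter_params(web_xml):
    """Return the init-params of the jcifs NtlmHttpFilter in web_xml, or None if absent."""
    for el in ET.fromstring(web_xml).iter():
        if _local(el) == "filter" and _text(el, "filter-class") == FILTER_CLASS:
            return {_text(p, "param-name"): _text(p, "param-value")
                    for p in el if _local(p) == "init-param"}
    return None

def check_preauth(params):
    """Flag the settings that stop preauthentication from working, per the reply above."""
    findings = []
    if all(params.get(k) for k in PREAUTH_KEYS) and "jcifs.http.domainController" in params:
        findings.append("jcifs.http.domainController is set: preauthentication does not work with it")
    order = [t.strip().upper() for t in params.get("jcifs.resolveOrder", "").split(",") if t.strip()]
    for prop, token in RESOLVERS.items():
        if prop in params and order and token not in order:
            findings.append(f"{prop} is set but jcifs.resolveOrder omits {token}")
    return findings

def build_web_xml(params):
    """Render a constructed web.xml with one NtlmHttpFilter (sample input only)."""
    body = "".join(f"<init-param><param-name>{k}</param-name>"
                   f"<param-value>{v}</param-value></init-param>" for k, v in params.items())
    return (f"<web-app><filter><filter-name>NtlmHttpFilter</filter-name>"
            f"<filter-class>{FILTER_CLASS}</filter-class>{body}</filter></web-app>")

# Constructed samples using the thread's placeholders; the lmhosts path is hypothetical.
ORIGINAL = {"jcifs.smb.client.domain": "DOMAIN", "jcifs.smb.client.username": "USER",
            "jcifs.smb.client.password": "PASSWORD", "jcifs.http.domainController": "IP",
            "jcifs.resolveOrder": "DNS", "jcifs.smb.lmCompatibility": "3"}
FIXED = {k: v for k, v in ORIGINAL.items() if k != "jcifs.http.domainController"}
FIXED.update({"jcifs.netbios.lmhosts": "/path/to/lmhosts", "jcifs.resolveOrder": "LMHOSTS,DNS"})

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, check_preauth(ntlm_filter_params(build_web_xml(cfg))))
```

The second check matters when adapting the first message's configuration: it sets jcifs.resolveOrder to DNS, which under that assumption would leave an added lmhosts file unread.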

Re: Problem with transparent authentication using the NtlmHttpFilter

João Mota
Hello Michael,

Just wanted to say that I got it to work with that configuration and
with the entry in the lmhosts file.

Thank you very much,

Joao Mota
