JCIFS Pops up dialog box for Authenticating certain users

Hi,

We need to configure JCIFS for single sign on silently passing the credentials. For this we have configured the NtlmHttpFilter in the following manner in our web.xml file. The problem we are facing is that for certain users it works perfectly fine but for certain users it pops up a dialog box for the credentials . if the user provides the correct credentials then user gets authenticated.

But we would like every user to be authenticated silently.

can some one suggest what is wrong in the below configuration that it doesn't work for all users ?

    <filter-name>NtlmHttpFilter</filter-name>
        <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
        <init-param>
        <param-name>jcifs.smb.client.domain</param-name>
        <param-value>DOMAIN</param-value>
        </init-param>
    <init-param>
        <param-name>jcifs.http.domainController</param-name>
        <param-value>IP</param-value>
        </init-param>
    <init-param>
        <param-name>jcifs.util.loglevel</param-name>
        <param-value>2</param-value>
        </init-param>
    <init-param>
        <param-name>jcifs.smb.lmCompatibility</param-name>
        <param-value>3</param-value>
        </init-param>
    </filter>

 
Thanks

Vivek

Thanks & Regards,

Vivek Mehtani

Perhaps the problem is with the browser settings for those users?
How's the log looks like for those users?

----- Original Message -----

From: asaf.mesika@...

To: vivek.mehtani@...

Cc: jcifs@...

Sent: Saturday, July 05, 2008 8:06 AM

Subject: Re: [jcifs] JCIFS Pops up dialog box for Authenticating certain users

Perhaps the problem is with the browser settings for those users?
How's the log looks like for those users?

On Fri, Jul 4, 2008 at 8:31 PM, Vivek Mehtani <vivek.mehtani@...> wrote:

Hi,

We need to configure JCIFS for single sign on silently passing the
credentials. For this we have configured the NtlmHttpFilter in the following
manner in our web.xml file. The problem we are facing is that for certain
users it works perfectly fine but for certain users it pops up a dialog box
for the credentials . if the user provides the correct credentials then user
gets authenticated.

But we would like every user to be authenticated silently.

can some one suggest what is wrong in the below configuration that it
doesn't work for all users ?

   <filter-name>NtlmHttpFilter</filter-name>
       <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
       <init-param>
       <param-name>jcifs.smb.client.domain</param-name>
       <param-value>DOMAIN</param-value>
       </init-param>
   <init-param>
       <param-name>jcifs.http.domainController</param-name>
       <param-value>IP</param-value>
       </init-param>
   <init-param>
       <param-name>jcifs.util.loglevel</param-name>
       <param-value>2</param-value>
       </init-param>
   <init-param>
       <param-name>jcifs.smb.lmCompatibility</param-name>
       <param-value>3</param-value>
       </init-param>
   </filter>


Thanks

Vivek

Thanks & Regards,

Vivek Mehtani
--
View this message in context: http://www.nabble.com/JCIFS-Pops-up-dialog-box-for-Authenticating-certain-users-tp18283528p18283528.html
Sent from the Samba - jcifs mailing list archive at Nabble.com.

Hi,

I am receiving the following exception

NtlmHttpFilter: IP\username: 0xC000006D: jcifs.smb.SmbAuthException: Logon failure: unknown user name or bad password.

Thanks,

Vivek Mehtani

Vivek Mehtani wrote:

Hi,

We need to configure JCIFS for single sign on silently passing the credentials. For this we have configured the NtlmHttpFilter in the following manner in our web.xml file. The problem we are facing is that for certain users it works perfectly fine but for certain users it pops up a dialog box for the credentials . if the user provides the correct credentials then user gets authenticated.

But we would like every user to be authenticated silently.

can some one suggest what is wrong in the below configuration that it doesn't work for all users ?

    <filter-name>NtlmHttpFilter</filter-name>
        <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
        <init-param>
        <param-name>jcifs.smb.client.domain</param-name>
        <param-value>DOMAIN</param-value>
        </init-param>
    <init-param>
        <param-name>jcifs.http.domainController</param-name>
        <param-value>IP</param-value>
        </init-param>
    <init-param>
        <param-name>jcifs.util.loglevel</param-name>
        <param-value>2</param-value>
        </init-param>
    <init-param>
        <param-name>jcifs.smb.lmCompatibility</param-name>
        <param-value>3</param-value>
        </init-param>
    </filter>

 
Thanks

Vivek

Thanks & Regards,

Vivek Mehtani

http://lists.samba.org/archive/jcifs/2008-June/007955.html

 

http://lists.samba.org/archive/jcifs/2008-June/007993.html

 

On 7/9/08, Ti Lian Hwang <lian_hwang.ti@...> wrote:
>
> Sorry, I gotta keep refering to this ...
>
> http://lists.samba.org/archive/jcifs/2008-January/007602.html
>
> which has worked for me ever since.

That's not a "fix" for anything. It just disables reusing transports.
Setting jcifs.smb.client.ssnLimit = 1 would work equally well
(although we recently fixed a bug that caused an NPE when setting that
property to 1). But without transport reuse every authentication has
to build up and tear down a socket which completely obliterates
scalability and that is the greatest strength of the JCIFS NTLM HTTP
Filter.

The only known issue regarding the filter is the "hiccup bug" where
transports shutdown in the middle of the NTLM exchange thereby
invalidating any in-flight nonces. This is likely to be the issue that
you are seeing. It's just a bad interaction between the stateful
NTLMSSP and stateless HTTP protocols. The proposed fix for this issue
is discussed here:

  http://lists.samba.org/archive/jcifs/2008-June/008019.html

However this fix will likely never be incorporated. Is is more likely
that the NTLM HTTP Filter in general will be dropped with the release
of JCIFS 2.0 (assuming a 2.0 ever happens) because the Filter has
nothing to do with the CIFS protocol and, more important, the
man-in-the-middle hack the Filter uses will not work with NTLMv2 which
is gaining popularity (and it's at the center of the "hiccup" bug).

I believe that an OSS project can actually do harm to the community
because it can block the development of a proper solution. The JCIFS
NTLM HTTP Filter was an easy solution that was very popular and it
actually worked very well all things considered. But it's a hack, it's
giving JCIFS a bad name and it needs to be put down.

I reconnoiter that by removing the NTLM HTTP Filter from JCIFS the
community will be forced to act to create a proper SSO Filter for Java
Servlet containers. I would be happy to describe how a proper SSO
Filter should operate to anyone who is serious about starting such a
project.

Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

Setting jcifs.smb.client.ssnLimit = 1

does not work when using jcifs.smb.client.username/password
It does NOT cause a NPE, but "Invalid access to memory location."

Please refer again to

http://lists.samba.org/archive/jcifs/2008-June/007993.html


NTLM HTTP Filter has been so popular and solves a great
problem; it would be sad to see it go.

OSS has always been about hacks, CIFS is a hack itself.


-----Original Message-----
From: Michael B Allen [mailto:ioplex@...]
Sent: Thursday, July 10, 2008 10:23 AM
To: Ti Lian Hwang
Cc: jcifs@...
Subject: Re: [jcifs] JCIFS Pops up dialog box for Authenticating certain
users


On 7/9/08, Ti Lian Hwang <lian_hwang.ti@...> wrote:
>
> Sorry, I gotta keep refering to this ...
>
> http://lists.samba.org/archive/jcifs/2008-January/007602.html
>
> which has worked for me ever since.

That's not a "fix" for anything. It just disables reusing transports.
Setting jcifs.smb.client.ssnLimit = 1 would work equally well
(although we recently fixed a bug that caused an NPE when setting that
property to 1). But without transport reuse every authentication has
to build up and tear down a socket which completely obliterates
scalability and that is the greatest strength of the JCIFS NTLM HTTP
Filter.

The only known issue regarding the filter is the "hiccup bug" where
transports shutdown in the middle of the NTLM exchange thereby
invalidating any in-flight nonces. This is likely to be the issue that
you are seeing. It's just a bad interaction between the stateful
NTLMSSP and stateless HTTP protocols. The proposed fix for this issue
is discussed here:

  http://lists.samba.org/archive/jcifs/2008-June/008019.html

However this fix will likely never be incorporated. Is is more likely
that the NTLM HTTP Filter in general will be dropped with the release
of JCIFS 2.0 (assuming a 2.0 ever happens) because the Filter has
nothing to do with the CIFS protocol and, more important, the
man-in-the-middle hack the Filter uses will not work with NTLMv2 which
is gaining popularity (and it's at the center of the "hiccup" bug).

I believe that an OSS project can actually do harm to the community
because it can block the development of a proper solution. The JCIFS
NTLM HTTP Filter was an easy solution that was very popular and it
actually worked very well all things considered. But it's a hack, it's
giving JCIFS a bad name and it needs to be put down.

I reconnoiter that by removing the NTLM HTTP Filter from JCIFS the
community will be forced to act to create a proper SSO Filter for Java
Servlet containers. I would be happy to describe how a proper SSO
Filter should operate to anyone who is serious about starting such a
project.

Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

On 7/9/08, Ti Lian Hwang <lian_hwang.ti@...> wrote:
> Setting jcifs.smb.client.ssnLimit = 1
>
>
> does not work when using jcifs.smb.client.username/password
>  It does NOT cause a NPE, but "Invalid access to memory location."
>
>  Please refer again to
>
>  http://lists.samba.org/archive/jcifs/2008-June/007993.html

So did you try 1.2.22+ with jcifs.smb.client.dfs.disabled = true?


--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

Refer to

http://lists.samba.org/archive/jcifs/2008-June/007991.html

setting as you requested.
This was using 1.2.22c.

To be sure, I just downloaded the latest copy, jcifs 1.2.22
and it STILL has the problem (see below)

NtlmHttpFilter: CHEERS\test6: 0xC0000005: jcifs.smb.SmbAuthException: Invalid access to memory location.

-----------------------------

INFO: Undeploying context [/JcifsTest]
#JCIFS PROPERTIES
#Thu Jul 10 14:09:48 GMT+08:00 2008
java.vendor=Sun Microsystems Inc.
jcifs.smb.lmCompatibility=3
catalina.base=C\:\\Documents and Settings\\lianhwang\\.netbeans\\5.5\\apache-tomcat-5.5.17_base
sun.management.compiler=HotSpot Client Compiler
jcifs.netbios.cachePolicy=1200
catalina.useNaming=true
https.proxyHost=proxy.fairprice.com.sg
os.name=Windows 2000
sun.boot.class.path=C\:\\Program Files\\Java\\jdk1.5.0_06\\jre\\lib\\rt.jar;C\:\\Program Files\\Java\\jdk1.5.0_06\\jre\\lib\\i18n.jar;C\:\\Program Files\\Java\\jdk1.5.0_06\\jre\\lib\\sunrsasign.jar;C\:\\Program Files\\Java\\jdk1.5.0_06\\jre\\lib\\jsse.jar;C\:\\Program Files\\Java\\jdk1.5.0_06\\jre\\lib\\jce.jar;C\:\\Program Files\\Java\\jdk1.5.0_06\\jre\\lib\\charsets.jar;C\:\\Program Files\\Java\\jdk1.5.0_06\\jre\\classes
java.util.logging.config.file=C\:\\Documents and Settings\\lianhwang\\.netbeans\\5.5\\apache-tomcat-5.5.17_base\\conf\\logging.properties
sun.desktop=windows
java.vm.specification.vendor=Sun Microsystems Inc.
java.runtime.version=1.5.0_06-b05
http.proxyPort=8080
user.name=lianhwang
shared.loader=${catalina.base}/shared/classes,${catalina.base}/shared/lib/*.jar
tomcat.util.buf.StringCache.byte.enabled=true
jcifs.smb.client.domain=ZZZZZZ
user.language=en
java.naming.factory.initial=org.apache.naming.java.javaURLContextFactory
sun.boot.library.path=C\:\\Program Files\\Java\\jdk1.5.0_06\\jre\\bin
jcifs.smb.client.ssnLimit=1
java.version=1.5.0_06
java.util.logging.manager=org.apache.juli.ClassLoaderLogManager
user.timezone=GMT+08\:00
sun.arch.data.model=32
http.nonProxyHosts=localhost|127.0.0.1|IT24
java.endorsed.dirs=
jcifs.http.domainController=10.10.1.7
sun.cpu.isalist=
sun.jnu.encoding=Cp1252
file.encoding.pkg=sun.io
package.access=sun.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.,sun.beans.
file.separator=\\
java.specification.name=Java Platform API Specification
java.class.version=49.0
user.country=US
java.home=C\:\\Program Files\\Java\\jdk1.5.0_06\\jre
java.vm.info=mixed mode, sharing
os.version=5.0
https.proxyPort=8080
jcifs.smb.client.soTimeout=5000
jcifs.smb.client.password=xxxxxxxxxxxxxxxxxxxxxxxxxxx
path.separator=;
java.vm.version=1.5.0_06-b05
user.variant=
jcifs.smb.client.username=yyyyyyyyyyyyyyyyyyyyyyyyyyy
java.awt.printerjob=sun.awt.windows.WPrinterJob
sun.io.unicode.encoding=UnicodeLittle
awt.toolkit=sun.awt.windows.WToolkit
jcifs.util.loglevel=3
package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.
java.naming.factory.url.pkgs=org.apache.naming
user.home=C\:\\Documents and Settings\\lianhwang
java.specification.vendor=Sun Microsystems Inc.
java.library.path=C\:\\Program Files\\Java\\jdk1.5.0_06\\bin;.;C\:\\WINNT\\system32;C\:\\WINNT;C\:\\WINNT\\system32;C\:\\WINNT;C\:\\WINNT\\System32\\Wbem;C\:\\Program Files\\Microsoft SQL Server\\80\\Tools\\BINN;C\:\\Program Files\\Microsoft SQL Server\\80\\Tools\\Binn\\;C\:\\Program Files\\Microsoft SQL Server\\90\\DTS\\Binn\\;C\:\\Program Files\\Microsoft SQL Server\\90\\Tools\\binn\\;C\:\\Program Files\\Microsoft SQL Server\\90\\Tools\\Binn\\VSShell\\Common7\\IDE\\;C\:\\Program Files\\Microsoft Visual Studio 8\\Common7\\IDE\\PrivateAssemblies\\;C\:\\Program Files\\cvsnt;C\:\\Program Files\\Common Files\\GTK\\2.0\\bin;C\:\\Program Files\\Subversion\\bin;C\:\\oracle\\ora92\\bin;C\:\\Sun\\jwsdp-2.0\\jwsdp-shared\\bin;C\:\\tilh\\usr\\local\\wbin;C\:\\tilh\\bin;C\:\\cygwin\\bin
java.vendor.url=http\://java.sun.com/
java.vm.vendor=Sun Microsystems Inc.
common.loader=${catalina.home}/common/classes,${catalina.home}/common/i18n/*.jar,${catalina.home}/common/lib/*.jar
java.runtime.name=Java(TM) 2 Runtime Environment, Standard Edition
java.class.path=C\:\\Program Files\\Java\\jdk1.5.0_06\\lib\\tools.jar;C\:\\Program Files\\netbeans-5.5\\enterprise3\\apache-tomcat-5.5.17\\bin\\bootstrap.jar
java.vm.specification.name=Java Virtual Machine Specification
java.vm.specification.version=1.0
catalina.home=C\:\\Program Files\\netbeans-5.5\\enterprise3\\apache-tomcat-5.5.17
sun.cpu.endian=little
sun.os.patch.level=Service Pack 4
java.io.tmpdir=C\:\\Documents and Settings\\lianhwang\\.netbeans\\5.5\\apache-tomcat-5.5.17_base\\temp
java.vendor.url.bug=http\://java.sun.com/cgi-bin/bugreport.cgi
server.loader=${catalina.home}/server/classes,${catalina.home}/server/lib/*.jar
http.proxyHost=proxy.fairprice.com.sg
os.arch=x86
java.awt.graphicsenv=sun.awt.Win32GraphicsEnvironment
java.ext.dirs=C\:\\Program Files\\Java\\jdk1.5.0_06\\jre\\lib\\ext
user.dir=C\:\\Program Files\\netbeans-5.5\\enterprise3\\apache-tomcat-5.5.17\\bin
line.separator=\r\n
java.vm.name=Java HotSpot(TM) Client VM
jcifs.smb.client.dfs.disabled=true
file.encoding=Cp1252
java.specification.version=1.5
Jul 10, 2008 2:09:49 PM org.apache.catalina.core.StandardContext start
INFO: Container org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/JcifsTest] has already been started
NtlmHttpFilter: ZZZZZZ\test6: 0xC0000005: jcifs.smb.SmbAuthException: Invalid access to memory location.
>> Failed to negotiate NTLM for null /JcifsTest/test
NtlmHttpFilter: CHEERS\test6: 0xC0000005: jcifs.smb.SmbAuthException: Invalid access to memory location.

-----Original Message-----
From: Michael B Allen [mailto:ioplex@...]
Sent: Thursday, July 10, 2008 12:03 PM
To: Ti Lian Hwang
Cc: jcifs@...
Subject: Re: [jcifs] JCIFS Pops up dialog box for Authenticating certain
users


On 7/9/08, Ti Lian Hwang <lian_hwang.ti@...> wrote:
> Setting jcifs.smb.client.ssnLimit = 1
>
>
> does not work when using jcifs.smb.client.username/password
>  It does NOT cause a NPE, but "Invalid access to memory location."
>
>  Please refer again to
>
>  http://lists.samba.org/archive/jcifs/2008-June/007993.html

So did you try 1.2.22+ with jcifs.smb.client.dfs.disabled = true?


--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

On Fri, Jul 4, 2008 at 11:31 AM, Vivek Mehtani <vivek.mehtani@...> wrote:
I was having this problem as well, until I enabled preauthentication
(described here:
http://jcifs.samba.org/src/docs/ntlmhttpauth.html#signing). Try adding
jcifs.smb.client.username and jcifs.smb.client.password init-params.
This is obviously not an ideal solution since you have to put a
plaintext domain password in your web.xml, so you'd have to get
creative if you wanted it to be more secure.

HTH,

Matt

Attached is a diff of the changes that I made to support a reference counter to avoid the "hiccup".  This diff was based on JCIFS 1.1.11 (the latest at the time).  These changes have been running in  a production environment for about 4 years now and have had some serious load testing thrown at them.






--
Kevin


>diff jcifs_1.1.11\src\jcifs\smb\SmbSession.java workspace\jcifs\source\jcifs\smb\SmbSession.java
83a84
>         trans.incrementReferenceCount();                                        //KGT
136a138
>         trans.incrementReferenceCount();                                        //KGT
158,164c160,170
<         if( LOGON_SHARE == null ) {
<             tree.treeConnect( null, null );
<         } else {
<             Trans2FindFirst2 req = new Trans2FindFirst2( "\\", "*", SmbFile.ATTR_DIRECTORY );
<             Trans2FindFirst2Response resp = new Trans2FindFirst2Response();
<             tree.sendTransaction( req, resp );
<         }
--- 42a43
> import java.util.Iterator;
124a126,127
>     private int refCount = 0;                                                   //KGT
>
167c170,171
<     LinkedList sessions;
---
> //KGT    LinkedList sessions;
>     HashMap sessions;                                                           //KGT
201c205,206
<         sessions = new LinkedList();
---
> //KGT        sessions = new LinkedList();
>         sessions = new HashMap();                                               //KGT
220,227c225,237
<         ListIterator iter = sessions.listIterator();
<         while( iter.hasNext() ) {
<             ssn = (SmbSession)iter.next();
<             if( ssn.matches( auth )) {
<                 ssn.auth = auth;
<                 return ssn;
<             }
<         }
--- <             iter = sessions.listIterator();
---
> //KGT            iter = sessions.listIterator();
>             Iterator iter = sessions.values().iterator();                       //KGT
245c256,257
<         sessions.add( ssn );
---
> //KGT        sessions.add( ssn );
>         sessions.put( auth, ssn );                                              //KGT
283c295,296
<         ListIterator iter = sessions.listIterator();
---
> //KGT        ListIterator iter = sessions.listIterator();
>         Iterator iter = sessions.values().iterator();                           //KGT
506c519,524
<                     tryClose( false );
---
>                     if( refCount == 0 ) {                                       //KGT
>                         tryClose( false );
>                     } else if( log.level > 1 ) {                                //KGT
>                         log.println( "soTimeout has occured but there are " +   //KGT
>                                 refCount + " references to this transport socket" ); //KGT
>                     }                                                           //KGT
523a542,549
>     synchronized void incrementReferenceCount() {                               //KGT
>         refCount++;                                                             //KGT
>     }                                                                           //KGT
>
>     synchronized void decrementReferenceCount() {                               //KGT
>         refCount--;                                                             //KGT
>     }                                                                           //KGT
>

>diff jcifs_1.1.11\src\jcifs\ntlmssp\Type3Message.java workspace\jcifs\source\jcifs\ntlmssp\Type3Message.java
573,574c573,577
<         // NTLMv2 issues w/cross-domain authentication; leave NT empty if >= 3
<         if (LM_COMPATIBILITY < 3) setNTResponse(ntResponse);
---
> //KGT        // NTLMv2 issues w/cross-domain authentication; leave NT empty if >= 3
> //KGT        if (LM_COMPATIBILITY < 3) setNTResponse(ntResponse);
>         // NTLMv2 issues w/cross-domain authentication; leave NT empty if NTLMv2 was sent by the client
>         // NTLM response will always be 24 bytes; NTLMv2 response will always be longer
>         if (ntResponse.length == 24) setNTResponse(ntResponse);                 //KGT