tomcat-users mailing list archives

From "Allistair Crossley" <Allistair.Cross...@QAS.com>
Subject RE: jCIFS Jboss Tomcat IIS NTLM Authentication
Date Wed, 26 Oct 2005 10:41:59 GMT
If you're using IIS in front of your application you don't need to use jCIFS. All you do is
set the directory permissions on your website to Integrated Windows Authentication, then configure
your Tomcat AJP Connector element with tomcatAuthentication="false". Then request.getRemoteUser()
will return the Windows username.

> -----Original Message-----
> From: Scott Shaver [mailto:Scott.Shaver@mcdata.com]
> Sent: 25 October 2005 22:10
> To: tomcat-user@jakarta.apache.org
> Subject: jCIFS Jboss Tomcat IIS NTLM Authentication
> 
> 
> 
> Okay I've spent the last several days going over everything I 
> could find on the web about setting this up and I still can't 
> get it to work. I have the following setup:
> 
> jCIFS 1.2.6
> 
> JBoss 4.0.3 with Tomcat 5
> 
> Jakarta isapi_redirect 1.2.14
> 
> IIS 5.0
> 
> IE 6
> 
> Windows 2003 Domain Controller
> 
> 
> A win2k machine running a small web app, on Jboss, with the 
> jcifs.http.NtlmHttpFilter set up. An IIS box fronting the app 
> server using the isapi redirector to pass the requests 
> through to jboss. If I hit the app server directly with IE I 
> see the following output from jboss:
> 
> 14:06:24,692 INFO  [STDOUT] Transport1:   connect: state=0
> 
> 14:06:24,692 INFO  [STDOUT] New data read: 
> Transport1[MC4DC01<00>/999.16.11.10:0]
> 
> 14:06:24,692 INFO  [STDOUT] 00000: FF 53 4D 42 72 00 00 00 00 
> 98 03 C0 00 00 00 00  | SMBr......└....|
> 
> 00010: 00 00 00 00 00 00 00 00 00 00 73 59 00 00 06 00  
> |..........sY....|
> 
> 14:06:24,692 INFO  [STDOUT] byteCount=50 but 
> readBytesWireFormat returned 32
> 
> 14:06:24,692 INFO  [STDOUT] Transport1: run connected
> 
> 14:06:24,708 INFO  [STDOUT] Transport1: connected: state=3
> 
> 14:06:24,724 INFO  [STDOUT] treeConnect: 
> unc=\\MC4DCA01\IPC$,service=?????
> 
> 14:06:24,739 INFO  [STDOUT] New data read: 
> Transport1[MC4DC01<00>/999.16.11.10:0]
> 
> 14:06:24,739 INFO  [STDOUT] 00000: FF 53 4D 42 73 00 00 00 00 
> 98 03 C0 00 00 00 00  | SMBs......└....|
> 
> 00010: 00 00 00 00 00 00 00 00 07 20 73 59 00 40 07 00  
> |......... sY.@..|
> 
> 14:06:24,755 INFO  [STDOUT] NtlmHttpFilter: 
> MCDATACORPNT\sas1a780c successfully authenticated against 
> 0.0.0.0<00>/172.16.11.10
> 
> which is great, that is exactly what I wanted it to do. I was 
> authenticated against our domain controller. So it appears 
> jCIFS is working. However when I then go to the application 
> via the IIS server this happens:
> 
> 12:32:17,115 INFO  [STDOUT] treeConnect: 
> unc=\\MC4DCA01\IPC$,service=?????
> 
> 12:32:17,130 INFO  [STDOUT] New data read: 
> Transport1[MC4DCA01<00>/999.16.11.10:0]
> 
> 12:32:17,130 INFO  [STDOUT] 00000: FF 53 4D 42 73 6D 00 00 C0 
> 98 03 C0 00 00 00 00  | SMBsm..└..└....|
> 
> 00010: 00 00 00 00 00 00 00 00 00 00 73 59 00 00 05 00  
> |..........sY....|
> 
> 12:32:17,130 INFO  [STDOUT] NtlmHttpFilter: 
> MCDATACORPNT\sas1a780c: 0xC000006D: 
> jcifs.smb.SmbAuthException: Logon failure: unknown user name 
> or bad password.
> 
> 12:32:17,146 INFO  [JkCoyoteHandler] Response already committed
> 
> 
> So the question is: What is causing it to fail when going through IIS?
> 
> 
> I'm only using the jcifs.http.domainController and 
> jcifs.smb.client.domain settings in the web.xml for the filter.
> 
> 
> Is it IIS? Is it the isapi_redirect ISAPI filter on IIS? Is 
> it the AJP13 worker threads on the Jboss side? Is it 
> something happening between the worker threads and the 
> request hand-off to the tomcat server?
> 
> I have the entire list of instructions written down for how I 
> have set all of this up if anyone needs to see it. I can get 
> the logs from the ISAPI filter if that would help. I've seen 
> many, many threads about people having issues with this but no 
> real answers and no configurations exactly like this. Any 
> help is greatly appreciated.
> 
> 
> 
> 
> 
> 


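The setup described in the reply above makes the application depend on request.getRemoteUser() for identity. The servlet filter below is an added example, not code from the thread or from Tomcat or jCIFS: it shows the application side failing closed when no Windows identity arrives. The class name, the "windowsAccount" attribute, the use of the domain name from the quoted log, and the DOMAIN\user form of the value are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (hypothetical class): consumes the identity that IIS passes
// over AJP when the Connector has tomcatAuthentication="false".
public class IisRemoteUserFilter implements Filter {
    // Assumption: the NetBIOS domain that appears in the quoted jCIFS log.
    private static final String EXPECTED_DOMAIN = "MCDATACORPNT";

    public void init(FilterConfig config) {}
    public void destroy() {}

    // Returns the account name when remoteUser is DOMAIN\name in the
    // expected domain; returns null for anything else.
    static String accountIn(String remoteUser, String domain) {
        if (remoteUser == null) return null;
        int sep = remoteUser.indexOf('\\');
        if (sep <= 0 || sep == remoteUser.length() - 1) return null;
        if (!remoteUser.substring(0, sep).equalsIgnoreCase(domain)) return null;
        return remoteUser.substring(sep + 1);
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // This value is whatever the AJP peer (IIS via isapi_redirect)
        // reported; Tomcat does not verify it again.
        String account = accountIn(request.getRemoteUser(), EXPECTED_DOMAIN);
        if (account == null) {
            // Fail closed: covers anonymous access left enabled in IIS and
            // requests that did not pass through the authenticating front end.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        request.setAttribute("windowsAccount", account);
        chain.doFilter(req, res);
    }
}
```

Because Tomcat accepts the user name from the AJP peer without checking it, the AJP port should be reachable only from the IIS host.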

