tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier ...@ice-sa.com>
Subject Re: java.net.UnknownHostException: Failed to negotiate with a suitable domain controller for xxx
Date Thu, 01 Aug 2013 13:55:37 GMT
Seema Patel wrote:
> 
>> Date: Thu, 1 Aug 2013 12:06:39 +0200
>> From: aw@ice-sa.com
>> To: users@tomcat.apache.org
>> Subject: Re: java.net.UnknownHostException: Failed to negotiate with a suitable domain
controller for xxx
>>
>> Seema Patel wrote:
>>> Hi,
>>>  
>>> I am not sure if this is the right List to post this on, please advise if it
isn't and let me know where is best to post.
>>>  
>>> I am getting the following error on one of our applications running on our intranet:
>>>  
>>> 2013-07-31 17:15:11,180 [http-xxx.xxx.x.xxx-xx-x] ERROR org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/forms].[action]
- Servlet.service() for servlet action threw exception
>>> java.net.UnknownHostException: Failed to negotiate with a suitable domain controller
for xxx.LOCAL
>>> at jcifs.smb.SmbSession.getChallengeForDomain(SmbSession.java:187)
>>> at jcifs.http.NtlmHttpFilter.negotiate(NtlmHttpFilter.java:150)
>>> at jcifs.http.NtlmHttpFilter.doFilter(NtlmHttpFilter.java:114)
>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
>>> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
>>> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
>>> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:465)
>>> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>>> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
>>> at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:393)
>>> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
>>> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
>>> at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:837)
>>> at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:640)
>>> at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1287)
>>> at java.lang.Thread.run(Unknown Source)
>>>  
>> I believe that you should read this page carefully, in particular the blue text at
the 
>> beginning : http://jcifs.samba.org/src/docs/ntlmhttpauth.html
>>
>> Can you have a look at the WEB-INF/web.xml file *of your application*, and check
if there 
>> is a servlet filter configured there, which matches the name above ?
>>
>> If so, make a backup copy of that web.xml file, and then edit it to remove that filter

>> from it, and try again.
>> I am not quite sure, but it looks possible to me that you have a duplicate authentication

>> mechanism in use : one at the container (Tomcat) level, and one at the application
level.
>> And the one used at the application level is obsolete, unsupported, unmaintained
etc..
>>
> 
> I have found out that JCIFS is no longer supported, but it will take a lot of time, development
and resources to update it to the recommended Jespa.  In my web.xml file I have the following:
> 
> <filter>
>         <filter-name>NtlmHttpFilter</filter-name>
>         <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
>            
>         <!--
>             always needed for preauthentication / SMB signatures
>         -->
>         <init-param>
>             <param-name>jcifs.smb.client.domain</param-name>
>             <param-value>xxx</param-value>
>         </init-param>
>         <!-- SMB message signing requires a valid existing login -->
>         <init-param>
>             <param-name>jcifs.smb.client.username</param-name>
>             <param-value>xxx</param-value>
>         </init-param>
>         <init-param>
>             <param-name>jcifs.smb.client.password</param-name>
>             <param-value>xxx</param-value>
>         </init-param>
>         <!-- Set the logging level -->
>         <init-param>
>             <param-name>jcifs.util.loglevel</param-name>
>             <param-value>3</param-value>
>         </init-param>
>         <!--  allow non-IE browsers to use basic auth -->
>         <init-param>
>             <param-name>jcifs.http.insecureBasic</param-name>
>             <param-value>true</param-value>
>         </init-param>
>     </filter>
>     <filter>
>         <filter-name>HRADGroupFilter</filter-name>
>         <filter-class>xxx.ADGroupFilter</filter-class>
>         <init-param>
>             <param-name>AllowedGroups</param-name>
>             <param-value>G-HR,G-MIS</param-value>
>         </init-param>
>     </filter>
>         <filter>
>         <filter-name>SuggestionsGroupFilter</filter-name>
>         <filter-class>xxx.ADGroupFilter</filter-class>
>         <init-param>
>             <param-name>AllowedGroups</param-name>
>             <param-value>xxx, xxx</param-value>
>         </init-param>
>     </filter>
>     
>     <filter-mapping>
>         <filter-name>NtlmHttpFilter</filter-name>
>         <url-pattern>/suggestions/*</url-pattern>
>     </filter-mapping>
>     <filter-mapping>
>         <filter-name>SuggestionsGroupFilter</filter-name>
>         <url-pattern>/suggestions/*</url-pattern>
>     </filter-mapping>
>     <filter-mapping>
>         <filter-name>NtlmHttpFilter</filter-name>
>         <url-pattern>/xxx/*</url-pattern>
>     </filter-mapping>
>     <filter-mapping>
>         <filter-name>HRADGroupFilter</filter-name>
>         <url-pattern>/xxx/xxx.do</url-pattern>
>     </filter-mapping>
> 
> 
> So, are you saying to just remove the following from the above?:
>        <filter-name>NtlmHttpFilter</filter-name>
>        <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
> 
> Is there anything else in there that needs to be removed?  Sorry for my lack of understanding,
but this was all developed by previous developers, who are no longer working here and have
left no documentation.
> 

Neither I nor the other contributors on this list knows what your application(s) really 
do, nor how your whole system really fits together.
In addition, this list is for the support of Tomcat, and your issue is not really with 
Tomcat, but seems to be really at the application level and how this application
a) performs user authentication
b) later uses the results of the user authentication
The fact that there is no documentation and that the relevant delevelopers have left is a

pity, but not really something we can do anything about.

What I really suggest, if this application is important for you (and apart from what Chuck

already mentioned) is this : get in touch with the Jespa authors, at www.ioplex.com (email

: support@ioplex.com) , present the issue to them, and ask them how they could help.

Maybe first though : download the Jespa Operator's Guide from their website, and read it.
That will already tell you a lot of what you need to know.

Replacing the jCIFS HTTP filter by Jespa is not very hard, and mostly consists of 
installing Jespa and modifying the web.xml to use the Jespa filter instead of the jCIFS 
filter.  That would be the following sections of your current web.xml :

 > <filter>
 >         <filter-name>NtlmHttpFilter</filter-name>
 >         <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
 >
 >         <!--
 >             always needed for preauthentication / SMB signatures
 >         -->
 >         <init-param>
 >             <param-name>jcifs.smb.client.domain</param-name>
 >             <param-value>xxx</param-value>
 >         </init-param>
 >         <!-- SMB message signing requires a valid existing login -->
 >         <init-param>
 >             <param-name>jcifs.smb.client.username</param-name>
 >             <param-value>xxx</param-value>
 >         </init-param>
 >         <init-param>
 >             <param-name>jcifs.smb.client.password</param-name>
 >             <param-value>xxx</param-value>
 >         </init-param>
 >         <!-- Set the logging level -->
 >         <init-param>
 >             <param-name>jcifs.util.loglevel</param-name>
 >             <param-value>3</param-value>
 >         </init-param>
 >         <!--  allow non-IE browsers to use basic auth -->
 >         <init-param>
 >             <param-name>jcifs.http.insecureBasic</param-name>
 >             <param-value>true</param-value>
 >         </init-param>
 >     </filter>

and

 >     <filter-mapping>
 >         <filter-name>NtlmHttpFilter</filter-name>
 >         <url-pattern>/suggestions/*</url-pattern>
 >     </filter-mapping>

and

 >     <filter-mapping>
 >         <filter-name>NtlmHttpFilter</filter-name>
 >         <url-pattern>/xxx/*</url-pattern>
 >     </filter-mapping>

The sections above have a direct equivalent with Jespa, and there should in principle not

be any code changes to make in your applications.
Just the parameters in web.xml differ somewhat.

Both the jCIFS filter and the Jespa filter are servlet filters, and they basically do the

same thing :
- authenticate the current user of the application with the Windows Domain Controllers 
(and whatever is used as their back-end authentication mechanism)
- "set" the internal "Tomcat user" to this user-id

Then, after that, runs the other filters that are configured above, and your application.
What they do with whatever information the authentication filter (jCIFS or Jespa) has 
passed to Tomcat, we do not know, and there could be a problem there (but more likely not).
If there was a problem, then the people most likely to be able to help you are the Jespa guys.


In theory, there could be another way : replace this "application-level" filter-based 
authentication by a container-level authentication (and get rid of the filters), but in 
your current situation, I believe that the Jespa solution is really the simplest one.

And, really, consider upgrading your Tomcat version.  Nothing which you are currently 
using is supported anymore.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message