tomcat-users mailing list archives

From Seema Patel <seema...@hotmail.com>
Subject RE: java.net.UnknownHostException: Failed to negotiate with a suitable domain controller for xxx
Date Thu, 01 Aug 2013 11:02:34 GMT


> Date: Thu, 1 Aug 2013 12:06:39 +0200
> From: aw@ice-sa.com
> To: users@tomcat.apache.org
> Subject: Re: java.net.UnknownHostException: Failed to negotiate with a suitable domain controller for xxx
> 
> Seema Patel wrote:
> > Hi,
> >  
> > I am not sure if this is the right List to post this on, please advise if it isn't and let me know where is best to post.
> >  
> > I am getting the following error on one of our applications running on our intranet:
> >  
> > 2013-07-31 17:15:11,180 [http-xxx.xxx.x.xxx-xx-x] ERROR org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/forms].[action] - Servlet.service() for servlet action threw exception
> > java.net.UnknownHostException: Failed to negotiate with a suitable domain controller for xxx.LOCAL
> > at jcifs.smb.SmbSession.getChallengeForDomain(SmbSession.java:187)
> > at jcifs.http.NtlmHttpFilter.negotiate(NtlmHttpFilter.java:150)
> > at jcifs.http.NtlmHttpFilter.doFilter(NtlmHttpFilter.java:114)
> > at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
> > at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
> > at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
> > at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
> > at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:465)
> > at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
> > at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
> > at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:393)
> > at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
> > at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
> > at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:837)
> > at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:640)
> > at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1287)
> > at java.lang.Thread.run(Unknown Source)
> >  
> 
> I believe that you should read this page carefully, in particular the blue text at the beginning : http://jcifs.samba.org/src/docs/ntlmhttpauth.html
> 
> Can you have a look at the WEB-INF/web.xml file *of your application*, and check if there is a servlet filter configured there, which matches the name above ?
> 
> If so, make a backup copy of that web.xml file, and then edit it to remove that filter from it, and try again.
> I am not quite sure, but it looks possible to me that you have a duplicate authentication mechanism in use : one at the container (Tomcat) level, and one at the application level.
> And the one used at the application level is obsolete, unsupported, unmaintained etc.
> 

I have found out that JCIFS is no longer supported, but it will take a lot of time, development
and resources to update it to the recommended Jespa.  In my web.xml file I have the following:

    <filter>
        <filter-name>NtlmHttpFilter</filter-name>
        <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
        <!--
            always needed for preauthentication / SMB signatures
        -->
        <init-param>
            <param-name>jcifs.smb.client.domain</param-name>
            <param-value>xxx</param-value>
        </init-param>
        <!-- SMB message signing requires a valid existing login -->
        <init-param>
            <param-name>jcifs.smb.client.username</param-name>
            <param-value>xxx</param-value>
        </init-param>
        <init-param>
            <param-name>jcifs.smb.client.password</param-name>
            <param-value>xxx</param-value>
        </init-param>
        <!-- Set the logging level -->
        <init-param>
            <param-name>jcifs.util.loglevel</param-name>
            <param-value>3</param-value>
        </init-param>
        <!--  allow non-IE browsers to use basic auth -->
        <init-param>
            <param-name>jcifs.http.insecureBasic</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>
    <filter>
        <filter-name>HRADGroupFilter</filter-name>
        <filter-class>xxx.ADGroupFilter</filter-class>
        <init-param>
            <param-name>AllowedGroups</param-name>
            <param-value>G-HR,G-MIS</param-value>
        </init-param>
    </filter>
    <filter>
        <filter-name>SuggestionsGroupFilter</filter-name>
        <filter-class>xxx.ADGroupFilter</filter-class>
        <init-param>
            <param-name>AllowedGroups</param-name>
            <param-value>xxx, xxx</param-value>
        </init-param>
    </filter>
    
    <filter-mapping>
        <filter-name>NtlmHttpFilter</filter-name>
        <url-pattern>/suggestions/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>SuggestionsGroupFilter</filter-name>
        <url-pattern>/suggestions/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>NtlmHttpFilter</filter-name>
        <url-pattern>/xxx/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>HRADGroupFilter</filter-name>
        <url-pattern>/xxx/xxx.do</url-pattern>
    </filter-mapping>


So, are you saying to just remove the following from the above?:
       <filter-name>NtlmHttpFilter</filter-name>
       <filter-class>jcifs.http.NtlmHttpFilter</filter-class>

Is there anything else in there that needs to be removed?  Sorry for my lack of understanding,
but this was all developed by previous developers, who are no longer working here and have
left no documentation.

Thanks

> 
> > In my tomcat/conf/server.xml file I have:
> >  
> > <Realm className="com.viatel.tomcatrealms.ADJNDIRealm"
> > debug="01" resourceName="ActiveDirectory"
> > connectionURL="ldap://xxx:xxx"
> > alternativeURL="ldap://xxx:xxx"
> > connectionName="LDAP@xxx.local" connectionPassword="xxx"
> > referrals="follow" userBase="dc=vtlwavenet,dc=local"
> > userSearch="(sAMAccountName={0})" userSubtree="true"
> > roleBase="dc=xxx,dc=local" roleSearch="(member={0})"
> > roleName="cn" roleSubtree="true" />
> >  
> > I have 2 .war files running from this tomcat - 1) intranet portal A, 2) intranet helpdesk page and also another intranet portal B (both run from slightly different URLs).
> > When tomcat was restarted the intranet portal A runs, intranet portal B runs but the intranet helpdesk portal doesn't run.  For this we get the error message shown above.
> >
> > I don't know if it is the java code, some setting in the tomcat catalina base or if it is a tomcat network issue.
> >  
> > We are running Tomcat 5.5.29.
> > java version "1.5.0_22"
> > Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_22-b03)
> > Java HotSpot(TM) Client VM (build 1.5.0_22-b03, mixed mode, sharing) 
> > It is on a Windows Server 2003 R2 SP2 VM box.
> >  
> > Any help on this is appreciated.
> > Thanks in advance
> >  
> > Seema
> 
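
An added example, not part of the original message and not code from jCIFS or Tomcat: a Python script for the web.xml check suggested in the thread. It lists every element tied to jcifs.http.NtlmHttpFilter (the filter definition, its filter-mapping entries, and other filters mapped to the same URL patterns) and flags the stored password and jcifs.http.insecureBasic without echoing any values. The sample document is constructed from the configuration quoted in the message; audit() and its report keys are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the web.xml in the message ("xxx" as posted).
SAMPLE = """<web-app>
 <filter>
  <filter-name>NtlmHttpFilter</filter-name>
  <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
  <init-param><param-name>jcifs.smb.client.password</param-name><param-value>xxx</param-value></init-param>
  <init-param><param-name>jcifs.http.insecureBasic</param-name><param-value>true</param-value></init-param>
 </filter>
 <filter>
  <filter-name>SuggestionsGroupFilter</filter-name>
  <filter-class>xxx.ADGroupFilter</filter-class>
 </filter>
 <filter-mapping><filter-name>NtlmHttpFilter</filter-name><url-pattern>/suggestions/*</url-pattern></filter-mapping>
 <filter-mapping><filter-name>SuggestionsGroupFilter</filter-name><url-pattern>/suggestions/*</url-pattern></filter-mapping>
 <filter-mapping><filter-name>NtlmHttpFilter</filter-name><url-pattern>/xxx/*</url-pattern></filter-mapping>
</web-app>"""

def _local(el):
    return el.tag.rsplit("}", 1)[-1]  # ignore any web-app XML namespace

def _child(el, name):
    return next(((c.text or "").strip() for c in el if _local(c) == name), "")

def audit(xml_text, filter_class="jcifs.http.NtlmHttpFilter"):
    """Report every element tied to filter_class; parameter values are never echoed."""
    root = ET.fromstring(xml_text)
    filters = [e for e in root.iter() if _local(e) == "filter"]
    mappings = [(_child(m, "filter-name"), _child(m, "url-pattern"))
                for m in root.iter() if _local(m) == "filter-mapping"]
    selected = [f for f in filters if _child(f, "filter-class") == filter_class]
    names = [_child(f, "filter-name") for f in selected]
    flags = []
    for f in selected:
        for p in (c for c in f if _local(c) == "init-param"):
            key, val = _child(p, "param-name"), _child(p, "param-value")
            if key.endswith(".password"):
                flags.append(key + ": credential stored in web.xml")
            if key == "jcifs.http.insecureBasic" and val.lower() == "true":
                flags.append(key + ": Basic auth accepted over plain HTTP")
    patterns = [u for n, u in mappings if n in names]
    # Other filters on the same URL pattern (exact string match) share the chain; review them.
    chained = sorted({n for n, u in mappings if u in patterns and n not in names})
    return {"filters": names, "mappings": patterns, "flags": flags, "chained": chained}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A filter-mapping that names a filter with no matching filter definition stops the web application from starting, so the definition and every mapping reported under "mappings" are removed together.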
 		 	   		  