tomcat-users mailing list archives

From Seema Patel <seema...@hotmail.com>
Subject RE: java.net.UnknownHostException: Failed to negotiate with a suitable domain controller for xxx
Date Thu, 01 Aug 2013 15:00:08 GMT


> Date: Thu, 1 Aug 2013 15:55:37 +0200
> From: aw@ice-sa.com
> To: users@tomcat.apache.org
> Subject: Re: java.net.UnknownHostException: Failed to negotiate with a suitable domain controller for xxx
> 
> Seema Patel wrote:
> > 
> >> Date: Thu, 1 Aug 2013 12:06:39 +0200
> >> From: aw@ice-sa.com
> >> To: users@tomcat.apache.org
> >> Subject: Re: java.net.UnknownHostException: Failed to negotiate with a suitable domain controller for xxx
> >>
> >> Seema Patel wrote:
> >>> Hi,
> >>>  
> >>> I am not sure if this is the right List to post this on, please advise if it isn't and let me know where is best to post.
> >>>  
> >>> I am getting the following error on one of our applications running on our intranet:
> >>>  
> >>> 2013-07-31 17:15:11,180 [http-xxx.xxx.x.xxx-xx-x] ERROR org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/forms].[action] - Servlet.service() for servlet action threw exception
> >>> java.net.UnknownHostException: Failed to negotiate with a suitable domain controller for xxx.LOCAL
> >>> at jcifs.smb.SmbSession.getChallengeForDomain(SmbSession.java:187)
> >>> at jcifs.http.NtlmHttpFilter.negotiate(NtlmHttpFilter.java:150)
> >>> at jcifs.http.NtlmHttpFilter.doFilter(NtlmHttpFilter.java:114)
> >>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
> >>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
> >>> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
> >>> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
> >>> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:465)
> >>> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
> >>> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
> >>> at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:393)
> >>> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
> >>> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
> >>> at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:837)
> >>> at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:640)
> >>> at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1287)
> >>> at java.lang.Thread.run(Unknown Source)
> >>>  
> >> I believe that you should read this page carefully, in particular the blue text at the
> >> beginning : http://jcifs.samba.org/src/docs/ntlmhttpauth.html
> >>
> >> Can you have a look at the WEB-INF/web.xml file *of your application*, and check if there
> >> is a servlet filter configured there, which matches the name above ?
> >>
> >> If so, make a backup copy of that web.xml file, and then edit it to remove that filter
> >> from it, and try again.
> >> I am not quite sure, but it looks possible to me that you have a duplicate authentication
> >> mechanism in use : one at the container (Tomcat) level, and one at the application level.
> >> And the one used at the application level is obsolete, unsupported, unmaintained etc..
> >>
> > 
> > I have found out that JCIFS is no longer supported, but it will take a lot of time, development and resources to update it to the recommended Jespa.  In my web.xml file I have the following:
> > 
> > <filter>
> >         <filter-name>NtlmHttpFilter</filter-name>
> >         <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
> >            
> >         <!--
> >             always needed for preauthentication / SMB signatures
> >         -->
> >         <init-param>
> >             <param-name>jcifs.smb.client.domain</param-name>
> >             <param-value>xxx</param-value>
> >         </init-param>
> >         <!-- SMB message signing requires a valid existing login -->
> >         <init-param>
> >             <param-name>jcifs.smb.client.username</param-name>
> >             <param-value>xxx</param-value>
> >         </init-param>
> >         <init-param>
> >             <param-name>jcifs.smb.client.password</param-name>
> >             <param-value>xxx</param-value>
> >         </init-param>
> >         <!-- Set the logging level -->
> >         <init-param>
> >             <param-name>jcifs.util.loglevel</param-name>
> >             <param-value>3</param-value>
> >         </init-param>
> >         <!--  allow non-IE browsers to use basic auth -->
> >         <init-param>
> >             <param-name>jcifs.http.insecureBasic</param-name>
> >             <param-value>true</param-value>
> >         </init-param>
> >     </filter>
> >     <filter>
> >         <filter-name>HRADGroupFilter</filter-name>
> >         <filter-class>xxx.ADGroupFilter</filter-class>
> >         <init-param>
> >             <param-name>AllowedGroups</param-name>
> >             <param-value>G-HR,G-MIS</param-value>
> >         </init-param>
> >     </filter>
> >         <filter>
> >         <filter-name>SuggestionsGroupFilter</filter-name>
> >         <filter-class>xxx.ADGroupFilter</filter-class>
> >         <init-param>
> >             <param-name>AllowedGroups</param-name>
> >             <param-value>xxx, xxx</param-value>
> >         </init-param>
> >     </filter>
> >     
> >     <filter-mapping>
> >         <filter-name>NtlmHttpFilter</filter-name>
> >         <url-pattern>/suggestions/*</url-pattern>
> >     </filter-mapping>
> >     <filter-mapping>
> >         <filter-name>SuggestionsGroupFilter</filter-name>
> >         <url-pattern>/suggestions/*</url-pattern>
> >     </filter-mapping>
> >     <filter-mapping>
> >         <filter-name>NtlmHttpFilter</filter-name>
> >         <url-pattern>/xxx/*</url-pattern>
> >     </filter-mapping>
> >     <filter-mapping>
> >         <filter-name>HRADGroupFilter</filter-name>
> >         <url-pattern>/xxx/xxx.do</url-pattern>
> >     </filter-mapping>
> > 
> > 
> > So, are you saying to just remove the following from the above?:
> >        <filter-name>NtlmHttpFilter</filter-name>
> >        <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
> > 
> > Is there anything else in there that needs to be removed?  Sorry for my lack of understanding, but this was all developed by previous developers, who are no longer working here and have left no documentation.
> > 
> 
> Neither I nor the other contributors on this list know what your application(s) really
> do, nor how your whole system really fits together.
> In addition, this list is for the support of Tomcat, and your issue is not really with
> Tomcat, but seems to be really at the application level and how this application
> a) performs user authentication
> b) later uses the results of the user authentication
> The fact that there is no documentation and that the relevant developers have left is a
> pity, but not really something we can do anything about.
> 
> What I really suggest, if this application is important for you (and apart from what Chuck
> already mentioned) is this : get in touch with the Jespa authors, at www.ioplex.com (email
> : support@ioplex.com) , present the issue to them, and ask them how they could help.
> 
> Maybe first though : download the Jespa Operator's Guide from their website, and read it.
> That will already tell you a lot of what you need to know.
> 
> Replacing the jCIFS HTTP filter by Jespa is not very hard, and mostly consists of
> installing Jespa and modifying the web.xml to use the Jespa filter instead of the jCIFS
> filter.  That would be the following sections of your current web.xml :
> 
>  > <filter>
>  >         <filter-name>NtlmHttpFilter</filter-name>
>  >         <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
>  >
>  >         <!--
>  >             always needed for preauthentication / SMB signatures
>  >         -->
>  >         <init-param>
>  >             <param-name>jcifs.smb.client.domain</param-name>
>  >             <param-value>xxx</param-value>
>  >         </init-param>
>  >         <!-- SMB message signing requires a valid existing login -->
>  >         <init-param>
>  >             <param-name>jcifs.smb.client.username</param-name>
>  >             <param-value>xxx</param-value>
>  >         </init-param>
>  >         <init-param>
>  >             <param-name>jcifs.smb.client.password</param-name>
>  >             <param-value>xxx</param-value>
>  >         </init-param>
>  >         <!-- Set the logging level -->
>  >         <init-param>
>  >             <param-name>jcifs.util.loglevel</param-name>
>  >             <param-value>3</param-value>
>  >         </init-param>
>  >         <!--  allow non-IE browsers to use basic auth -->
>  >         <init-param>
>  >             <param-name>jcifs.http.insecureBasic</param-name>
>  >             <param-value>true</param-value>
>  >         </init-param>
>  >     </filter>
> 
> and
> 
>  >     <filter-mapping>
>  >         <filter-name>NtlmHttpFilter</filter-name>
>  >         <url-pattern>/suggestions/*</url-pattern>
>  >     </filter-mapping>
> 
> and
> 
>  >     <filter-mapping>
>  >         <filter-name>NtlmHttpFilter</filter-name>
>  >         <url-pattern>/xxx/*</url-pattern>
>  >     </filter-mapping>
> 
> The sections above have a direct equivalent with Jespa, and there should in principle not
> be any code changes to make in your applications.
> Just the parameters in web.xml differ somewhat.
> 
> Both the jCIFS filter and the Jespa filter are servlet filters, and they basically do the
> same thing :
> - authenticate the current user of the application with the Windows Domain Controllers
> (and whatever is used as their back-end authentication mechanism)
> - "set" the internal "Tomcat user" to this user-id
> 
> Then, after that, runs the other filters that are configured above, and your application.
> What they do with whatever information the authentication filter (jCIFS or Jespa) has
> passed to Tomcat, we do not know, and there could be a problem there (but more likely not).
> If there was a problem, then the people most likely to be able to help you are the Jespa guys.
> 
> 
> In theory, there could be another way : replace this "application-level" filter-based
> authentication by a container-level authentication (and get rid of the filters), but in
> your current situation, I believe that the Jespa solution is really the simplest one.
> 
> And, really, consider upgrading your Tomcat version.  Nothing which you are currently
> using is supported anymore.

When upgrading Tomcat from version 5.5 to 7, would I need to upgrade to version 6 first and then to 7 or can I go straight from 5.5 to 7?
I will first try all this in a test environment.  Please bear with me, I may come back with further questions to your responses.
But thanks for all the feedback, it's appreciated (especially as I'm a newbie to this).



> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
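
Added example, not part of the original thread: a small audit of a web.xml for the jCIFS NtlmHttpFilter settings quoted above, listing the risky init-params and the filter-mappings that have to move when the filter is replaced. The function name `audit_web_xml`, the helper names and the sample document are assumptions made for this illustration; the sample is constructed and all its values are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the web.xml quoted in the thread; every value is a placeholder.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
 <filter>
  <filter-name>NtlmHttpFilter</filter-name>
  <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
  <init-param><param-name>jcifs.smb.client.username</param-name><param-value>svc-placeholder</param-value></init-param>
  <init-param><param-name>jcifs.smb.client.password</param-name><param-value>placeholder</param-value></init-param>
  <init-param><param-name>jcifs.http.insecureBasic</param-name><param-value>true</param-value></init-param>
 </filter>
 <filter>
  <filter-name>HRADGroupFilter</filter-name>
  <filter-class>example.ADGroupFilter</filter-class>
 </filter>
 <filter-mapping><filter-name>NtlmHttpFilter</filter-name><url-pattern>/suggestions/*</url-pattern></filter-mapping>
 <filter-mapping><filter-name>HRADGroupFilter</filter-name><url-pattern>/hr/report.do</url-pattern></filter-mapping>
</web-app>"""

JCIFS_FILTER = "jcifs.http.NtlmHttpFilter"

def children(elem, name):
    # Direct children by local tag name, so namespaced and plain web.xml both work.
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def text(elem, name):
    found = children(elem, name)
    return (found[0].text or "").strip() if found else ""

def audit_web_xml(xml_text):
    """Return (findings, url-patterns mapped to the jCIFS filter)."""
    root = ET.fromstring(xml_text)
    findings, jcifs_names = [], set()
    for f in children(root, "filter"):
        if text(f, "filter-class") != JCIFS_FILTER:
            continue  # other filters (e.g. the group filters) are not judged here
        name = text(f, "filter-name")
        jcifs_names.add(name)
        params = {text(p, "param-name"): text(p, "param-value") for p in children(f, "init-param")}
        if params.get("jcifs.http.insecureBasic", "").lower() == "true":
            findings.append(f"{name}: insecureBasic=true, Basic credentials accepted without TLS")
        if params.get("jcifs.smb.client.password"):
            findings.append(f"{name}: domain account password stored in web.xml")
    # These mappings must point at the replacement filter, or the URLs lose authentication.
    patterns = [text(m, "url-pattern") for m in children(root, "filter-mapping")
                if text(m, "filter-name") in jcifs_names]
    return findings, patterns

if __name__ == "__main__":
    print(audit_web_xml(SAMPLE_WEB_XML))
```
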