Return-Path: X-Original-To: apmail-tomcat-users-archive@www.apache.org Delivered-To: apmail-tomcat-users-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id DF96D10F09 for ; Thu, 1 Aug 2013 13:56:20 +0000 (UTC) Received: (qmail 69318 invoked by uid 500); 1 Aug 2013 13:56:17 -0000 Delivered-To: apmail-tomcat-users-archive@tomcat.apache.org Received: (qmail 69234 invoked by uid 500); 1 Aug 2013 13:56:16 -0000 Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "Tomcat Users List" Delivered-To: mailing list users@tomcat.apache.org Received: (qmail 69218 invoked by uid 99); 1 Aug 2013 13:56:15 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 01 Aug 2013 13:56:15 +0000 X-ASF-Spam-Status: No, hits=-0.0 required=5.0 tests=SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: domain of aw@ice-sa.com designates 212.85.38.228 as permitted sender) Received: from [212.85.38.228] (HELO tor.combios.es) (212.85.38.228) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 01 Aug 2013 13:56:10 +0000 Received: from [192.168.245.129] (HSI-KBW-37-49-53-194.hsi14.kabel-badenwuerttemberg.de [37.49.53.194]) (Authenticated sender: andre.warnier@ice-sa.com) by tor.combios.es (Postfix) with ESMTPA id 3488A3C1561 for ; Thu, 1 Aug 2013 15:56:14 +0200 (CEST) Message-ID: <51FA68D9.6060601@ice-sa.com> Date: Thu, 01 Aug 2013 15:55:37 +0200 From: =?ISO-8859-1?Q?Andr=E9_Warnier?= Reply-To: Tomcat Users List User-Agent: Thunderbird 2.0.0.24 (Windows/20100228) MIME-Version: 1.0 To: Tomcat Users List Subject: Re: java.net.UnknownHostException: Failed to negotiate with a suitable domain controller for xxx References: ,<51FA332F.2000702@ice-sa.com> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Checked: Checked by ClamAV on apache.org Seema Patel wrote: > >> Date: Thu, 1 Aug 2013 12:06:39 +0200 >> From: aw@ice-sa.com >> To: users@tomcat.apache.org >> Subject: Re: java.net.UnknownHostException: Failed to negotiate with a suitable domain controller for xxx >> >> Seema Patel wrote: >>> Hi, >>> >>> I am not sure if this is the right List to post this on, please advise if it isn't and let me know where is best to post. >>> >>> I am getting the following error on one of our applications running on our intranet: >>> >>> 2013-07-31 17:15:11,180 [http-xxx.xxx.x.xxx-xx-x] ERROR org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/forms].[action] - Servlet.service() for servlet action threw exception >>> java.net.UnknownHostException: Failed to negotiate with a suitable domain controller for xxx.LOCAL >>> at jcifs.smb.SmbSession.getChallengeForDomain(SmbSession.java:187) >>> at jcifs.http.NtlmHttpFilter.negotiate(NtlmHttpFilter.java:150) >>> at jcifs.http.NtlmHttpFilter.doFilter(NtlmHttpFilter.java:114) >>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215) >>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188) >>> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213) >>> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172) >>> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:465) >>> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) >>> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117) >>> at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:393) >>> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108) >>> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174) >>> at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:837) >>> at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:640) >>> at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1287) >>> at java.lang.Thread.run(Unknown Source) >>> >> I believe that you should read this page carefully, in particular the blue text at the >> beginning : http://jcifs.samba.org/src/docs/ntlmhttpauth.html >> >> Can you have a look at the WEB-INF/web.xml file *of your application*, and check if there >> is a servlet filter configured there, which matches the name above ? >> >> If so, make a backup copy of that web.xml file, and then edit it to remove that filter >> from it, and try again. >> I am not quite sure, but it looks possible to me that you have a duplicate authentication >> mechanism in use : one at the container (Tomcat) level, and one at the application level. >> And the one used at the application level is obsolete, unsupported, unmaintained etc.. >> > > I have found out that JCIFS is no longer supported, but it will take a lot of time, development and resources to update it to the recommended Jespa. In my web.xml file I have the following: > > > NtlmHttpFilter > jcifs.http.NtlmHttpFilter > > > > jcifs.smb.client.domain > xxx > > > > jcifs.smb.client.username > xxx > > > jcifs.smb.client.password > xxx > > > > jcifs.util.loglevel > 3 > > > > jcifs.http.insecureBasic > true > > > > HRADGroupFilter > xxx.ADGroupFilter > > AllowedGroups > G-HR,G-MIS > > > > SuggestionsGroupFilter > xxx.ADGroupFilter > > AllowedGroups > xxx, xxx > > > > > NtlmHttpFilter > /suggestions/* > > > SuggestionsGroupFilter > /suggestions/* > > > NtlmHttpFilter > /xxx/* > > > HRADGroupFilter > /xxx/xxx.do > > > > So, are you saying to just remove the following from the above?: > NtlmHttpFilter > jcifs.http.NtlmHttpFilter > > Is there anything else in there that needs to be removed? Sorry for my lack of understanding, but this was all developed by previous developers, who are no longer working here and have left no documentation. > Neither I nor the other contributors on this list knows what your application(s) really do, nor how your whole system really fits together. In addition, this list is for the support of Tomcat, and your issue is not really with Tomcat, but seems to be really at the application level and how this application a) performs user authentication b) later uses the results of the user authentication The fact that there is no documentation and that the relevant delevelopers have left is a pity, but not really something we can do anything about. What I really suggest, if this application is important for you (and apart from what Chuck already mentioned) is this : get in touch with the Jespa authors, at www.ioplex.com (email : support@ioplex.com) , present the issue to them, and ask them how they could help. Maybe first though : download the Jespa Operator's Guide from their website, and read it. That will already tell you a lot of what you need to know. Replacing the jCIFS HTTP filter by Jespa is not very hard, and mostly consists of installing Jespa and modifying the web.xml to use the Jespa filter instead of the jCIFS filter. That would be the following sections of your current web.xml : > > NtlmHttpFilter > jcifs.http.NtlmHttpFilter > > > > jcifs.smb.client.domain > xxx > > > > jcifs.smb.client.username > xxx > > > jcifs.smb.client.password > xxx > > > > jcifs.util.loglevel > 3 > > > > jcifs.http.insecureBasic > true > > and > > NtlmHttpFilter > /suggestions/* > and > > NtlmHttpFilter > /xxx/* > The sections above have a direct equivalent with Jespa, and there should in principle not be any code changes to make in your applications. Just the parameters in web.xml differ somewhat. Both the jCIFS filter and the Jespa filter are servlet filters, and they basically do the same thing : - authenticate the current user of the application with the Windows Domain Controllers (and whatever is used as their back-end authentication mechanism) - "set" the internal "Tomcat user" to this user-id Then, after that, runs the other filters that are configured above, and your application. What they do with whatever information the authentication filter (jCIFS or Jespa) has passed to Tomcat, we do not know, and there could be a problem there (but more likely not). If there was a problem, then the people most likely to be able to help you are the Jespa guys. In theory, there could be another way : replace this "application-level" filter-based authentication by a container-level authentication (and get rid of the filters), but in your current situation, I believe that the Jespa solution is really the simplest one. And, really, consider upgrading your Tomcat version. Nothing which you are currently using is supported anymore. --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org For additional commands, e-mail: users-help@tomcat.apache.org