From: Seema Patel
To: Tomcat Users List
Subject: RE: java.net.UnknownHostException: Failed to negotiate with a suitable domain controller for xxx
Date: Thu, 1 Aug 2013 16:00:08 +0100

> Date: Thu, 1 Aug 2013 15:55:37 +0200
> From: aw@ice-sa.com
> To: users@tomcat.apache.org
> Subject: Re: java.net.UnknownHostException: Failed to negotiate with a suitable domain controller for xxx
>
> Seema Patel wrote:
> >
> >> Date: Thu, 1 Aug 2013 12:06:39 +0200
> >> From: aw@ice-sa.com
> >> To: users@tomcat.apache.org
> >> Subject: Re: java.net.UnknownHostException: Failed to negotiate with a suitable domain controller for xxx
> >>
> >> Seema Patel wrote:
> >>> Hi,
> >>>
> >>> I am not sure if this is the right List to post this on, please advise if it isn't and let me know where is best to post.
> >>>
> >>> I am getting the following error on one of our applications running on our intranet:
> >>>
> >>> 2013-07-31 17:15:11,180 [http-xxx.xxx.x.xxx-xx-x] ERROR org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/forms].[action] - Servlet.service() for servlet action threw exception
> >>> java.net.UnknownHostException: Failed to negotiate with a suitable domain controller for xxx.LOCAL
> >>> at jcifs.smb.SmbSession.getChallengeForDomain(SmbSession.java:187)
> >>> at jcifs.http.NtlmHttpFilter.negotiate(NtlmHttpFilter.java:150)
> >>> at jcifs.http.NtlmHttpFilter.doFilter(NtlmHttpFilter.java:114)
> >>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
> >>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
> >>> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
> >>> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
> >>> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:465)
> >>> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
> >>> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
> >>> at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:393)
> >>> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
> >>> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
> >>> at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:837)
> >>> at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:640)
> >>> at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1287)
> >>> at java.lang.Thread.run(Unknown Source)
> >>>
> >> I believe that you should read this page carefully, in particular the blue text at the
> >> beginning : http://jcifs.samba.org/src/docs/ntlmhttpauth.html
> >>
> >> Can you have a look at the WEB-INF/web.xml file *of your application*, and check if there
> >> is a servlet filter configured there, which matches the name above ?
> >>
> >> If so, make a backup copy of that web.xml file, and then edit it to remove that filter
> >> from it, and try again.
> >> I am not quite sure, but it looks possible to me that you have a duplicate authentication
> >> mechanism in use : one at the container (Tomcat) level, and one at the application level.
> >> And the one used at the application level is obsolete, unsupported, unmaintained etc.
> >>
> >
> > I have found out that JCIFS is no longer supported, but it will take a lot of time, development and resources to update it to the recommended Jespa.
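> > In my web.xml file I have the following:
> >
> > <filter>
> >   <filter-name>NtlmHttpFilter</filter-name>
> >   <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
> >
> >   <init-param>
> >     <param-name>jcifs.smb.client.domain</param-name>
> >     <param-value>xxx</param-value>
> >   </init-param>
> >
> >   <init-param>
> >     <param-name>jcifs.smb.client.username</param-name>
> >     <param-value>xxx</param-value>
> >   </init-param>
> >   <init-param>
> >     <param-name>jcifs.smb.client.password</param-name>
> >     <param-value>xxx</param-value>
> >   </init-param>
> >
> >   <init-param>
> >     <param-name>jcifs.util.loglevel</param-name>
> >     <param-value>3</param-value>
> >   </init-param>
> >
> >   <init-param>
> >     <param-name>jcifs.http.insecureBasic</param-name>
> >     <param-value>true</param-value>
> >   </init-param>
> > </filter>
> > <filter>
> >   <filter-name>HRADGroupFilter</filter-name>
> >   <filter-class>xxx.ADGroupFilter</filter-class>
> >   <init-param>
> >     <param-name>AllowedGroups</param-name>
> >     <param-value>G-HR,G-MIS</param-value>
> >   </init-param>
> > </filter>
> > <filter>
> >   <filter-name>SuggestionsGroupFilter</filter-name>
> >   <filter-class>xxx.ADGroupFilter</filter-class>
> >   <init-param>
> >     <param-name>AllowedGroups</param-name>
> >     <param-value>xxx, xxx</param-value>
> >   </init-param>
> > </filter>
> >
> > <filter-mapping>
> >   <filter-name>NtlmHttpFilter</filter-name>
> >   <url-pattern>/suggestions/*</url-pattern>
> > </filter-mapping>
> > <filter-mapping>
> >   <filter-name>SuggestionsGroupFilter</filter-name>
> >   <url-pattern>/suggestions/*</url-pattern>
> > </filter-mapping>
> > <filter-mapping>
> >   <filter-name>NtlmHttpFilter</filter-name>
> >   <url-pattern>/xxx/*</url-pattern>
> > </filter-mapping>
> > <filter-mapping>
> >   <filter-name>HRADGroupFilter</filter-name>
> >   <url-pattern>/xxx/xxx.do</url-pattern>
> > </filter-mapping>
> >
> >
> > So, are you saying to just remove the following from the above?:
> > <filter-name>NtlmHttpFilter</filter-name>
> > <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
> >
> > Is there anything else in there that needs to be removed? Sorry for my lack of understanding, but this was all developed by previous developers, who are no longer working here and have left no documentation.
> >
>
> Neither I nor the other contributors on this list know what your application(s) really
> do, nor how your whole system really fits together.
> In addition, this list is for the support of Tomcat, and your issue is not really with
> Tomcat, but seems to be really at the application level and how this application
> a) performs user authentication
> b) later uses the results of the user authentication
> The fact that there is no documentation and that the relevant developers have left is a
> pity, but not really something we can do anything about.
>
> What I really suggest, if this application is important for you (and apart from what Chuck
> already mentioned) is this : get in touch with the Jespa authors, at www.ioplex.com (email
> : support@ioplex.com) , present the issue to them, and ask them how they could help.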
>
> Maybe first though : download the Jespa Operator's Guide from their website, and read it.
> That will already tell you a lot of what you need to know.
>
> Replacing the jCIFS HTTP filter by Jespa is not very hard, and mostly consists of
> installing Jespa and modifying the web.xml to use the Jespa filter instead of the jCIFS
> filter. That would be the following sections of your current web.xml :
>
> > <filter>
> >   <filter-name>NtlmHttpFilter</filter-name>
> >   <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
> >
> >   <init-param>
> >     <param-name>jcifs.smb.client.domain</param-name>
> >     <param-value>xxx</param-value>
> >   </init-param>
> >
> >   <init-param>
> >     <param-name>jcifs.smb.client.username</param-name>
> >     <param-value>xxx</param-value>
> >   </init-param>
> >   <init-param>
> >     <param-name>jcifs.smb.client.password</param-name>
> >     <param-value>xxx</param-value>
> >   </init-param>
> >
> >   <init-param>
> >     <param-name>jcifs.util.loglevel</param-name>
> >     <param-value>3</param-value>
> >   </init-param>
> >
> >   <init-param>
> >     <param-name>jcifs.http.insecureBasic</param-name>
> >     <param-value>true</param-value>
> >   </init-param>
> > </filter>
>
> and
>
> > <filter-mapping>
> >   <filter-name>NtlmHttpFilter</filter-name>
> >   <url-pattern>/suggestions/*</url-pattern>
> > </filter-mapping>
>
> and
>
> > <filter-mapping>
> >   <filter-name>NtlmHttpFilter</filter-name>
> >   <url-pattern>/xxx/*</url-pattern>
> > </filter-mapping>
>
> The sections above have a direct equivalent with Jespa, and there should in principle not
> be any code changes to make in your applications.
> Just the parameters in web.xml differ somewhat.
>
> Both the jCIFS filter and the Jespa filter are servlet filters, and they basically do the
> same thing :
> - authenticate the current user of the application with the Windows Domain Controllers
> (and whatever is used as their back-end authentication mechanism)
> - "set" the internal "Tomcat user" to this user-id
>
> Then, after that, runs the other filters that are configured above, and your application.
> What they do with whatever information the authentication filter (jCIFS or Jespa) has
> passed to Tomcat, we do not know, and there could be a problem there (but more likely not).
> If there was a problem, then the people most likely to be able to help you are the Jespa guys.
>
>
> In theory, there could be another way : replace this "application-level" filter-based
> authentication by a container-level authentication (and get rid of the filters), but in
> your current situation, I believe that the Jespa solution is really the simplest one.
>
> And, really, consider upgrading your Tomcat version. Nothing which you are currently
> using is supported anymore.

When upgrading Tomcat from version 5.5 to 7, would I need to upgrade to version 6 first and then to 7 or can I go straight from 5.5 to 7?

I will first try all this in a test environment. Please bear with me, I may come back with further questions to your responses.

But thanks for all the feedback, it's appreciated (especially as I'm a newbie to this).
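
Added example, not part of the original message or of jCIFS/Jespa: a small audit that lists the web.xml sections tied to `jcifs.http.NtlmHttpFilter` (the ones the reply says a Jespa migration would replace) and flags two settings visible in the posted configuration. The sample descriptor is constructed from the quoted snippet, and the function name `audit_jcifs` and the report layout are assumptions of this example.

```python
import xml.etree.ElementTree as ET

JCIFS_FILTER_CLASS = "jcifs.http.NtlmHttpFilter"

# Constructed sample modelled on the sections quoted in the thread ("xxx" = redacted).
SAMPLE_WEB_XML = """<web-app>
  <filter>
    <filter-name>NtlmHttpFilter</filter-name>
    <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
    <init-param><param-name>jcifs.smb.client.username</param-name><param-value>xxx</param-value></init-param>
    <init-param><param-name>jcifs.smb.client.password</param-name><param-value>xxx</param-value></init-param>
    <init-param><param-name>jcifs.http.insecureBasic</param-name><param-value>true</param-value></init-param>
  </filter>
  <filter>
    <filter-name>HRADGroupFilter</filter-name>
    <filter-class>xxx.ADGroupFilter</filter-class>
  </filter>
  <filter-mapping><filter-name>NtlmHttpFilter</filter-name><url-pattern>/suggestions/*</url-pattern></filter-mapping>
  <filter-mapping><filter-name>NtlmHttpFilter</filter-name><url-pattern>/xxx/*</url-pattern></filter-mapping>
  <filter-mapping><filter-name>HRADGroupFilter</filter-name><url-pattern>/xxx/xxx.do</url-pattern></filter-mapping>
</web-app>"""

def _kids(elem, name):
    # Compare local names so a namespaced (Servlet 2.4+) descriptor also works.
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def _text(elem, name):
    found = _kids(elem, name)
    return (found[0].text or "").strip() if found else ""

def audit_jcifs(web_xml):
    """Return the jCIFS filter names, their URL mappings and risky init-params."""
    root = ET.fromstring(web_xml)
    report = {"filters": [], "mappings": [], "findings": []}
    for flt in _kids(root, "filter"):
        if _text(flt, "filter-class") != JCIFS_FILTER_CLASS:
            continue  # application filters such as the AD group filter are left alone
        name = _text(flt, "filter-name")
        report["filters"].append(name)
        params = {_text(p, "param-name"): _text(p, "param-value") for p in _kids(flt, "init-param")}
        if params.get("jcifs.http.insecureBasic", "").lower() == "true":
            report["findings"].append(name + ": Basic authentication offered over plain HTTP")
        if "jcifs.smb.client.password" in params:
            report["findings"].append(name + ": account password stored in clear text in web.xml")
    for mapping in _kids(root, "filter-mapping"):
        if _text(mapping, "filter-name") in report["filters"]:
            report["mappings"].append(_text(mapping, "url-pattern"))
    return report

if __name__ == "__main__":
    print(audit_jcifs(SAMPLE_WEB_XML))
```

The mappings in the report are the URL patterns that lose authentication if the filter is removed without a replacement, so they are the paths to retest after a migration.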