> Date: Thu, 1 Aug 2013 15:55:37 +0200
> From: a...@ice-sa.com
> To: users@tomcat.apache.org
> Subject: Re: java.net.UnknownHostException: Failed to negotiate with a suitable domain controller for xxx
> 
> Seema Patel wrote:
> > 
> >> Date: Thu, 1 Aug 2013 12:06:39 +0200
> >> From: a...@ice-sa.com
> >> To: users@tomcat.apache.org
> >> Subject: Re: java.net.UnknownHostException: Failed to negotiate with a suitable domain controller for xxx
> >>
> >> Seema Patel wrote:
> >>> Hi,
> >>>  
> >>> I am not sure if this is the right List to post this on, please advise if 
> >>> it isn't and let me know where is best to post.
> >>>  
> >>> I am getting the following error on one of our applications running on 
> >>> our intranet:
> >>>  
> >>> 2013-07-31 17:15:11,180 [http-xxx.xxx.x.xxx-xx-x] ERROR org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/forms].[action] - Servlet.service() for servlet action threw exception
> >>> java.net.UnknownHostException: Failed to negotiate with a suitable domain controller for xxx.LOCAL
> >>> at jcifs.smb.SmbSession.getChallengeForDomain(SmbSession.java:187)
> >>> at jcifs.http.NtlmHttpFilter.negotiate(NtlmHttpFilter.java:150)
> >>> at jcifs.http.NtlmHttpFilter.doFilter(NtlmHttpFilter.java:114)
> >>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
> >>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
> >>> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
> >>> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
> >>> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:465)
> >>> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
> >>> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
> >>> at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:393)
> >>> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
> >>> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
> >>> at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:837)
> >>> at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:640)
> >>> at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1287)
> >>> at java.lang.Thread.run(Unknown Source)
> >>>  
> >> I believe that you should read this page carefully, in particular the blue
> >> text at the beginning : http://jcifs.samba.org/src/docs/ntlmhttpauth.html
> >>
> >> Can you have a look at the WEB-INF/web.xml file *of your application*, and
> >> check if there is a servlet filter configured there, which matches the name
> >> above ?
> >>
> >> If so, make a backup copy of that web.xml file, and then edit it to remove
> >> that filter from it, and try again.
> >> I am not quite sure, but it looks possible to me that you have a duplicate
> >> authentication mechanism in use : one at the container (Tomcat) level, and
> >> one at the application level.
> >> And the one used at the application level is obsolete, unsupported,
> >> unmaintained etc..
> >>
> > 
> > I have found out that JCIFS is no longer supported, but it will take a lot 
> > of time, development and resources to update it to the recommended Jespa.  
> > In my web.xml file I have the following:
> > 
> > <filter>
> >         <filter-name>NtlmHttpFilter</filter-name>
> >         <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
> >            
> >         <!--
> >             always needed for preauthentication / SMB signatures
> >         -->
> >         <init-param>
> >             <param-name>jcifs.smb.client.domain</param-name>
> >             <param-value>xxx</param-value>
> >         </init-param>
> >         <!-- SMB message signing requires a valid existing login -->
> >         <init-param>
> >             <param-name>jcifs.smb.client.username</param-name>
> >             <param-value>xxx</param-value>
> >         </init-param>
> >         <init-param>
> >             <param-name>jcifs.smb.client.password</param-name>
> >             <param-value>xxx</param-value>
> >         </init-param>
> >         <!-- Set the logging level -->
> >         <init-param>
> >             <param-name>jcifs.util.loglevel</param-name>
> >             <param-value>3</param-value>
> >         </init-param>
> >         <!--  allow non-IE browsers to use basic auth -->
> >         <init-param>
> >             <param-name>jcifs.http.insecureBasic</param-name>
> >             <param-value>true</param-value>
> >         </init-param>
> >     </filter>
> >     <filter>
> >         <filter-name>HRADGroupFilter</filter-name>
> >         <filter-class>xxx.ADGroupFilter</filter-class>
> >         <init-param>
> >             <param-name>AllowedGroups</param-name>
> >             <param-value>G-HR,G-MIS</param-value>
> >         </init-param>
> >     </filter>
> >         <filter>
> >         <filter-name>SuggestionsGroupFilter</filter-name>
> >         <filter-class>xxx.ADGroupFilter</filter-class>
> >         <init-param>
> >             <param-name>AllowedGroups</param-name>
> >             <param-value>xxx, xxx</param-value>
> >         </init-param>
> >     </filter>
> >     
> >     <filter-mapping>
> >         <filter-name>NtlmHttpFilter</filter-name>
> >         <url-pattern>/suggestions/*</url-pattern>
> >     </filter-mapping>
> >     <filter-mapping>
> >         <filter-name>SuggestionsGroupFilter</filter-name>
> >         <url-pattern>/suggestions/*</url-pattern>
> >     </filter-mapping>
> >     <filter-mapping>
> >         <filter-name>NtlmHttpFilter</filter-name>
> >         <url-pattern>/xxx/*</url-pattern>
> >     </filter-mapping>
> >     <filter-mapping>
> >         <filter-name>HRADGroupFilter</filter-name>
> >         <url-pattern>/xxx/xxx.do</url-pattern>
> >     </filter-mapping>
> > 
> > 
> > So, are you saying to just remove the following from the above?:
> >        <filter-name>NtlmHttpFilter</filter-name>
> >        <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
> > 
> > Is there anything else in there that needs to be removed?  Sorry for my 
> > lack of understanding, but this was all developed by previous developers, 
> > who are no longer working here and have left no documentation.
> > 
> 
> Neither I nor the other contributors on this list know what your
> application(s) really do, nor how your whole system really fits together.
> In addition, this list is for the support of Tomcat, and your issue is not
> really with Tomcat, but seems to be really at the application level and how
> this application
> a) performs user authentication
> b) later uses the results of the user authentication
> The fact that there is no documentation and that the relevant developers
> have left is a pity, but not really something we can do anything about.
> 
> What I really suggest, if this application is important for you (and apart
> from what Chuck already mentioned) is this : get in touch with the Jespa
> authors, at www.ioplex.com (email : supp...@ioplex.com) , present the issue
> to them, and ask them how they could help.
> 
> Maybe first though : download the Jespa Operator's Guide from their website,
> and read it.
> That will already tell you a lot of what you need to know.
> 
> Replacing the jCIFS HTTP filter by Jespa is not very hard, and mostly
> consists of installing Jespa and modifying the web.xml to use the Jespa
> filter instead of the jCIFS filter.  That would be the following sections of
> your current web.xml :
> 
>  > <filter>
>  >         <filter-name>NtlmHttpFilter</filter-name>
>  >         <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
>  >
>  >         <!--
>  >             always needed for preauthentication / SMB signatures
>  >         -->
>  >         <init-param>
>  >             <param-name>jcifs.smb.client.domain</param-name>
>  >             <param-value>xxx</param-value>
>  >         </init-param>
>  >         <!-- SMB message signing requires a valid existing login -->
>  >         <init-param>
>  >             <param-name>jcifs.smb.client.username</param-name>
>  >             <param-value>xxx</param-value>
>  >         </init-param>
>  >         <init-param>
>  >             <param-name>jcifs.smb.client.password</param-name>
>  >             <param-value>xxx</param-value>
>  >         </init-param>
>  >         <!-- Set the logging level -->
>  >         <init-param>
>  >             <param-name>jcifs.util.loglevel</param-name>
>  >             <param-value>3</param-value>
>  >         </init-param>
>  >         <!--  allow non-IE browsers to use basic auth -->
>  >         <init-param>
>  >             <param-name>jcifs.http.insecureBasic</param-name>
>  >             <param-value>true</param-value>
>  >         </init-param>
>  >     </filter>
> 
> and
> 
>  >     <filter-mapping>
>  >         <filter-name>NtlmHttpFilter</filter-name>
>  >         <url-pattern>/suggestions/*</url-pattern>
>  >     </filter-mapping>
> 
> and
> 
>  >     <filter-mapping>
>  >         <filter-name>NtlmHttpFilter</filter-name>
>  >         <url-pattern>/xxx/*</url-pattern>
>  >     </filter-mapping>
> 
> The sections above have a direct equivalent with Jespa, and there should in
> principle not be any code changes to make in your applications.
> Just the parameters in web.xml differ somewhat.
> 
> Both the jCIFS filter and the Jespa filter are servlet filters, and they
> basically do the same thing :
> - authenticate the current user of the application with the Windows Domain
>   Controllers (and whatever is used as their back-end authentication mechanism)
> - "set" the internal "Tomcat user" to this user-id
> 
> Then, after that, runs the other filters that are configured above, and your
> application.
> What they do with whatever information the authentication filter (jCIFS or
> Jespa) has passed to Tomcat, we do not know, and there could be a problem
> there (but more likely not).
> If there was a problem, then the people most likely to be able to help you
> are the Jespa guys.
> 
> 
> In theory, there could be another way : replace this "application-level"
> filter-based authentication by a container-level authentication (and get rid
> of the filters), but in your current situation, I believe that the Jespa
> solution is really the simplest one.
> 
> And, really, consider upgrading your Tomcat version.  Nothing which you are
> currently using is supported anymore.

When upgrading Tomcat from version 5.5 to 7, would I need to upgrade to version 
6 first and then to 7 or can I go straight from 5.5 to 7?
I will first try all this in a test environment.  Please bear with me, I may 
come back with further questions to your responses.
But thanks for all the feedback, it's appreciated (especially as I'm a newbie to 
this). 
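
An added example, not code from this thread or from the jCIFS or Jespa projects: a small Python audit that reports which filter and url-patterns in a web.xml depend on `jcifs.http.NtlmHttpFilter` (the sections the quoted reply says need a Jespa equivalent) and flags the two risky init-params visible in the posted config. The sample XML is constructed from the quoted file with its placeholder values, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the web.xml quoted in the thread (placeholder values).
SAMPLE_WEB_XML = """<web-app>
  <filter>
    <filter-name>NtlmHttpFilter</filter-name>
    <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
    <init-param><param-name>jcifs.smb.client.password</param-name><param-value>xxx</param-value></init-param>
    <init-param><param-name>jcifs.http.insecureBasic</param-name><param-value>true</param-value></init-param>
  </filter>
  <filter>
    <filter-name>SuggestionsGroupFilter</filter-name>
    <filter-class>xxx.ADGroupFilter</filter-class>
  </filter>
  <filter-mapping><filter-name>NtlmHttpFilter</filter-name><url-pattern>/suggestions/*</url-pattern></filter-mapping>
  <filter-mapping><filter-name>SuggestionsGroupFilter</filter-name><url-pattern>/suggestions/*</url-pattern></filter-mapping>
  <filter-mapping><filter-name>NtlmHttpFilter</filter-name><url-pattern>/xxx/*</url-pattern></filter-mapping>
</web-app>"""

LEGACY_CLASS = "jcifs.http.NtlmHttpFilter"  # the unmaintained filter class named in the thread

def local(tag):
    """Strip an XML namespace so the audit works with or without xmlns on <web-app>."""
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    for c in elem:
        if local(c.tag) == name:
            return (c.text or "").strip()
    return None

def audit_web_xml(xml_text):
    root = ET.fromstring(xml_text)
    report = {"legacy_filters": [], "mappings": [], "findings": []}
    for f in (e for e in root.iter() if local(e.tag) == "filter"):
        if child_text(f, "filter-class") != LEGACY_CLASS:
            continue  # application filters such as ADGroupFilter stay as they are
        name = child_text(f, "filter-name")
        report["legacy_filters"].append(name)
        for p in (e for e in f if local(e.tag) == "init-param"):
            key, val = child_text(p, "param-name"), child_text(p, "param-value")
            if key == "jcifs.http.insecureBasic" and (val or "").lower() == "true":
                report["findings"].append(f"{name}: Basic auth allowed over plain HTTP")
            if key == "jcifs.smb.client.password" and val:
                report["findings"].append(f"{name}: service account password stored in web.xml")
    for m in (e for e in root.iter() if local(e.tag) == "filter-mapping"):
        if child_text(m, "filter-name") in report["legacy_filters"]:
            report["mappings"].append(child_text(m, "url-pattern"))  # paths losing auth if removed
    return report
```

The `mappings` list is the set of paths that would be left without authentication if the filter were simply deleted rather than replaced, while the group filters mapped to the same paths would still run behind it.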


