> Date: Thu, 1 Aug 2013 12:06:39 +0200
> From: a...@ice-sa.com
> To: users@tomcat.apache.org
> Subject: Re: java.net.UnknownHostException: Failed to negotiate with a suitable domain controller for xxx
>
> Seema Patel wrote:
> > Hi,
> >
> > I am not sure if this is the right List to post this on, please advise if
> > it isn't and let me know where is best to post.
> >
> > I am getting the following error on one of our applications running on our
> > intranet:
> >
> > 2013-07-31 17:15:11,180 [http-xxx.xxx.x.xxx-xx-x] ERROR org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/forms].[action] - Servlet.service() for servlet action threw exception
> > java.net.UnknownHostException: Failed to negotiate with a suitable domain controller for xxx.LOCAL
> >     at jcifs.smb.SmbSession.getChallengeForDomain(SmbSession.java:187)
> >     at jcifs.http.NtlmHttpFilter.negotiate(NtlmHttpFilter.java:150)
> >     at jcifs.http.NtlmHttpFilter.doFilter(NtlmHttpFilter.java:114)
> >     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
> >     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
> >     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
> >     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
> >     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:465)
> >     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
> >     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
> >     at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:393)
> >     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
> >     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
> >     at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:837)
> >     at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:640)
> >     at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1287)
> >     at java.lang.Thread.run(Unknown Source)
> >
>
> I believe that you should read this page carefully, in particular the blue text at the
> beginning : http://jcifs.samba.org/src/docs/ntlmhttpauth.html
>
> Can you have a look at the WEB-INF/web.xml file *of your application*, and check if there
> is a servlet filter configured there, which matches the name above ?
>
> If so, make a backup copy of that web.xml file, and then edit it to remove that filter
> from it, and try again.
> I am not quite sure, but it looks possible to me that you have a duplicate authentication
> mechanism in use : one at the container (Tomcat) level, and one at the application level.
> And the one used at the application level is obsolete, unsupported, unmaintained etc..
>
I have found out that JCIFS is no longer supported, but it will take a lot of time, development and resources to update it to the recommended Jespa.

In my web.xml file I have the following:

<filter>
    <filter-name>NtlmHttpFilter</filter-name>
    <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
    <!-- always needed for preauthentication / SMB signatures -->
    <init-param>
        <param-name>jcifs.smb.client.domain</param-name>
        <param-value>xxx</param-value>
    </init-param>
    <!-- SMB message signing requires a valid existing login -->
    <init-param>
        <param-name>jcifs.smb.client.username</param-name>
        <param-value>xxx</param-value>
    </init-param>
    <init-param>
        <param-name>jcifs.smb.client.password</param-name>
        <param-value>xxx</param-value>
    </init-param>
    <!-- Set the logging level -->
    <init-param>
        <param-name>jcifs.util.loglevel</param-name>
        <param-value>3</param-value>
    </init-param>
    <!-- allow non-IE browsers to use basic auth -->
    <init-param>
        <param-name>jcifs.http.insecureBasic</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter>
    <filter-name>HRADGroupFilter</filter-name>
    <filter-class>xxx.ADGroupFilter</filter-class>
    <init-param>
        <param-name>AllowedGroups</param-name>
        <param-value>G-HR,G-MIS</param-value>
    </init-param>
</filter>
<filter>
    <filter-name>SuggestionsGroupFilter</filter-name>
    <filter-class>xxx.ADGroupFilter</filter-class>
    <init-param>
        <param-name>AllowedGroups</param-name>
        <param-value>xxx, xxx</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>NtlmHttpFilter</filter-name>
    <url-pattern>/suggestions/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>SuggestionsGroupFilter</filter-name>
    <url-pattern>/suggestions/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>NtlmHttpFilter</filter-name>
    <url-pattern>/xxx/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>HRADGroupFilter</filter-name>
    <url-pattern>/xxx/xxx.do</url-pattern>
</filter-mapping>

So, are you saying to just remove the following from the above?:

    <filter-name>NtlmHttpFilter</filter-name>
    <filter-class>jcifs.http.NtlmHttpFilter</filter-class>

Is there anything else in there that needs to be removed?

Sorry for my lack of understanding, but this was all developed by previous developers, who are no longer working here and have left no documentation.

Thanks

>
> > In my tomcat/conf/server.xml file I have:
> >
> > <Realm className="com.viatel.tomcatrealms.ADJNDIRealm"
> >        debug="01" resourceName="ActiveDirectory"
> >        connectionURL="ldap://xxx:xxx"
> >        alternativeURL="ldap://xxx:xxx"
> >        connectionName="LDAP@xxx.local" connectionPassword="xxx"
> >        referrals="follow" userBase="dc=vtlwavenet,dc=local"
> >        userSearch="(sAMAccountName={0})" userSubtree="true"
> >        roleBase="dc=xxx,dc=local" roleSearch="(member={0})"
> >        roleName="cn" roleSubtree="true" />
> >
> > I have 2 .war files running from this tomcat - 1) intranet portal A, 2)
> > intranet helpdesk page and also another intranet portal B (both run from
> > slightly different URLs).
> > When tomcat was restarted the intranet portal A runs, intranet portal B
> > runs but the intranet helpdesk portal doesn't run. For this we get the
> > error message shown above.
> >
> > I don't know if it is the java code, some setting in the tomcat catalina
> > base or if it is a tomcat network issue.
> >
> > We are running Tomcat 5.5.29.
> > java version "1.5.0_22"
> > Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_22-b03)
> > Java HotSpot(TM) Client VM (build 1.5.0_22-b03, mixed mode, sharing)
> > It is on a Windows Server 2003 R2 SP2 VM box.
> >
> > Any help on this is appreciated.
> > Thanks in advance
> >
> > Seema
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
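
An added example, not part of the thread and not jCIFS or Tomcat code: a short Python audit of a web.xml shaped like the one quoted above. It lists everything that belongs to the jcifs.http.NtlmHttpFilter configuration (the `<filter>` element and each `<filter-mapping>` that names it), flags the Basic-auth and embedded-password parameters, and names other filters mapped under the same URLs so they can be reviewed before the NTLM filter is changed. The sample document, the /hr/ paths, example.ADGroupFilter and CHANGEME are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the web.xml in the thread; the /hr/ paths,
# example.ADGroupFilter and CHANGEME are placeholders, not the poster's values.
SAMPLE = """<web-app>
 <filter>
  <filter-name>NtlmHttpFilter</filter-name>
  <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
  <init-param><param-name>jcifs.smb.client.password</param-name><param-value>CHANGEME</param-value></init-param>
  <init-param><param-name>jcifs.http.insecureBasic</param-name><param-value>true</param-value></init-param>
 </filter>
 <filter><filter-name>HRADGroupFilter</filter-name><filter-class>example.ADGroupFilter</filter-class></filter>
 <filter-mapping><filter-name>NtlmHttpFilter</filter-name><url-pattern>/hr/*</url-pattern></filter-mapping>
 <filter-mapping><filter-name>HRADGroupFilter</filter-name><url-pattern>/hr/report.do</url-pattern></filter-mapping>
</web-app>"""

def txt(elem, tag):
    return (elem.findtext(tag) or "").strip()

def covers(pattern, other):
    # "/x/*" covers /x and everything below it; other patterns match exactly.
    if pattern.endswith("/*"):
        return other == pattern[:-2] or other.startswith(pattern[:-1])
    return pattern == other

def audit(xml_text, ntlm_class="jcifs.http.NtlmHttpFilter"):
    root = ET.fromstring(xml_text)
    for e in root.iter():                 # drop XML namespace prefixes, if any
        e.tag = e.tag.rsplit("}", 1)[-1]
    ntlm = [f for f in root.findall("filter") if txt(f, "filter-class") == ntlm_class]
    names = {txt(f, "filter-name") for f in ntlm}
    params = {txt(p, "param-name"): txt(p, "param-value")
              for f in ntlm for p in f.findall("init-param")}
    mappings = [(txt(m, "filter-name"), txt(m, "url-pattern"))
                for m in root.findall("filter-mapping")]
    urls = [u for n, u in mappings if n in names]
    return {
        "ntlm_filters": sorted(names),
        "ntlm_mappings": urls,  # <filter-mapping> entries that go with the filter
        # jCIFS offers Basic on non-HTTPS requests only when this is "true".
        "basic_offered_without_tls": params.get("jcifs.http.insecureBasic", "").lower() == "true",
        "password_in_web_xml": "jcifs.smb.client.password" in params,
        # Other filters mapped under the same URLs as the NTLM filter.
        "filters_under_ntlm_urls": sorted({n for n, u in mappings if n not in names
                                           and any(covers(p, u) for p in urls)}),
    }

if __name__ == "__main__":
    print(audit(SAMPLE))
```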