getUserPrincipal() in JCIFS / Lan-Manager authentitation level setting in Windows 2k8

Posted by Chris on Server Fault See other posts from Server Fault or by Chris
Published on 2011-03-14T16:00:33Z Indexed on 2011/03/14 16:11 UTC
Read the original article Hit count: 364

I have to find out in which exact format JCIFS stores the user principal in the "getUserPrincipal()" property. Therefor i created a test Environment like this:

  • Windows Server 2008 Domain Controller
  • Domain named "MYDOMAIN"
  • Many Testusers in Active Directory
  • Tomcat Application Server with my Web Application (which simply reads the user Principal and displays its values).

The user should be logged in to the web-application with SSO therefor i need the format that jcifs is using to store the user. (For example user@MYDOMAIN or MYDOMAIN\user...)

I tested the Authentication with other SSO frameworks with Kerberos Method and it works as expected.

I'm now trying to use SSO through the NTLMHttpFilter of JCIFS. When i try to login i get the following error message:

jcifs.smb.SmbException: The parameter is incorrect.
    jcifs.smb.SmbTransport.checkStatus(SmbTransport.java:541)
    jcifs.smb.SmbTransport.send(SmbTransport.java:641)
    jcifs.smb.SmbSession.sessionSetup(SmbSession.java:322)
    jcifs.smb.SmbSession.send(SmbSession.java:224)
    jcifs.smb.SmbTree.treeConnect(SmbTree.java:176)
    jcifs.smb.SmbSession.logon(SmbSession.java:153)
    jcifs.smb.SmbSession.logon(SmbSession.java:146)
    jcifs.http.NtlmHttpFilter.negotiate(NtlmHttpFilter.java:189)
    jcifs.http.NtlmHttpFilter.doFilter(NtlmHttpFilter.java:121)

Regarding to the documentation i'm using to configure this, this is a know issue with the Group policy. It is stated there, that i have to change the Group policy "Networkaccess: lan-manager authentication level" to respond to NTLMv1 request.

I have done this, but it's still not working. So what i also have to configure is the same policy on the client computer. I have to change the policy, so that the client computer sends NTLMv1. But it is always sending NTLMv2 tokens.

The problem now is that i'm somehow not able to change this setting. (I already was before) because the dropdown box to choose the authentication method is "greyed out".

Lan-manager authentication level at Client-Side

edit: just to make this clear, this dialog is on the client-side in the "local-security policies"

As you can see from this screenshot, the chosen method is "Only send NTLMv2 responses" which is the wrong setting and i'm pretty sure that this is causing the error above.

My question is now, why can't i change this setting? Why is it greyd out?

© Server Fault or respective owner

Related posts about windows-server-2008

Related posts about group-policy