NTLMv2 Authentication on Windows7

I am using Windows 7 (64-bit) as the client machine with the authentication level set to "Send NTLMv2 response only. Refuse LM". I need to write server-side code for a Java web application that accepts NTLMv2 and extracts the username, domain, workstation, etc. from the HTTP header part of the request. This is in Java 1.6. I searched on Google, but could not find the right solution. Please help me write the code.
Thanks
Sundeep

While I haven't used it myself, the Apache HTTP components project claims to support NTLMv2 - http://hc.apache.org/httpcomponents-client-ga/ntlm.html.
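Reading the fields the question asks about out of the NTLM Type 3 (AUTHENTICATE) message, as an added example that is not code from the thread or from Apache HttpComponents. It assumes Java 8 or later (for java.util.Base64) and a header value as returned by HttpServletRequest.getHeader("Authorization"); the class and method names are hypothetical and the sample message in main is constructed.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

// Added illustration; class and method names are hypothetical.
public class NtlmType3Parser {
    private static final byte[] SIGNATURE = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0};
    private static final int NEGOTIATE_UNICODE = 0x00000001;

    /** Returns the payload of the security buffer (Len, MaxLen, Offset) whose descriptor starts at 'at'. */
    static byte[] field(ByteBuffer msg, int at) {
        int len = msg.getShort(at) & 0xFFFF;
        long off = msg.getInt(at + 4) & 0xFFFFFFFFL;
        // Length and offset are client-controlled: reject anything outside the message.
        if (off + len > msg.capacity()) {
            throw new IllegalArgumentException("security buffer at " + at + " is out of bounds");
        }
        return Arrays.copyOfRange(msg.array(), (int) off, (int) off + len);
    }

    /**
     * Parses the last leg of the HTTP NTLM handshake (Type 1 -> 401 with Type 2 -> Type 3).
     * Returns {domain, user, workstation, response kind}. The strings are claims made by the
     * client; they are not authenticated until the NT response has been validated.
     */
    static String[] parse(String header) {
        if (header == null || !header.regionMatches(true, 0, "NTLM ", 0, 5)) {
            throw new IllegalArgumentException("not an NTLM Authorization header");
        }
        byte[] raw = Base64.getDecoder().decode(header.substring(5).trim());
        if (raw.length < 64 || !Arrays.equals(Arrays.copyOf(raw, 8), SIGNATURE)) {
            throw new IllegalArgumentException("missing NTLMSSP signature");
        }
        ByteBuffer msg = ByteBuffer.wrap(raw).order(ByteOrder.LITTLE_ENDIAN);
        if (msg.getInt(8) != 3) {
            throw new IllegalArgumentException("not a Type 3 (AUTHENTICATE) message");
        }
        // Strings are UTF-16LE when NEGOTIATE_UNICODE is set; ISO-8859-1 stands in for the OEM code page.
        Charset cs = (msg.getInt(60) & NEGOTIATE_UNICODE) != 0
                ? StandardCharsets.UTF_16LE : StandardCharsets.ISO_8859_1;
        byte[] nt = field(msg, 20);
        // An NTLMv1 response is exactly 24 bytes; NTLMv2 is a 16-byte proof followed by a
        // client blob that starts with RespType = 1, HiRespType = 1.
        boolean v2 = nt.length > 24 && nt[16] == 1 && nt[17] == 1;
        return new String[] {
            new String(field(msg, 28), cs),   // DomainName
            new String(field(msg, 36), cs),   // UserName
            new String(field(msg, 44), cs),   // Workstation
            v2 ? "NTLMv2" : "NTLM/LM"
        };
    }

    public static void main(String[] args) {
        // Constructed sample message: all values below are made up for the demonstration.
        byte[] lm = new byte[24];
        byte[] nt = new byte[16 + 28];
        nt[16] = 1;
        nt[17] = 1;
        byte[] domain = "EXAMPLE".getBytes(StandardCharsets.UTF_16LE);
        byte[] user = "alice".getBytes(StandardCharsets.UTF_16LE);
        byte[] workstation = "WKSTN01".getBytes(StandardCharsets.UTF_16LE);
        byte[][] fields = {lm, nt, domain, user, workstation, new byte[0]};

        int total = 64;
        for (byte[] f : fields) total += f.length;
        ByteBuffer b = ByteBuffer.allocate(total).order(ByteOrder.LITTLE_ENDIAN);
        b.put(SIGNATURE).putInt(3);
        int off = 64;                                   // payload follows the 64-byte header
        for (byte[] f : fields) {
            b.putShort((short) f.length).putShort((short) f.length).putInt(off);
            off += f.length;
        }
        b.putInt(NEGOTIATE_UNICODE);
        for (byte[] f : fields) b.put(f);

        String header = "NTLM " + Base64.getEncoder().encodeToString(b.array());
        System.out.println(Arrays.toString(parse(header)));
    }
}
```

A server that must accept only NTLMv2 can reject the request when the fourth element is not "NTLMv2", before passing the response on for validation.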

Similar Messages

  • NTLMv2 authentication from linux

    Hello All,
    I spent a good amount of time on the Internet trying to figure this out, without any success. So I thought I had better ask.
    We use a corporate proxy to access the internet. We have both Linux and Windows boxes. We access the internet from Linux, via Firefox, after authenticating with our Windows domain id/pass.
    Recently our proxy authentication module was upgraded/configured to accept only NTLMv2. After this, Firefox keeps on prompting for id/pass as if we provided incorrect credentials.
    From whatever I read, NTLMv2 is an authentication protocol, a bit more advanced than the LM or NTLM protocols.
    So I am not sure whether Firefox doesn't support NTLMv2, or whether I should install some package helping Firefox to speak NTLMv2, or whether I am missing something.
    Cheers,
    Uday.

  • NTLMv2 Authentication in Linux

    I am creating a web services client in Java that is intended to extract data from a SharePoint site. My code works in the Windows environment but not in the Linux environment. Research led me to write a java.net.Authenticator implementation as described by the Java documentation on HTTP authentication. The link is provided below:
    http://java.sun.com/javase/6/docs/technotes/guides/net/http-auth.html
    I am using JDK 1.6.0_06. The SharePoint server requires NTLMv2 authentication. In Windows the authenticator is not called; my login credentials are automatically used. In Linux, the authenticator is called and fails. The Linux stack trace is:
    java.io.IOException: Server returned HTTP response code: 500 for URL: http://myserver/sites/asite/_vti_bin/Lists.asmx?WSDL
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1241)
    at java.net.URL.openStream(URL.java:1009)
    at com.uboc.sharepoint.io.URLGetter.loadURLToStrings(URLGetter.java:26)
    at com.uboc.sharepoint.io.URLGetter.main(URLGetter.java:105)
    I tried every variation of the userid and password. This included:
    1 - Using the domain name as a prefix with a backslash separator. (<DomainName>\<UserName>)
    2 - Using the system property -Dhttp.auth.ntlm.domain=<DomainName>
    3 - Omitting the domain name altogether
    None of these work for me.
    Does anyone know whether Sun's Linux implementation of JDK 1.6 supports NTLMv2 authentication protocol?
    My authenticator code is as follows:
    import java.net.Authenticator;
    import java.net.PasswordAuthentication;

    public class WindowsAuthenticator extends Authenticator {
        private String user;
        private String password;

        public WindowsAuthenticator()
        {
            super();
        }

        public WindowsAuthenticator(String user, String password)
        {
            this.user = user;
            this.password = password;
        }

        @Override
        protected PasswordAuthentication getPasswordAuthentication()
        {
            PasswordAuthentication auth;
            // Debug output describing the request that triggered the callback
            System.out.println("RequestingHost=" + this.getRequestingHost());
            System.out.println("RequestingProtocol=" + this.getRequestingProtocol());
            System.out.println("RequestingPort=" + this.getRequestingPort());
            System.out.println("RequestingScheme=" + this.getRequestingScheme());
            System.out.println("RequestingPrompt=" + this.getRequestingPrompt());
            System.out.println("RequestingSite=" + this.getRequestingSite());
            System.out.println("RequestingURL=" + this.getRequestingURL().toString());
            if (this.getRequestorType() == Authenticator.RequestorType.PROXY)
                System.out.println("RequestType=PROXY");
            else if (this.getRequestorType() == Authenticator.RequestorType.SERVER)
                System.out.println("RequestType=SERVER");
            // Note: this writes the credentials to stdout in clear text
            System.out.println("UserID=\"" + this.getUser() +"\"");
            System.out.println("Password=\"" + this.getPassword()+ "\"");
            auth = new PasswordAuthentication(this.user, this.password.toCharArray());
            return auth;
        }

        /**
         * @return the password
         */
        public String getPassword()
        {
            return password;
        }

        /**
         * @param password the password to set
         */
        public void setPassword(String password)
        {
            this.password = password;
        }

        /**
         * @return the user
         */
        public String getUser()
        {
            return user;
        }

        /**
         * @param user the user to set
         */
        public void setUser(String user)
        {
            this.user = user;
        }
    }
    My URLGetter Code is as follows
    import java.io.BufferedReader;
    import java.io.File;
    import java.io.FileNotFoundException;
    import java.io.FileOutputStream;
    import java.io.IOException;
    import java.io.InputStreamReader;
    import java.io.PrintStream;
    import java.net.Authenticator;
    import java.net.URL;
    import java.util.ArrayList;

    public class URLGetter {
        public static ArrayList<String> loadURLToStrings( URL url )
        throws IOException
        {
            String inputLine;
            ArrayList<String> lines = new ArrayList<String>();
            // get an input stream for the URL
            BufferedReader in = new BufferedReader(new InputStreamReader(url.openStream()));
            // Move the data. OK maybe buffered IO might improve performance.
            while ( (inputLine = in.readLine()) != null )
                lines.add(inputLine);
            // Close the stream
            in.close();
            return lines;
        }

        /** @param args URL, outputFile, userid, password */
        public static void main(String[] args)
        {
            String url      = null;
            String outFile  = null;
            String user     = null;
            String password = null;
            PrintStream out = null;
            WindowsAuthenticator auth = null;
            try
            {
                // Get the URL
                if (args.length > 0 )
                    url = args[0];
                else
                {
                    System.err.println("Error: URL not specified.");
                    cmdLineInfo();
                    System.exit(1);
                }
                // Get the output file name
                if (args.length > 1 )
                {
                    outFile = args[1];
                    out     = setupPrintStream( outFile);
                }
                else
                {
                    out = System.out;
                    System.err.println("Using stdout.");
                }
                // Get the userid
                if (args.length > 2 )
                {
                    user = args[2];
                    auth = new WindowsAuthenticator();
                    auth.setUser(user);
                    Authenticator.setDefault(auth);
                    System.err.println("userid specified.");
                }
                // Get the password
                if (args.length > 3 )
                {
                    password = args[3];
                    auth.setPassword(password);
                    System.err.println("password specified.");
                }
                // Download the URL
                ArrayList<String> data = loadURLToStrings(new URL( url ));
                for ( int i = 0; i < data.size(); i++)
                    out.println( data.get(i));
            }
            catch (Exception e)
            {
                e.printStackTrace();
            }
        }

        /** Prints the command line parameters to the console */
        public static void cmdLineInfo()
        {
            System.err.println("Usage: java [options] URLGetter URL outputFileName [userid] [password]");
            System.err.println("Where command line parameters include:");
            System.err.println("URL          The full qualified URL or address of the information to download.");
            System.err.println("outputFile   The name of the file to save downloaded info.");
            System.err.println("userid       The optional username when the URL requires login.");
            System.err.println("password     The optional password when the URL requires login.");
        }

        /**
         * Setup output File
         * @param fileName
         *        file that will be used to create an output file
         */
        public static PrintStream setupPrintStream( String fileName ) throws FileNotFoundException
        {
            PrintStream out  = null;
            File        file = new File( fileName );
            file.delete();
            FileOutputStream stream  = new FileOutputStream(fileName, true);
            out     = new PrintStream( stream );
            return out;
        }
    }

    It's an old post but the basic problem is that the code shown doesn't implement NTLMv2 authentication at all. It just implements basic password authentication.
    "Does anyone know whether Sun's Linux implementation of JDK 1.6 supports NTLMv2 authentication protocol?"
    @OP: you should have read the link you provided! It clearly says that NTLM authentication via java.net.Authenticator only works on Windows platforms, and it works by not calling your installed Authenticator. If yours gets called, it is not working or not available.
    There are other problems:
    public static PrintStream setupPrintStream( String fileName ) throws FileNotFoundException
    {
        PrintStream out  = null;
        File        file = new File( fileName );
        file.delete();
        FileOutputStream stream  = new FileOutputStream(fileName, true);
        out     = new PrintStream( stream );
        return out;
    }
    All that could be reduced to new PrintStream(new FileOutputStream(fileName), false). You don't even need the method.

  • Message signature for NTLMv2 Authentication message

    Hi,
    I'm implementing NTLMv2 support for SMBv2 and I have encountered some problems calculating the correct checksum for the authentication message. 
    Authentication packet:
    By offline testing of packets I was able to get 
    ExportedSessionKey: 945d257f88b6be1a4b201748e3f134c5
    and from there calculate the correct MIC (based on the negotiation,challenge and authentication messages).
    But now when I am trying to calculate the checksum for the message signature I can't get this right.
    The SignKey equals to md5(concat(ExportedSessionKey,"session key to client-to-server signing key magic constant")):
    2643d035ac56345368b321df5059f9b0
    The SealKey equals to md5(concat(ExportedSessionKey,"session key to client-to-server sealing key magic constant"))
    dbb66166a80c4be9b876a6f4ec1dd3a5
    and the sequence number is: 0
    I'm using this function to calculate the checksum:
    rc4(sealKey,hmac_md5(SignKey,concat(Sequence Number,message) ) ) [0 .. 7] = 0790d273a21186ce
    That's an incorrect checksum, the real checksum should have been: 524102bf5e86c109 (captured from the packet).
    These are the negotiation flags of this session that are set:
    NegotiateUnicode,RequestTarget,NegotiateSign,NegotiateNTLM,NegotiateAlwaysSign,NegotiateNTLM2,
    NegotiateTargetInfo,NegotiateVersion,Negotiate128,NegotiateKeyExch,Negotiate56
    The only thing I wasn't sure about is if I need to calculate the checksum from the message with Z(16) instead of the mic or with the real calculated mic. Nevertheless I don't get the checksum on both ways.
    I've also added the packets from the relevant session.
    https://www.dropbox.com/s/eepcpmim3rj2zkd/ntlm.cap?dl=0
    Thanks in advance!

    Hi Guy:
    The details for how to calculate a MechListMIC are described in RFC 4178 (http://www.rfc-editor.org/rfc/rfc4178.txt) section 5(a).
    Any details specific to Windows are described in MS-SPNG (https://msdn.microsoft.com/en-us/library/cc247021.aspx) documents.
    I will give you an example here how the client calculates MechListMIC in case of NTLM.
    For this example, I used an actual SMB2 session set up exchange. If you need the network trace that I used, please send an email to dochelp at microsoft dot com to my attention referencing this thread.
    server challenge: 0x91, 0xA7, 0xB5, 0xA0, 0x93, 0xD1, 0x28, 0x73
    Password: Password01!
    client's MechTypes from first session set up message : 30 0C 06 0A 2B 06 01 04 01 82 37 02 02 0A
    Security blob from the session set up command that contains the authenticate message:
    My calculations are from the server's perspective. Everything the server needs to verify the client's MechListMIC is in the security blob, and what is not in the blob is already with the server (password, server challenge and client's MechTypes sent in an earlier message).
    The KeyExchangeKey is the NTLMv2 session base, whose calculation is described in MS-NLMP (https://msdn.microsoft.com/en-us/library/cc236621.aspx) section "3.3.2 NTLM v2 Authentication".
    KeyExchangeKey (NTLMv2 session base key)=ad6e6c75872afd2178533d2ebb8ad9ad
    Using KeyExchangeKey to RC4 decrypt the Encrypted Random Session key, we get
    Random Session Key: c7 9a 31 b6 8d b6 4e 3f 84 66 be a3 b2 22 3b c1
    Using Random session key above and description in MS-NLMP, we calculate the signing and sealing keys.
    Server Signing Key: 69 cb 53 69 d5 18 75 04 dc 7e 61 03 33 10 53 e9
    Server Seal Key: 35 4e c9 d1 86 2d 4f a5 98 25 87 c4 b5 35 f2 33
    Client Signing Key: a2 b2 1a ed a9 ec d3 f1 3d ff c3 3d e0 1b 59 30
    Client Seal Key: 1e bb c6 f3 65 5b dc 13 b3 5b e4 e2 24 eb 71 e2
    Now using the client signing and sealing keys, we proceed to calculate the NTLM signature of client's MechTypes as described in MS-NLMP section "3.4.4.2 With Extended Session Security":
    Message number is 00 00 00 00
    MechList with 0000 concatenated:
    00 00 00 00 30 0c 06 0a 2b 06 01 04 01 82 37 02 02 0a
    HMAC_MD5 of the above using client signing key (first 8 bytes): 28 d5 e1 57 a4 d4 58 24
    checksum (RC4 encrypting the above using Client Sealing key): 3b 1f d5 e0 2d 97 5f 97
    MechListMIC by appending version and sequence: 01 00 00 00 3b 1f d5 e0 2d 97 5f 97 00 00 00 00
    As you can see this matches with what client sent.
    Please let me know if it does not answer your question.
    Regards, Obaid Farooqi
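The calculation walked through in the reply above, as an added Java example that is not code from the thread or from Microsoft. It uses only the random session key, client keys, MechTypes and MechListMIC quoted in the reply; class and method names are hypothetical, and the magic constants are hashed together with their terminating NUL byte, as MS-NLMP defines them.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added illustration; class and method names are hypothetical.
public class MechListMicCheck {
    static final String SIGN_MAGIC = "session key to client-to-server signing key magic constant";
    static final String SEAL_MAGIC = "session key to client-to-server sealing key magic constant";

    static byte[] hex(String s) {
        s = s.replace(" ", "");
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    /** MD5(sessionKey || magic || 0x00), for a session that negotiated 128-bit keys. */
    static byte[] deriveKey(byte[] sessionKey, String magic) throws Exception {
        MessageDigest md5 = MessageDigest.getInstance("MD5");
        md5.update(sessionKey);
        md5.update(magic.getBytes(StandardCharsets.US_ASCII));
        md5.update((byte) 0);   // the terminating NUL is part of the hashed constant
        return md5.digest();
    }

    /** Creates the RC4 sealing handle; its keystream state carries over from one message to the next. */
    static Cipher sealHandle(byte[] sealKey) throws Exception {
        Cipher rc4 = Cipher.getInstance("RC4");
        rc4.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(sealKey, "RC4"));
        return rc4;
    }

    /**
     * Signature with extended session security and key exchange negotiated:
     * Version(1) || RC4(handle, HMAC_MD5(signKey, SeqNum || message)[0..7]) || SeqNum
     */
    static byte[] signature(byte[] signKey, Cipher handle, int seqNum, byte[] message) throws Exception {
        byte[] seq = ByteBuffer.allocate(4).order(ByteOrder.LITTLE_ENDIAN).putInt(seqNum).array();
        Mac mac = Mac.getInstance("HmacMD5");
        mac.init(new SecretKeySpec(signKey, "HmacMD5"));
        mac.update(seq);
        byte[] digest = Arrays.copyOf(mac.doFinal(message), 8);
        byte[] checksum = handle.update(digest);
        return ByteBuffer.allocate(16).order(ByteOrder.LITTLE_ENDIAN)
                .putInt(1).put(checksum).put(seq).array();
    }

    public static void main(String[] args) throws Exception {
        // Values quoted in the reply above.
        byte[] sessionKey = hex("c7 9a 31 b6 8d b6 4e 3f 84 66 be a3 b2 22 3b c1");
        byte[] replySignKey = hex("a2 b2 1a ed a9 ec d3 f1 3d ff c3 3d e0 1b 59 30");
        byte[] replySealKey = hex("1e bb c6 f3 65 5b dc 13 b3 5b e4 e2 24 eb 71 e2");
        byte[] mechTypes = hex("30 0C 06 0A 2B 06 01 04 01 82 37 02 02 0A");
        byte[] replyMic = hex("01 00 00 00 3b 1f d5 e0 2d 97 5f 97 00 00 00 00");

        byte[] signKey = deriveKey(sessionKey, SIGN_MAGIC);
        byte[] sealKey = deriveKey(sessionKey, SEAL_MAGIC);
        System.out.println("signing key equals reply: " + Arrays.equals(signKey, replySignKey));
        System.out.println("sealing key equals reply: " + Arrays.equals(sealKey, replySealKey));

        // The MechListMIC is the first message signed on the client handle, so SeqNum is 0
        // and the RC4 handle is freshly initialised.
        byte[] mic = signature(replySignKey, sealHandle(replySealKey), 0, mechTypes);
        // Constant-time comparison, as a server verifying the MIC would do.
        System.out.println("MechListMIC equals reply: " + MessageDigest.isEqual(mic, replyMic));
    }
}
```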

  • NTLMv2 Authentication Linux

    I am creating a web services client in Java that is intended to extract data from a sharepoint site. My code works in the windows environment but not in the Linux environment
    I am using Jboss 4.3, jdk1.5.0_14, Linux 2.6.18-53.el5
    I see error message in server log: "*exception in input streamjava.io.IOException: Server returned HTTP response code: 500 for URL: http://MySite/sites/appsite/_vti_bin/Lists.asmx*"
    Java code is as follows:
    URL u = new URL(targetURL);
    URLConnection uc = u.openConnection();
    HttpURLConnection connection = (HttpURLConnection) uc;
    connection.setDoOutput(true);
    connection.setDoInput(true);
    connection.setRequestMethod("POST");
    connection.setRequestProperty("SOAPAction", actionPath);
    connection.setRequestProperty("Content-Type", "text/xml; charset=ISO-8859-1");
    StringBuffer sb= new StringBuffer();
    sb.append("<?xml version='1.0' encoding='utf-8' ?>");
    sb.append("<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">");
    sb.append("<soapenv:Body>");
    sb.append(payload.toString());
    sb.append("</soapenv:Body>");
    sb.append("</soapenv:Envelope>");
    String paramStr= sb.toString();
    String lengthString = String.valueOf(paramStr.length());     
    connection.setRequestProperty("Content-Length", lengthString);
    OutputStream out = connection.getOutputStream();
    wout = new OutputStreamWriter(out);     
    wout.write(paramStr);
    wout.flush();
    wout.close();     
    in = connection.getInputStream();
    sb =new StringBuffer();

    Hi
    I will try to brief you on the problem here. I have a Java web application which talks to a (Microsoft) SharePoint back end through web services. The security (authentication) level for the SharePoint server is set to NTLM v2.0. I am using JDK 1.5.0_14, JBoss 4.3 on the Linux platform.
    I use HttpURLConnection to establish a connection with the SharePoint server. I have attached the code snippet in my previous post. When I run my application on the Windows platform, I can establish a server connection and talk to SharePoint successfully. However, my target environment is Linux. When I test my code in Linux I am not able to talk to SharePoint. All I can see in my server logs is "Response code is 500". On a side note, if I bring down my NTLM version in SharePoint from V2.0 to V1.0, my application works both in Windows and Linux.
    I have tried looking at various sites and didn't find a concrete answer for this issue. I think the JDK version of Linux uses "*sun.net.www.protocol.http.HttpURLConnection*" whereas the Windows JDK uses "*java.net.HttpURLConnection*". There could be some differences in the Linux JDK which is not able to talk to NTLM type authentication.
    Please share thoughts and solution

  • How to use different (not local) user for NTLM auth in Authenticator?

    Hi All,
    I use custom authenticator to provide user / passwords to connect to .NET Web Services. I overloaded function getPasswordAuthentication() that returns right user / password combination for the requested URL. It all works perfectly for many kinds of HTTP connections: basic, ntlm, ntlm-v2, through proxy, ssl, etc.
    My problem is that during NTLM authentication from Windows computers the JVM uses the credentials of the currently logged-in domain user instead of calling the Authenticator to get another user / password provided by the user. When the local user credentials fail to authenticate, the JVM calls my Authenticator, but when authentication is successful it uses the local domain user and never calls my Authenticator. The issue is that when this local domain user does not have enough permissions but authenticated correctly, there is no way to supply the JVM with another user to begin with.
    What can I do to force JVM to ignore local domain user and to use Authenticator to collect credentials during NTLM authentication requested by the server in case the software runs on a Windows box with currently logged in domain user?
    I am looking for the answer for a long time already but found only questions and suggestions to switch server from NTLM authentication which is not an option for me. From the developer's view it has to be pretty simple change for Sun to do in Java networking API. Is there any way to escalate it to Sun support? Maybe there is some property in some JRE patch level that allows to do this?
    Thank you very much!
    Mark

    Thank you for the reply. I have kind of an opposite problem. I can perfectly connect from Linux computers to Microsoft IIS servers using NTLM or even NTLMv2 authentication. My problem is connecting from Windows client computer joined to the same domain as IIS server with the domain user logged in to this computer. In this case this user account will be used in any HTTP connections I initiate to this IIS server instead of the one that I want to supply in my custom Authenticator.
    I have graphical interactive application that connects to IIS Server. When user runs it and connects to IIS server I want to prompt for the user/password regardless whether JRE may correctly authenticate using current user account credentials. The current user may not have enough permissions in IIS application so I want to use different user to login to IIS application.
    Thank you anyway,
    Mark

  • Unable to authenticate to https sites using ntlmv2 on Mac OS 10.6 and Firefox 11.0

    I am using a Mac with OS X 10.6. The Firefox version is 11.0.
    We cannot authenticate to https:// sites that require NTLMv2. We were able to use Firefox on the Mac to authenticate to https:// sites until our organization dropped NTLMv1 and required the use of NTLMv2. The problem on the PC was corrected by using the NTLM plugin but we have never managed to correct the problem on the Mac. The operating system does not appear to be the problem since Safari can authenticate to these sites. I have added the https:// url to the network.negotiate-auth.delegation-uris, network.negotiate-auth.trusted-uris and the network.automatic-ntlm-auth.trusted-uris parameters (which is necessary to correct the problem on the PC). After reading the thread about NTLMv2 authentication in Lion I also set network.automatic-ntlm-auth.allow-proxies and network.negotiate-auth.allow-proxies to false but I still can't authenticate. I also tried creating an nsmb.conf file in /etc with minauth=ntlmv2

    Hi
    Thanks for the posts. I set network.ntlm.send-lm-response to TRUE but the behavior was the same. I changed https:// to http:// and made sure there were no trailing /'s but still cannot authenticate

  • ACS 4.0 to NT Domain with NTLMv2 problem.

    I am trying to authenticate users from a VPN Concentrator (3030) to our NT Domain. We are not running AD yet but we are required to use NTLMv2 authentication on the Domain.
    I want to use ACS4.0 to authenticate Radius w/Expiry from the VPN concentrator and let ACS handle the NTLMv2 part.
    In ACS I have defined my Domain in the External Users Database, I have defined the Unknown User Policy to use the Windows Database, and I have defined the Group Mapping to point to the default group.
    When I run the Authentication test from the VPN setup screen I get a failed request.
    In the CSAuth log I am getting:
    AUTH 02/16/2006 15:13:42 E 0376 1572 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)
    AUTH 02/16/2006 15:13:42 E 0376 1572 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)
    With NTLMv2 turned off and running ACS 3.2 this setup is working (My production network) My only reason for upgrading to ACS4.0 was the NTLMv2 portion.
    Does anyone have any advice? Thanks!

    Please make sure you read this Field Notice:
    http://www-tac.cisco.com/Support_Library/field_alerts/fn62167.html
    Note that, despite the Windows URL mentioning only 2003 server, the 2000 server also supports NTLMv2. Therefore, the following scenarios apply:
    - DC on Win 2003 SP1 - don't require any hotfix since it's included in SP1
    - DC on Win 2000 SP4 - don't require any hotfix since it's included in SP4
    - DC on Win 2003 - require hotfix KB893318

  • NTLM Authentication in the Outlook Anywhere

    I use Exchange Server 2007 SP1 RollUp 6 installed on Windows Server 2008. I need to use Outlook Anywhere from non-domain computers. I tested Outlook Anywhere with Basic and NTLM authentication and all works fine. But when I use NTLM authentication, Outlook prompts for user credentials every time it starts, even though "remember password" was checked. The login and password are remembered in the network passwords of the user, but Outlook prompts for the password again and again when it starts. Exchange is published on port 443 directly (without any listeners)!
    When I connect by VPN and use a TCP/IP connection to the server, Outlook remembers the password without any problems and does not ask for the password again.
    get-OutlookAnywhere:
    ServerName                 : SRVEXCH2
    SSLOffloading              : False
    ExternalHostname           : mail.my_domain.ru
    ClientAuthenticationMethod : Ntlm
    IISAuthenticationMethods   : {Ntlm}
    MetabasePath               : IIS://srvexch2.net.local/W3SVC/1/ROOT/Rpc
    Path                       : C:\Windows\System32\RpcProxy
    Server                     : SRVEXCH2
    AdminDisplayName           :
    ExchangeVersion            : 0.1 (8.0.535.0)
    Name                       : srvexch2
    DistinguishedName          : CN=srvexch2,CN=HTTP,CN=Protocols,CN=SRVEXCH2,CN=Servers,CN=Exchange Administrative Group (
                                 FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=S
                                 ervices,CN=Configuration,DC=net,DC=local
    Identity                   : SRVEXCH2\srvexch2
    Guid                       : 2c24f11b-852c-4948-b236-3f37d071d500
    ObjectCategory             : net.local/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
    ObjectClass                : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
    WhenChanged                : 18.02.2009 14:17:55
    WhenCreated                : 17.02.2009 14:53:36
    OriginatingServer          : dc1.net.local
    IsValid                    : True
    I have tried these cases, but they have not helped with this issue:
    1) Disable kernel mode authentication with this command: %systemroot%\system32\inetsrv\AppCmd.exe set config /section:system.webServer/security/authentication/windowsAuthentication /useKernelMode:false, I  also have unchecked Kernel mode authentication in the properties of Windows Authentication for Default Web site, \Rpc and \Autodiscovery virtual directories.
    2) Modify this registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa lmcompatibilitylevel=3 and 2.
    3) Set NTLM instead of Kerberos on the security tab in the properties of Outlook.
    4) Install domain controller and global catalog roles on the Exchange Server.
    Does anybody have a solution for this issue? Maybe Outlook Anywhere and NTLM do not work at all?

    Have you also seen this:
    You must provide Windows account credentials when you connect to Exchange Server 2003 by using the Outlook 2003 RPC over HTTP feature
    http://support.microsoft.com/kb/820281
    1. Click Start, click Run, type regedit in the Open box, and then press ENTER.
    2. Locate and then click the following registry subkey:
       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\
    3. In the right pane, double-click lmcompatibilitylevel.
    4. In the Value data box, type a value of 2 or 3 that is appropriate for your environment, and then click OK.
    5. Quit Registry Editor.
    6. Restart your computer.
    LmCompatibilityLevel settings
    The LmCompatibilityLevel registry entry can be configured with the following values:
    - LmCompatibilityLevel value of 0: Send LAN Manager (LM) response and NTLM response; never use NTLM version 2 (NTLMv2) session security. Clients use LM and NTLM authentication, and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication.
    - LmCompatibilityLevel value of 1: Use NTLMv2 session security, if negotiated. Clients use LM and NTLM authentication, and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
    - LmCompatibilityLevel value of 2: Send NTLM response only. Clients use only NTLM authentication, and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
    - LmCompatibilityLevel value of 3: Send NTLMv2 response only. Clients use NTLMv2 authentication, and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
    - LmCompatibilityLevel value of 4: (Server Only) - Domain controllers refuse LM responses. Clients use NTLM authentication, and use NTLMv2 session security if the server supports it; domain controllers refuse LM authentication, and accept NTLM and NTLMv2 authentication.
    - LmCompatibilityLevel value of 5: (Server Only) - Domain controllers refuse LM and NTLM responses, and accept only NTLMv2 responses. Clients use NTLMv2 authentication, use NTLMv2 session security if the server supports it; domain controllers refuse NTLM and LM authentication, and accept only NTLMv2 authentication.
    Mike Crowley: MCT, MCSE, MCTS, MCITP: Enterprise Administrator / Messaging Administrator

  • Upgraded to JRE 7.0 cause authentication popup

    Hello all,
    We have an applet application that is hosted in IIS 7.0 with integrated Windows authentication.
    With JRE 1.6 we call the HTML page with the applet without an "Authentication Required" popup.
    Since we upgraded to JRE 7 we always get a popup: "Authentication Required" Enter login details to access <default> on xxx.arcplan.com/10.52.10.25:
    Click to cancel the popup and the applet loads normally.
    In IE 9.0 the loading time takes too long after cancelling the popup.
    It is a big issue and we urgently need a solution for this problem.
    We use Firefox 12 and IE 9.0.
    I appreciate every solution and comment.

    It seems to be the same behaviour as described here: NTLMv2 authentication on proxy server (MS ISA 2006)
    Do you also have a proxy server / firewall in use?

  • SMB connection to Windows 2008R2 File Server Problem

    Hello, I recently migrated a file server from Windows 2003 to Windows 2008R2.  Since the migration, I can no longer use our Canon multi-function printer to scan documents to a network share on the new file server.  The share has Everyone, System and Authenticated Users set to Full control and the NTFS Security is set up for Everyone to modify.  The connection from the Canon uses SMB using a domain account called jdoe.
    I am wondering if the problem is related to the LAN Manager authentication level settings.  On the new file server and domain controllers, Network security: LAN Manager authentication level is set to Send NTLMv2 response only\refuse LM & NTLM.  I have set up a network capture and hope somebody can help me out with determining the problem.
    Here are the details of the error:

    It does seem possible that the NTLMv2 authentication level might be affecting things.  So I would give it a try.  It's difficult to troubleshoot from the image, but I believe there is a flag in the negotiate response that might give you a clue.
    In either case, I think your question would be better served by our networking group, rather than the group that makes the tool.  While we have some general protocol knowledge, we don't have the depth that the experts for each component would have.
    If changing that setting doesn't work we can move this thread over to the right place.
    Thanks,
    Paul

  • NTLM Question

    We have "Send NTLM response only" set on all domain controllers (Windows 2008) and "Send NTLMv2 response only. Refuse NTLM and LM" configured on all member servers. We want to modify the authentication level on DCs to "Send NTLMv2 response only. Refuse NTLM and LM". Do you think we can do this safely, as we have many SQL servers and AS 400 servers in our environment?
    Can you tell me what the authentication protocol is that the domain controller responds with when a member server sends a request to the DC in our environment?

    Hi Michelle,
    For a domain controller, if the LAN Manager authentication level is Send NTLM response only, it will accept LM, NTLM, and NTLMv2 authentication. If the authentication level is Send NTLMv2 response only\refuse LM & NTLM, it will refuse LM and NTLM and accept only NTLMv2 authentication.
    Regarding LAN Manager authentication level, the following article can be referred to for more information.
    LAN Manager authentication level
    http://technet.microsoft.com/en-us/library/cc938105.aspx
    Best regards,
    Frank Shen
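
The LmCompatibilityLevel value list and the domain controller behaviour described in the answers above, as an added Python example (not part of the original posts and not Microsoft code): it parses an NTLM AUTHENTICATE (type 3) message, extracts domain, user and workstation, and tells from the response fields whether the client sent LM, NTLM or NTLMv2. The sample messages, the `SCANNER01` workstation name, the cp437 OEM fallback and the simplified acceptance rule (the strongest response sent decides) are assumptions.

```python
import base64
import struct

# What a domain controller accepts at each LmCompatibilityLevel, per the value
# list quoted on this page (levels 0-3 accept LM, NTLM and NTLMv2).
DC_ACCEPTS = {level: {"LM", "NTLM", "NTLMv2"} for level in range(4)}
DC_ACCEPTS[4] = {"NTLM", "NTLMv2"}
DC_ACCEPTS[5] = {"NTLMv2"}

NEGOTIATE_UNICODE = 0x00000001


def _field(msg, pos):
    """Return the bytes of the security buffer (len, maxlen, offset) at pos."""
    length, _max_len, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]


def classify(lm, nt):
    """Name the response types present in the message, weakest first."""
    if len(nt) > 24:                 # 16-byte proof plus a variable-length blob
        return ["NTLMv2"]
    if len(nt) == 24:
        # An LM field that copies the NT response, or holds a client nonce
        # padded with 16 zero bytes, carries no LM response.
        if len(lm) == 24 and lm != nt and lm[8:] != bytes(16):
            return ["LM", "NTLM"]
        return ["NTLM"]
    return ["LM"] if len(lm) == 24 else []


def parse_authenticate(msg):
    """Extract identity fields and response types from a type 3 message."""
    if len(msg) < 64 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an AUTHENTICATE (type 3) message")
    flags = struct.unpack_from("<I", msg, 60)[0]
    # Assumption: cp437 stands in for the client's OEM code page.
    codec = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"
    domain, user, workstation = (
        _field(msg, pos).decode(codec, "replace") for pos in (28, 36, 44)
    )
    return {
        "domain": domain,
        "user": user,
        "workstation": workstation,
        "responses": classify(_field(msg, 12), _field(msg, 20)),
    }


def parse_http_authorization(value):
    """Handle the value of an 'Authorization: NTLM <base64>' header."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM Authorization header")
    return parse_authenticate(base64.b64decode(token))


def accepted_by_dc(responses, level):
    """Simplified model: the strongest response sent decides the outcome."""
    return bool(responses) and responses[-1] in DC_ACCEPTS[level]


def build_sample(domain, user, workstation, lm_resp, nt_resp):
    """Build a constructed type 3 message for testing (no version or MIC)."""
    fields = [lm_resp, nt_resp] + [
        s.encode("utf-16-le") for s in (domain, user, workstation)
    ] + [b""]                        # empty session key
    header = b"NTLMSSP\x00" + struct.pack("<I", 3)
    payload, offset = b"", 64
    for data in fields:
        header += struct.pack("<HHI", len(data), len(data), offset)
        payload += data
        offset += len(data)
    return header + struct.pack("<I", 0x00000201) + payload


if __name__ == "__main__":
    # Constructed sample: a device that can only send LM and NTLM responses.
    legacy = build_sample("TEST", "jdoe", "SCANNER01",
                          bytes(range(1, 25)), bytes(range(24)))
    info = parse_authenticate(legacy)
    for level in (3, 4, 5):
        print(level, info["responses"], accepted_by_dc(info["responses"], level))
```

Fed the AUTHENTICATE message taken from a capture or an HTTP header, this shows what the client really sent, which is the thing to compare against the server's configured level.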

  • Tiger VPN (PPTP) connection issues

    Hello everyone.
    I'm having major issues trying to connect to office VPN from home; hoping someone can point me in the right direction. (And my profound apologies in advance for the long post -- just trying to make sure to include enough detail to debug whatever might be happening)
    At the office we have a 3Com OfficeConnect VPN Firewall sitting in front of a Microsoft 2003 Exchange server. (3Com product page for this VPN box is http://www.3com.com/products/en_US/detail.jsp?tab=features&sku=3CR870-95&pathtype=purchase). Home connection is a Linksys WRT54GL wireless router in front of a broadband cable modem. PPTP pass-through is enabled in the router config.
    At home I have a WinXP-SP2 laptop and my G4 Powerbook (OS 10.4.7) sitting side-by-side. From the XP laptop, I can get into the VPN using XP's built-in client without any problems. The DNS lookup and authentication steps take about 2-3 seconds combined. Once the connection is established, both external sites (cnn.com) and internal sites (intranet.companyname.local) load in a browser window without any appreciable delay. I can also access Windows shared drives on the internal network without problems, including large (10's of MB or more) file copies to/from the XP laptop's HD.
    On the Powerbook, using Tiger's built-in VPN client, I can connect OK (though the authentication step takes a bit longer, about 4-5 seconds), but after that, almost nothing works. I can ping the internal DNS server, but after a few pings with reasonable delays (~15 millisecond range), the round-trip times suddenly jump to handfuls of seconds. In the browser, trying to load an internal webpage (http://intranet.companyname.local) times out before anything shows up on screen. In Finder, using Go>Connect to Server... very slowly establishes the connection (~10-15 seconds or longer), and sometimes opens a Finder window... but then invariably times out. I have never once had the connection remain stable enough to transfer so much as a single file from the shared volume onto the Powerbook's Desktop before it times out and disconnects.
    On the XP machine, relevant(?) VPN config settings are:
    require secured password
    require data encryption (disconnect if none)
    PPTP VPN
    LCP extensions enabled
    software compression enabled
    multi-link negotiation for single link connections DISABLED
    server type = PPP
    transports = TCP/IP
    authentication = MS CHAP
    encryption = MPPE 128
    compression = none
    PPP multilink framing = off
    and, once the VPN connection is established, parameters are (from "ipconfig /all"):
    Windows IP Configuration
    Host Name . . . . . . . . . . . . : (companyname)-hj2
    Primary Dns Suffix . . . . . . . : (companyname).local
    Node Type . . . . . . . . . . . . : Unknown
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : (companyname).local
    Ethernet adapter Wireless Network Connection:
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Intel(R) PRO/Wireless 2915ABG Network Connection
    Physical Address. . . . . . . . . : XX-XX-XX-XX-XX-XX
    Dhcp Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    IP Address. . . . . . . . . . . . : 192.168.1.104
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.1.1
    DHCP Server . . . . . . . . . . . : 192.168.1.1
    DNS Servers . . . . . . . . . . . : 192.168.1.1
    PPP adapter (ConnectionName):
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
    Physical Address. . . . . . . . . : XX-XX-XX-XX-XX-XX
    Dhcp Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 172.16.0.70
    Subnet Mask . . . . . . . . . . . : 255.255.255.255
    Default Gateway . . . . . . . . . : 172.16.0.70
    DNS Servers . . . . . . . . . . . : 172.16.0.11
    finally, results of "ping -n 10 (InternalServer)":
    Pinging (InternalServer).(companyname).local [172.16.0.5] with 32 bytes of data:
    Reply from 172.16.0.5: bytes=32 time=4ms TTL=128
    Reply from 172.16.0.5: bytes=32 time=10ms TTL=128
    Reply from 172.16.0.5: bytes=32 time=10ms TTL=128
    Ping statistics for 172.16.0.5:
    Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 4ms, Maximum = 10ms, Average = 9ms
    On the Powerbook, I have a VPN (PPTP) connection set up with "Send all traffic over VPN connection" unchecked. In the Network panel of System Preferences, I have tried manually adding (and removing) "local, (companyname).local" in the Search Domains line, and manually adding (and removing) the IPs of our internal DNS servers (172.16.0.5, 172.16.0.11) under the TCP/IP tab. Proxies are turned off in all cases.
    With those settings, the relevant(?) parts of running "ifconfig" from a Terminal window after starting the VPN are as follows:
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    inet 127.0.0.1 netmask 0xff000000
    en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet6 fe80::XXX:XXXX:XXXX:XXXX%en1 prefixlen 64 scopeid 0x5
    inet 192.168.1.100 netmask 0xffffff00 broadcast 192.168.1.255
    ether XX:XX:XX:XX:XX:XX
    media: autoselect status: active
    supported media: autoselect
    fw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 4078
    lladdr XX:XX:XX:XX:XX:XX:XX:XX
    media: autoselect <full-duplex> status: inactive
    supported media: autoselect <full-duplex>
    ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1444
    inet 172.16.0.69 --> 172.16.0.11 netmask 0xffff0000
    The associated connection log from Internet Connect is:
    Tue Jul 18 08:50:57 2006 : PPTP connecting to server 'vpn.(companyname).com' (XXX.XXX.XXX.XXX)...
    Tue Jul 18 08:50:57 2006 : PPTP connection established.
    Tue Jul 18 08:50:58 2006 : using link 0
    Tue Jul 18 08:50:58 2006 : Using interface ppp0
    Tue Jul 18 08:50:58 2006 : Connect: ppp0 <--> socket[34:17]
    Tue Jul 18 08:50:58 2006 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xb851f701> <pcomp> <accomp>]
    Tue Jul 18 08:50:58 2006 : rcvd [LCP ConfReq id=0x1 <mru 1492> <auth chap MS> <magic 0x80697000>]
    Tue Jul 18 08:50:58 2006 : lcp_reqci: returning CONFACK.
    Tue Jul 18 08:50:58 2006 : sent [LCP ConfAck id=0x1 <mru 1492> <auth chap MS> <magic 0x80697000>]
    Tue Jul 18 08:50:58 2006 : rcvd [LCP ConfRej id=0x1 <asyncmap 0x0> <pcomp> <accomp>]
    Tue Jul 18 08:50:58 2006 : sent [LCP ConfReq id=0x2 <magic 0xb851f701>]
    Tue Jul 18 08:50:58 2006 : rcvd [LCP ConfAck id=0x2 <magic 0xb851f701>]
    Tue Jul 18 08:50:58 2006 : sent [LCP EchoReq id=0x0 magic=0xb851f701]
    Tue Jul 18 08:50:58 2006 : rcvd [CHAP Challenge id=0x1 <4f0656add65818c2>, name = "Guest"]
    Tue Jul 18 08:50:58 2006 : sent [CHAP Response id=0x1 <0000000000000000000000000000000000000000000000004c86e5ccf08b95431034ef14706021 d358dc21b96a59157301>, name = "(UserName)"]
    Tue Jul 18 08:50:58 2006 : rcvd [LCP EchoRep id=0x0 magic=0x80697000]
    Tue Jul 18 08:50:58 2006 : rcvd [CHAP Success id=0x1 "Authentication succeeded, welcome!"]
    Tue Jul 18 08:50:58 2006 : CHAP authentication succeeded: Authentication succeeded, welcome!
    Tue Jul 18 08:50:58 2006 : Disabling 40-bit MPPE; MS-CHAP LM not supported
    Tue Jul 18 08:50:58 2006 : sent [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
    Tue Jul 18 08:50:58 2006 : rcvd [IPCP ConfReq id=0x1 <addr 172.16.0.11> <ms-dns3 0.0.0.0> <ms-wins 0.0.0.0>]
    Tue Jul 18 08:50:58 2006 : sent [IPCP TermAck id=0x1]
    Tue Jul 18 08:50:58 2006 : rcvd [CCP ConfReq id=0x1 <mppe +H +M +S +L -D -C>]
    Tue Jul 18 08:50:58 2006 : sent [CCP ConfNak id=0x1 <mppe +H -M +S -L -D -C>]
    Tue Jul 18 08:50:58 2006 : rcvd [CCP ConfAck id=0x1 <mppe +H -M +S -L -D -C>]
    Tue Jul 18 08:50:58 2006 : rcvd [CCP ConfReq id=0x2 <mppe +H -M +S -L -D -C>]
    Tue Jul 18 08:50:58 2006 : sent [CCP ConfAck id=0x2 <mppe +H -M +S -L -D -C>]
    Tue Jul 18 08:50:58 2006 : MPPE 128-bit stateless compression enabled
    Tue Jul 18 08:50:58 2006 : sent [IPCP ConfReq id=0x1 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns3 0.0.0.0>]
    Tue Jul 18 08:50:58 2006 : sent [IPV6CP ConfReq id=0x1 <addr fe80::020a:95ff:fea5:564c>]
    Tue Jul 18 08:50:58 2006 : sent [ACSCP] 01 01 00 10 01 06 00 00 00 01 02 06 00 00 00 01
    Tue Jul 18 08:50:58 2006 : rcvd [LCP ProtRej id=0x1 80 57 01 01 00 0e 01 0a 02 0a 95 ff fe a5 56 4c]
    Tue Jul 18 08:50:58 2006 : rcvd [LCP ProtRej id=0x2 82 35 01 01 00 10 01 06 00 00 00 01 02 06 00 00 00 01]
    Tue Jul 18 08:50:58 2006 : rcvd [IPCP ConfRej id=0x1 <ms-dns3 0.0.0.0>]
    Tue Jul 18 08:50:58 2006 : sent [IPCP ConfReq id=0x2 <addr 0.0.0.0> <ms-dns1 0.0.0.0>]
    Tue Jul 18 08:50:58 2006 : rcvd [IPCP ConfNak id=0x2 <addr 172.16.0.69> <ms-dns1 172.16.0.11>]
    Tue Jul 18 08:50:58 2006 : sent [IPCP ConfReq id=0x3 <addr 172.16.0.69> <ms-dns1 172.16.0.11>]
    Tue Jul 18 08:50:58 2006 : rcvd [IPCP ConfAck id=0x3 <addr 172.16.0.69> <ms-dns1 172.16.0.11>]
    Tue Jul 18 08:51:01 2006 : sent [IPCP ConfReq id=0x3 <addr 172.16.0.69> <ms-dns1 172.16.0.11>]
    Tue Jul 18 08:51:01 2006 : rcvd [IPCP ConfAck id=0x3 <addr 172.16.0.69> <ms-dns1 172.16.0.11>]
    Tue Jul 18 08:51:04 2006 : sent [IPCP ConfReq id=0x3 <addr 172.16.0.69> <ms-dns1 172.16.0.11>]
    Tue Jul 18 08:51:04 2006 : rcvd [IPCP ConfAck id=0x3 <addr 172.16.0.69> <ms-dns1 172.16.0.11>]
    Tue Jul 18 08:51:07 2006 : sent [IPCP ConfReq id=0x3 <addr 172.16.0.69> <ms-dns1 172.16.0.11>]
    Tue Jul 18 08:51:07 2006 : rcvd [IPCP ConfAck id=0x3 <addr 172.16.0.69> <ms-dns1 172.16.0.11>]
    Tue Jul 18 08:51:08 2006 : rcvd [IPCP ConfReq id=0x1 <addr 172.16.0.11> <ms-dns3 0.0.0.0> <ms-wins 0.0.0.0>]
    Tue Jul 18 08:51:08 2006 : ipcp: returning Configure-REJ
    Tue Jul 18 08:51:08 2006 : sent [IPCP ConfRej id=0x1 <ms-dns3 0.0.0.0> <ms-wins 0.0.0.0>]
    Tue Jul 18 08:51:08 2006 : rcvd [IPCP ConfReq id=0x2 <addr 172.16.0.11>]
    Tue Jul 18 08:51:08 2006 : ipcp: returning Configure-ACK
    Tue Jul 18 08:51:08 2006 : sent [IPCP ConfAck id=0x2 <addr 172.16.0.11>]
    Tue Jul 18 08:51:08 2006 : ipcp: up
    Tue Jul 18 08:51:08 2006 : local IP address 172.16.0.69
    Tue Jul 18 08:51:08 2006 : remote IP address 172.16.0.11
    Tue Jul 18 08:51:08 2006 : primary DNS address 172.16.0.11
    The problem is that despite this apparently successful negotiation, the VPN connection doesn't really work. If I type "intranet" into the browser URL bar, it doesn't pick it up as "intranet.companyname.local" and instead treats this as a search query, which it passes to google... which times out. If I type "intranet.companyname.local" into the URL bar instead, it appears to do the DNS lookup correctly... but then times out again.
    Ping times look like this at first:
    PING (InternalServer).(companyname).local (172.16.0.5): 56 data bytes
    64 bytes from 172.16.0.5: icmp_seq=0 ttl=128 time=16.605 ms
    64 bytes from 172.16.0.5: icmp_seq=1 ttl=128 time=15.920 ms
    64 bytes from 172.16.0.5: icmp_seq=2 ttl=128 time=16.154 ms
    ^C
    --- (InternalServer).(companyname).local ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 15.920/16.226/16.605/0.284 ms
    ... but then if I try it again two seconds later:
    PING (InternalServer).(companyname).local (172.16.0.5): 56 data bytes
    64 bytes from 172.16.0.5: icmp_seq=0 ttl=128 time=727.144 ms
    64 bytes from 172.16.0.5: icmp_seq=1 ttl=128 time=1727.030 ms
    64 bytes from 172.16.0.5: icmp_seq=2 ttl=128 time=2727.260 ms
    64 bytes from 172.16.0.5: icmp_seq=3 ttl=128 time=3726.747 ms
    64 bytes from 172.16.0.5: icmp_seq=4 ttl=128 time=5723.986 ms
    64 bytes from 172.16.0.5: icmp_seq=5 ttl=128 time=5719.810 ms
    64 bytes from 172.16.0.5: icmp_seq=6 ttl=128 time=6720.334 ms
    64 bytes from 172.16.0.5: icmp_seq=7 ttl=128 time=6719.848 ms
    ^C
    --- (InternalServer).(companyname).local ping statistics ---
    15 packets transmitted, 8 packets received, 46% packet loss
    round-trip min/avg/max/stddev = 727.144/4224.020/6720.334/2176.543 ms
    OK, enough for now. Can anyone spot what I might be doing wrong, and/or suggest something to try to remedy this? If there is any additional logging/debug info that would be useful, please ask and I will track it down.
    Thanks very much in advance!!! /HJ

    Problem not entirely solved, but mostly working now. It turns out the issue was with the 3Com OfficeConnect VPN box. It was causing all sorts of headaches and had to be manually power cycled at least once a week, so we ditched it and got a Linux-based Firewall/VPN appliance (http://www.ingate.com/ingate_vpn.php).
    Now I can connect and mount Windows drives via SMB (both the command line and the Finder's "Connect to Server" approach seem to work). Performance still exhibits annoying lags at random times, and occasionally the VPN connection disconnects for no good reason, but at least I can get at my files from home. The other issues -- such as being able to resolve "xxx.yyy.local" addresses in the browser by making sure I hit the internal DNS server before any external ones -- all seem to be network configuration issues on my end.
    In short, my guess is that the 3Com box was causing issues with some low-level timing parameters or other related settings in how the VPN connection was being established. I was just starting to teach myself about ARP tables, NTLMv2 authentication, and the like when we replaced it with the new firewall.
    Hope this helps.
    /Heywood

  • SMB Logon: ImPossible after Restart

    Hello
    Since the introduction of OS X 10.8 and its OS X Server we have a real problem with SMB logon.
    When the server is restarted it is not possible to connect over SMB to the OS X Server. It always comes back with unknown user. We have about 8 servers and all have the same problem.
    The Windows clients connect to the SMB server of OS X with a netlogin.bat. Our HP MFC printers also use SMB to drop the scans to an SMB SharePoint because the OS X scan driver is too slow.
    I opened a lot of cases about this problem with Apple but we still got no fix, only a workaround.
    Every time we restart the server we need to do a lot of manual handling, which makes me angry.
    1) First connect with SSH to the server and run the following CLI commands:
    sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AclsEnabled -bool YES
    sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AclsEnabled -bool NO
    sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AclsEnabled -bool YES
    2) Then we need to deactivate file sharing a couple of times until we are able to connect with SMB.
    It is not acceptable to me that Apple hasn't fixed this bug for 1 year now!
    Do other OS X Server users not have the same problem?
    Is there a way to fix this?
    Regards
    Gérard

    I really have no idea how to put OD in debug mode and read the log to see what happens there.
    Here are some entries of the Protocol in the Server app:
    -- Start: Server rolled log on: Jul  5 2013 09:20:53 --
    Jul  5 2013 09:50:58 264129us    Error: command: slapconfig -updateaddresses, exitcode = 70.
    Jul  5 2013 10:06:23 685419us    Error: command: slapconfig -updateaddresses, exitcode = 70.
    Jul  5 2013 11:44:10 992457us    Error: command: slapconfig -updateaddresses, exitcode = 70.
    Jul  5 2013 14:14:20 121879us    Error: command: slapconfig -updateaddresses, exitcode = 70.
    Jul  5 2013 14:47:19 184105us    Error: command: slapconfig -updateaddresses, exitcode = 70.
    Jul  5 2013 15:11:44 486325us    Error: command: slapconfig -updateaddresses, exitcode = 70.
    Jul  5 2013 23:20:57 436530us    Error: command: slapconfig -updateaddresses, exitcode = 70.
    Jul  6 2013 00:55:57 112150us    Registration is finished error: (10, -72000).
    Jul  6 2013 00:55:57 114761us    Registration is finished error: (10, -72000).
    Jul  6 2013 01:30:51 582585us    Error: command: slapconfig -updateaddresses, exitcode = 70.
    and the Server Error Protocol:
    -- Start: Server rolled log on: Jul  5 2013 13:48:04 --
    Jul  5 2013 13:48:23 620378us    TestPolicies: updating last login time
    Jul  5 2013 13:48:23 637037us    AUTH2: {0x09b08398d2af11e28687a8206645a020, fundus} SMB-NTLMv2 authentication succeeded.
    Jul  5 2013 14:00:09 362424us    DoAuth: {0x09b08398d2af11e28687a8206645a020, fundus} SMB-NTLMv2 authentication failed, SASL error -13 (password incorrect).
    Jul  5 2013 14:00:22 422622us    TestPolicies: updating last login time
    Jul  5 2013 14:00:22 433835us    AUTH2: {0x09b08398d2af11e28687a8206645a020, fundus} SMB-NTLMv2 authentication succeeded.
    Jul  5 2013 14:07:45 173761us    GETPOLICY: user {0x09b08398d2af11e28687a8206645a020, fundus}.
    Jul  5 2013 14:07:45 179319us    GETPOLICY: user {0xf979873ad29b11e288d0a8206645a020, untersuchung1}.
    Jul  5 2013 14:07:45 183144us    GETPOLICY: user {0x0512babcd29c11e288d0a8206645a020, untersuchung2}.
    Jul  5 2013 14:07:45 187326us    GETPOLICY: user {0xfcf3b5c6d2ae11e28687a8206645a020, perimeter}.
    Jul  5 2013 14:07:45 265953us    GETPOLICY: user {0x2d981648d2b111e28687a8206645a020, scanner}.
    Jul  5 2013 14:07:45 394862us    GETPOLICY: user {0xafb8a37cd11211e2a9d6a8206645a020, wagnerdiradmin}.
    Jul  5 2013 14:07:45 522851us    GETPOLICY: user {0xee64fed8d29b11e288d0a8206645a020, empfang}.
    Jul  5 2013 14:07:51 931139us    GETPOLICY: user {0x7bcb13a0d2e911e2adcba8206645a020, vpnadmin}.
    Jul  5 2013 14:14:09 952722us    AUTH2: {0x7bcb13a0d2e911e2adcba8206645a020, vpnadmin} MS-CHAPv2 authentication succeeded.
    Jul  5 2013 14:14:10 36514us    A network transition was received.
    Jul  5 2013 14:14:20 38006us    Initializing TCP ...
    Jul  5 2013 14:14:20 38137us    Updating interface list due to a network transition.
    Jul  5 2013 14:26:25 250162us    DoAuth: {0x09b08398d2af11e28687a8206645a020, fundus} SMB-NTLMv2 authentication failed, SASL error -13 (password incorrect).
    Jul  5 2013 14:26:54 124886us    TestPolicies: updating last login time
    Jul  5 2013 14:26:54 139890us    AUTH2: {0x09b08398d2af11e28687a8206645a020, fundus} SMB-NTLMv2 authentication succeeded.
    Jul  5 2013 14:47:09 87096us    A network transition was received.
    Jul  5 2013 14:47:19 88857us    Initializing TCP ...
    Jul  5 2013 14:47:19 88942us    Updating interface list due to a network transition.
    Jul  5 2013 14:47:41 647489us    A network transition was received.
    Jul  5 2013 14:47:51 649475us    Initializing TCP ...
    Jul  5 2013 14:47:51 649592us    Updating interface list due to a network transition.
    Jul  5 2013 14:55:58 788745us    AUTH2: {0x09b08398d2af11e28687a8206645a020, fundus} SMB-NTLMv2 authentication succeeded.
    Jul  5 2013 15:11:34 167067us    AUTH2: {0x7bcb13a0d2e911e2adcba8206645a020, vpnadmin} MS-CHAPv2 authentication succeeded.
    Jul  5 2013 15:11:34 177007us    AUTH2: {0xb6ed29c4d11211e28e03a8206645a020, vpn_0c35fb2dc3c9} MS-CHAPv2 authentication succeeded.
    Jul  5 2013 15:11:34 177685us    GETPPTPKEYS: requested
    Jul  5 2013 15:11:34 382815us    A network transition was received.
    Jul  5 2013 15:11:44 383780us    Initializing TCP ...
    Jul  5 2013 15:11:44 383853us    Updating interface list due to a network transition.
    Jul  5 2013 15:16:52 222893us    A network transition was received.
    Jul  5 2013 15:17:02 224886us    Initializing TCP ...
    Jul  5 2013 15:17:02 225005us    Updating interface list due to a network transition.
    Jul  5 2013 17:59:11 670577us    AUTH2: {0x09b08398d2af11e28687a8206645a020, fundus} SMB-NTLMv2 authentication succeeded.
    Jul  5 2013 23:20:47 220832us    AUTH2: {0x7bcb13a0d2e911e2adcba8206645a020, vpnadmin} MS-CHAPv2 authentication succeeded.
    Jul  5 2013 23:20:47 325856us    A network transition was received.
    Jul  5 2013 23:20:57 326615us    Initializing TCP ...
    Jul  5 2013 23:20:57 326672us    Updating interface list due to a network transition.
    Jul  5 2013 23:37:02 392640us    GETPOLICY: user {0x09b08398d2af11e28687a8206645a020, fundus}.
    Jul  5 2013 23:37:02 397424us    GETPOLICY: user {0xf979873ad29b11e288d0a8206645a020, untersuchung1}.
    Jul  5 2013 23:37:02 401367us    GETPOLICY: user {0x0512babcd29c11e288d0a8206645a020, untersuchung2}.
    Jul  5 2013 23:37:02 405085us    GETPOLICY: user {0xfcf3b5c6d2ae11e28687a8206645a020, perimeter}.
    Jul  5 2013 23:37:02 408627us    GETPOLICY: user {0x2d981648d2b111e28687a8206645a020, scanner}.
    Jul  5 2013 23:37:02 412482us    GETPOLICY: user {0xafb8a37cd11211e2a9d6a8206645a020, wagnerdiradmin}.
    Jul  5 2013 23:37:02 415734us    GETPOLICY: user {0xee64fed8d29b11e288d0a8206645a020, empfang}.
    Jul  5 2013 23:52:54 825721us    AUTH2: {0xee64fed8d29b11e288d0a8206645a020, empfang} DIGEST-MD5 authentication succeeded.
    Jul  5 2013 23:54:59 558974us    AUTH2: {0xf979873ad29b11e288d0a8206645a020, untersuchung1} DIGEST-MD5 authentication succeeded.
    Jul  5 2013 23:55:26 187360us    AUTH2: {0x0512babcd29c11e288d0a8206645a020, untersuchung2} DIGEST-MD5 authentication succeeded.
    Jul  6 2013 00:32:12 917581us    AUTH2: {0xee64fed8d29b11e288d0a8206645a020, empfang} SMB-NTLMv2 authentication succeeded.
    Jul  6 2013 00:55:33 271826us    A network transition was received.
    Jul  6 2013 00:55:43 273466us    Initializing TCP ...
    Jul  6 2013 00:55:43 273555us    Updating interface list due to a network transition.
    Jul  6 2013 00:55:57 123864us    Stopping server processes ...
    Jul  6 2013 00:55:57 123896us    Closing all incoming connections ...
    Jul  6 2013 00:55:57 123911us    StopCentralThreads: Stopping Connection Listeners ...
    Jul  6 2013 00:55:57 124772us    StopCentralThreads: Current Threads: 5
    Jul  6 2013 00:55:57 124796us    Stopping Network Processes ...
    Jul  6 2013 00:55:57 124808us    Deinitializing networking ...
    Jul  6 2013 00:55:57 124827us    Server Processes Stopped ...
    Jul  6 2013 00:55:57 124854us    RunAppThread Stopped
    Jul  6 2013 00:55:57 124870us    RunAppThread Deleted
    Jul  6 2013 00:55:58 958531us    Mac OS X Password Service (pid = 102) was shut down at: Sat Jul  6 00:55:58 2013
    Jul  6 2013 00:56:08 288653us    Mac OS X Password Service version 387.2 (pid = 76) was started at: Sat Jul  6 00:56:08 2013
    Jul  6 2013 00:56:08 289386us    RunAppThread Created
    Jul  6 2013 00:56:08 289870us    RunAppThread Started
    Jul  6 2013 00:56:08 289895us    Initializing Server Globals ...
    Jul  6 2013 00:56:08 310213us    Initializing Networking ...
    Jul  6 2013 00:56:08 310263us    Initializing TCP ...
    Jul  6 2013 00:56:09 460149us    SASL is using realm "server8590.praxiswagner.lan"
    Jul  6 2013 00:56:09 460204us    Starting Central Thread ...
    Jul  6 2013 00:56:09 460219us    Starting other server processes ...
    Jul  6 2013 00:56:09 460231us    StartCentralThreads: 1 threads to stop
    Jul  6 2013 00:56:09 460277us    Initializing TCP ...
    Jul  6 2013 00:56:09 460312us    Starting TCP/IP Listener on ethernet interface, port 106
    Jul  6 2013 00:56:09 460392us    Starting TCP/IP Listener on ethernet interface, port 3659
    Jul  6 2013 00:56:09 460424us    Starting TCP/IP Listener on interface lo0, port 106
    Jul  6 2013 00:56:09 460451us    Starting TCP/IP Listener on interface lo0, port 3659
    Jul  6 2013 00:56:09 460477us    StartCentralThreads: Created 4 TCP/IP Connection Listeners
    Jul  6 2013 00:56:09 460490us    Starting UNIX domain socket listener /var/run/passwordserver
    Jul  6 2013 00:56:09 462171us    Finished starting other server processes ...
    Jul  6 2013 00:56:09 462197us    -- Password Server successfully started --
    Jul  6 2013 00:56:09 462210us    -- Start time: 1 sec, 189 msec --
    Jul  6 2013 00:56:14 486488us    A network transition was received.
    Jul  6 2013 00:57:31 107158us    Initializing TCP ...
    Jul  6 2013 00:57:31 107229us    Updating interface list due to a network transition.
    Jul  6 2013 01:30:41 200140us    RSAVALIDATE: success.
    Jul  6 2013 01:30:41 207041us    AUTH2: {0x7bcb13a0d2e911e2adcba8206645a020, vpnadmin} MS-CHAPv2 authentication succeeded.
    Jul  6 2013 01:30:41 437596us    A network transition was received.
    Jul  6 2013 01:30:51 439631us    Initializing TCP ...
    Jul  6 2013 01:30:51 439715us    Updating interface list due to a network transition.
    Jul  6 2013 01:35:27 958136us    GETPOLICY: user {0x09b08398d2af11e28687a8206645a020, fundus}.
    Jul  6 2013 01:35:27 964304us    GETPOLICY: user {0xf979873ad29b11e288d0a8206645a020, untersuchung1}.
    Jul  6 2013 01:35:27 968991us    GETPOLICY: user {0x0512babcd29c11e288d0a8206645a020, untersuchung2}.
    Jul  6 2013 01:35:27 973478us    GETPOLICY: user {0xfcf3b5c6d2ae11e28687a8206645a020, perimeter}.
    Jul  6 2013 01:35:27 978904us    GETPOLICY: user {0x2d981648d2b111e28687a8206645a020, scanner}.
    Jul  6 2013 01:35:27 984291us    GETPOLICY: user {0xafb8a37cd11211e2a9d6a8206645a020, wagnerdiradmin}.
    Jul  6 2013 01:35:27 988411us    GETPOLICY: user {0x7bcb13a0d2e911e2adcba8206645a020, vpnadmin}.
    Jul  6 2013 01:35:27 993258us    GETPOLICY: user {0xee64fed8d29b11e288d0a8206645a020, empfang}.
    Jul  6 2013 01:41:17 304670us    AUTH2: {0x2d981648d2b111e28687a8206645a020, scanner} SMB-NTLMv2 authentication succeeded.
    Jul  6 2013 01:48:47 163963us    AUTH2: {0xee64fed8d29b11e288d0a8206645a020, empfang} SMB-NTLMv2 authentication succeeded.
    Jul  6 2013 01:53:01 383104us    AUTH2: {0xee64fed8d29b11e288d0a8206645a020, empfang} DIGEST-MD5 authentication succeeded.
    Jul  6 2013 02:52:30 645142us    AUTH2: {0xf979873ad29b11e288d0a8206645a020, untersuchung1} DIGEST-MD5 authentication succeeded.
    Jul  6 2013 02:54:22 41424us    AUTH2: {0xf979873ad29b11e288d0a8206645a020, untersuchung1} DIGEST-MD5 authentication succeeded.
    Jul  6 2013 02:54:33 870304us    AUTH2: {0x0512babcd29c11e288d0a8206645a020, untersuchung2} DIGEST-MD5 authentication succeeded.
    Jul  6 2013 03:00:50 17283us    AUTH2: {0x0512babcd29c11e288d0a8206645a020, untersuchung2} DIGEST-MD5 authentication succeeded.
    Jul  6 2013 03:01:20 245707us    AUTH2: {0xee64fed8d29b11e288d0a8206645a020, empfang} DIGEST-MD5 authentication succeeded.
    Jul  6 2013 03:24:45 454203us    A network transition was received.
    Jul  6 2013 03:24:55 456152us    Initializing TCP ...
    Jul  6 2013 03:24:55 456230us    Updating interface list due to a network transition.
    Jul  6 2013 03:44:22 687941us    GETPOLICY: user {0x09b08398d2af11e28687a8206645a020, fundus}.
    Jul  6 2013 03:44:22 692675us    GETPOLICY: user {0xf979873ad29b11e288d0a8206645a020, untersuchung1}.
    Jul  6 2013 03:44:22 697508us    GETPOLICY: user {0x0512babcd29c11e288d0a8206645a020, untersuchung2}.
    Jul  6 2013 03:44:22 702690us    GETPOLICY: user {0xfcf3b5c6d2ae11e28687a8206645a020, perimeter}.
    Jul  6 2013 03:44:22 707306us    GETPOLICY: user {0x2d981648d2b111e28687a8206645a020, scanner}.
    Jul  6 2013 03:44:22 712501us    GETPOLICY: user {0xafb8a37cd11211e2a9d6a8206645a020, wagnerdiradmin}.
    Jul  6 2013 03:44:22 717495us    GETPOLICY: user {0x7bcb13a0d2e911e2adcba8206645a020, vpnadmin}.
    Jul  6 2013 03:44:22 722236us    GETPOLICY: user {0xee64fed8d29b11e288d0a8206645a020, empfang}.
    Jul  6 2013 03:47:14 3411us    GETPOLICY: user {0x09b08398d2af11e28687a8206645a020, fundus}.
    Jul  6 2013 03:47:14 8520us    GETPOLICY: user {0xf979873ad29b11e288d0a8206645a020, untersuchung1}.
    Jul  6 2013 03:47:14 12465us    GETPOLICY: user {0x0512babcd29c11e288d0a8206645a020, untersuchung2}.
    Jul  6 2013 03:47:14 16206us    GETPOLICY: user {0xfcf3b5c6d2ae11e28687a8206645a020, perimeter}.
    Jul  6 2013 03:47:14 19713us    GETPOLICY: user {0x2d981648d2b111e28687a8206645a020, scanner}.
    Jul  6 2013 03:47:14 23234us    GETPOLICY: user {0xafb8a37cd11211e2a9d6a8206645a020, wagnerdiradmin}.
    Jul  6 2013 03:47:14 26323us    GETPOLICY: user {0x7bcb13a0d2e911e2adcba8206645a020, vpnadmin}.
    Jul  6 2013 03:47:14 29406us    GETPOLICY: user {0xee64fed8d29b11e288d0a8206645a020, empfang}.

  • Authentication on local SQL Server 2008 R2 Express server fails after Lan Manager authentication level changed to "Send NTLMv2 response only\refuse LM & NTLM"

    I'm upgrading my organisation's Active Directory environment and I've created a replica of our environment in a test lab.
    One medium-priority application uses a SQL server express installation on the same server that the application itself sits on.
    The application itself recently broke after I changed the following setting in group policy:
    "Send LM & NTLM - use NTLMv2 session security if negotiated"
    to
    "Send NTLMv2 response only\refuse LM & NTLM"
    The main intent was to determine which applications will break if any - I was very surprised when troubleshooting this particular application to find that the issue was actually with SQL Server express itself.
    The errors I get are as follows (note that there are hundreds of them, all the same two):
    Log Name:      Application
     Source:        MSSQL$SQLEXPRESS
     Date:          1/19/2015 2:53:28 PM
     Event ID:      18452
     Task Category: Logon
     Level:         Information
     Keywords:      Classic,Audit Failure
     User:          N/A
     Computer:      APP1.test.dev
     Description:
     Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. [CLIENT: 127.0.0.1]
     Event Xml:
     <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
       <System>
         <Provider Name="MSSQL$SQLEXPRESS" />
         <EventID Qualifiers="49152">18452</EventID>
         <Level>0</Level>
         <Task>4</Task>
         <Keywords>0x90000000000000</Keywords>
         <TimeCreated SystemTime="2015-01-19T22:53:28.000000000Z" />
         <EventRecordID>37088</EventRecordID>
         <Channel>Application</Channel>
         <Computer>APP1.test.dev</Computer>
         <Security />
       </System>
       <EventData>
         <Data> [CLIENT: 127.0.0.1]</Data>
         <Binary>144800000E00000017000000570053004C004400430054004D00540052004D0053005C00530051004C0045005800500052004500530053000000070000006D00610073007400650072000000</Binary>
       </EventData>
     </Event>
    Log Name:      Application
     Source:        MSSQL$SQLEXPRESS
     Date:          1/19/2015 2:53:29 PM
     Event ID:      17806
     Task Category: Logon
     Level:         Error
     Keywords:      Classic
     User:          N/A
     Computer:      APP1.test.dev
     Description:
     SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure.  [CLIENT: 127.0.0.1].
    Event Xml:
     <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
       <System>
         <Provider Name="MSSQL$SQLEXPRESS" />
         <EventID Qualifiers="49152">17806</EventID>
         <Level>2</Level>
         <Task>4</Task>
         <Keywords>0x80000000000000</Keywords>
         <TimeCreated SystemTime="2015-01-19T22:53:29.000000000Z" />
         <EventRecordID>37089</EventRecordID>
         <Channel>Application</Channel>
         <Computer>APP1.test.dev</Computer>
         <Security />
       </System>
       <EventData>
         <Data>8009030c</Data>
         <Data>14</Data>
         <Data>AcceptSecurityContext failed. The Windows error code indicates the cause of failure.</Data>
         <Data> [CLIENT: 127.0.0.1]</Data>
         <Binary>8E4500001400000017000000570053004C004400430054004D00540052004D0053005C00530051004C004500580050005200450053005300000000000000</Binary>
       </EventData>
     </Event>
    All of the documentation that I have followed suggests that the errors are caused by incorrect SPN configuration - I figured that they were never correct and it has always failed over to NTLM in the test environment (I can't look at production - we couldn't replicate the setup due to special hardware and also RAM considerations), but only NTLMv2 has issues.
    So I spent some time troubleshooting this. We have a 2003 forest/domain functional level, so our service accounts can't automatically register the SPN. I delegated the write/read service principal name ACEs in Active Directory. SQL Server confirms that it is able to register the SPN.
    So next I researched more into what is needed for Kerberos to work, and it seems that Kerberos is not used when authenticating with a resource on the same computer:
    http://msdn.microsoft.com/en-us/library/ms191153.aspx
    In any scenario that the correct username is supplied, "Local connections use NTLM, remote connections use Kerberos". So the above errors are not Kerberos (since it is a local connection it will use NTLM). It makes sense I guess - since it worked in the past when LM/NTLM were allowed, I don't see how changing the Lan Manager settings would affect Kerberos.
    So I guess my question is:
    What can I do to fix this? It looks like the SQL server is misconfigured for NTLMv2 (I really doubt it's a problem with the protocol itself...). I have reset the SQL service or the server a number of times. Also - all of my other SQL applications in the environment work. This specific case where the application is authenticating to a local SQL installation is where I get the failure - works with LAN Manager authentication set to "Send LM & NTLM - use NTLMv2 session security if negotiated", but not "Send NTLMv2 response only\refuse LM & NTLM".
    Note also - this behaviour is identical whether I set the Lan Manager authentication level at the domain or domain controller level in Active Directory - I did initially figure I had set up some kind of mismatch where neither would agree on the authentication protocol to use but this isn't the case.

    Maybe your application doesn't support "Send NTLMv2 response only. Refuse LM & NTLM".
    https://support.software.dell.com/zh-cn/foglight/kb/133971
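
A triage helper for the situation described in the thread above, added here as an example and not part of the original posts: it parses exported Application-log Event XML, keeps SQL Server events 18452 and 17806, and groups them by client address and SSPI status so that loopback (local NTLM) failures stand out after a LAN Manager authentication level change. The `<Events>` wrapper, the sample events and the 10.0.0.25 address are constructed assumptions.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
WATCHED = {"18452", "17806"}  # the two SQL Server events quoted in the post
CLIENT_RE = re.compile(r"\[CLIENT:\s*([0-9A-Fa-f.:]+)\s*\]")
EVENT = ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
         '<System><Provider Name="MSSQL$SQLEXPRESS" /><EventID Qualifiers="49152">'
         '{eid}</EventID><Computer>APP1.test.dev</Computer></System>'
         '<EventData>{data}</EventData></Event>')
SSPI = "<Data>8009030c</Data><Data>14</Data><Data>AcceptSecurityContext failed.</Data>"
# Constructed sample export modelled on the post's events; 10.0.0.25 is made up.
SAMPLE = "<Events>" + "".join([
    EVENT.format(eid=18452, data="<Data> [CLIENT: 127.0.0.1]</Data>"),
    EVENT.format(eid=17806, data=SSPI + "<Data> [CLIENT: 127.0.0.1]</Data>"),
    EVENT.format(eid=17806, data=SSPI + "<Data> [CLIENT: 10.0.0.25]</Data>"),
    EVENT.format(eid=4096, data="<Data>unrelated</Data>"),
]) + "</Events>"


def parse_failures(xml_text):
    """Return one dict per watched event: id, client, loopback flag, SSPI code."""
    rows = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        event_id = ev.findtext("e:System/e:EventID", default="", namespaces=NS)
        if event_id not in WATCHED:
            continue
        data = [(d.text or "").strip() for d in ev.iterfind("e:EventData/e:Data", NS)]
        client = next((m.group(1) for m in map(CLIENT_RE.search, data) if m), None)
        try:
            loopback = ipaddress.ip_address(client or "").is_loopback
        except ValueError:  # no client field, or not a valid address
            loopback = False
        # 17806 carries the SSPI status as bare hex in its first Data item.
        code = None
        if event_id == "17806" and data and re.fullmatch(r"[0-9A-Fa-f]{8}", data[0]):
            code = "0x" + data[0].lower()
        rows.append({"event_id": int(event_id), "client": client,
                     "loopback": loopback, "sspi_code": code})
    return rows


def summarise(rows):
    """Count failures per (event id, client, SSPI code) to rank what breaks most."""
    return Counter((r["event_id"], r["client"], r["sspi_code"]) for r in rows)
```

Rows with `loopback` set to true are the local-connection case the post describes, where the connection uses NTLM rather than Kerberos.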
