Introduction
This page will provide common Q&A, updated as they arise.
Error Messages
What Does 'A duplicate name exists on the network' mean?
This is a little cryptic, but what I've seen is that if you use a DNS alias for your LDAP server (e.g. to save hard-coding one in your app you use 'myldapserver' and add a local hosts entry to point it at the correct server), this apparently causes a duplicate name exception to be thrown during the NTLM conversation. My fix: use the hostname. Even though my original LDAP configuration in atlassian-user.xml worked with the alias, NTLM did not.
What Does 'Invalid access to memory location' mean?
The cause is that you have not specified all DCs.
I will be adding a dump in the logs to show the results of an LDAP lookup so you can compare/contrast with your atlassian-user.xml / osuser.xml
What Does 'unknown user name or bad password' mean?
You should only see this if form based fallback was used and you got the password wrong.
Information
Multiple DC's?
The Confluence NTLM library doesn't define its own server list. If your clients are on multiple AD servers, they should all be identified in the atlassian-user.xml or osuser.xml files. The Confluence NTLM library uses this list as the set of servers it sends NTLM challenges to.
TODO: still need to check, on authentication failure, that the number of actual DCs matches the number configured, and spit out the differences for info.
Multiple Domains?
If I see things right, by being already logged into that domain, it should, in those immortal words, just work.
Why do I keep getting a password box
Your setup does not meet the minimum requirements, as defined by jCIFS (quoted from jcifs.samba.org):
Transparent Authentication and the Network Password Dialog
If the Filter is working properly the Network Password Dialog should never appear. However there are several requirements that must be met for a web browser to transparently negotiate credentials using NTLM HTTP authentication. If any of these requirements are not met, the default behavior is to present the user with the Network Password dialog. The requirements are:
- The client must be logged into the Windows NT domain identified by the jcifs.smb.client.domain parameter (or the domain of the host identified by the jcifs.smb.client.domainController parameter if it is used instead). The client may also be logged into a domain that has a trust relationship with the target domain. Indeed it is not uncommon to configure workstations to join a different domain from those of users. Note that Windows 95/98/ME systems cannot really join a domain but can be configured to do so enough to participate in transparent NTLM HTTP authentication.
- By default, only Internet Explorer will negotiate NTLM HTTP authentication transparently. Mozilla must be configured to authenticate transparently. See these links for details:
http://kb.mozillazine.org/Network.automatic-ntlm-auth.trusted-uris
http://www.mozilla.org/projects/netlib/integrated-auth.html
- Either the target URL must contain a server in the local domain (e.g. ws1.mycompany.com) or the client's security settings must be changed (e.g. Tools > Internet Options > Security > Local Intranet > Sites > Advanced > add your site). If the URL does not contain a URL in the defined IntrAnet zone (e.g. not an IP address), Internet Explorer will assume that the server is in the IntErnet zone and present the user with the Network Password dialog. It would be very bad if a server on the Internet could convince IE to send it your NTLM password hashes. These hashes are easily cracked with brute force dictionary attacks. To prevent this scenario, IE tries to distinguish between Intranet sites and Internet sites. Here are some important notes to consider when deploying a site with NTLM HTTP Authentication regardless of whether or not jCIFS is used to do it.
- The user's credentials must be valid. For example if the account has expired, been disabled or is locked out the Network Password dialog will appear. To determine which error was at fault it will be necessary to modify the NtlmHttpFilter to inspect the SmbAuthException in doFilter.
- The jCIFS client must support the lmCompatibility level necessary for communication with the domain controller. If the server does not permit NTLMv1 try to set jcifs.smb.lmCompatibility = 3.
Another reason for the Network Password Dialog appearing unexpectedly is if your web server has keep-alive turned off (e.g. the KeepAlive directive in Apache httpd.conf).
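The requirements above can be turned into a quick preflight check before users are told "just add the site to Local Intranet". The following is an added example, not code from the Confluence NTLM plugin or from jCIFS. It approximates the browser zone decision described above (a plain hostname without dots, or a host explicitly added to the intranet sites list, is treated as intranet; an IP address or any other fully-qualified name is treated as Internet), checks whether the server response allows the connection to stay open (NTLM authenticates the TCP connection, so the handshake breaks if keep-alive is off), and checks the lmCompatibility requirement. The `trusted_hosts` list, the response headers and the `server_allows_ntlmv1` flag are constructed inputs standing in for the real site configuration.

```python
import ipaddress
from urllib.parse import urlparse


def is_ip_address(host):
    """True if host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_in_intranet_zone(host, trusted_hosts):
    """Approximate the IE zone rule quoted above (simplified, an assumption of
    this example): hosts added to the Local Intranet sites list are intranet,
    plain names without a dot are intranet, IP addresses and other dotted
    names are Internet and will trigger the Network Password dialog."""
    host = host.lower()
    if host in {h.lower() for h in trusted_hosts}:
        return True
    if is_ip_address(host):
        return False
    return "." not in host


def keep_alive_enabled(response_headers):
    """NTLM is a connection-oriented handshake: if the server closes the
    connection after the 401, the Type 3 message never reaches the filter."""
    headers = {k.lower(): v for k, v in response_headers.items()}
    return headers.get("connection", "").lower() != "close"


def prompt_reasons(url, trusted_hosts, response_headers,
                   server_allows_ntlmv1, client_lm_compatibility):
    """Return the list of reasons (empty if none) why a browser would fall back
    to the Network Password dialog for this URL under the quoted requirements."""
    reasons = []
    host = urlparse(url).hostname or ""
    if not host_in_intranet_zone(host, trusted_hosts):
        reasons.append(
            f"host {host!r} is outside the Local Intranet zone; "
            "use a plain hostname or add the site under Local Intranet > Sites")
    if not keep_alive_enabled(response_headers):
        reasons.append("keep-alive is disabled on the web server")
    if not server_allows_ntlmv1 and client_lm_compatibility < 3:
        reasons.append("domain controller refuses NTLMv1; "
                       "set jcifs.smb.lmCompatibility = 3")
    return reasons


if __name__ == "__main__":
    # Constructed sample: an FQDN not in the intranet list, behind a server
    # that closes connections, against a DC that only accepts NTLMv2.
    sample_headers = {"Connection": "close", "WWW-Authenticate": "NTLM"}
    for reason in prompt_reasons("http://wiki.example.local/confluence/",
                                 [], sample_headers, False, 0):
        print("-", reason)
```

Running it prints three lines, one per unmet requirement; an empty list means the page's checklist is satisfied and the cause lies elsewhere (for instance, the credential or trust-relationship conditions that only the domain controller can report).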
