This discussion is archived
7 Replies Latest reply: Jun 19, 2012 2:50 AM by 944523 RSS

NTLM in IBM's JVM

DrClap Expert
Currently Being Moderated
We are upgrading to Exchange 2010 where I work and we are trying to get our existing (long-established) Java code to connect to the new SMTP server successfully. We are using JavaMail 1.4.4, and we can connect to the SMTP server successfully from my Windows test machine. But when we try using the same code to connect from our IBM System i machine, it doesn't get authenticated and therefore can't send e-mail. Sample debug output is below:

DEBUG: setDebug: JavaMail version 1.4.4
DEBUG: getProvider() returning javax.mail.Provider[TRANSPORT,smtp,com.sun.mail.smtp.SMTPTransport,Sun Microsystems, Inc]
DEBUG SMTP: useEhlo true, useAuth true
DEBUG SMTP: useEhlo true, useAuth true
DEBUG SMTP: trying to connect to host "vcr-cas1", port 25, isSSL false
220 xxxxxxxxxxxxxx Microsoft ESMTP MAIL Service ready at Mon, 15 Aug 2011 10:01:21 -0700
DEBUG SMTP: connected to host "vcr-cas1", port: 25

EHLO DC911
250-xxxxxxxxxxxxxx Hello [10.20.254.96]
250-SIZE 20971520
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250 XSHADOW
DEBUG SMTP: Found extension "SIZE", arg "20971520"
DEBUG SMTP: Found extension "PIPELINING", arg ""
DEBUG SMTP: Found extension "DSN", arg ""
DEBUG SMTP: Found extension "ENHANCEDSTATUSCODES", arg ""
DEBUG SMTP: Found extension "STARTTLS", arg ""
DEBUG SMTP: Found extension "AUTH", arg ""
DEBUG SMTP: Found extension "8BITMIME", arg ""
DEBUG SMTP: Found extension "BINARYMIME", arg ""
DEBUG SMTP: Found extension "CHUNKING", arg ""
DEBUG SMTP: Found extension "XEXCH50", arg ""
DEBUG SMTP: Found extension "XSHADOW", arg ""
DEBUG SMTP: Attempt to authenticate
DEBUG SMTP: check mechanisms: LOGIN PLAIN DIGEST-MD5 NTLM
DEBUG SMTP: mechanism LOGIN not supported by server
DEBUG SMTP: mechanism PLAIN not supported by server
DEBUG SMTP: mechanism DIGEST-MD5 not supported by server
DEBUG SMTP: mechanism NTLM not supported by server
Exception in thread "main" javax.mail.AuthenticationFailedException: No authentication mechansims supported by both server and client
at com.sun.mail.smtp.SMTPTransport.authenticate(SMTPTransport.java:756)
at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:669)
at javax.mail.Service.connect(Service.java:317)
at javax.mail.Service.connect(Service.java:176)
at javax.mail.Service.connect(Service.java:125)
at javax.mail.Transport.send0(Transport.java:194)
at javax.mail.Transport.send(Transport.java:124)
at TestMail.main(TestMail.java:51)

The output from the Windows test is similar but contains this instead:

DEBUG SMTP: Attempt to authenticate
DEBUG SMTP: check mechanisms: LOGIN PLAIN DIGEST-MD5 NTLM
DEBUG SMTP: mechanism LOGIN not supported by server
DEBUG SMTP: mechanism PLAIN not supported by server
DEBUG SMTP: mechanism DIGEST-MD5 not supported by server
DEBUG NTLM: type 1 message: 4E 54 4C 4D 53 53 50 00 01 00 00 00 03 A2 00 00 00 00 00 00 2D 00 00 00 0D 00 0D 00 20 00 00 00 56 41 4E 2D 43 4C 41 50 48 41 4D 2D 50
AUTH NTLM TlRMTVNTUAABAAAAA6IAAAAAAAAtAAAADQANACAAAABWQU4tQ0xBUEhBTS1Q
334 TlRMTVNTUAACAAAAEAAQADgAAAAFgoECNpANq5ABiNkAAAAAAAAAAJ4AngBIAAAABgGxHQAAAA9DAE8AUgBFAE0AQQBSAEsAAgAQAEMATwBSAEUATQBBAFIASwABABAAVgBDAFIALQBDAEEAUwAxAAQAGABjAG8AcgBlAG0AYQByAGsALgBjAG8AbQADACoAVgBDAFIALQBDAEEAUwAxAC4AYwBvAHIAZQBtAGEAcgBrAC4AYwBvAG0ABQAYAGMAbwByAGUAbQBhAHIAawAuAGMAbwBtAAcACABbv1VZblvMAQAAAAA=
DEBUG NTLM: type 3 message: 4E 54 4C 4D 53 53 50 00 03 00 00 00 18 00 18 00 6E 00 00 00 18 00 18 00 86 00 00 00 00 00 00 00 40 00 00 00 14 00 14 00 40 00 00 00 1A 00 1A 00 54 00 00 00 00 00 00 00 9E 00 00 00 01 82 00 00 74 00 65 00 73 00 74 00 6D 00 62 00 2D 00 65 00 64 00 69 00 56 00 41 00 4E 00 2D 00 43 00 4C 00 41 00 50 00 48 00 41 00 4D 00 2D 00 50 00 2E 3C 67 36 0A EE 90 4A 5E 2F DA 4A 6B 02 9F 13 1F 1A 49 77 36 FC 34 56 20 2D 3E B0 2E D1 CE E8 85 D5 30 3A 1E 13 2E B4 BC 13 A9 7B 82 57 17 2C
TlRMTVNTUAADAAAAGAAYAG4AAAAYABgAhgAAAAAAAABAAAAAFAAUAEAAAAAaABoAVAAAAAAAAACeAAAAAYIAAHQAZQBzAHQAbQBiAC0AZQBkAGkAVgBBAE4ALQBDAEwAQQBQAEgAQQBNAC0AUAAuPGc2Cu6QSl4v2kprAp8THxpJdzb8NFYgLT6wLtHO6IXVMDoeEy60vBOpe4JXFyw=
235 2.7.0 Authentication successful
DEBUG SMTP: use8bit false
MAIL FROM:<xxxxxxxx@xxxxxxxx>
250 2.1.0 Sender OK

I remember something about earlier versions of JavaMail using JCIFS to support NTLM authentication; I already have JCIFS in my classpath on the System i and it doesn't seem to help. Is there anything I can do on the System i to make this work?
  • 1. Re: NTLM in IBM's JVM
    bshannon Pro
    Currently Being Moderated
    You seem to be changing two things at once and it wasn't clear to me which
    of them you think is the cause of the problem.

    You're using an older version of Exchange as well as Exchange 2010,
    and you're connecting from Windows and from an IBM machine.
    Which combinations work and which fail?

    The case that's failing is failing because the server is not advertising
    any authentication mechanisms. Possibly something changed in the
    configuration for Exchange 2010, or possibly the server is imposing
    rules that are different for different client machines.

    JavaMail 1.4.4 doesn't use jcifs; the NTLM support is built in. But your
    server isn't saying that it supports NTLM. I don't know why.
  • 2. Re: NTLM in IBM's JVM
    DrClap Expert
    Currently Being Moderated
    Good point. Here's what's working:

    (1) Sun JVM to old Exchange
    (2) Sun JVM to new Exchange
    (3) IBM JVM to old Exchange

    Here's what's not working:

    (4) IBM JVM to new Exchange

    And yes, for sure the configuration for the new Exchange system is going to be different. We're having a discussion with the people who run the server and we'll probably resolve this by making it do other forms of authentication.

    However since (2) gets authentication but (4) doesn't, that means that the new Exchange server is advertising some authentication mechanism, and since the authentication happens via NTLM that means that it's advertising NTLM to the Sun JVM. And it means that it isn't advertising NTLM to the IBM JVM. Which doesn't sound right to me, it sounds more like the IBM JVM doesn't understand it when the Exchange server tells it that NTLM is available. Which also doesn't sound right to me.
  • 3. Re: NTLM in IBM's JVM
    bshannon Pro
    Currently Being Moderated
    You can see from the protocol trace that it's just not advertising NTLM;
    it's not an issue of the client failing to understand it.

    I'd look at authentication rules based on the client's IP address or host name.

    Oh, and are you connecting with SSL in both cases?
    It may refuse to do NTLM unless you use SSL.
  • 4. Re: NTLM in IBM's JVM
    DrClap Expert
    Currently Being Moderated
    bshannon wrote:
    You can see from the protocol trace that it's just not advertising NTLM;
    it's not an issue of the client failing to understand it.
    Then why does the protocol trace for the same code on a Windows machine look like what I posted, namely this:

    DEBUG SMTP: Attempt to authenticate
    DEBUG SMTP: check mechanisms: LOGIN PLAIN DIGEST-MD5 NTLM
    DEBUG SMTP: mechanism LOGIN not supported by server
    DEBUG SMTP: mechanism PLAIN not supported by server
    DEBUG SMTP: mechanism DIGEST-MD5 not supported by server
    DEBUG NTLM: type 1 message: 4E 54 4C 4D 53 53 50 00 01 00 00 00 03 A2 00 00 00 00 00 00 2D 00 00 00 0D 00 0D 00 20 00 00 00 56 41 4E 2D 43 4C 41 50 48 41 4D 2D 50
    AUTH NTLM TlRMTVNTUAABAAAAA6IAAAAAAAAtAAAADQANACAAAABWQU4tQ0xBUEhBTS1Q
    334

    Looks like there's understanding happening here, anyway. Can that happen even if the server doesn't advertise NTLM?
  • 5. Re: NTLM in IBM's JVM
    bshannon Pro
    Currently Being Moderated
    Presumably the response to the EHLO command includes "AUTH NTLM".
    You didn't include the full response for the working case so I can't say for sure.
  • 6. Re: NTLM in IBM's JVM
    DrClap Expert
    Currently Being Moderated
    Yes, it does say that. (At least it says that today.)

    However I just got a message from our e-mail administrator saying "I changed something, try it again" and now I'm getting NTLM authorization happening with the IBM JVM. It did sound like he had different configurations for the IBMs versus the other systems so probably that was the source of the problem.
  • 7. Re: NTLM in IBM's JVM
    944523 Newbie
    Currently Being Moderated
    Hello DrClap.
    I have the same problem.
    What needs to change for the solution to the problem?
    thank you.

Legend

  • Correct Answers - 10 points
  • Helpful Answers - 5 points