7 Replies. Latest reply: Jun 19, 2012 4:50 AM by 944523

    NTLM in IBM's JVM

    DrClap
      We are upgrading to Exchange 2010 where I work and we are trying to get our existing (long-established) Java code to connect to the new SMTP server successfully. We are using JavaMail 1.4.4, and we can connect to the SMTP server successfully from my Windows test machine. But when we try using the same code to connect from our IBM System i machine, it doesn't get authenticated and therefore can't send e-mail. Sample debug output is below:

      DEBUG: setDebug: JavaMail version 1.4.4
      DEBUG: getProvider() returning javax.mail.Provider[TRANSPORT,smtp,com.sun.mail.smtp.SMTPTransport,Sun Microsystems, Inc]
      DEBUG SMTP: useEhlo true, useAuth true
      DEBUG SMTP: useEhlo true, useAuth true
      DEBUG SMTP: trying to connect to host "vcr-cas1", port 25, isSSL false
      220 xxxxxxxxxxxxxx Microsoft ESMTP MAIL Service ready at Mon, 15 Aug 2011 10:01:21 -0700
      DEBUG SMTP: connected to host "vcr-cas1", port: 25

      EHLO DC911
      250-xxxxxxxxxxxxxx Hello [10.20.254.96]
      250-SIZE 20971520
      250-PIPELINING
      250-DSN
      250-ENHANCEDSTATUSCODES
      250-STARTTLS
      250-AUTH
      250-8BITMIME
      250-BINARYMIME
      250-CHUNKING
      250-XEXCH50
      250 XSHADOW
      DEBUG SMTP: Found extension "SIZE", arg "20971520"
      DEBUG SMTP: Found extension "PIPELINING", arg ""
      DEBUG SMTP: Found extension "DSN", arg ""
      DEBUG SMTP: Found extension "ENHANCEDSTATUSCODES", arg ""
      DEBUG SMTP: Found extension "STARTTLS", arg ""
      DEBUG SMTP: Found extension "AUTH", arg ""
      DEBUG SMTP: Found extension "8BITMIME", arg ""
      DEBUG SMTP: Found extension "BINARYMIME", arg ""
      DEBUG SMTP: Found extension "CHUNKING", arg ""
      DEBUG SMTP: Found extension "XEXCH50", arg ""
      DEBUG SMTP: Found extension "XSHADOW", arg ""
      DEBUG SMTP: Attempt to authenticate
      DEBUG SMTP: check mechanisms: LOGIN PLAIN DIGEST-MD5 NTLM
      DEBUG SMTP: mechanism LOGIN not supported by server
      DEBUG SMTP: mechanism PLAIN not supported by server
      DEBUG SMTP: mechanism DIGEST-MD5 not supported by server
      DEBUG SMTP: mechanism NTLM not supported by server
      Exception in thread "main" javax.mail.AuthenticationFailedException: No authentication mechansims supported by both server and client
      at com.sun.mail.smtp.SMTPTransport.authenticate(SMTPTransport.java:756)
      at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:669)
      at javax.mail.Service.connect(Service.java:317)
      at javax.mail.Service.connect(Service.java:176)
      at javax.mail.Service.connect(Service.java:125)
      at javax.mail.Transport.send0(Transport.java:194)
      at javax.mail.Transport.send(Transport.java:124)
      at TestMail.main(TestMail.java:51)

      The output from the Windows test is similar but contains this instead:

      DEBUG SMTP: Attempt to authenticate
      DEBUG SMTP: check mechanisms: LOGIN PLAIN DIGEST-MD5 NTLM
      DEBUG SMTP: mechanism LOGIN not supported by server
      DEBUG SMTP: mechanism PLAIN not supported by server
      DEBUG SMTP: mechanism DIGEST-MD5 not supported by server
      DEBUG NTLM: type 1 message: 4E 54 4C 4D 53 53 50 00 01 00 00 00 03 A2 00 00 00 00 00 00 2D 00 00 00 0D 00 0D 00 20 00 00 00 56 41 4E 2D 43 4C 41 50 48 41 4D 2D 50
      AUTH NTLM TlRMTVNTUAABAAAAA6IAAAAAAAAtAAAADQANACAAAABWQU4tQ0xBUEhBTS1Q
      334 TlRMTVNTUAACAAAAEAAQADgAAAAFgoECNpANq5ABiNkAAAAAAAAAAJ4AngBIAAAABgGxHQAAAA9DAE8AUgBFAE0AQQBSAEsAAgAQAEMATwBSAEUATQBBAFIASwABABAAVgBDAFIALQBDAEEAUwAxAAQAGABjAG8AcgBlAG0AYQByAGsALgBjAG8AbQADACoAVgBDAFIALQBDAEEAUwAxAC4AYwBvAHIAZQBtAGEAcgBrAC4AYwBvAG0ABQAYAGMAbwByAGUAbQBhAHIAawAuAGMAbwBtAAcACABbv1VZblvMAQAAAAA=
      DEBUG NTLM: type 3 message: 4E 54 4C 4D 53 53 50 00 03 00 00 00 18 00 18 00 6E 00 00 00 18 00 18 00 86 00 00 00 00 00 00 00 40 00 00 00 14 00 14 00 40 00 00 00 1A 00 1A 00 54 00 00 00 00 00 00 00 9E 00 00 00 01 82 00 00 74 00 65 00 73 00 74 00 6D 00 62 00 2D 00 65 00 64 00 69 00 56 00 41 00 4E 00 2D 00 43 00 4C 00 41 00 50 00 48 00 41 00 4D 00 2D 00 50 00 2E 3C 67 36 0A EE 90 4A 5E 2F DA 4A 6B 02 9F 13 1F 1A 49 77 36 FC 34 56 20 2D 3E B0 2E D1 CE E8 85 D5 30 3A 1E 13 2E B4 BC 13 A9 7B 82 57 17 2C
      TlRMTVNTUAADAAAAGAAYAG4AAAAYABgAhgAAAAAAAABAAAAAFAAUAEAAAAAaABoAVAAAAAAAAACeAAAAAYIAAHQAZQBzAHQAbQBiAC0AZQBkAGkAVgBBAE4ALQBDAEwAQQBQAEgAQQBNAC0AUAAuPGc2Cu6QSl4v2kprAp8THxpJdzb8NFYgLT6wLtHO6IXVMDoeEy60vBOpe4JXFyw=
      235 2.7.0 Authentication successful
      DEBUG SMTP: use8bit false
      MAIL FROM:<xxxxxxxx@xxxxxxxx>
      250 2.1.0 Sender OK

      I remember something about earlier versions of JavaMail using JCIFS to support NTLM authentication; I already have JCIFS in my classpath on the System i and it doesn't seem to help. Is there anything I can do on the System i to make this work?
        • 1. Re: NTLM in IBM's JVM
          bshannon
          You seem to be changing two things at once and it wasn't clear to me which
          of them you think is the cause of the problem.

          You're using an older version of Exchange as well as Exchange 2010,
          and you're connecting from Windows and from an IBM machine.
          Which combinations work and which fail?

          The case that's failing is failing because the server is not advertising
          any authentication mechanisms. Possibly something changed in the
          configuration for Exchange 2010, or possibly the server is imposing
          rules that are different for different client machines.

          JavaMail 1.4.4 doesn't use jcifs; the NTLM support is built in. But your
          server isn't saying that it supports NTLM. I don't know why.
          • 2. Re: NTLM in IBM's JVM
            DrClap
            Good point. Here's what's working:

            (1) Sun JVM to old Exchange
            (2) Sun JVM to new Exchange
            (3) IBM JVM to old Exchange

            Here's what's not working:

            (4) IBM JVM to new Exchange

            And yes, for sure the configuration for the new Exchange system is going to be different. We're having a discussion with the people who run the server and we'll probably resolve this by making it do other forms of authentication.

            However, since (2) gets authentication but (4) doesn't, that means that the new Exchange server is advertising some authentication mechanism, and since the authentication happens via NTLM, that means that it's advertising NTLM to the Sun JVM. And it means that it isn't advertising NTLM to the IBM JVM. Which doesn't sound right to me; it sounds more like the IBM JVM doesn't understand it when the Exchange server tells it that NTLM is available. Which also doesn't sound right to me.
            • 3. Re: NTLM in IBM's JVM
              bshannon
              You can see from the protocol trace that it's just not advertising NTLM;
              it's not an issue of the client failing to understand it.

              I'd look at authentication rules based on the client's IP address or host name.

              Oh, and are you connecting with SSL in both cases?
              It may refuse to do NTLM unless you use SSL.
              • 4. Re: NTLM in IBM's JVM
                DrClap
                bshannon wrote:
                    You can see from the protocol trace that it's just not advertising NTLM;
                    it's not an issue of the client failing to understand it.

                Then why does the protocol trace for the same code on a Windows machine look like what I posted, namely this:

                DEBUG SMTP: Attempt to authenticate
                DEBUG SMTP: check mechanisms: LOGIN PLAIN DIGEST-MD5 NTLM
                DEBUG SMTP: mechanism LOGIN not supported by server
                DEBUG SMTP: mechanism PLAIN not supported by server
                DEBUG SMTP: mechanism DIGEST-MD5 not supported by server
                DEBUG NTLM: type 1 message: 4E 54 4C 4D 53 53 50 00 01 00 00 00 03 A2 00 00 00 00 00 00 2D 00 00 00 0D 00 0D 00 20 00 00 00 56 41 4E 2D 43 4C 41 50 48 41 4D 2D 50
                AUTH NTLM TlRMTVNTUAABAAAAA6IAAAAAAAAtAAAADQANACAAAABWQU4tQ0xBUEhBTS1Q
                334

                Looks like there's understanding happening here, anyway. Can that happen even if the server doesn't advertise NTLM?
                • 5. Re: NTLM in IBM's JVM
                  bshannon
                  Presumably the response to the EHLO command includes "AUTH NTLM".
                  You didn't include the full response for the working case so I can't say for sure.
                  • 6. Re: NTLM in IBM's JVM
                    DrClap
                    Yes, it does say that. (At least it says that today.)

                    However, I just got a message from our e-mail administrator saying "I changed something, try it again" and now I'm getting NTLM authorization happening with the IBM JVM. It did sound like he had different configurations for the IBMs versus the other systems, so probably that was the source of the problem.
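
The mechanism check visible in the traces above, as an added example that is not part of the thread and not JavaMail's own code: it reads the AUTH line of an EHLO reply, picks the first mechanism from the client's list, and flags the case where nothing is offered before TLS. The class name `EhloAuthCheck` is hypothetical, and the "working" reply is constructed, since the thread confirms only that it contained `AUTH NTLM`.

```java
import java.util.*;

// Added example (not JavaMail code): replays the mechanism check seen in the traces.
public class EhloAuthCheck {
    // Client preference order, as printed in the JavaMail 1.4.4 debug output.
    static final List<String> CLIENT = Arrays.asList("LOGIN", "PLAIN", "DIGEST-MD5", "NTLM");

    // Keyword of a "250-..." / "250 ..." reply line, followed by its arguments.
    static String[] tokens(String line) {
        if (line.length() < 4 || !line.startsWith("250")) return new String[] {""};
        return line.substring(4).trim().split("[ =]+"); // "=" covers legacy "AUTH=LOGIN"
    }

    static Set<String> advertised(List<String> ehloReply) {
        Set<String> mechs = new LinkedHashSet<String>();
        for (String line : ehloReply) {
            String[] tok = tokens(line);
            if (!tok[0].equalsIgnoreCase("AUTH")) continue;
            for (int i = 1; i < tok.length; i++) mechs.add(tok[i].toUpperCase(Locale.ENGLISH));
        }
        return mechs;
    }

    static boolean offers(List<String> ehloReply, String keyword) {
        for (String line : ehloReply) if (tokens(line)[0].equalsIgnoreCase(keyword)) return true;
        return false;
    }

    // Returns the mechanism the client would use, or null (the exception case).
    static String choose(Set<String> serverMechs) {
        for (String m : CLIENT) if (serverMechs.contains(m)) return m;
        return null;
    }

    static void report(String label, List<String> ehloReply) {
        Set<String> mechs = advertised(ehloReply);
        String pick = choose(mechs);
        System.out.println(label + ": server advertises " + mechs + ", client picks " + pick);
        if (pick == null && offers(ehloReply, "STARTTLS"))
            System.out.println("  no mechanism before TLS; compare the EHLO reply after STARTTLS");
    }

    public static void main(String[] args) {
        // Subset of the EHLO reply lines from the failing System i trace in the first post.
        report("System i", Arrays.asList("250-xxxxxxxxxxxxxx Hello [10.20.254.96]",
            "250-SIZE 20971520", "250-PIPELINING", "250-STARTTLS", "250-AUTH", "250 XSHADOW"));
        // Constructed: the working reply was not posted; the thread confirms only "AUTH NTLM".
        report("Windows (constructed)", Arrays.asList("250-STARTTLS", "250-AUTH NTLM", "250 XSHADOW"));
    }
}
```
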
                    • 7. Re: NTLM in IBM's JVM
                      944523
                      Hello DrClap.
                      I have the same problem.
                      What needs to change for the solution to the problem?
                      Thank you.