UnknownHostException - NTLM Authentication - More than one Domain

Hi.
First the situation then details.

Situation:
We used to have one domain and life was good.  Now we have a second domain (full trust between them) but TeamCity is having difficulties authenticating in the second domain.  So no users from the second domain can even log in for the first time.
I'm not sure how exactly TeamCity authenticates (seems different from what Windows does).  Maybe there is a tweak on the box that's needed?  Or a tweak on the domain controller?  Or have TeamCity go to a different domain controller somehow?  All guesses...


For the sake of discussion:
Domain1 - ABC
User1 - Joe
Password1 - JoePass

Domain2 - XYZ
User2 - Bob
Password2 - BobPass

TeamCity Server: TCServer
TeamCity service account: ABC\TCProcessId
TCServer is on ABC domain.

All user names and passwords entered during testing are valid - guaranteed.

Example of issue:
Joe goes to log in.  (ABC\Joe using JoePass).  Works fine.
Bob goes to log in. (XYZ\Bob using BobPass).  Does not work (fails at logon screen: Login failed. Incorrect username or password.)

Extract from logs:
[2010-01-07 09:55:36,775]   WARN -   jetbrains.buildServer.SERVER - Login for user XYZ\Bob failed, error: java.net.UnknownHostException: XYZ
[2010-01-07 09:56:01,441]   WARN -   jetbrains.buildServer.SERVER -  
java.net.UnknownHostException: XYZ
at jcifs.UniAddress.getAllByName(UniAddress.java:315)
at jcifs.UniAddress.getByName(UniAddress.java:245)
at jetbrains.buildServer.serverSide.impl.auth.JCIFSBasedAuthenticator.authenticate(JCIFSBasedAuthenticator.java:34)
at jetbrains.buildServer.serverSide.impl.auth.NTDomainLoginModule.login(NTDomainLoginModule.java:69)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$5.run(LoginContext.java:706)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:703)
at javax.security.auth.login.LoginContext.login(LoginContext.java:575)
at jetbrains.buildServer.serverSide.impl.auth.ServerLoginModelImpl.tryToLogin(ServerLoginModelImpl.java:57)
at jetbrains.buildServer.serverSide.impl.auth.ServerLoginModelImpl.checkPassword(ServerLoginModelImpl.java:42)
at jetbrains.buildServer.serverSide.impl.auth.ServerLoginModelImpl.login(ServerLoginModelImpl.java:32)
at jetbrains.buildServer.controllers.login.WebLoginModelImpl.doLogin(WebLoginModelImpl.java:81)
at jetbrains.buildServer.controllers.login.WebLoginModelImpl.loginFromRequest(WebLoginModelImpl.java:89)
at jetbrains.buildServer.controllers.login.LoginSubmitController.doPost(LoginSubmitController.java:8)
at jetbrains.buildServer.controllers.BaseFormXmlController$1.handleRequest(BaseFormXmlController.java:35)
at jetbrains.buildServer.controllers.AjaxRequestProcessor.processRequest(AjaxRequestProcessor.java:29)
at jetbrains.buildServer.controllers.BaseFormXmlController.doHandle(BaseFormXmlController.java:33)
at jetbrains.buildServer.controllers.BaseController.handleRequestInternal(BaseController.java:60)
at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:875)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:809)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:523)
at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:463)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at jetbrains.spring.web.TeamCityDispatcherServlet.service(TeamCityDispatcherServlet.java:12)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at jetbrains.buildServer.web.ResponseFragmentFilter.doFilter(ResponseFragmentFilter.java:8)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:595)



TeamCity server setup details:
Version: TeamCity Enterprise Version 4.0.1 (build 8171)
TeamCity service runs on a box within ABC domain.
TeamCity service runs under an ABC domain account which is an admin on TCServer
Bob is able to log on to TCServer using (XYZ\Bob and BobPass) while using Remote Desktop Connection - not to confuse that with TeamCity logon.
TeamCity security: NTLM (windows)


Contents of (config\main-config.xml)

<?xml version="1.0" encoding="UTF-8"?>
<server rootURL="http://TCServer:81">
  <db-compact>
    <scheduler hour="22" minute="0" />
    <keep cleanup-level="EVERYTHING" days="30" />
  </db-compact>
  <auth-type>
    <login-module />
    <login-description />
    <guest-login allowed="true" guest-username="guest" />
    <free-registration allowed="false" />
  </auth-type>
  <artifacts maxArtifactSize="300000000" />
  <report-tab title="Code Coverage" basePath="coverage.zip" />
  <report-tab title="JavaDoc" basePath="javadoc.zip" />
  <comment-transformation />
</server>

Contents of (config\ntlm-config.properties)

# Uncomment the line below if you want to use the old-fashioned login
# module. This login module is only works with Windows (e.g. the TeamCity
# server must be installed on computer running Windows).
# ntlm.compatibilityMode=true
# Uncomment to specify the default domain. If default domain is not
# specified, it must be provided in the username field using one of the
# following formats: <domain name>\<username> or <username>@<domain name>
# ntlm.defaultDomain=ABC

2 comments

Have you tried to log on to the XYZ domain from the TCServer host with the help of the net use command, for example?


Hmmm.  I got very interesting results.  Needless to say, it didn't work; it also ruins the "full trust" between domains that I was assured of.
Let me go back to Network gods and ping them about that.

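The log extract in this thread shows a login reported on screen as "Incorrect username or password" that actually failed on a name lookup (java.net.UnknownHostException: XYZ). The following is an added example, not code from the thread or from TeamCity: a small Python triage script that separates such lookup failures from ordinary credential failures and checks whether the name resolves from the current host. The sample log lines are constructed in the format of the extract, and the function names are hypothetical.

```python
import re
import socket
from collections import defaultdict

# Constructed sample in the format of the log extract above; the second line's
# error text is invented to stand for an ordinary credential failure.
SAMPLE_LOG = """\
[2010-01-07 09:55:36,775]   WARN -   jetbrains.buildServer.SERVER - Login for user XYZ\\Bob failed, error: java.net.UnknownHostException: XYZ
[2010-01-07 09:57:12,003]   WARN -   jetbrains.buildServer.SERVER - Login for user ABC\\Joe failed, error: (constructed) bad password
[2010-01-07 09:58:40,118]   WARN -   jetbrains.buildServer.SERVER - Login for user Bob@XYZ failed, error: java.net.UnknownHostException: XYZ
"""

LOGIN_FAIL = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+WARN\s+-\s+\S+\s+-\s+"
    r"Login for user (?P<user>\S+) failed, error: (?P<error>.*)$",
    re.MULTILINE,
)
UNKNOWN_HOST = re.compile(r"java\.net\.UnknownHostException: (?P<name>\S+)")


def parse_failures(log_text):
    """Return one dict (ts, user, error) per failed-login line."""
    return [m.groupdict() for m in LOGIN_FAIL.finditer(log_text)]


def resolves(name, resolver=socket.gethostbyname):
    """True if this host can resolve `name` (OS resolver; an approximation
    of the lookup the authenticator performs, not the same code path)."""
    try:
        resolver(name)
        return True
    except OSError:  # socket.gaierror is a subclass of OSError
        return False


def triage(log_text, resolver=socket.gethostbyname):
    """Group failures caused by name resolution by the unresolved name."""
    users = defaultdict(set)
    for failure in parse_failures(log_text):
        hit = UNKNOWN_HOST.search(failure["error"])
        if hit:  # a lookup failure, not a rejected password
            users[hit.group("name")].add(failure["user"])
    return {
        name: {"users": sorted(who), "resolves_now": resolves(name, resolver)}
        for name, who in users.items()
    }


if __name__ == "__main__":
    for name, info in triage(SAMPLE_LOG).items():
        print(name, info)
```

Run on the TeamCity server host against the real server log, a domain listed with resolves_now False points at name resolution between the domains rather than at the users' passwords.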