Introduction

This document explains, with an example, how to integrate NTLM Single Sign-On (SSO) into the Liferay portal. By default, the portal uses its own authentication, i.e. user name and password, to identify a user. Liferay portal also supports external authentication methods: Lightweight Directory Access Protocol (LDAP) against any compliant LDAP database, Central Authentication Service (JA-SIG CAS), OpenID, OpenSSO, and Computer Associates' (CA) SiteMinder.

Overview

Suppose that you have a Microsoft Active Directory Server (ADS) with an IP address of, e.g., 192.168.2.230 and a domain, e.g., cignex.net. By default, the port number is 389.

Users and groups are in CN=Users,DC=CIGNEX,DC=NET

The administrator: CN=Administrator,CN=Users,DC=CIGNEX,DC=NET

We plan to integrate NTLM with this server into the Liferay portal.

ADS Settings

Default settings

Check the checkbox Enabled.

Check the checkbox Required.

Select Microsoft Active Directory Server.

Connection

Connect to the ADS server

Base Provider URL: for example, ldap://192.168.2.230:389.

Base DN: for example, CN=Users,DC=CIGNEX,DC=NET

Principal: for example, CN=Administrator,CN=Users,DC=CIGNEX,DC=NET

Credentials: the password of the Administrator.

Users Mapping

Note: use Authentication Search Filter: (cn=@screen_name@) for screenName login
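How the `@screen_name@` placeholder in the Authentication Search Filter expands at login, as an added sketch that is not Liferay's own code: the submitted value is escaped per RFC 4515 before substitution, so a screen name containing filter metacharacters is matched literally. The function names and sample logins are constructed for illustration.

```python
# Added illustration; function names are hypothetical, not Liferay APIs.
import re

# RFC 4515 section 3: these characters must be written as \XX inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a user-supplied value so it is matched literally in an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_search_filter(template, login):
    """Replace @name@ placeholders (e.g. @screen_name@) with escaped login values."""
    def substitute(match):
        key = match.group(1)
        if key not in login:
            raise KeyError(f"filter uses @{key}@ but no such login field was supplied")
        return escape_filter_value(login[key])
    # A function replacement is inserted verbatim, so the backslashes survive.
    return re.sub(r"@([a-z_]+)@", substitute, template)


if __name__ == "__main__":
    template = "(cn=@screen_name@)"  # the filter from the note above
    for name in ["jdoe", "j*", "Doe (Contractor)"]:  # constructed sample logins
        print(name, "->", expand_search_filter(template, {"screen_name": name}))
```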

Groups Mapping

Import and Export

Save when you are ready.

NTLM Settings

Check the checkbox Enabled.

Input Domain Controller: for example, cignex.net.

Input Domain: e.g., 192.168.2.230.

Note that the server where Liferay portal is installed must have access to the domain through the domain controller.

Testing Results

You should see results similar to the following screenshots.

Imported Users

Imported Groups

User Groups

Users in User Groups

SSO authentication

That's it. You got it!

Issues

For now, NTLM is deactivated for browsers other than Internet Explorer due to security issues. To activate it, one has to replace the current NtlmFilter with a new class (e.g. by adding a new class through an extension and overriding the SSO Ntlm Filter class in ROOT/WEB-INF/liferay-web.xml).

Unlike in Internet Explorer, in Firefox one has to add the portal URL to the "network.automatic-ntlm-auth.trusted-uris" setting in "about:config".
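A troubleshooting check for the browser behaviour described above, as an added example that is not Liferay code: it decodes the `Authorization` header a browser sends during the NTLM handshake and reports the message type and, for the final AUTHENTICATE message, the domain and user it carries. The function names and sample headers are constructed; the parser assumes the common 64-byte AUTHENTICATE header that includes the flags field.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
NEGOTIATE_UNICODE = 0x00000001

def _field(msg, pos):
    """Follow a (length, max length, offset) descriptor into the payload."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field descriptor points outside the message")
    return msg[offset:offset + length]

def inspect_authorization(header):
    """Report what an HTTP Authorization header carries during the NTLM handshake."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.upper() != "NTLM":
        return {"ntlm": False, "scheme": scheme}
    msg = base64.b64decode(token.strip(), validate=True)
    if len(msg) < 12 or not msg.startswith(SIGNATURE):
        raise ValueError("token is not an NTLMSSP message")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    info = {"ntlm": True, "type": TYPES.get(mtype, "UNKNOWN")}
    if mtype == 3:
        if len(msg) < 64:
            raise ValueError("AUTHENTICATE message shorter than its 64-byte header")
        flags = struct.unpack_from("<I", msg, 60)[0]
        # The OEM code page varies by client; latin-1 is a stand-in for non-Unicode.
        enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"
        info["domain"] = _field(msg, 28).decode(enc)
        info["user"] = _field(msg, 36).decode(enc)
    return info

def sample_header(mtype, domain="", user=""):
    """Build a constructed header for the demo (empty responses, not a capture)."""
    if mtype == 1:
        msg = SIGNATURE + struct.pack("<II", 1, NEGOTIATE_UNICODE) + bytes(16)
    else:
        d, u = domain.encode("utf-16-le"), user.encode("utf-16-le")
        empty = struct.pack("<HHI", 0, 0, 64)
        msg = (SIGNATURE + struct.pack("<I", 3) + empty * 2
               + struct.pack("<HHI", len(d), len(d), 64)
               + struct.pack("<HHI", len(u), len(u), 64 + len(d))
               + empty * 2 + struct.pack("<I", NEGOTIATE_UNICODE) + d + u)
    return "NTLM " + base64.b64encode(msg).decode()

if __name__ == "__main__":
    for h in ("Basic dXNlcjpwYXNz", sample_header(1), sample_header(3, "CIGNEX", "jdoe")):
        print(inspect_authorization(h))
```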

Comments
Threaded Replies Author Date
Section "ADS Settings": I set all values, press... Gerimint Allat June 18, 2009 3:41 AM
MSAD server does not need to be checked. It is... Amos Fong August 11, 2009 10:43 AM
I followed all the steps, and I still can not... alamut avani September 17, 2009 3:07 AM
Hi Jona, This article is very nice. Like this i... G P October 22, 2009 2:45 AM
In my case all the tests go well but liferay... Tomasz Ryzner November 27, 2009 1:26 AM
Section "Connection": Is it a must that you... Gerimint Allat June 22, 2009 6:43 AM
I currently have LDAP authentication working... Matthew Snider October 13, 2010 10:54 AM
I had a working installation with 5.2.3 and MS... Martin Lungershausen October 14, 2010 4:16 AM
Where can I find the Ntlmv2Filter? Jason Smith April 18, 2011 11:56 PM
Pictures arent displayed for me in this... Greg Dray February 23, 2012 2:34 AM
Looks like NTLM SSO is not working with Liferay... Hendrik Lampe March 9, 2012 6:15 AM
Anyone know the new location of broken image... Sailesh Ranjit May 16, 2014 6:19 AM

Section "ADS Settings":
I set all values, press "Save", but "Microsoft Active Directory Server" is still unchecked. I tried it several times but it remains unchecked no matter.
Is this an error or just a UI bug?
Posted on 6/18/09 3:41 AM.
Section "Connection":
Is it a must that you specify a domain administrator account in field "Principal"? The "Test LDAP Connection" is successful but I still cannot login to Web Space with any AD login so I'd like to know if this may be the problem?
Posted on 6/22/09 6:43 AM.
MSAD server does not need to be checked. It is meant for resetting the default values. (each different LDAP server has different default values)
Posted on 8/11/09 10:43 AM in reply to Gerimint Allat.
I followed all the steps, and I still can not connect via AD, is there a solution?
Posted on 9/17/09 3:07 AM in reply to Amos Fong.
Hi Jona,
This article is very nice. Like this I have imported all the users and groups from openldap to liferay. And now the problem is, whenever I'm trying to create a user through liferay UI then that user is not exported to ldap?
is there any work around?
Posted on 10/22/09 2:45 AM in reply to alamut avani.
In my case all the tests go well but liferay does not import (export) users. Neither while saving nor while starting up the liferay (tried with tomcat 6 and tomcat 5.5) AD on windows 2008 server enterprise, liferay running on the same machine. Principal user has all maximum privileges (domain admin etc.) Of course I am unable to login on that user to liferay.

Anyone is invited to send any hint because I am stuck.
Posted on 11/27/09 1:26 AM in reply to java user 007.
I currently have LDAP authentication working and would like to setup SSO via NTLM. Once SSO is setup, how can I additionally log in as other users using LDAP? (I want to use SSO but also have a manual method for logging in as other users)
Posted on 10/13/10 10:54 AM.
I had a working installation with 5.2.3 and MS AD, but it does not work anymore with 6.0.5 ... I followed this site and that http://www.liferay.com/community/wiki/-/wiki/Main/NTLMv2+SSO+Configuration site but it is not able to connect to LDAP or has anyone solved the problem???
Posted on 10/14/10 4:16 AM in reply to Matthew Snider.
Where can I find the Ntlmv2Filter?
Posted on 4/18/11 11:56 PM in reply to Martin Lungershausen.
Pictures aren't displayed for me in this article, and it seems that they contain a fair amount of the info needed to set this up. :/
Posted on 2/23/12 2:34 AM in reply to Vili Perttilä.
Looks like NTLM SSO is not working with Liferay 6.1 and Winserver 2008 R2. Any suggestions?!
Posted on 3/9/12 6:15 AM in reply to Greg Dray.
Anyone know the new location of broken image links on this page? Seems like they are no longer in the original location http://liferay.cignex.com/ntlm/LDAP_01.png
Posted on 5/16/14 6:19 AM.