
NTLMv2 SSO Configuration
Introduction #
The purpose of this document is to explain how to integrate NTLM Single Sign-On (SSO) into Liferay Portal so that it works with both NTLMv1 and NTLMv2 clients. First, a short explanation of what NTLMv1 and NTLMv2 are. Both are challenge-response schemes: in NTLMv1 the client answers the server's 8-byte challenge with DES operations keyed from the user's NT hash, which is weak (a captured response can be cracked offline), while in NTLMv2 the answer is an HMAC-MD5 keyed with a hash bound to the user name and domain and covering a client challenge and a timestamp. Windows XP / Windows Server 2003 and older versions send NTLMv1 by default; Windows Vista / Windows 7 / Windows Server 2008 and later default to NTLMv2 only. Liferay Portal up to 5.2.x did not support NTLMv2; a patch has since been developed that works with both NTLMv1 and NTLMv2. This article explains how to integrate NTLM SSO with a single or multiple Microsoft Active Directory domains in Liferay Portal.
Overview #
Large enterprises have multiple organizations distributed across locations around the globe; a small enterprise may have only one location. Many enterprises use Microsoft Active Directory to manage users and to authenticate applications. Large organizations typically run multiple LDAP domains, small organizations a single domain. The following sections show how to configure NTLM SSO against a single domain controller or against multiple domain controllers.
How to configure Single Domain for NTLM SSO in Liferay Portal? #
The following steps configure a single LDAP server and a single domain controller for NTLM SSO. It is assumed that you have the following information available:
- LDAP server information
- Computer account information for NTLM SSO
LDAP Server Information: #
Note: if you do not have the following information, contact the IT team that manages Active Directory in your organization.

Organization name: CIGNEX
Domain (NetBIOS) name: CCA (this is the value used for ntlm.auth.domain and in the bind principal below; the domain controller host itself is AD01)
LDAP server host name: AD01
AD server URL (default port 389): ldap.base.provider.url=ldap://AD01.cca.cignex.com:389
Base DN: ldap.base.dn=DC=CCA,DC=cignex,DC=com
AD bind user: if you want to sync Portal changes back to AD, this user needs read and update rights; if the portal only reads from AD and never writes to it, make sure the user has read-only rights.
In the following properties CCA is the NetBIOS domain name and ccaadmin is the bind user:
ldap.security.principal=cca\ccaadmin
ldap.security.credentials=abcded-1234

Note: with ldap:// on port 389 the bind user's password and every directory lookup cross the network unencrypted. Where the domain controller has a server certificate, use ldaps://AD01.cca.cignex.com:636 instead and import the issuing CA certificate into the JVM truststore of the application server.
Computer Account Information #
If you do not have a computer account yet, follow the steps below to create one in AD. (See the attached screenshot showing how to create a computer account.)
Step 1: Create the Service Account for NETLOGON Communication #
- To use the NTLM security provider as an authentication service you need to create a service account in Active Directory with a password that you choose.
- The service account can be created with the Active Directory Users and Computers (ADUC) utility. The NETLOGON service requires this account to be a Computer account (a User account will not work). Use the same value for both the "Computer name" (cn) and the "pre-Windows 2000 name" (sAMAccountName), and use only letters, digits and possibly underscores (no spaces). This name becomes the ntlm.auth.service.account value configured in portal-ext.properties below.
- Also determine and note the service account's distinguished name (DN); it is needed for setting the password in the next step. The DN can usually be derived from the account name and domain. For example, if the service account CIGNEXCMS1 is in the Active Directory domain cca.cignex.com, the DN is likely CN=CIGNEXCMS1,CN=Computers,DC=CCA,DC=cignex,DC=com. If you are not sure, the ADSI Edit MMC snap-in shows directory entries by DN.
Step 2: Set the Service Account Password #
- The service account password must be supplied to Liferay Portal, so it has to be a value you know.
- The Windows 2003-era command-line tools offer no way to set a chosen password on a Computer account (dsmod computer -reset only resets it to the default), so the following VBScript calls the ADSI SetPassword method on the computer object directly.
- Copy the following VBScript into a file called SetComputerPass.vbs; the script is also attached to this wiki page.
SetComputerPass.vbs

Option Explicit
Dim strDn, objPassword, strPassword, objComputer

' The only argument is the distinguished name of the computer account.
If WScript.Arguments.Count <> 1 Then
    WScript.Echo "Usage: SetComputerPass.vbs <ComputerDN>"
    WScript.Quit
End If
strDn = WScript.Arguments.Item(0)

' Read the password from the console without echoing it.
Set objPassword = CreateObject("ScriptPW.Password")
WScript.StdOut.Write "Password:"
strPassword = objPassword.GetPassword()

' Bind to the computer object over ADSI and set its password.
Set objComputer = GetObject("LDAP://" & strDn)
objComputer.SetPassword strPassword

WScript.Echo
WScript.Echo "Password set on " & strDn
WScript.Quit
Note: the script also works remotely from another domain-joined workstation, provided it runs with sufficient credentials.
- Execute the script on the domain controller, for example AD01.cca.cignex.com.
- The following command line sets the password for the service account CN=CIGNEXCMS1,CN=Computers,DC=CCA,DC=cignex,DC=com:

C:\>cscript SetComputerPass.vbs CN=CIGNEXCMS1,CN=Computers,DC=CCA,DC=cignex,DC=com
Password:

Note: run the command as an account that has the right to reset the password on that computer object (a Domain Admin, or an account delegated "Reset password" on the Computers container). DO NOT use the computer account name as its password, and make sure the password satisfies the AD password policy.
- Use a long, random password and make a note of it; it is configured in portal-ext.properties later.
- If CreateObject("ScriptPW.Password") fails (the ScriptPW component ships with Windows XP / Server 2003 but not with Windows Vista / Server 2008 and later), open SetComputerPass.vbs in Notepad and temporarily hard-code the password: comment out the three lines that collect it (a ' starts a comment in VBScript), set it directly as shown below, and run the command again. Remove the hard-coded password from the file afterwards.
'Set objPassword = CreateObject("ScriptPW.Password")
'WScript.StdOut.Write "Password:"
'strPassword = objPassword.GetPassword()
strPassword = "ALongRandomPassword"
Note: unlike user account passwords, computer account passwords do not expire; the domain's maximum password age does not apply to them. Domain policy normally makes Windows machines reset their own password periodically (every 30 days by default), but in practice an account is not denied access when it fails to do so, for example because the machine was switched off for several months. Since Liferay Portal never rotates this password itself, treat it as a long-lived credential: rotate it by re-running the script and updating portal-ext.properties, and keep portal-ext.properties readable only by the account that runs the application server.
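The following PowerShell script is an added example, not part of the original wiki page or of Liferay. It performs Steps 1 and 2 together using the same ADSI SetPassword call as the VBScript above, generates the long random password the text asks for, and adds the check a practitioner wants before touching portal-ext.properties: a test LDAP bind as the new computer account. It assumes the names used throughout this article (CIGNEXCMS1, CN=Computers,DC=CCA,DC=cignex,DC=com, NetBIOS domain CCA, domain controller AD01.cca.cignex.com); adjust them for your environment. It needs no RSAT module, only a domain-joined Windows machine and an account allowed to create computer objects and reset their passwords.

```powershell
# Added example (not from the original wiki or Liferay): create the NTLM
# service computer account, set a long random password on it via ADSI, verify
# the password with a test bind, and print the matching portal-ext.properties
# lines. All names below are the article's sample values (assumptions).

$ComputerName     = 'CIGNEXCMS1'
$ContainerDn      = 'CN=Computers,DC=CCA,DC=cignex,DC=com'
$Domain           = 'CCA'                   # NetBIOS domain name
$DnsDomain        = 'cca.cignex.com'
$DomainController = "AD01.$DnsDomain"

# Step 1: create the Computer account (a User account does not work for NETLOGON).
$dn = "CN=$ComputerName,$ContainerDn"
if ([ADSI]::Exists("LDAP://$dn")) {
    $computer = [ADSI]"LDAP://$dn"
} else {
    $container = [ADSI]"LDAP://$ContainerDn"
    $computer  = $container.Create('computer', "CN=$ComputerName")
    $computer.Put('sAMAccountName', "$ComputerName`$")  # pre-Windows 2000 name, always ends in $
    $computer.Put('userAccountControl', 4096)           # WORKSTATION_TRUST_ACCOUNT, enabled
    $computer.SetInfo()
}

# Step 2: set a random password (never derived from the account name).
# 32 random bytes as Base64 give 44 characters of mixed case, digits, + and /.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$password = [Convert]::ToBase64String($bytes)
$computer.SetPassword($password)                        # same ADSI call as SetComputerPass.vbs

# Check: bind to the domain controller as the computer account with the new password.
# Reading a property forces the bind; a wrong password raises a logon-failure exception.
$bind = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$DomainController", "$Domain\$ComputerName`$", $password)
try {
    $null = $bind.distinguishedName
    Write-Host "Bind as $Domain\$ComputerName`$ succeeded"
} catch {
    throw "Bind as $Domain\$ComputerName`$ failed: $($_.Exception.Message)"
}

# Resolve the DC's IPv4 address for ntlm.auth.domain.controller.
$dcIp = ([System.Net.Dns]::GetHostAddresses($DomainController) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    Select-Object -First 1).IPAddressToString

# Lines for portal-ext.properties. The service account keeps its trailing $,
# and the comment stays on its own line (a trailing # is not a comment in a
# Java properties file). The password is printed once; store it securely.
@"
ntlm.auth.enabled=true
ntlm.auth.domain=$Domain
# IP address of $DomainController
ntlm.auth.domain.controller=$dcIp
ntlm.auth.domain.controller.name=$($DomainController.Split('.')[0])
ntlm.auth.service.account=$ComputerName`$@$($Domain).$DnsDomain
ntlm.auth.service.password=$password
"@
```

Run it from an elevated PowerShell session on the domain controller or any domain-joined workstation. If the bind check fails, fix the account before configuring the portal; the portal's NETLOGON connection will fail with the same credentials.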
Configuration in Liferay Portal for NTLMv2 SSO #
- Change the "User Authenticate By" setting to By Screen Name. This can be done via the Control Panel, or by setting the property company.security.auth.type=screenName. This is necessary because NTLM authenticates by sAMAccountName and does not return the user's email address, so the LDAP lookup can only be by AD user name, not by email address. Make sure the LDAP attribute mapping for screenName aligns with sAMAccountName.
- The LDAP server needs to be configured using the Control Panel. Follow the steps in the article http://www.liferay.com/community/wiki/-/wiki/Main/Integration+with+NTLM+plus+ADS
- Configure the following properties in portal-ext.properties. In a Java properties file a # starts a comment only at the beginning of a line; a comment after a value on the same line (for example ntlm.auth.domain.controller=192.168.23.60 #IP of AD01) becomes part of the value, and the domain controller address can no longer be resolved. Keep comments on their own line:
ntlm.auth.enabled=true
ntlm.auth.domain=CCA
# IP address of AD01, the domain controller
ntlm.auth.domain.controller=192.168.23.60
ntlm.auth.domain.controller.name=AD01
ntlm.auth.service.account=CIGNEXCMS1$@CCA.cignex.com
ntlm.auth.service.password=abcdef-12345
You are almost done! Start the application server and click the Sign In link in the Dock menu to log in to Liferay Portal. For the browser to send the logged-on Windows user's NTLM credentials automatically, the portal host must be in Internet Explorer's Local intranet zone (Firefox needs it listed in network.automatic-ntlm-auth.trusted-uris); otherwise the browser prompts for a user name and password instead of signing the user in silently.
How to configure Multiple Domains for NTLM SSO in Liferay Portal? #
This looks complex but is very simple.
- Configure multiple LDAP servers using the Control Panel.
- Make sure that all domains trust each other, and configure the main domain controller as shown in the single-domain NTLM SSO configuration.
Example:
Assume there are three domain controllers.
US
AD server URL (default port 389):
ldap.base.provider.url=ldap://AD01.cca.cignex.com:389
Base DN: ldap.base.dn=DC=CCA,DC=cignex,DC=com
AD bind user
- in the following properties CCA is the NetBIOS domain name and ccaadmin is the bind user
ldap.security.principal=cca\ccaadmin
ldap.security.credentials=abcd-1234
UK
AD server URL (default port 389):
ldap.base.provider.url=ldap://UKAD01.cca.cignex.com:389
Base DN: ldap.base.dn=DC=CUK,DC=cignex,DC=com
AD bind user
- in the following properties CCA is the NetBIOS domain name of the bind account and cukadmin is the bind user
ldap.security.principal=cca\cukadmin
ldap.security.credentials=abcd-1234
India
AD server URL (default port 389):
ldap.base.provider.url=ldap://INDIAAD01.cca.cignex.com:389
Base DN: ldap.base.dn=DC=CINDIA,DC=cignex,DC=com
AD bind user
- in the following properties CCA is the NetBIOS domain name of the bind account and cindiaadmin is the bind user
ldap.security.principal=cca\cindiaadmin
ldap.security.credentials=abcd-1234
As shown in the example above there are three domains, CCA, CUK and CINDIA. Make sure that all three domains trust each other; then only one domain controller needs to be configured in portal-ext.properties, as explained in the single-domain section, and web.xml is configured the same way.
You are almost done! Start the application server and click the Sign In link in the Dock menu to log in to Liferay Portal.