Robert Zahm
Non-domain NTLM Authentication
December 3, 2007 7:28 AM

I was able to get NTLM working so that an instance of IE from a domain account passes the username through without prompting the user. However, I ran into issues when trying this from non-domain instances of IE and other browsers such as Firefox. These browsers pop up username and password dialogs as they should. However, it doesn't matter what I enter as the password; it always authenticates the username that I enter. This is obviously a very large security hole. Am I doing something wrong?

Thanks,

Rob
Robert Zahm
RE: Non-domain NTLM Authentication
December 5, 2007 10:58 AM

Anyone have any ideas on this? Am I doing something wrong, or is this a hole in the NTLM security component?
Robert Zahm
RE: Non-domain NTLM Authentication
February 26, 2008 9:10 AM

Can anyone tell me if this sounds like an issue with my configuration, or if this is a bug?

Thanks,

Rob
Jorge Ferrer
RE: Non-domain NTLM Authentication
March 9, 2008 2:04 PM
LIFERAY STAFF

Hi Robert,

I've never used this functionality, but as nobody else is answering I'd like to, at least, try to guide you on how to find the root problem.

The NTLM functionality is implemented through two classes. The first one is NtlmFilter, which can be configured through properties in portal(-ext).properties:

    ntlm.auth.enabled=false
    ntlm.auth.domain.controller=127.0.0.1
    ntlm.auth.domain=EXAMPLE


This filter reads the HTTP Authentication headers and acts accordingly. If it decides the user should be authenticated, it leaves an attribute in the request.

The second class is NtlmAutoLogin. This class is responsible for the login and tries to authenticate the user if it finds in the request the attribute left by the filter.

I hope this info helps you get started debugging the problem.
Bruno Farache
RE: Non-domain NTLM Authentication
March 9, 2008 6:06 PM
LIFERAY STAFF

Hi Robert, what do you mean when you say "non-domain instances of IE"? Is the user accessing from outside the domain?
Robert Zahm
RE: Non-domain NTLM Authentication
March 10, 2008 6:30 AM

Thanks for the info, we have worked around this issue for the time being, but I am hoping to be able to revisit it, as allowing proper logins will make life much simpler for us.

What I've found is that NTLM works great for IE browsers where the user has logged into the domain. For machines outside the domain (including non-domain machines, users logged in to machines using local accounts and for Firefox), I have found that it prompts me for a username and password, and then simply signs me in with the username without actually validating that the password is correct.

The "non-domain" machine isn't really a big deal, I was just questioning whether or not the password was actually being validated.

Thanks,

Rob
Scott Westbrook
RE: Non-domain NTLM Authentication
October 3, 2008 12:58 PM

Unfortunately, I am experiencing the same issue with using NTLM. Using an IE browser on the domain that has the Liferay portal (5.1.1) as a trusted or intranet site will log in automatically, without prompting, once the user selects "Sign In" from the Dock menu.

However, Firefox and Chrome will prompt for a username/password, which isn't a problem. However, any password is accepted and the user is logged in. If the user has never logged in before, their information is loaded via LDAP.

If the user logs in using the Sign In portlet, the user's credentials are validated correctly with LDAP.
Luca Costa
RE: Non-domain NTLM Authentication
February 10, 2009 2:58 AM

Same problem on Liferay 5.2.1 + LDAP + NTLM:
the password is not checked.

Is the problem solved?

Luca
Jonas Yuan
RE: Non-domain NTLM Authentication
March 9, 2009 9:26 AM

Any update on this issue?
Jonas Yuan
RE: Non-domain NTLM Authentication
March 10, 2009 5:13 PM

Just testing: it popped up a window asking for user name and password in Firefox 3.0.7 and IE 7.0.

The password is not checked ....

It seems that the users are not imported properly ....

Attachments: LDAP-ADS.png (4.6k)
Luca Costa
RE: Non-domain NTLM Authentication
March 11, 2009 5:17 AM

I have the same problems. If you successfully connect with your AD
(select AD, reset, test all three LDAP test buttons;
I can see users, if you cannot see them I think your AD is different from standard, mine went well immediately),

just check "import at startup" and restart the server.
Now users and groups should be in your server (I know, not the best, but it works).

Now the other 2 points remain:
I cannot automatically get in with IE7/FF when I'm in the domain,
I always get a user/password request, and the password is not checked.

Luca
jerin jacob
RE: Non-domain NTLM Authentication
April 14, 2009 9:34 PM

Any fix for non-domain NTLM authentication? Or any way to get around this problem?
Jonas Yuan
RE: Non-domain NTLM Authentication
April 15, 2009 9:34 AM

Hi Jerin,

This issue was fixed. You can refer to wiki page:

http://www.liferay.com/web/guest/community/wiki/-/wiki/Main/Integration+with+NTLM+plus+ADS

Hope that it helps.

Thanks

Jonas Yuan
Roman Orfinyak
RE: Non-domain NTLM Authentication
April 30, 2009 3:25 AM

Jonas Yuan:
Hi Jerin,

This issue was fixed. You can refer to wiki page:

http://www.liferay.com/web/guest/community/wiki/-/wiki/Main/Integration+with+NTLM+plus+ADS

Hope that it helps.

Thanks

Jonas Yuan


Jonas, which issue are you referring to as fixed? I still see the bug in Jira LPS-2032 as open.

I would also like to stress that the problem is really severe both for non-domain and for domain NTLM authentication. A user can log in to a portal knowing only the user names of other users, even if he is using IE which is in the domain. This can be done if one goes to Tools -> Internet Options -> Security -> Choose a zone in which your site is -> Custom Level -> At the bottom of the page choose the radio button 'Prompt for user name and password'.

This will tell IE to give you a user name/password dialog box each time you enter the site with NTLM authentication configured. Knowing the user names of users, one can log in to the site *SUPPLYING ANY PASSWORD*.

Any feedback from Liferay community would be welcome.

Regards,
Roman.
jerin jacob
RE: Non-domain NTLM Authentication
May 7, 2009 3:13 AM

Hi Roman,
You are exactly into the problem I am facing...

Any workaround for this? Is there any alternate way so that we fix it?

Thanks
cometta cometta cometta
RE: Non-domain NTLM Authentication
June 4, 2009 3:14 AM

I thought I was the only one facing this. I will update you all if I find anything. Any update so far on this?
cometta cometta cometta
RE: Non-domain NTLM Authentication
June 4, 2009 6:15 PM

Trying to troubleshoot this...
Maybe we can discuss this. From the information that I have, NtlmFilter uses NtlmSsp to get the user credentials. In order to fix this, we need to call getPassword() and compare it, right? Each time I call getPassword(), I get null. Any findings you folks want to share?
cometta cometta cometta
RE: Non-domain NTLM Authentication
June 4, 2009 8:15 PM

Hello Gurus,
After digging here and there, I think I came up with a fix and I want to get feedback from all of you.

I edited the NtlmFilter.java file, searched for the keyword "ntlm = NtlmSsp.authenticate(request, response, challenge);", then below this line I added

    try {
        // Have the domain controller validate the NTLM credentials;
        // a failed logon throws SmbException.
        SmbSession.logon(uniAddress, ntlm);
    }
    catch (jcifs.smb.SmbException smbE) {
        // Only print a brief error and skip
        _log.error("smbSession.logon error logon credential");
        return null;
    }



Now, if the NTLM pop-up appears and you enter a wrong password, you will not be allowed to log in, and you are forwarded to a blank page. Maybe forwarding to a blank page is not a good idea. Any suggestions? Maybe you folks can give me feedback. If this is the fix to the problem, can someone put this in SVN? Your feedback is needed so that I can comment on the bug reported at issues.liferay.com.
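
The posts above report that getPassword() returns null and that only SmbSession.logon rejects a wrong password. This added example, which is not part of the original posts or of Liferay's or jCIFS's code, shows why: the NTLM Type 3 message a browser sends carries a claimed user name and a challenge response, never the password. The class name, the constructed sample message and the EXAMPLE\alice identity are assumptions for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class NtlmType3Fields {
    // Security-buffer positions in an NTLM Type 3 (authenticate) message header.
    static final int NT_RESPONSE = 20, DOMAIN = 28, USER = 36;

    // A security buffer is length (2 bytes), allocated size (2), payload offset (4), little-endian.
    static byte[] field(byte[] msg, int pos) {
        ByteBuffer b = ByteBuffer.wrap(msg).order(ByteOrder.LITTLE_ENDIAN);
        if (msg.length < 64 || !new String(msg, 0, 8, StandardCharsets.US_ASCII).equals("NTLMSSP\0")
                || b.getInt(8) != 3) {
            throw new IllegalArgumentException("not an NTLM Type 3 message");
        }
        int len = b.getShort(pos) & 0xFFFF;
        int off = b.getInt(pos + 4);
        if (off < 0 || off > msg.length - len) {
            throw new IllegalArgumentException("security buffer points outside the message");
        }
        return Arrays.copyOfRange(msg, off, off + len);
    }

    // Constructed sample: a Unicode Type 3 message whose LM/NT responses are dummy zero bytes.
    static byte[] sample(String domain, String user) {
        byte[][] parts = { new byte[24], new byte[24],
            domain.getBytes(StandardCharsets.UTF_16LE), user.getBytes(StandardCharsets.UTF_16LE) };
        int total = 64;
        for (byte[] p : parts) total += p.length;
        ByteBuffer b = ByteBuffer.allocate(total).order(ByteOrder.LITTLE_ENDIAN);
        b.put("NTLMSSP\0".getBytes(StandardCharsets.US_ASCII)).putInt(3);
        int off = 64;
        for (byte[] p : parts) {   // LM, NT, domain and user buffers at 12, 20, 28, 36
            b.putShort((short) p.length).putShort((short) p.length).putInt(off);
            off += p.length;
        }
        b.putInt(60, 0x00000001);  // NTLMSSP_NEGOTIATE_UNICODE; workstation and session key stay empty
        b.position(64);
        for (byte[] p : parts) b.put(p);
        return b.array();
    }

    public static void main(String[] args) {
        byte[] msg = sample("EXAMPLE", "alice");
        String who = new String(field(msg, DOMAIN), StandardCharsets.UTF_16LE) + "\\" + new String(field(msg, USER), StandardCharsets.UTF_16LE);
        System.out.println("claimed identity: " + who);
        System.out.println("NT response: " + field(msg, NT_RESPONSE).length + " bytes, no password field");
    }
}
```

The parsed name is only a claim until the domain controller has verified the NT response against the server challenge. A filter that sets its request attribute before that check accepts any password.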
Roman Orfinyak
RE: Non-domain NTLM Authentication
June 9, 2009 2:33 AM

cometta cometta cometta:
Hello Gurus,
After digging here and there, I think I came up with a fix and I want to get feedback from all of you.

I edited the NtlmFilter.java file, searched for the keyword "ntlm = NtlmSsp.authenticate(request, response, challenge);", then below this line I added
....


Hi Cometta,

We actually also came to that fix. It is working for us now.
cometta cometta cometta
RE: Non-domain NTLM Authentication
June 9, 2009 6:26 PM



portal-impl/src/com/liferay/portal/servlet/filters/sso/ntlm/NtlmFilter.java