Piero Ribichini
NTLM authentication
October 15, 2010 6:28 AM

Hi,
I'm trying to configure NTLM authentication in Liferay 6.0.5 with
Microsoft Active Directory on Windows Server 2008 R2.
During my test I receive the following error:

ERROR [NtlmFilter:214] Unable to perform NTLM authentication
com.liferay.portal.security.ntlm.NtlmLogonException: Session key negotiation failed
at com.liferay.portal.security.ntlm.NetlogonConnection.connect(NetlogonConnection.java:112)
at com.liferay.portal.security.ntlm.Netlogon.logon(Netlogon.java:54)
at com.liferay.portal.security.ntlm.NtlmManager.authenticate(NtlmManager.java:70)
at com.liferay.portal.servlet.filters.sso.ntlm.NtlmFilter.processFilter(NtlmFilter.java:209)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:123)

Configuration parameters seem correct. The computer service account was created and a password was assigned.

Is it a configuration issue?

Thanks, Piero
Marek Gregor
RE: NTLM authentication
November 25, 2010 12:41 AM

Hello Piero

We have experienced the same problem, without any success. Searching the web, we found that the problem can be deeper, in the jcifs library, which Liferay 6.0.5 uses internally for NTLM: http://samba.2283325.n4.nabble.com/JCIFS-and-Windows-2008-R2-with-IE8-td2964420.html

Inspecting the source code and debugging, we found
that netrServerAuthenticate3.getServerCredential() returns a byte array filled with zeroes: http://www.jarvana.com/jarvana/view/com/liferay/portal/portal-impl/6.0.5/portal-impl-6.0.5-sources.jar!/com/liferay/portal/security/ntlm/NetlogonConnection.java?format=ok

so the problem is somewhere in the filling of the netrServerAuthenticate3 object by dcerpcHandle.sendrecv(netrServerAuthenticate3);

mg.
Marek Gregor
RE: NTLM authentication
November 25, 2010 12:51 AM

Maybe also interesting: http://adtroubleshooting.deuby.com/2010/02/w2k8-r2-ad-upgrade-tip-ntlm-changes.html
Patrice Laramee
RE: NTLM authentication
April 18, 2011 8:47 AM

Hi,

I had the same issue, but I realized it was a configuration error.

Here's what I've done to fix it. The online documentation for NTLM authentication is really outdated: it talks about NTLMv1, but in Liferay 6+ it's forced to NTLMv2.

Two things to take into consideration:
1- Make sure your PC will support NTLMv2 auth. This can be found in Control Panel/Local Security Policies/*NTLM* (there's more than one to check, but 'Network Security: LAN Manager authentication level' should be set to 'Send LM & NTLM - use NTLMv2 session security if negotiated' (insecure, I know! It's for legacy Intranet support)).
2- Look at the configuration in Liferay:

Domain Controller: IP of the domain controller
Domain Controller Name: NetBIOS name of the DC
Domain: DOMAIN
Service Account: a computer account
Service Password: (tricky to set, you will need a script provided by Liferay)


Example call for the following script:
C:\liferay\>cscript setcomputerpass.vbs "CN=liferay,OU=computers,dc=DOMAIN,dc=com"

Save it as SetComputerPass.vbs
------------------ CODE ---------------------
Option Explicit
Dim strDn, objPassword, strPassword, objComputer

' Expect exactly one argument: the distinguished name of the computer account
If WScript.arguments.count <> 1 Then
WScript.Echo "Usage: SetComputerPass.vbs <ComputerDN>"
WScript.Quit
End If

strDn = WScript.arguments.item(0)

' Read the new password from the console without echoing it
Set objPassword = CreateObject("ScriptPW.Password")
WScript.StdOut.Write "Password:"
strPassword = objPassword.GetPassword()

' Bind to the computer object over LDAP (ADSI) and set its password
Set objComputer = GetObject("LDAP://" & strDn)
objComputer.SetPassword strPassword

WScript.Echo
WScript.Echo "Password set on " & strDn

WScript.Quit
------------------ CODE ---------------------

There was a bug in the original script provided by Liferay; I had to modify it.

Hope it helps!
-Pat
Christopher Lui
RE: NTLM authentication
April 19, 2011 3:21 PM
LIFERAY STAFF

There is a known issue with NTLM authenticating with 2008 R2.

See http://issues.liferay.com/browse/LPS-15380
Patrice Laramee
RE: NTLM authentication
April 21, 2011 12:51 PM

Forgot to mention, I was using Windows Server 2003.
Jason Smith
RE: NTLM authentication
October 5, 2012 6:34 AM

Is Liferay 6.1 GA2 supposed to work with NTLMv2 and Microsoft AD 2008 R2?

I read:
http://www.windowsecurity.com/articles/Protect-Weak-Authentication-Protocols-Passwords.html

When I have the security policy "Send NTLMv2 response only/refuse LM" on the Domain Controller, everything works fine.
When I put "Send NTLMv2 response only/refuse LM & NTLM" on the Domain Controller, it stops working and IE 9 starts popping up the username and password dialog.

Liferay property is set to default:
ntlm.auth.negotiate.flags=0x600FFFFF

Does anybody know where the problem is?

By changing the security policy to be more strict, I get the following exception:

16:09:53,111 ERROR [NtlmFilter:235] Unable to perform NTLM authentication
com.liferay.portal.security.ntlm.NtlmLogonException: Unable to authenticate due to communication failure with server
at com.liferay.portal.security.ntlm.Netlogon.logon(Netlogon.java:96)
at com.liferay.portal.security.ntlm.NtlmManager.authenticate(NtlmManager.java:69)
at com.liferay.portal.servlet.filters.sso.ntlm.NtlmFilter.processFilter(NtlmFilter.java:230)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:57)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:206)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:108)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:187)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:95)
..........
Caused by: jcifs.smb.SmbAuthException: Logon failure: unknown user name or bad password.
at jcifs.smb.SmbTransport.checkStatus(SmbTransport.java:528)
at jcifs.smb.SmbTransport.send(SmbTransport.java:645)
at jcifs.smb.SmbSession.sessionSetup(SmbSession.java:322)
at jcifs.smb.SmbSession.send(SmbSession.java:224)
at jcifs.smb.SmbTree.treeConnect(SmbTree.java:176)
at jcifs.smb.SmbFile.doConnect(SmbFile.java:906)
at jcifs.smb.SmbFile.connect(SmbFile.java:949)
at jcifs.smb.SmbFile.connect0(SmbFile.java:875)
at jcifs.smb.SmbFileInputStream.<init>(SmbFileInputStream.java:76)
at jcifs.smb.TransactNamedPipeInputStream.<init>(TransactNamedPipeInputStream.java:38)
at jcifs.smb.SmbNamedPipe.getNamedPipeInputStream(SmbNamedPipe.java:166)
at jcifs.dcerpc.DcerpcPipeHandle.doSendFragment(DcerpcPipeHandle.java:66)
at jcifs.dcerpc.DcerpcHandle.sendrecv(DcerpcHandle.java:181)
at jcifs.dcerpc.DcerpcHandle.bind(DcerpcHandle.java:126)
at com.liferay.portal.security.ntlm.NetlogonConnection.connect(NetlogonConnection.java:88)
at com.liferay.portal.security.ntlm.Netlogon.logon(Netlogon.java:50)
... 68 more
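The post above quotes the default ntlm.auth.negotiate.flags=0x600FFFFF without saying which NTLMSSP flags that word actually requests. The following decoder is an added example for this thread (not Liferay or jcifs code); it maps each bit to its name from MS-NLMP section 2.2.2.5 and reports the points a defender would look at, such as whether the legacy LM session key is requested. Note that the negotiate flags do not choose between NTLMv1 and NTLMv2 responses; on the jcifs side that is governed by its LM-compatibility property (jcifs.smb.lmCompatibility in jcifs 1.x), so a flag review alone cannot answer the question in the post.

```python
"""Decode Liferay's ntlm.auth.negotiate.flags value (0x600FFFFF in the post
above) into NTLMSSP NEGOTIATE flag names from MS-NLMP section 2.2.2.5.
Added example for this thread; it is not Liferay or jcifs code."""

# Bit masks and names from MS-NLMP 2.2.2.5; reserved bits are left unnamed.
NEGOTIATE_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000002: "NTLM_NEGOTIATE_OEM",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000040: "NTLMSSP_NEGOTIATE_DATAGRAM",
    0x00000080: "NTLMSSP_NEGOTIATE_LM_KEY",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00000800: "NTLMSSP_ANONYMOUS",
    0x00001000: "NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED",
    0x00002000: "NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "NTLMSSP_TARGET_TYPE_DOMAIN",
    0x00020000: "NTLMSSP_TARGET_TYPE_SERVER",
    0x00080000: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00100000: "NTLMSSP_NEGOTIATE_IDENTIFY",
    0x00400000: "NTLMSSP_REQUEST_NON_NT_SESSION_KEY",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO",
    0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}

# Flags a reviewer would not expect in a hardened configuration (assumed list).
WEAK_FLAGS = {"NTLMSSP_NEGOTIATE_LM_KEY"}


def parse_flags(value):
    """Accept the value as written in portal-ext.properties (0x-prefixed hex or decimal)."""
    return int(value.strip(), 0)


def decode_flags(flags):
    """Split a 32-bit flags word into (set of flag names, set of unnamed bit masks)."""
    named, unnamed = set(), set()
    for bit in range(32):
        mask = 1 << bit
        if flags & mask:
            if mask in NEGOTIATE_FLAGS:
                named.add(NEGOTIATE_FLAGS[mask])
            else:
                unnamed.add(mask)
    return named, unnamed


def review_flags(value):
    """Decode a flags value and list what a defender would want to check."""
    named, unnamed = decode_flags(parse_flags(value))
    findings = []
    for name in sorted(named & WEAK_FLAGS):
        findings.append(f"{name} requested (legacy LM session key)")
    if "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY" not in named:
        findings.append("extended session security not requested")
    if "NTLMSSP_NEGOTIATE_SIGN" not in named:
        findings.append("message signing not requested")
    if unnamed:
        findings.append("reserved bits set: " + ", ".join(f"0x{m:08X}" for m in sorted(unnamed)))
    return {"named": named, "unnamed": unnamed, "findings": findings}


def clear_flags(value, names):
    """Return a new property value (hex string) with the given named flags cleared."""
    flags = parse_flags(value)
    for mask, name in NEGOTIATE_FLAGS.items():
        if name in names:
            flags &= ~mask
    return f"0x{flags:08X}"


if __name__ == "__main__":
    report = review_flags("0x600FFFFF")
    for name in sorted(report["named"]):
        print(name)
    print(report["findings"])
    print(clear_flags("0x600FFFFF", {"NTLMSSP_NEGOTIATE_LM_KEY"}))
```

The default value sets every named flag in the low 20 bits (including NTLMSSP_NEGOTIATE_LM_KEY and NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY together; per MS-NLMP the server returns only extended session security when both are requested) plus NTLMSSP_NEGOTIATE_128 and NTLMSSP_NEGOTIATE_KEY_EXCH, and also five reserved bits. Whether a trimmed value such as the one clear_flags produces still works with a given jcifs version is something to verify in a test environment before changing it.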
Jason Smith
RE: NTLM authentication
October 9, 2012 2:32 AM

It seems to me that, even though I'm trying to use NTLMv2, it's still using NTLMv1.

Or am I wrong?
Domingo Martinez
RE: NTLM authentication
January 29, 2015 12:42 PM

Hi,
I'm also trying to configure NTLM authentication in Liferay Portal Community Edition 6.2 CE GA2 (Newton / Build 6201 / March 20, 2014) with
Microsoft Active Directory on Windows Server 2008 R2. It has "Send NTLMv2 response only" set as the Network Security: LAN Manager authentication level.

I received the exception "Session key negotiation failed". How can I avoid this problem?

Thanks,
Chris Börgermann
RE: NTLM authentication
February 11, 2015 10:29 PM

Same problem here.

We had the opportunity to use a workaround by updating the local security policy.
1. Click Start, in the Start Search box enter “gpedit.msc”
2. Navigate to Computer Configuration->Windows Settings->Security Settings->Local Policies->Security Options.
3. In the right pane, find "Network Security: LAN Manager Authentication Level" and double-click it.
4. Change the setting from "Send NTLMv2 response only" to "Send LM & NTLM - use NTLMv2 session if negotiated".

But I am still searching for the "correct" way.
Domingo Martinez
RE: NTLM authentication
February 12, 2015 3:56 AM

Hi Chris,

I solved it the way you said: I set this value on the client side and the authentication with NTLM works fine.

Thanks a lot for your advice,
Silvio Meier
RE: NTLM authentication
August 11, 2015 12:38 PM

Hi Chris and Domingo

We also had this problem at our company using LR 6.2. Our configuration only worked with the client-side setting "Send LM & NTLM - use NTLMv2 session security if negotiated" on our client systems. In contrast, the settings "Send NTLMv2 response only/refuse LM & NTLM" and "Send NTLMv2 response only/refuse LM" were not successful. This indicates that NTLMv1 is used instead of NTLMv2, and this is not recommended.

When configuring NTLMv2, we encountered two possible pitfalls with respect to the configuration settings of ntlm.auth.domain.controller.name and ntlm.auth.domain in portal-ext.properties file or the corresponding fields in the control panel UI of Liferay.

1. Pitfall
The controller name must be specified either as an IP address or as the *NetBIOS name*. The NetBIOS name in ntlm.auth.domain.controller.name must be written without a trailing dollar sign ($), which is sometimes used for NetBIOS names of computers. If you do not specify a proper NetBIOS name, you will probably get the exception com.liferay.portal.security.ntlm.NtlmLogonException: Session key negotiation failed. Ask the system administrator of your domain controller for the NetBIOS name. Example for the controller name setting:

ntlm.auth.domain.controller.name=MYCONTROLLER

2. Pitfall
The problem described above is probably caused by the setting ntlm.auth.domain which *must* be the netbios name of the domain. Example:

ntlm.auth.domain=MYDOMAIN


If you set an improper NetBIOS name, for example the internet DNS name of the domain, the client settings "Send NTLMv2 response only/refuse LM" and "Send NTLMv2 response only/refuse LM & NTLM" do not work! The only setting that works is "Send LM & NTLM - use NTLMv2 session security if negotiated" or any setting that is weaker.

I assume that this is because only NTLMv2 uses the netbios name controller but not NTLMv1. So if the netbios name of the controller is found to be wrong while trying to use NTLMv2, NTLMv1 is used as fallback. If this is not possible because the security restrictions are set to Send NTLMv2 response only/refuse LM or Send NTLMv2 response only/refuse LM & NTLM, an exception occurs com.liferay.portal.security.ntlm.NtlmLogonException: Unable to authenticate user: Logon failure: unknown user name or bad password.

In order to retrieve the proper NetBIOS name of the domain, open a command line (cmd.exe) as a user who is a member of that domain. Then enter this command:

SET


Look in the output for the variable USERDOMAIN. As a side note: the variable USERDNSDOMAIN contains the internet domain name of the domain, which is also shown by System Control Panel --> System in the Windows settings. This could look something like this:

...
USERDNSDOMAIN=MYDOMAIN.EXAMPLE.COM
USERDOMAIN=MYDOMAIN
...


Use the value of the variable USERDOMAIN as value for ntlm.auth.domain. After doing so, we could set Send NTLMv2 response only/refuse LM or Send NTLMv2 response only/refuse LM & NTLM (or just leave the default settings of Windows 7+) on the clients and it worked without any problems for LR 6.2!

I think the pitfalls described above are caused because the use of the netbios names is not obvious from the official Liferay documentation https://www.liferay.com/de/community/wiki/-/wiki/Main/NTLMv2+SSO+Configuration. For retrieving the domain (Pitfall 2), Microsoft documentation instructs you to use the domain name from the System Control Center --> System for newer Windows versions, which is the internet domain name (cf. variable USERDNSDOMAIN above) of the domain and not the netbios name. This is maybe the root of the problem.

Maybe it helps for solving your issues.

Silvio
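The two pitfalls in the post above (a DNS name where the NetBIOS domain name belongs, and a controller name with a trailing `$`) are easy to catch before restarting the portal. The following check is an added example for this thread, not Liferay code: it reads the two properties from portal-ext.properties text, applies the rules Silvio describes, and cross-checks ntlm.auth.domain against the USERDOMAIN variable from the output of SET on a domain member. The property values, the SET output and the NetBIOS-name character rule are constructed sample data and assumptions for the example.

```python
"""Checks for the two pitfalls above: ntlm.auth.domain must be the NetBIOS domain
name (USERDOMAIN, not USERDNSDOMAIN) and ntlm.auth.domain.controller.name must be
an IP address or a NetBIOS host name with no trailing '$'.
Added example for this thread; it is not Liferay code."""
import ipaddress
import re

# NetBIOS names: at most 15 characters, no dots, none of the characters Windows
# forbids in computer names (assumed rule, sufficient for this check).
NETBIOS_NAME = re.compile(r'^[^\\/:*?"<>|.\s]{1,15}$')

# Constructed sample inputs, modelled on the values quoted in the thread.
BAD_PROPS = """
# DNS name of the domain and a '$'-suffixed controller name: both wrong
ntlm.auth.domain=MYDOMAIN.EXAMPLE.COM
ntlm.auth.domain.controller.name=MYCONTROLLER$
"""
GOOD_PROPS = """
ntlm.auth.domain=MYDOMAIN
ntlm.auth.domain.controller.name=MYCONTROLLER
"""
SET_OUTPUT = """
USERDNSDOMAIN=MYDOMAIN.EXAMPLE.COM
USERDOMAIN=MYDOMAIN
USERNAME=jdoe
"""


def parse_properties(text):
    """Minimal key=value parser for the portal-ext.properties lines we need."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def parse_set_output(text):
    """Extract VAR=value pairs from the output of cmd.exe's SET command."""
    env = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip():
            env[key.strip().upper()] = value.strip()
    return env


def is_ip_address(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_ntlm_config(props, env=None):
    """Return a list of findings; an empty list means both pitfalls are avoided."""
    findings = []
    domain = props.get("ntlm.auth.domain", "")
    dc_name = props.get("ntlm.auth.domain.controller.name", "")

    if not domain:
        findings.append("ntlm.auth.domain is not set")
    elif "." in domain:
        findings.append(f"ntlm.auth.domain={domain} is a DNS name; use the NetBIOS domain name")
    elif not NETBIOS_NAME.match(domain):
        findings.append(f"ntlm.auth.domain={domain} is not a valid NetBIOS name")

    if not dc_name:
        findings.append("ntlm.auth.domain.controller.name is not set")
    elif dc_name.endswith("$"):
        findings.append(f"ntlm.auth.domain.controller.name={dc_name} has a trailing '$'; drop it")
    elif not (is_ip_address(dc_name) or NETBIOS_NAME.match(dc_name)):
        findings.append(f"ntlm.auth.domain.controller.name={dc_name} is neither an IP address nor a NetBIOS name")

    # Cross-check against the domain member's environment when SET output is available
    if env and domain:
        expected = env.get("USERDOMAIN")
        if expected and domain.upper() != expected.upper():
            findings.append(f"ntlm.auth.domain={domain} does not match USERDOMAIN={expected}")
    return findings


if __name__ == "__main__":
    env = parse_set_output(SET_OUTPUT)
    for label, text in (("bad", BAD_PROPS), ("good", GOOD_PROPS)):
        print(label, check_ntlm_config(parse_properties(text), env) or "OK")
```

Run it against the real portal-ext.properties and the real SET output to get the same findings for an installation; an empty result only means the two naming pitfalls are avoided, not that the computer account password or the client LAN Manager level are correct.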
NGHE KIEN
RE: NTLM authentication
April 14, 2016 2:02 AM

Hi Silvio Meier,

I did the same steps that you mention but I always got the error

com.liferay.portal.security.ntlm.NtlmLogonException: Session key negotiation failed

My environments:
Liferay CE 6.2
Windows Server 2008
domain: test.org
NetBIOS: TEST
Computer acct: LIFERAY$@TEST.ORG
Password: password

connection with LDAP works fine

I have tried with all options for LAN Manager authentication level on Client PC, but still the same error...

Thanks in advance for helping