Introduction #

The purpose of this document is to explain, with an example, how to integrate NTLM Single Sign-On (SSO) into the Liferay portal. By default, the portal uses its own authentication, i.e. user name and password, to identify a user. Liferay portal also supports external authentication methods: Lightweight Directory Access Protocol (LDAP) against any compliant LDAP directory, Central Authentication Service (JA-SIG CAS), OpenID, OpenSSO, and Computer Associates' (CA) SiteMinder.

Overview #

Suppose that you have a Microsoft Active Directory Server (ADS) with an IP address such as 192.168.2.230 serving a domain such as cignex.net. By default, the LDAP port number is 389.

Users and groups are in CN=Users,DC=CIGNEX,DC=NET

The administrator: CN=Administrator,CN=Users,DC=CIGNEX,DC=NET

We are going to integrate this NTLM setup into the Liferay portal.

ADS Settings #

Default settings #

Check the checkbox Enabled.

Check the checkbox Required.

Select Microsoft Active Directory Server.

Connection #

Connect to the ADS server:

Base Provider URL: for example, ldap://192.168.2.230:389.

Base DN: for example, CN=Users,DC=CIGNEX,DC=NET

Principal: for example, CN=Administrator,CN=Users,DC=CIGNEX,DC=NET

Credentials: the password of the Administrator.

Users Mapping #

Note: use the Authentication Search Filter (cn=@screen_name@) so that users log in with their screen name.
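The search filter above is a template: at login time the portal replaces @screen_name@ with whatever the user typed and sends the resulting filter to the directory to locate the user's entry. The value therefore has to be escaped according to RFC 4515 before it is substituted, otherwise characters such as `)`, `(` and `*` become part of the filter syntax and a typed-in name can change which entries the search matches. The following Python script is an added illustration, not code from the article or from Liferay itself; the function names, the `@token@` handling and the sample names are assumptions made for the example, and it contrasts a naive substitution with an escaped one for the page's `(cn=@screen_name@)` template.

```python
"""Substitute a Liferay-style @token@ placeholder into an LDAP search filter safely."""
import re

# RFC 4515 escapes for the characters that carry meaning inside a filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Placeholder syntax used by the article's filter, e.g. @screen_name@ (assumed form).
_TOKEN = re.compile(r"@([a-z_]+)@")


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so the directory matches it literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def naive_search_filter(template: str, values: dict) -> str:
    """Plain text substitution: whatever the user typed becomes filter syntax.

    Kept only to show the difference; do not use this form.
    """
    result = template
    for key, value in values.items():
        result = result.replace(f"@{key}@", value)
    return result


def build_search_filter(template: str, values: dict) -> str:
    """Replace every @token@ in the template with the escaped value for that token."""

    def substitute(match: re.Match) -> str:
        key = match.group(1)
        if key not in values:
            raise KeyError(f"no value supplied for filter token @{key}@")
        return escape_filter_value(values[key])

    return _TOKEN.sub(substitute, template)


if __name__ == "__main__":
    template = "(cn=@screen_name@)"  # the filter recommended in the article
    # Constructed sample inputs: an ordinary screen name, a wildcard, and a
    # value containing filter syntax.
    for name in ("jsmith", "*", "x)(cn=*"):
        print(f"{name!r:12} naive:   {naive_search_filter(template, {'screen_name': name})}")
        print(f"{'':12} escaped: {build_search_filter(template, {'screen_name': name})}")
```

For the ordinary name both functions produce `(cn=jsmith)`; for the other two inputs the naive form yields a filter that matches every entry or a differently structured filter, while the escaped form produces `(cn=\2a)` and `(cn=x\29\28cn=\2a)`, which only match an entry whose cn literally contains those characters. Whatever produces the final filter in your deployment, check that it performs this escaping; the mapping screen itself does not show it.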

Groups Mapping #

Import and Export #

Save when you are ready.

NTLM Settings #

Check the checkbox Enabled.

Input Domain Controller: for example, cignex.net.

Input Domain: e.g., 192.168.2.230.

Note that the server on which the Liferay portal is installed must be able to reach the domain through the domain controller.

Testing Results #

You should get screenshots similar to the following.

Imported Users #

Imported Groups #

User Groups

Users in User Groups

SSO authentication #

That's it. You're done!


Issues #

As of now, NTLM is deactivated for browsers other than Internet Explorer due to security issues. To activate it, one has to replace the current NtlmFilter with a new class (e.g. add a new class through an extension and override the SSO NTLM filter class in ROOT/WEB-INF/liferay-web.xml).

Unlike Internet Explorer, Firefox requires the portal URL to be added in "about:config" to the "network.automatic-ntlm-auth.trusted-uris" setting.


Section "ADS Settings":
I set all values, press "Save", but "Microsoft Active Directory Server" is still unchecked. I tried it several times but it remains unchecked no matter.
Is this an error or just a UI bug?
Posted on 18.06.09 03:41.
Section "Connection":
Is it a must that you specify a domain administrator account in field "Principal"? The "Test LDAP Connection" is successful but I still cannot login to Web Space with any AD login so I'd like to know if this may be the problem?
Posted on 22.06.09 06:43.
MSAD server does not need to be checked. It is meant for resetting the default values. (each different LDAP server has different default values)
Posted on 11.08.09 10:43 in reply to Gerimint Allat.
I followed all the steps, and I still can not connect via AD, is there a solution?
Posted on 17.09.09 03:07 in reply to Amos Fong.
Hi Jona,
This article is very nice. Like this I have imported all the users and groups from OpenLDAP to Liferay. And now the problem is, whenever I'm trying to create a user through the Liferay UI, that user is not exported to LDAP?
Is there any workaround?
Posted on 22.10.09 02:45 in reply to alamut avani.
In my case all the tests go well but liferay does not import (export) users. Neither while saving nor while starting up the liferay (tried with tomcat 6 and tomcat 5.5) AD on windows 2008 server enterprise, liferay running on the same machine. Principal user has all maximum privileges (domain admin etc.) Of course I am unable to login on that user to liferay.

Anyone is invited to send any hint because I am stuck.
Posted on 27.11.09 01:26 in reply to java user 007.
I currently have LDAP authentication working and would like to setup SSO via NTLM. Once SSO is setup, how can I additionally log in as other users using LDAP? (I want to use SSO but also have a manual method for logging in as other users)
Posted on 13.10.10 10:54.
I had a working installation with 5.2.3 and MS AD, but it does not work anymore with 6.0.5 ... I followed this site and that http://www.liferay.com/community/wiki/-/wiki/Main/NTLMv2+SSO+Configuration site but it is not able to connect to LDAP or has anyone solved the problem???
Posted on 14.10.10 04:16 in reply to Matthew Snider.
Where can I find the Ntlmv2Filter?
Posted on 18.04.11 23:56 in reply to Martin Lungershausen.
Pictures aren't displayed for me in this article, and it seems that they contain a fair amount of the info needed to set this up. :/
Posted on 23.02.12 02:34 in reply to Vili Perttilä.
Looks like NTLM SSO is not working with Liferay 6.1 and Winserver 2008 R2. Any suggestions?!
Posted on 09.03.12 06:15 in reply to Greg Dray.
Anyone know the new location of broken image links on this page? Seems like they are no longer in the original location http://liferay.cignex.com/ntlm/LDAP_01.png
Posted on 16.05.14 06:19.