This wiki does not contain official documentation and is currently deprecated and read only. Please try reading the documentation on the Liferay Developer Network, the new site dedicated to Liferay documentation.
NTLM SSO
Introduction #
The purpose of this document is to explain, with an example, how to integrate NTLM Single Sign-On (SSO) into the Liferay portal. By default, the portal uses its own authentication, i.e. user name and password, to identify a user. Liferay portal also supports external authentication methods: Lightweight Directory Access Protocol (LDAP) against any compliant LDAP database, Central Authentication Service (JA-SIG CAS), OpenID, OpenSSO, and Computer Associates' (CA) SiteMinder.
Overview #
Suppose that you have a Microsoft Active Directory Server (ADS) with an IP address of, e.g., 192.168.2.230 and a domain, e.g., cignex.net. By default, the port number is 389.
Users and groups are in CN=Users,DC=CIGNEX,DC=NET
The administrator: CN=Administrator,CN=Users,DC=CIGNEX,DC=NET
We plan to integrate NTLM for this setup into the Liferay portal.
ADS Settings #
Default settings #
Check the checkbox Enabled.
Check the checkbox Required.
Select Microsoft Active Directory Server.
Connection #
Connect to the ADS server
Base Provider URL: for example, ldap://192.168.2.230:389.
Base DN: for example, CN=Users,DC=CIGNEX,DC=NET
Principal: for example, CN=Administrator,CN=Users,DC=CIGNEX,DC=NET
Credentials: the password of the Administrator.
Users Mapping #
Note: use the Authentication Search Filter (cn=@screen_name@) for screenName login.
Groups Mapping #
Import and Export #
Save when you are ready.
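As an added example (not part of the original wiki page and not Liferay's own code), the following Python script audits the example values from the Connection and Users Mapping steps above for two weak spots: a bind over plain ldap:// and the built-in Administrator used as the bind principal. The dictionary keys reuse the field labels from this page; the ldaps:// URL on port 636 and the svc-liferay account name in the hardened variant are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the example values given on this page.
PAGE_SETTINGS = {
    "Base Provider URL": "ldap://192.168.2.230:389",
    "Base DN": "CN=Users,DC=CIGNEX,DC=NET",
    "Principal": "CN=Administrator,CN=Users,DC=CIGNEX,DC=NET",
    "Authentication Search Filter": "(cn=@screen_name@)",
}
# Constructed hardened variant; svc-liferay is a hypothetical account name.
HARDENED_SETTINGS = {
    **PAGE_SETTINGS,
    "Base Provider URL": "ldaps://192.168.2.230:636",
    "Principal": "CN=svc-liferay,CN=Users,DC=CIGNEX,DC=NET",
}

def split_dn(dn):
    """Split a DN into lower-cased (attribute, value) pairs.
    Simplification: assumes no escaped commas, as in the DNs on this page."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.lower(), value.lower()))
    return pairs

def audit_ldap_settings(settings):
    """Return a list of finding codes for the given connection settings."""
    findings = []
    url = urlsplit(settings["Base Provider URL"])
    if url.scheme != "ldaps":
        # With plain ldap:// the bind password is not protected by TLS in transit.
        findings.append("CLEARTEXT_BIND")
    if split_dn(settings["Principal"])[0] == ("cn", "administrator"):
        # The built-in Administrator holds far more rights than a directory lookup needs.
        findings.append("ADMIN_BIND_ACCOUNT")
    flt = settings["Authentication Search Filter"]
    if not re.search(r"@\w+@", flt):
        # Without a login placeholder the filter does not depend on who logs in.
        findings.append("FILTER_WITHOUT_PLACEHOLDER")
    if not flt.startswith("(") or flt.count("(") != flt.count(")"):
        findings.append("FILTER_UNBALANCED")
    return findings

if __name__ == "__main__":
    print("page values:    ", audit_ldap_settings(PAGE_SETTINGS))
    print("hardened values:", audit_ldap_settings(HARDENED_SETTINGS))
```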
NTLM Settings #
Check the checkbox Enabled.
Input Domain Controller: for example, cignex.net.
Input Domain: e.g., 192.168.2.230.
Note that the server where Liferay portal is installed must have access to the domain through the domain controller.
Testing Results #
You should see results similar to the following screenshots.
Imported Users #
Imported Groups #
User Groups
Users in User Groups
SSO authentication #
That's it. You got it!
Issues #
As of now, NTLM is deactivated for browsers other than Internet Explorer due to security issues. To activate it, one has to replace the current NtlmFilter with a new class (e.g. by adding a new class through an extension and overriding the SSO Ntlm Filter class in ROOT/WEB-INF/liferay-web.xml).
Unlike in Internet Explorer, in Firefox one has to add the portal URL to the "network.automatic-ntlm-auth.trusted-uris" setting in "about:config".