Liferay 7 - NTLM authentication issue

Nor EL MALKI, modified 7 years ago.

New Member Posts: 14 Join Date: 27.08.16
Hello everyone,

I'm trying to configure my Liferay instance (Liferay CE 7.0 GA3) to authenticate users through NTLM.

I'm using Wireshark to monitor NTLM authentication packets.

I also set the log level to DEBUG for a new category com.liferay.portal.security.sso.ntlm to get authentication logs.

The logs show that Liferay retrieves the user's correct username, but the authentication doesn't complete; I'm getting the classic login / password screen after NTLM authentication.

Thanks for any help,

Nor

Sandeep Nair, modified 7 years ago.

RE: Liferay 7 - NTLM authentication issue

Liferay Legend Posts: 1744 Join Date: 06.11.08
Hi,

I don't have the Liferay 7 source handy with me. But from what I know of Liferay 6.2, as you have shown in the log, you are getting the username in NTLMFilter.
What happens next is that this username is stored in a request attribute and later on used by NTLMAutoLogin. In NTLMAutoLogin, using one of the LDAPUtil methods, it tries to get the user details from LDAP. I suspect something is wrong there.

The next thing I suspect is that once the user is successfully obtained from LDAP, the user is also imported into Liferay. Liferay does not allow a numeric screen name by default, and I see that your username is numeric. I am sure there is a property available with which you can allow numeric screen names.

Kindly check these two areas.

Regards,
Sandeep

Nor EL MALKI, modified 7 years ago.

RE: Liferay 7 - NTLM authentication issue

New Member Posts: 14 Join Date: 27.08.16
Hello Sandeep,

Thanks a lot for your suggestions,

I tried to add com.liferay.portal.security.ldap.internal.exportimport.LDAPUserImporterImpl for DEBUG logging, but nothing came up. The LDAP authentication is working and Import is enabled.

Numerical username values are allowed through the portal-ext.properties file:

users.screen.name.allow.numeric=true


Maybe there is something missing in my authentication config? Or maybe, since there are no logs for LDAPUserImporterImpl after NTLM authentication, NTLMAutoLogin uses another implementation of UserImporter?

Sandeep Nair, modified 7 years ago.

RE: Liferay 7 - NTLM authentication issue

Liferay Legend Posts: 1744 Join Date: 06.11.08
Hi,


I assume this is in one of your lower environments. If so, is it possible to enable remote debugging and debug using Eclipse by attaching the Liferay source?
I would suggest you set a debug point at the doLogin method of NTLMAutoLogin to see which implementation of UserImporter is being used (I think it is still LDAPUserImporterImpl) and then put a debug point at the importUserByScreenName method of that class.

Regards,
Sandeep

Nor EL MALKI, modified 7 years ago.

RE: Liferay 7 - NTLM authentication issue

New Member Posts: 14 Join Date: 27.08.16
Hello Sandeep,

I think we've made a huge step in understanding the origin of the issue:

When remote-debugging the NTLMAutoLogin doLogin method, I noticed that the NTLM_REMOTE_USER attribute is never set on the request.

I tried step-by-step debugging from the NTLMFilter processFilter method; the attribute is correctly set at line #347. When the request lands at the org.apache.catalina.connector.CoyoteAdapter service method, the attribute is cleared at line #584 upon the condition that the request is neither comet nor async. I don't know if this is normal behavior? Is there a special config to apply to Tomcat? My Liferay instance runs under Tomcat 8.0.32 (embedded).

// Recycle the wrapper request and response
if (!comet && !async || error.get()) {
    request.recycle();
    response.recycle();
} else {
    // Clear converters so that the minimum amount of memory
    // is used by this processor
    request.clearEncoders();
    response.clearEncoders();
}


Thanks again for your help!

Nor

Sandeep Nair, modified 7 years ago.

RE: Liferay 7 - NTLM authentication issue

Liferay Legend Posts: 1744 Join Date: 06.11.08
It is not normal behavior. You are using the Liferay Tomcat bundle, right? If so, then I think you should raise a bug.

PS: I am assuming you are doing the testing on the IE browser. (There was a known issue on IE 11: https://issues.liferay.com/browse/LPS-43909)

Regards,
Sandeep

Ionut Stanescu, modified 7 years ago.

RE: Liferay 7 - NTLM authentication issue

New Member Posts: 3 Join Date: 17.04.16
Hi!

Any progress on this issue? Our Liferay deployment has the same behaviour, so any update is welcome.

Thanks

Wesley Lago, modified 4 years ago.

RE: Liferay 7 - NTLM authentication issue

New Member Posts: 2 Join Date: 19.04.12
Hello,
Any news on the subject?