Introduction #

The purpose of this document is to explain, with an example, how to integrate NTLM Single Sign-On (SSO) into the Liferay portal. By default, the portal uses its own authentication, i.e. user name and password, to identify a user. Liferay portal also supports external authentication methods such as Lightweight Directory Access Protocol (LDAP) against any compliant LDAP directory, as well as Central Authentication Service (JA-SIG CAS), OpenID, OpenSSO, and Computer Associates' (CA) SiteMinder.

Overview #

Suppose that you have a Microsoft Active Directory Server (ADS) with an IP address of, e.g., 192.168.2.230 and a domain, e.g., cignex.net. By default, the port number is 389.

Users and groups are in CN=Users,DC=CIGNEX,DC=NET

The administrator: CN=Administrator,CN=Users,DC=CIGNEX,DC=NET

We are planning to integrate NTLM for this setup into Liferay portal.

ADS Settings #

Default settings #

Check the checkbox Enabled.

Check the checkbox Required.

Select Microsoft Active Directory Server.

Connection #

Connect to the ADS server

Base Provider URL: for example, ldap://192.168.2.230:389.

Base DN: for example, CN=Users,DC=CIGNEX,DC=NET

Principal: for example, CN=Administrator,CN=Users,DC=CIGNEX,DC=NET

Credentials: the password of the Administrator.

Users Mapping #

Note: to log in by screen name, set the Authentication Search Filter to (cn=@screen_name@).
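
The `@screen_name@` placeholder in this filter is filled with the name the user types at login, so that value has to be escaped per RFC 4515 before it becomes part of the LDAP query. The Python below is an added example, not Liferay's code and not part of the original page; the function names are hypothetical and the sample screen names are constructed.

```python
import re

TEMPLATE = "(cn=@screen_name@)"  # the Authentication Search Filter from this page

# RFC 4515: these characters must be written as \XX inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_PLACEHOLDER = re.compile(r"@([a-z_]+)@")


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so the directory matches it literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_auth_filter(template: str, values: dict) -> str:
    """Expand @name@ placeholders in a filter template with escaped values."""
    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"no value supplied for placeholder @{name}@")
        return escape_filter_value(values[name])
    # A callable replacement is inserted as-is, so the backslashes survive.
    return _PLACEHOLDER.sub(substitute, template)


def metachar_profile(ldap_filter: str) -> tuple:
    """Count '(', ')' and '*'; escaping must keep this equal to the template's."""
    return tuple(ldap_filter.count(c) for c in "()*")


if __name__ == "__main__":
    # Constructed sample: a screen name that contains filter metacharacters.
    name = "j*doe (ops)"
    naive = TEMPLATE.replace("@screen_name@", name)
    safe = render_auth_filter(TEMPLATE, {"screen_name": name})
    print("naive:", naive, metachar_profile(naive))
    print("safe: ", safe, metachar_profile(safe))
```

A rendered filter whose metacharacter profile differs from the template's means the login name changed the structure of the query instead of being matched as a literal value.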

Groups Mapping #

Import and Export #

Save when you are ready.

NTLM Settings #

Check the checkbox Enabled.

Input Domain Controller: for example, cignex.net.

Input Domain: e.g., 192.168.2.230.

Note that the server where Liferay portal is installed must be able to access the domain through the domain controller.

Testing Results #

You should see results similar to the following screenshots.

Imported Users #

Imported Groups #

User Groups

Users in User Groups

SSO authentication #

That's it. You got it!

Issues #

For now, NTLM is deactivated for browsers other than Internet Explorer due to security issues. To activate it, one has to replace the current NtlmFilter with a new class (e.g. by adding a new class through an extension and overriding the SSO Ntlm Filter class in ROOT/WEB-INF/liferay-web.xml).

Unlike in Internet Explorer, in Firefox one has to add the portal URL to the "network.automatic-ntlm-auth.trusted-uris" setting in "about:config".

Comments

Section "ADS Settings":
I set all values, press "Save", but "Microsoft Active Directory Server" is still unchecked. I tried it several times but it remains unchecked no matter.
Is this an error or just a UI bug?
Posted by Gerimint Allat on 18/06/09 3:41.
Section "Connection":
Is it a must that you specify a domain administrator account in field "Principal"? The "Test LDAP Connection" is successful but I still cannot login to Web Space with any AD login so I'd like to know if this may be the problem?
Posted by Gerimint Allat on 22/06/09 6:43.
MSAD server does not need to be checked. It is meant for resetting the default values. (each different LDAP server has different default values)
Posted by Amos Fong on 11/08/09 10:43 in reply to Gerimint Allat.
I followed all the steps, and I still can not connect via AD, is there a solution?
Posted by alamut avani on 17/09/09 3:07 in reply to Amos Fong.
Hi Jona,
This article is very nice. Like this I have imported all the users and groups from openldap to liferay. And now the problem is, whenever I'm trying to create a user through liferay UI then that user is not exported to ldap?
Is there any workaround?
Posted by G P on 22/10/09 2:45 in reply to alamut avani.
In my case all the tests go well but liferay does not import (export) users. Neither while saving nor while starting up the liferay (tried with tomcat 6 and tomcat 5.5) AD on windows 2008 server enterprise, liferay running on the same machine. Principal user has all maximum privileges (domain admin etc.) Of course I am unable to login on that user to liferay.

Anyone is invited to send any hint because I am stuck.
Posted by Tomasz Ryzner on 27/11/09 1:26 in reply to java user 007.
I currently have LDAP authentication working and would like to setup SSO via NTLM. Once SSO is setup, how can I additionally log in as other users using LDAP? (I want to use SSO but also have a manual method for logging in as other users)
Posted by Matthew Snider on 13/10/10 10:54.
I had a working installation with 5.2.3 and MS AD, but it does not work anymore with 6.0.5 ... I followed this site and that http://www.liferay.com/community/wiki/-/wiki/Main/NTLMv2+SSO+Configuration site but it is not able to connect to LDAP or has anyone solved the problem???
Posted by Martin Lungershausen on 14/10/10 4:16 in reply to Matthew Snider.
Where can I find the Ntlmv2Filter?
Posted by Jason Smith on 18/04/11 23:56 in reply to Martin Lungershausen.
Pictures aren't displayed for me in this article, and it seems that they contain a fair amount of the info needed to set this up. :/
Posted by Greg Dray on 23/02/12 2:34 in reply to Vili Perttilä.
Looks like NTLM SSO is not working with Liferay 6.1 and Winserver 2008 R2. Any suggestions?!
Posted by Hendrik Lampe on 9/03/12 6:15 in reply to Greg Dray.
Anyone know the new location of broken image links on this page? Seems like they are no longer in the original location http://liferay.cignex.com/ntlm/LDAP_01.png
Posted by Sailesh Ranjit on 16/05/14 6:19.