Piero Ribichini
NTLM authentication
15 October 2010 6:28

Hi,
I'm trying to configure NTLM authentication in Liferay 6.0.5 with
Microsoft Active Directory on Windows Server 2008 R2.
During my test I receive the following error:

ERROR [NtlmFilter:214] Unable to perform NTLM authentication
com.liferay.portal.security.ntlm.NtlmLogonException: Session key negotiation failed
at com.liferay.portal.security.ntlm.NetlogonConnection.connect(NetlogonConnection.java:112)
at com.liferay.portal.security.ntlm.Netlogon.logon(Netlogon.java:54)
at com.liferay.portal.security.ntlm.NtlmManager.authenticate(NtlmManager.java:70)
at com.liferay.portal.servlet.filters.sso.ntlm.NtlmFilter.processFilter(NtlmFilter.java:209)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:123)

The configuration parameters seem correct. The computer service account was created and a password was assigned.

Is it a configuration issue?

Thanks, Piero
Marek Gregor
RE: NTLM authentication
25 November 2010 0:41

Hello Piero,

We have experienced the same problem, without any success. Searching the web, we found that the problem can be deeper, in the jcifs library that Liferay 6.0.5 uses internally for NTLM: http://samba.2283325.n4.nabble.com/JCIFS-and-Windows-2008-R2-with-IE8-td2964420.html

Inspecting the source code and debugging, we found that netrServerAuthenticate3.getServerCredential() returns a byte array filled with zeroes: http://www.jarvana.com/jarvana/view/com/liferay/portal/portal-impl/6.0.5/portal-impl-6.0.5-sources.jar!/com/liferay/portal/security/ntlm/NetlogonConnection.java?format=ok

So the problem is somewhere in the filling of the netrServerAuthenticate3 object by dcerpcHandle.sendrecv(netrServerAuthenticate3);

mg.
Marek Gregor
RE: NTLM authentication
25 November 2010 0:51

Maybe also interesting: http://adtroubleshooting.deuby.com/2010/02/w2k8-r2-ad-upgrade-tip-ntlm-changes.html
Patrice Laramee
RE: NTLM authentication
18 April 2011 8:47

Hi,

I had the same issue, but I realized it was a configuration error.

Here's what I've done to fix it. The online documentation for NTLM authentication is really outdated: it talks about NTLMv1, but in Liferay 6+ it's forced to NTLMv2.

Two things to take into consideration:
1- Make sure your PC will support NTLMv2 auth. This can be found in Control Panel/Local Security Policies/*NTLM* (there's more than one to check, but 'Network Security: LAN Manager authentication level' should be set to 'Send LM & NTLM - use NTLMv2 session security if negotiated' (insecure... I know! It's for legacy Intranet support)).
2- Look at the configuration in Liferay:

Domain Controller: IP of the domain controller
Domain Controller Name: NetBIOS name of the DC
Domain: DOMAIN
Service Account: a computer account
Service Password: (tricky to set, you will need a script provided by Liferay)


Example call for the following script:
C:\liferay\>cscript setcomputerpass.vbs "CN=liferay,OU=computers,dc=DOMAIN,dc=com"

Save it as SetComputerPass.vbs
------------------ CODE ---------------------
Option Explicit
Dim strDn, objPassword, strPassword, objComputer

' Expect exactly one argument: the distinguished name of the computer account.
If WScript.Arguments.Count <> 1 Then
    WScript.Echo "Usage: SetComputerPass.vbs <ComputerDN>"
    WScript.Quit 1
End If

strDn = WScript.Arguments.Item(0)

' Prompt for the password without echoing it to the console.
' (ScriptPW.Password ships with Windows XP / Server 2003.)
Set objPassword = CreateObject("ScriptPW.Password")
WScript.StdOut.Write "Password:"
strPassword = objPassword.GetPassword()

' Bind to the computer object through ADSI and set its password.
Set objComputer = GetObject("LDAP://" & strDn)
objComputer.SetPassword strPassword

WScript.Echo
WScript.Echo "Password set on " & strDn

WScript.Quit 0
------------------ CODE ---------------------

There was a bug in the original script provided by Liferay; I had to modify it.

Hope it helps!
-Pat
Christopher Lui (Liferay staff)
RE: NTLM authentication
19 April 2011 15:21

There is a known issue with NTLM authenticating with 2008 R2.

See http://issues.liferay.com/browse/LPS-15380
Patrice Laramee
RE: NTLM authentication
21 April 2011 12:51

Forgot to mention, I was using Windows Server 2003.
Jason Smith
RE: NTLM authentication
5 October 2012 6:34

Is Liferay 6.1 GA2 supposed to work with NTLMv2 and Microsoft AD 2008 R2?

I read:
http://www.windowsecurity.com/articles/Protect-Weak-Authentication-Protocols-Passwords.html

When I have the security policy "Send NTLMv2 response only/refuse LM" on the Domain Controller, everything works fine.
When I put "Send NTLMv2 response only/refuse LM & NTLM" on the Domain Controller, it stops working and IE 9 starts popping up a username and password dialog.

The Liferay property is set to the default:
ntlm.auth.negotiate.flags=0x600FFFFF

Does anybody know where the problem is?

By changing the security policy to be more strict, I get the following exception:

16:09:53,111 ERROR [NtlmFilter:235] Unable to perform NTLM authentication
com.liferay.portal.security.ntlm.NtlmLogonException: Unable to authenticate due to communication failure with server
at com.liferay.portal.security.ntlm.Netlogon.logon(Netlogon.java:96)
at com.liferay.portal.security.ntlm.NtlmManager.authenticate(NtlmManager.java:69)
at com.liferay.portal.servlet.filters.sso.ntlm.NtlmFilter.processFilter(NtlmFilter.java:230)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:57)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:206)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:108)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:187)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:95)
..........
Caused by: jcifs.smb.SmbAuthException: Logon failure: unknown user name or bad password.
at jcifs.smb.SmbTransport.checkStatus(SmbTransport.java:528)
at jcifs.smb.SmbTransport.send(SmbTransport.java:645)
at jcifs.smb.SmbSession.sessionSetup(SmbSession.java:322)
at jcifs.smb.SmbSession.send(SmbSession.java:224)
at jcifs.smb.SmbTree.treeConnect(SmbTree.java:176)
at jcifs.smb.SmbFile.doConnect(SmbFile.java:906)
at jcifs.smb.SmbFile.connect(SmbFile.java:949)
at jcifs.smb.SmbFile.connect0(SmbFile.java:875)
at jcifs.smb.SmbFileInputStream.<init>(SmbFileInputStream.java:76)
at jcifs.smb.TransactNamedPipeInputStream.<init>(TransactNamedPipeInputStream.java:38)
at jcifs.smb.SmbNamedPipe.getNamedPipeInputStream(SmbNamedPipe.java:166)
at jcifs.dcerpc.DcerpcPipeHandle.doSendFragment(DcerpcPipeHandle.java:66)
at jcifs.dcerpc.DcerpcHandle.sendrecv(DcerpcHandle.java:181)
at jcifs.dcerpc.DcerpcHandle.bind(DcerpcHandle.java:126)
at com.liferay.portal.security.ntlm.NetlogonConnection.connect(NetlogonConnection.java:88)
at com.liferay.portal.security.ntlm.Netlogon.logon(Netlogon.java:50)
... 68 more
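The post above quotes the default ntlm.auth.negotiate.flags value without saying what the bits mean. The following decoder is an added example written for this page; it is not Liferay or jcifs code. It maps each bit of the mask to its name from the NEGOTIATE flags table in MS-NLMP section 2.2.2.5, separates bits the spec leaves reserved, and reports which of the set flags belong to the LM/NTLMv1 generation of the protocol (NTLMSSP_NEGOTIATE_LM_KEY and NTLMSSP_NEGOTIATE_NTLM). Function names and the sample value are this example's own; whether jcifs honours every bit is not something the thread states.

```python
# Added example: decode an NTLMSSP negotiate-flag mask such as the value of
# Liferay's ntlm.auth.negotiate.flags property. Bit values follow MS-NLMP 2.2.2.5.

# Named flags from MS-NLMP; any other set bit is a reserved bit.
NTLMSSP_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000002: "NTLM_NEGOTIATE_OEM",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000040: "NTLMSSP_NEGOTIATE_DATAGRAM",
    0x00000080: "NTLMSSP_NEGOTIATE_LM_KEY",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00000800: "NTLMSSP_ANONYMOUS",
    0x00001000: "NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED",
    0x00002000: "NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "NTLMSSP_TARGET_TYPE_DOMAIN",
    0x00020000: "NTLMSSP_TARGET_TYPE_SERVER",
    0x00080000: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00100000: "NTLMSSP_NEGOTIATE_IDENTIFY",
    0x00400000: "NTLMSSP_REQUEST_NON_NT_SESSION_KEY",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO",
    0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}

# Flags that MS-NLMP describes as requesting the LM key / NTLM v1 session security.
NTLMV1_ERA = {"NTLMSSP_NEGOTIATE_LM_KEY", "NTLMSSP_NEGOTIATE_NTLM"}


def parse_flags(text):
    """Accept the property value as written in portal-ext.properties, e.g. '0x600FFFFF'."""
    value = text.strip()
    return int(value, 16) if value.lower().startswith("0x") else int(value)


def decode_flags(flags):
    """Return (named, reserved): names of the known flags set in `flags`, in bit
    order, and the masks of any set bits that MS-NLMP marks as reserved."""
    named, reserved = [], []
    for bit in range(32):
        mask = 1 << bit
        if flags & mask:
            if mask in NTLMSSP_FLAGS:
                named.append(NTLMSSP_FLAGS[mask])
            else:
                reserved.append(mask)
    return named, reserved


def ntlmv1_era_flags(flags):
    """Sorted names of the LM/NTLMv1-generation flags that are set."""
    named, _ = decode_flags(flags)
    return sorted(NTLMV1_ERA & set(named))


def report(text):
    """Human-readable summary for one property value (used by the demo below)."""
    flags = parse_flags(text)
    named, reserved = decode_flags(flags)
    lines = [f"{text.strip()} -> {len(named)} named flags, {len(reserved)} reserved bits"]
    lines += [f"  {name}" for name in named]
    lines += [f"  reserved bit 0x{mask:08X}" for mask in reserved]
    lines.append(f"  NTLMv1-era flags set: {', '.join(ntlmv1_era_flags(flags)) or 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Liferay default quoted in the thread.
    print(report("0x600FFFFF"))
```

The decoder shows that the default mask sets NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY together with the NTLMv1-era LM_KEY and NTLM bits, and that five reserved bits are set as well; it also omits NTLMSSP_NEGOTIATE_VERSION and NTLMSSP_NEGOTIATE_56. Which response type the client actually sends is decided by the client's LAN Manager authentication level, as the later posts describe, so the decoded flags are one input to the diagnosis rather than the whole answer.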
Jason Smith
RE: NTLM authentication
9 October 2012 2:32

It seems to me that, even though I'm trying to use NTLMv2, it's still using NTLMv1.

Or am I wrong?
Domingo Martinez
RE: NTLM authentication
29 January 2015 12:42

Hi,
I too am trying to configure NTLM authentication in Liferay Portal Community Edition 6.2 CE GA2 (Newton / Build 6201 / March 20, 2014) with
Microsoft Active Directory on Windows Server 2008 R2. This sets "Send NTLMv2 response only" as the Network security: LAN Manager authentication level.

And I received the exception "Session key negotiation failed". How can I avoid this problem?

Thanks,
Chris Börgermann
RE: NTLM authentication
11 February 2015 22:29

Same problem here.

We had the opportunity to use a workaround by updating the local security policy.
1. Click Start, and in the Start Search box enter "gpedit.msc".
2. Navigate to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options.
3. In the right pane, find "Network Security: LAN Manager Authentication Level" and double-click it.
4. Change the setting from "Send NTLMv2 response only" to "Send LM & NTLM - use NTLMv2 session security if negotiated".

But I am still searching for the "correct" way.
Domingo Martinez
RE: NTLM authentication
12 February 2015 3:56

Hi Chris,

I solved it the way you said: I set this value on the client side and the authentication with NTLM works fine.

Thanks a lot for your advice,
Silvio Meier
RE: NTLM authentication
11 August 2015 12:38

Hi Chris and Domingo,

We also had this problem at our company using LR 6.2. Our configuration only worked with the client-side setting "Send LM & NTLM - use NTLMv2 session security if negotiated" on our client systems. In contrast, the settings "Send NTLMv2 response only/refuse LM & NTLM" and "Send NTLMv2 response only/refuse LM" were not successful. This indicates that NTLMv1 is used instead of NTLMv2, which is not recommended.

When configuring NTLMv2, we encountered two possible pitfalls with respect to the configuration settings of ntlm.auth.domain.controller.name and ntlm.auth.domain in portal-ext.properties file or the corresponding fields in the control panel UI of Liferay.

1. Pitfall
The controller name must be specified either as an IP address or as the *NetBIOS name*. The NetBIOS name in ntlm.auth.domain.controller.name must be written without a trailing dollar sign ($), which is sometimes used for NetBIOS names of computers. If you do not specify a proper NetBIOS name, you will probably get the exception com.liferay.portal.security.ntlm.NtlmLogonException: Session key negotiation failed. Ask the system administrator of your domain controller for the NetBIOS name. Example for the controller name setting:

ntlm.auth.domain.controller.name=MYCONTROLLER

2. Pitfall
The problem described above is probably caused by the setting ntlm.auth.domain, which *must* be the NetBIOS name of the domain. Example:

ntlm.auth.domain=MYDOMAIN


If you set an improper NetBIOS name, for example the internet DNS name of the domain, the client settings "Send NTLMv2 response only/refuse LM" and "Send NTLMv2 response only/refuse LM & NTLM" do not work! The only setting that works is "Send LM & NTLM - use NTLMv2 session security if negotiated" or any setting that is weaker.

I assume that this is because only NTLMv2 uses the NetBIOS name of the controller, but NTLMv1 does not. So if the NetBIOS name of the controller is found to be wrong while trying to use NTLMv2, NTLMv1 is used as a fallback. If this is not possible because the security restrictions are set to "Send NTLMv2 response only/refuse LM" or "Send NTLMv2 response only/refuse LM & NTLM", an exception occurs: com.liferay.portal.security.ntlm.NtlmLogonException: Unable to authenticate user: Logon failure: unknown user name or bad password.

In order to retrieve the proper NetBIOS name of the domain, open a command line (cmd.exe) as a user that is a member of that domain. Then enter the command

SET

Look in the output for the variable USERDOMAIN. As a side note: the variable USERDNSDOMAIN contains the internet domain name of the domain, which is also shown by System Control Panel --> System in the Windows settings. This could look something like this:

...
USERDNSDOMAIN=MYDOMAIN.EXAMPLE.COM
USERDOMAIN=MYDOMAIN
...


Use the value of the variable USERDOMAIN as the value for ntlm.auth.domain. After doing so, we could set "Send NTLMv2 response only/refuse LM" or "Send NTLMv2 response only/refuse LM & NTLM" (or just leave the default settings of Windows 7+) on the clients and it worked without any problems for LR 6.2!

I think the pitfalls described above are caused by the fact that the use of the NetBIOS names is not obvious from the official Liferay documentation https://www.liferay.com/de/community/wiki/-/wiki/Main/NTLMv2+SSO+Configuration. For retrieving the domain (Pitfall 2), Microsoft documentation instructs you to use the domain name from the System Control Center --> System for newer Windows versions, which is the internet domain name (cf. variable USERDNSDOMAIN above) of the domain and not the NetBIOS name. This is maybe the root of the problem.

Maybe it helps for solving your issues.

Silvio
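The two pitfalls in the post above (a DNS name instead of the NetBIOS domain in ntlm.auth.domain, and a trailing $ on ntlm.auth.domain.controller.name) are easy to check mechanically before weakening the client's LAN Manager authentication level. The script below is an added example written for this page, not Liferay code: it reads the ntlm.* keys from a portal-ext.properties file, picks the NetBIOS domain out of captured `SET` output, and reports the mismatches. The property file contents, the `SET` excerpt, the IP address and the function names are constructed for the example.

```python
# Added example: audit Liferay's NTLM SSO properties against the NetBIOS-name
# pitfalls described in the thread. Sample inputs are constructed, not real.
import re

# Constructed misconfiguration: DNS domain name plus a trailing $ on the DC name.
WEAK_PROPERTIES = """
# NTLM SSO (constructed sample)
ntlm.auth.enabled=true
ntlm.auth.domain.controller=192.0.2.10
ntlm.auth.domain.controller.name=MYCONTROLLER$
ntlm.auth.domain=mydomain.example.com
"""

# The same keys with NetBIOS names, as the post recommends.
FIXED_PROPERTIES = """
ntlm.auth.enabled=true
ntlm.auth.domain.controller=192.0.2.10
ntlm.auth.domain.controller.name=MYCONTROLLER
ntlm.auth.domain=MYDOMAIN
"""

# Constructed excerpt of `SET` output from a domain-joined workstation.
SET_OUTPUT = """\
USERDNSDOMAIN=MYDOMAIN.EXAMPLE.COM
USERDOMAIN=MYDOMAIN
USERNAME=alice
"""

IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, '=' or ':' separators."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def netbios_domain_from_set(text):
    """Return USERDOMAIN (the NetBIOS domain) from `SET` output, ignoring USERDNSDOMAIN."""
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key == "USERDOMAIN":
            return value.strip()
    return None


def audit_ntlm(props, expected_netbios_domain=None):
    """Return (key, code, message) findings; an empty list means both pitfalls are absent."""
    findings = []
    domain = props.get("ntlm.auth.domain", "")
    dc_name = props.get("ntlm.auth.domain.controller.name", "")

    if "." in domain:
        findings.append(("ntlm.auth.domain", "DNS_NAME",
                         "looks like a DNS domain name; use the NetBIOS name (USERDOMAIN)"))
    if len(domain) > 15:
        findings.append(("ntlm.auth.domain", "TOO_LONG",
                         "NetBIOS names are at most 15 characters"))
    if expected_netbios_domain and domain.upper() != expected_netbios_domain.upper():
        findings.append(("ntlm.auth.domain", "MISMATCH",
                         f"does not match USERDOMAIN={expected_netbios_domain}"))
    if dc_name.endswith("$"):
        findings.append(("ntlm.auth.domain.controller.name", "TRAILING_DOLLAR",
                         "drop the trailing $ from the controller's NetBIOS name"))
    if "." in dc_name and not IPV4.fullmatch(dc_name):
        findings.append(("ntlm.auth.domain.controller.name", "DNS_NAME",
                         "use the controller's NetBIOS name or its IP address, not a DNS host name"))
    return findings


def demo():
    """Run the audit over the constructed samples; returns (expected, weak, fixed)."""
    expected = netbios_domain_from_set(SET_OUTPUT)
    weak = audit_ntlm(parse_properties(WEAK_PROPERTIES), expected)
    fixed = audit_ntlm(parse_properties(FIXED_PROPERTIES), expected)
    return expected, weak, fixed


if __name__ == "__main__":
    expected, weak, fixed = demo()
    print(f"NetBIOS domain from SET: {expected}")
    for key, code, msg in weak:
        print(f"WEAK   {key}: {code}: {msg}")
    print("FIXED  no findings" if not fixed else f"FIXED  {fixed}")
```

Running the audit against the weak sample reports the DNS-name, length and USERDOMAIN-mismatch problems on ntlm.auth.domain and the trailing $ on the controller name; the corrected sample produces no findings. Keeping the client policy at "Send NTLMv2 response only/refuse LM & NTLM" and fixing these keys is the path the post describes, rather than lowering the client to the NTLMv1-capable level.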
NGHE KIEN
RE: NTLM authentication
14 April 2016 2:02

Hi Silvio Meier,

I did the same steps that you mentioned, but I always get the error

com.liferay.portal.security.ntlm.NtlmLogonException: Session key negotiation failed

My environments:
Liferay CE 6.2
Windows Server 2008
domain: test.org
NetBIOS: TEST
Computer acct: LIFERAY$@TEST.ORG
Password: password

The connection with LDAP works fine.

I have tried all options for the LAN Manager authentication level on the client PC, but still get the same error...

Thanks in advance for helping.