Eric Tse
NTLMv2 Issues in Liferay 6.0.6 / 6.1.2-ce-ga3 with Windows 7 Client
11 September 2013 00:26
Rank: New Member
Posts: 9
Join date: 5 August 2011

I set up LDAP and NTLM authentication in my Liferay a year ago and it works perfectly. Recently, the system admin wanted to enhance security and deployed the following group policy settings, and now NTLM authentication does not work anymore (i.e. a login dialog box pops up):

In gpedit.msc > Local Computer Policy > Windows Settings > Security Settings > Local Policies > Security Options >

Original Settings:
"Network security: LAN Manager authentication level" = "Send LM & NTLM - use NTLMv2 session security if negotiated"
"Network security: Minimum session security for NTLM SSP based (including secure RPC) clients" = "No minimum"
"Network security: Minimum session security for NTLM SSP based (including secure RPC) servers" = "No minimum"

New Settings:
"Network security: LAN Manager authentication level" = "Send NTLMv2 response only. Refuse LM & NTLM"
"Network security: Minimum session security for NTLM SSP based (including secure RPC) clients" = "Require NTLMv2 session security, Require 128 bit encryption"
"Network security: Minimum session security for NTLM SSP based (including secure RPC) servers" = "Require NTLMv2 session security, Require 128 bit encryption"

The NTLM works again immediately after changing the "Network security: LAN Manager authentication level" back to the original settings.

Environment
Liferay: 6.0.6 CE and liferay-portal-tomcat-6.1.2-ce-ga3-20130816114619181.zip running on a Solaris server and a Windows 7 (64-bit) development PC
LDAP: Windows 2008 R2
Client: Windows XP (32-bit) + IE 8.0.6001.18702CO, Update version: 0, OR Windows 7 (64-bit) + IE 9.0.8112.16421, Update versions: 9.0.18 (KB2846071)

NTLM negotiation
- end user clicks the sign-in button
- client (IE) fires request
- server (Liferay) responds 401 with WWW-Authenticate: NTLM
- client fires Authorization: NTLM xxxxxxxxxxxxxx, Provider: NTLMSSP, Type 1
- server responds 401 with WWW-Authenticate: NTLM xxxxxxxxxx, Provider: NTLMSSP, Type 2
- client fires Authorization: NTLM xxxxxxxxxxx, Provider: NTLMSSP, Type 3, lm_resp (24 bytes, all null), nt_resp (240 bytes)
- server (com.liferay.portal.security.ntlm.NetLogon.java) calls the LDAP server; response code -1073741715 (dec) or 0xc000006d (hex)
- server throws NtlmLogonException (Logon failure: unknown user name or bad password.)
- server responds 401 with WWW-Authenticate: NTLM
- client pops up the login dialog box

Tried the following; still failed:
Basic Setup - Liferay NTLMv2 SSO (link)
Modify the negotiateFlags (link) in 6.0.6
I wondered if my Liferay was too old, so I downloaded the latest liferay-portal-tomcat-6.1.2-ce-ga3-20130816114619181.zip; it still has the same issue.
Upgraded jcifs to jcifs-1.3.17.jar to allow getting the ntresponse as 240 bytes

Reference
http://issues.liferay.com/browse/LPS-15380
http://msdn.microsoft.com/en-us/library/cc704291.aspx
http://www.liferay.com/community/forums/-/message_boards/message/6164790
http://jcifs.samba.org/ntstatus.txt
http://davenport.sourceforge.net/ntlm.html#theNtlmv2Response
http://www.liferay.com/community/forums/-/message_boards/message/26414568

Any suggestions / ideas are welcome!!
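The handshake listed above ends at the Type 3 message, and the two facts that matter are visible in its bytes: a 24-byte LM response that is all null, and an NT response far longer than the 24 bytes of an NTLMv1 response (240 bytes here, i.e. an NTLMv2 response carrying AV pairs). The following decoder is an added example, not code from this thread, from Liferay or from jCIFS. It takes an Authorization header value, reports both response lengths, whether the LM field is null, whether the NT response has NTLMv2 shape, the AV pairs inside it, and which NegotiateFlags the client set, including NEGOTIATE_EXTENDED_SESSIONSECURITY and NEGOTIATE_128, the bits that correspond to the "Require NTLMv2 session security" and "Require 128 bit encryption" policy options. Field offsets follow MS-NLMP; the message it decodes is constructed inline, with placeholder domain, user and host names and arbitrary proof bytes.

```python
"""Decode an NTLM Type 3 (AUTHENTICATE_MESSAGE) from an HTTP Authorization
header and report what the client actually sent.  Field layout follows
MS-NLMP; the sample message below is constructed for this example."""
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

# NegotiateFlags bits (MS-NLMP 2.2.2.5) relevant to the session-security policies
FLAG_NAMES = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",  # "NTLMv2 session security"
    0x00800000: "NEGOTIATE_TARGET_INFO",
    0x20000000: "NEGOTIATE_128",                       # "128 bit encryption"
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 6: "Flags", 7: "Timestamp", 9: "TargetName"}
STRING_AVS = {1, 2, 3, 4, 9}


def _buffer(msg, at):
    """Read a security buffer (Len, MaxLen, Offset) and return the bytes it points to."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, at)
    return msg[offset:offset + length]


def parse_av_pairs(blob):
    """Decode the AV_PAIR list inside an NTLMv2 client challenge."""
    pairs, pos = {}, 0
    while pos + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == 0:                       # MsvAvEOL terminates the list
            break
        value = blob[pos:pos + av_len]
        pos += av_len
        if av_id in STRING_AVS:
            value = value.decode("utf-16-le")
        pairs[AV_NAMES.get(av_id, f"AvId{av_id}")] = value
    return pairs


def inspect_type3(header_value):
    """Parse 'NTLM <base64>' and classify the responses it carries."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM Authorization header")
    msg = base64.b64decode(token)
    if msg[:8] != NTLMSSP_SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP Type 3 message")
    lm_resp, nt_resp = _buffer(msg, 12), _buffer(msg, 20)
    domain = _buffer(msg, 28).decode("utf-16-le")
    user = _buffer(msg, 36).decode("utf-16-le")
    flags = struct.unpack_from("<I", msg, 60)[0]
    # NTLMv1: NT response is exactly 24 bytes.  NTLMv2: 16-byte NTProofStr, then a
    # client-challenge blob starting 0x01 0x01 whose AV pairs begin 28 bytes later.
    if len(nt_resp) > 24 and nt_resp[16:18] == b"\x01\x01":
        kind, av_pairs = "NTLMv2", parse_av_pairs(nt_resp[44:])
    elif len(nt_resp) == 24:
        kind, av_pairs = "NTLMv1", {}
    else:
        kind, av_pairs = "unknown", {}
    return {
        "kind": kind, "domain": domain, "user": user,
        "lm_len": len(lm_resp), "lm_all_null": not any(lm_resp),
        "nt_len": len(nt_resp),
        "flags": sorted(name for bit, name in FLAG_NAMES.items() if flags & bit),
        "av_pairs": av_pairs,
    }


def build_sample_type3():
    """CONSTRUCTED sample: null 24-byte LM response plus an NTLMv2 NT response.
    Domain, user and host names are placeholders; proof/challenge bytes are arbitrary."""
    domain, user, host = (s.encode("utf-16-le") for s in ("EXAMPLE", "alice", "WS01"))
    av_pairs = (struct.pack("<HH", 2, len(domain)) + domain                 # NbDomainName
                + struct.pack("<HH", 1, 8) + "DC01".encode("utf-16-le")  # NbComputerName
                + struct.pack("<HH", 7, 8) + bytes(8)                    # Timestamp
                + struct.pack("<HH", 0, 0))                              # MsvAvEOL
    nt_resp = (bytes(range(16))            # NTProofStr (arbitrary here)
               + b"\x01\x01" + bytes(6)    # RespType, HiRespType, reserved
               + bytes(8) + b"\xaa" * 8    # TimeStamp, ChallengeFromClient
               + bytes(4) + av_pairs)      # reserved, AV pairs
    flags = 0x00000001 | 0x00000200 | 0x00008000 | 0x00080000 | 0x00800000 | 0x20000000
    fields, payload = b"", b""
    for buf in (bytes(24), nt_resp, domain, user, host, b""):   # six security buffers
        fields += struct.pack("<HHI", len(buf), len(buf), 64 + len(payload))
        payload += buf                                            # fixed header is 64 bytes
    msg = NTLMSSP_SIGNATURE + struct.pack("<I", 3) + fields + struct.pack("<I", flags) + payload
    return "NTLM " + base64.b64encode(msg).decode("ascii")


if __name__ == "__main__":
    for key, value in inspect_type3(build_sample_type3()).items():
        print(f"{key}: {value}")
```

To use it on a real capture, pass the Authorization header value from the browser's network trace in place of build_sample_type3(). A kind of NTLMv1 means the client is still sending 24-byte responses, which the "Send NTLMv2 response only. Refuse LM & NTLM" level will never produce; a kind of NTLMv2 with the two session-security flags set means the client side matches the new policy, and the 0xc000006d status then points at how the server-side (NetLogon / jCIFS) validates the NTLMv2 response rather than at the browser.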
Eric Tse
RE: NTLMv2 Issues in Liferay 6.0.6 / 6.1.2-ce-ga3 with Windows 7 Client
12 September 2013 09:17
Rank: New Member
Posts: 9
Join date: 5 August 2011

Does any expert have some ideas??