Liferay 7 - NTLM authentication issue
Nor EL MALKI, modified 7 years ago.
New Member Posts: 14 Join Date: 27/08/16
Hello everyone,
I'm trying to configure my Liferay instance (Liferay CE 7.0 GA3) to authenticate users through NTLM.
I'm using Wireshark to monitor NTLM authentication packets.
I also set the log level to DEBUG for a new category com.liferay.portal.security.sso.ntlm to get authentication logs.
The logs show that Liferay retrieves the user's correct username, but the authentication doesn't complete: I'm getting the classic login / password screen after NTLM authentication.
Thanks for any help,
Nor
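An added example (not from the thread or from Liferay's code): a small decoder for the NTLM token carried in the "Authorization: NTLM ..." header seen in a Wireshark capture, to confirm which domain, user and workstation the browser sent in its type 3 message. The names parse_ntlm_header and build_sample_type3, the sample values, and the cp437 fallback for OEM-encoded strings are assumptions made for this example.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # strings are UTF-16LE when set, OEM otherwise


def _field(msg, pos):
    """Read a (length, max length, offset) descriptor and return the bytes it points to."""
    length, _max_len, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field at %d points outside the message" % pos)
    return msg[offset:offset + length]


def parse_ntlm_header(header_value):
    """Decode an 'NTLM <base64>' header value; identity fields exist only in type 3."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM Authorization value")
    msg = base64.b64decode(token, validate=True)
    if len(msg) < 12 or not msg.startswith(NTLMSSP_SIGNATURE):
        raise ValueError("missing NTLMSSP signature")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    result = {"type": msg_type}  # 1 = NEGOTIATE, 2 = CHALLENGE, 3 = AUTHENTICATE
    if msg_type != 3:
        return result
    if len(msg) < 64:
        raise ValueError("truncated AUTHENTICATE message")
    (flags,) = struct.unpack_from("<I", msg, 60)
    # Assumption: cp437 stands in for the client's OEM code page.
    codec = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"
    for name, pos in (("domain", 28), ("user", 36), ("workstation", 44)):
        result[name] = _field(msg, pos).decode(codec)
    return result


def build_sample_type3(domain, user, workstation):
    """Constructed AUTHENTICATE message with empty responses, for offline testing only."""
    parts = [b"", b""] + [s.encode("utf-16-le") for s in (domain, user, workstation)] + [b""]
    offset, descriptors = 64, b""
    for part in parts:
        descriptors += struct.pack("<HHI", len(part), len(part), offset)
        offset += len(part)
    msg = NTLMSSP_SIGNATURE + struct.pack("<I", 3) + descriptors
    msg += struct.pack("<I", NEGOTIATE_UNICODE) + b"".join(parts)
    return "NTLM " + base64.b64encode(msg).decode("ascii")


SAMPLE = build_sample_type3("EXAMPLE", "100234", "WKS01")  # constructed values
```

Comparing the decoded user with the username in the com.liferay.portal.security.sso.ntlm DEBUG log shows whether the value was altered between the wire and the filter.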
Sandeep Nair, modified 7 years ago.
RE: Liferay 7 - NTLM authentication issue
Liferay Legend Posts: 1744 Join Date: 06/11/08
Hi,
I don't have the Liferay 7 source handy with me. But from what I know of Liferay 6.2, as you have shown in the log, you are getting the username in NTLMFilter.
What happens next is that this username is stored in a request attribute and later used by NTLMAutoLogin. In NTLMAutoLogin, using one of the LDAPUtil methods, it tries to get the user details from LDAP. I suspect something is wrong there.
The next thing I suspect is that once the user is successfully obtained from LDAP, the user is also imported into Liferay. Liferay does not allow a numeric screen name by default, and I see that your username is numeric. I am sure there is a property available with which you can allow numeric screen names.
Kindly check these two areas.
Regards,
Sandeep
Nor EL MALKI, modified 7 years ago.
RE: Liferay 7 - NTLM authentication issue
New Member Posts: 14 Join Date: 27/08/16
Hello Sandeep,
Thanks a lot for your suggestions,
I tried to add com.liferay.portal.security.ldap.internal.exportimport.LDAPUserImporterImpl for DEBUG logging, but nothing came up. LDAP authentication is working and import is enabled.
Numerical username values are allowed through the portal-ext.properties file:
users.screen.name.allow.numeric=true
Maybe there is something missing in my authentication config? Or maybe, since there are no logs for LDAPUserImporterImpl after NTLM authentication, NTLMAutoLogin uses another implementation of UserImporter?
Sandeep Nair, modified 7 years ago.
RE: Liferay 7 - NTLM authentication issue
Liferay Legend Posts: 1744 Join Date: 06/11/08
Hi,
I assume this is in one of your lower environments. If so, is it possible to enable remote debug and debug using Eclipse by attaching the Liferay source?
I would suggest you keep a debug point at the doLogin method of NTLMAutoLogin to see which implementation of UserImporter is being used (I think it is still LDAPUserImporterImpl) and then put a debug point at the importUserByScreenName method of that class.
Regards,
Sandeep
Nor EL MALKI, modified 7 years ago.
RE: Liferay 7 - NTLM authentication issue
New Member Posts: 14 Join Date: 27/08/16
Hello Sandeep,
I think we've made a huge step in understanding the origin of the issue:
When remote-debugging the NTLMAutoLogin doLogin method, I noticed that the NTLM_REMOTE_USER attribute is never set on the request.
I tried step-by-step debugging from the NTLMFilter processFilter method; the attribute is correctly set at line #347. When the request lands at the org.apache.catalina.connector.CoyoteAdapter service method, the attribute is cleared at line #584 upon the condition that the request is neither comet nor async. I don't know if this is normal behavior? Is there a special config to apply to Tomcat? My Liferay instance runs under Tomcat 8.0.32 (embedded).
// Recycle the wrapper request and response
if (!comet && !async || error.get()) {
    request.recycle();
    response.recycle();
} else {
    // Clear converters so that the minimum amount of memory
    // is used by this processor
    request.clearEncoders();
    response.clearEncoders();
}
Thanks again for your help!
Nor
Sandeep Nair, modified 7 years ago.
RE: Liferay 7 - NTLM authentication issue
Liferay Legend Posts: 1744 Join Date: 06/11/08
It is not normal behavior. You are using the Liferay Tomcat bundle, right? If so, then I think you should raise a bug.
PS: I am assuming you are doing the testing on the IE browser. (There was a known issue on IE 11: https://issues.liferay.com/browse/LPS-43909)
Regards,
Sandeep
Ionut Stanescu, modified 7 years ago.
RE: Liferay 7 - NTLM authentication issue
New Member Posts: 3 Join Date: 17/04/16
Hi!
Any progress on this issue? Our Liferay deployment has the same behaviour, so any update is welcome.
Thanks
Wesley Lago, modified 4 years ago.
RE: Liferay 7 - NTLM authentication issue
New Member Posts: 2 Join Date: 19/04/12
Hello,
Any news on the subject?