Liferay 7 - NTLM authentication issue

Nor EL MALKI, modified 7 years ago.

Liferay 7 - NTLM authentication issue

New Member Posts: 14 Join Date: 16-8-27
Hello everyone,

I'm trying to configure my Liferay instance (Liferay CE 7.0 GA3) to authenticate users through NTLM.

I'm using Wireshark to monitor NTLM authentication packets.

I also set the log level to DEBUG for a new category com.liferay.portal.security.sso.ntlm to get authentication logs.

The logs show that Liferay retrieves the user's correct username, but the authentication doesn't complete; I'm getting the classic login / password screen after NTLM authentication.

Thanks for any help,

Nor
Sandeep Nair, modified 7 years ago.

RE: Liferay 7 - NTLM authentication issue

Liferay Legend Posts: 1744 Join Date: 08-11-6
Hi,

I don't have the Liferay 7 source handy with me. But from what I know of Liferay 6.2, as you have shown in the log, you are getting the username in NTLMFilter.
What happens next is that this username is stored in a request attribute and later used by NTLMAutoLogin. In NTLMAutoLogin, using one of the LDAPUtil methods, it tries to get the user details from LDAP. I suspect something is wrong there.

The next thing I suspect is that once the user is successfully obtained from LDAP, the user is also imported into Liferay. Liferay does not allow a numeric screenname by default, and I see that your username is numeric. I am sure there is a property available with which you can allow a numeric screenname.

Kindly check these two areas.

Regards,
Sandeep
Nor EL MALKI, modified 7 years ago.

RE: Liferay 7 - NTLM authentication issue

New Member Posts: 14 Join Date: 16-8-27
Hello Sandeep,

Thanks a lot for your suggestions,

I tried to add com.liferay.portal.security.ldap.internal.exportimport.LDAPUserImporterImpl for DEBUG logging but nothing came up. The LDAP authentication is working and Import is enabled.

Numerical username values are allowed through the portal-ext.properties file:

users.screen.name.allow.numeric=true


Maybe there is something missing in my authentication config? Or maybe, since there are no logs for LDAPUserImporterImpl after NTLM authentication, the NTLMAutoLogin uses another implementation for UserImporter?
Sandeep Nair, modified 7 years ago.

RE: Liferay 7 - NTLM authentication issue

Liferay Legend Posts: 1744 Join Date: 08-11-6
Hi,


I assume this is in one of your lower environments. If so, is it possible to enable remote debug, and debug using Eclipse by attaching the Liferay source?
I would suggest you keep a debug point at the doLogin method of NTLMAutoLogin to see which implementation of UserImporter is being used (I think it is still LDAPUserImporterImpl), and then put a debug point at the importUserByScreenName method of that class.

Regards,
Sandeep
Nor EL MALKI, modified 7 years ago.

RE: Liferay 7 - NTLM authentication issue

New Member Posts: 14 Join Date: 16-8-27
Hello Sandeep,

I think we've made a huge step in understanding the origin of the issue:

When remote-debugging the NTLMAutoLogin doLogin method, I noticed that the NTLM_REMOTE_USER attribute is never set on the request.

I tried step-by-step debugging from the NTLMFilter processFilter method; the attribute is set correctly at line #347. When the request lands at the org.apache.catalina.connector.CoyoteAdapter service method, the attribute is cleared at line #584 upon the condition that the request is neither comet nor async. I don't know if it's normal behavior? Is there a special config to apply to Tomcat? My Liferay instance runs under Tomcat 8.0.32 (embedded).

// Recycle the wrapper request and response
if (!comet && !async || error.get()) {
    request.recycle();
    response.recycle();
} else {
    // Clear converters so that the minimum amount of memory
    // is used by this processor
    request.clearEncoders();
    response.clearEncoders();
}


Thanks again for your help !

Nor
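
A dependency-free model of the hand-off discussed in this thread, added here as an illustration and not taken from Liferay or Tomcat source: a filter stores NTLM_REMOTE_USER on the request, a later reader looks it up, and the container recycles the request object once the pipeline returns. The class names, the Handler interface and the sample username are hypothetical; the model only shows that a request attribute is visible within one service pass and absent on the next pass over the same pooled object.

```java
import java.util.HashMap;
import java.util.Map;

// Constructed model, not Tomcat or Liferay code: a pooled request object
// whose attributes live only until the container recycles it.
public class RequestAttributeLifecycle {

    static final String NTLM_REMOTE_USER = "NTLM_REMOTE_USER"; // attribute name from the thread

    static class PooledRequest {
        private final Map<String, Object> attributes = new HashMap<>();
        void setAttribute(String name, Object value) { attributes.put(name, value); }
        Object getAttribute(String name) { return attributes.get(name); }
        void recycle() { attributes.clear(); } // stand-in for request.recycle()
    }

    interface Handler { void handle(PooledRequest request); }

    // Same shape as the quoted snippet: run the pipeline first, then recycle
    // the request unless it is comet or async.
    static void service(PooledRequest request, boolean comet, boolean async,
                        Handler... pipeline) {
        for (Handler handler : pipeline) {
            handler.handle(request);
        }
        if (!comet && !async) {
            request.recycle();
        }
    }

    public static void main(String[] args) {
        PooledRequest pooled = new PooledRequest();
        String[] seen = new String[2];

        // Hypothetical filter step; "12345" is a constructed numeric username.
        Handler filter = r -> r.setAttribute(NTLM_REMOTE_USER, "12345");

        // Pass 1: the filter and the reader run inside the same service() call.
        service(pooled, false, false, filter,
                r -> seen[0] = (String) r.getAttribute(NTLM_REMOTE_USER));

        // Pass 2: the pooled object is reused, but the filter did not run on this pass.
        service(pooled, false, false,
                r -> seen[1] = (String) r.getAttribute(NTLM_REMOTE_USER));

        System.out.println("reader in same pass sees: " + seen[0]);
        System.out.println("reader in next pass sees: " + seen[1]);
    }
}
```
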
Sandeep Nair, modified 7 years ago.

RE: Liferay 7 - NTLM authentication issue

Liferay Legend Posts: 1744 Join Date: 08-11-6
It is not a normal behavior. You are using the Liferay Tomcat bundle, right? If so, then I think you should raise a bug.

PS: I am assuming you are doing the testing on the IE browser. (There was a known issue on IE 11: https://issues.liferay.com/browse/LPS-43909)

Regards,
Sandeep
Ionut Stanescu, modified 7 years ago.

RE: Liferay 7 - NTLM authentication issue

New Member Posts: 3 Join Date: 16-4-17
Hi!

Any progress on this issue? Our Liferay deployment has the same behaviour, so any update is welcome.

Thanks
Wesley Lago, modified 4 years ago.

RE: Liferay 7 - NTLM authentication issue

New Member Posts: 2 Join Date: 12-4-19
Hello,
any news on the subject?