Wiki

Main | Proposals

« Back to Single Sign-on

NTLM SSO

Details

Table of Contents [-]

Introduction #

The purpose of this document is to explain how to integrate NTLM Single Sign-On (SSO) into the Liferay portal with an example. By default, the portal uses its own authorization, i.e. user name and password, to identify a user. Liferay portal supports external authorization methods like Lightweight Directory Access Protocol (LDAP) to any compliant LDAP database as well as a Central Authorization Service (JA-SIG CAS), OpenID, and OpenSSO, Computer Associate’s (CA) Siteminder.

Overview #

Suppose that you have a server: Microsoft Active Directory Server (ADS) with IP e.g. 192.168.2.230 and a domain, e.g., cignex.net. By default, the port number is 389.

Users and groups are in CN=Users,DC=CIGNEX,DC=NET

The administrator: CN=Administrator,CN=Users,DC=CIGNEX,DC=NET

We are planning to integrate this NTLM in Liferay portal.

ADS Settings #

Default settings #

Check the checkbox Enabled.

Check the checkbox Required.

Select Microsoft Active Directory Server.

Connection #

Connect to the ADS server

Base Provider URL: for example, ldap://192.168.2.230:389.

Base DN: for example, CN=Users,DC=CIGNEX,DC=NET

Principal: for example, CN=Administrator,CN=Users,DC=CIGNEX,DC=NET

Credentials: the password of the Administrator.

Users Mapping #

Note: use Authentication Search Filter: (cn=@screen_name@) for screenName login

Groups Mapping #

Import and Export #

Save when you are ready.

NTLM Settings #

Check the checkbox Enabled.

Input Domain Controller: for example, cignex.net.

Input Domain: e.g., 192.168.2.230.

Note that the server (where Liferay portal installed) must have access on the domain by the domain controller.

Testing Results #

You should get similar screenshot as follows.

Imported Users #

Imported Groups #

User Groups

Users in User Groups

SSO authentication #

That's it. You got!

[Adding dynamic content model in Document Library]

[Upgrade - migration from 4.3.1 to 5.2.3 - successfully]

[How do you develop - Development Strategies]

[Remote Publishing - what and how]

[Web services - Manage Users, Organizations, User Groups, and Roles via SOAP ]

[Custom Query in the Ext - What and How ]

[JBoss-Tomcat-Liferay portal Clustering - what and how]

[Tomcat 6 as a Windows Service in Windows server 2008 and a 64-bit JDK 6]

Web Services

[Errata for the Liferay Portal 5.2 Systems Development]

0 Attachments

28078 Views

Average (0 Votes)

Comments

Showing 11 Comments

Gerimint Allat

6/18/09 3:41 AM

Section "ADS Settings":
I set all values, press "Save", but "Microsoft Active Directory Server" is still unchecked. I tried it several times but it remains unchecked no matter.
Is this an error or just a UI bug?

Gerimint Allat

6/22/09 6:43 AM

Section "Connection":
Is it a must that you specify a domain administrator account in field "Principal"? The "Test LDAP Connection" is successful but I still cannot login to Web Space with any AD login so I'd like to know if this may be the problem?

Amos Fong

8/11/09 10:43 AM

MSAD server does not need to be checked. It is meant for resetting the default values. (each different LDAP server has different default values)

alamut avani

9/17/09 3:07 AM

I followed all the steps, and I still can not connect via AD, is there a solution?

G P

10/22/09 2:45 AM

Hi Jona,
This article is very nice. Like this i have been imported all the users and groups from openldap to liferay. And now the problem is, whenevr i'm trying to create a user through liferay UI then that user in not exported to ldap?
is there any work around?

Tomasz Ryzner

11/27/09 1:26 AM

In my case all the tests go well but liferay does not import (export) users. Neither while saving nor while starting up the liferay (tried with tomcat 6 and tomcat 5.5) AD on windows 2008 server enterprise, liferay running on the same machine. Principal user has all maximum privileges (domain admin etc.) Of course I am unable to login on that user to liferay.

Anyone is invited to send any hint because I am stuck.

Matthew Snider

10/13/10 10:54 AM

I currently have LDAP authentication working and would like to setup SSO via NTLM. Once SSO is setup, how can I additionally log in as other users using LDAP? (I want to use SSO but also have a manual method for logging in as other users)

Martin Lungershausen

10/14/10 4:16 AM

I had a working installation with 5.2.3 and MS AD, but it does not work anymore with 6.0.5 ... I followed this site and that http://www.liferay.com/community/wiki/-/wiki/Main/NTLMv2+SSO+Configuration site but it is not able to connect to LDAP or has anyone solved the problem???

Jason Smith

4/18/11 11:56 PM

Where can I find the Ntlmv2Filter?

Greg Dray

2/23/12 2:34 AM

Pictures arent displayed for me in this article, and it seems that they contain a fair amount of the info needed to set this up. :/

Hendrik Klan

3/9/12 6:15 AM

Looks like NTLM SSO is not working with Liferay 6.1 and Winserver 2008 R2. Any suggestions?!