« Back to Single Sign-on

NTLMv2 SSO Configuration

Introduction #

The purpose of this document is to explain how to integrate NTLM Single Sign-On (SSO) into the Liferay Portal that works for NTLMv1 and NTLMv2. Lets first understand what is NTLMv1 and NTLMv2. In very simple words NTLMv1 is supported by Windows XP / Windows 2003 and older version of windows. NTLMv2 is supported by Windows Vista/ Windows 7/ Windows 2008 and higher version for improved security. Liferay Portal till 5.2.x was not supporting NTLMv2. Now they have developed a patch for that works with both NTLMv1 and NTLMv2. This article explains how to integrate NTLM SSO and Microsoft Active Directory Single or Multiple Domain with Liferay Portal.

Overview #

In large enterprises, they have multiple organizations distributed in various locations throughout the globe. For small enterprise assume they have only one location. Some of the enterprises use Microsoft Active Directory to manage user’s security and used to application authentication. Large organizations use multiple LDAP domains and small organization use single LDAP domain. Following section in the article shows how anyone can configure NTLM SSO with Single or Multiple Domain Controllers.

How to configure Single Domain for NTLM SSO in Liferay Portal? #

Find following steps to configure Single LDAP and Single Domain Controller for NTLM SSO It is assumes that following information you have available.

  • - LDAP Server Information
  • - Computer Account information for NTLM SSO

LDAP Server Information: #

Note: if you don’t have the following information, contact organization IT team who manages AD and get all information

Organization Name: CIGNEX
Domain Controller Name: CCA
LDAP Server Host Name: AD01
AD Server with default port 389 : ldap.base.provider.url= ldap://AD01.cca.cignex.com:389
Base DN:ldap.base.dn= DC=CCA,DC=cignex,DC=com
AD Admin User (if you want to sync AD with Portal changes then user should have all rights including read/update, if you are using just for read only purpose and don’t want to make changes to AD then make sure that User has Read Only Rights
In following property CCA is domain controller name and ccaadmin is admin user
ldap.security.principal= cca\ccaadmin
ldap.security.credentials= abcded-1234

Computer Account Information #

If you don’t have Computer Account please follow following steps to create a computer account in AD. ( Check Attachment that shows screen shot how to create computer account)

Step 1: Create the Service Account for NETLOGON Communication #

  • - To use the NTLM security provider as an authentication service you will need to create a service account in Active Directory with a specific password.
  • - To create the service account, the Active Directory Users and Computers (ADUC) utility may be used. The NETLOGON service requires that this account be a Computer account (a User account will not work). We recommend that you use the same value for both the "Computer name" (cn) and "pre-Windows 2000 name" (sAMAccountName) and use only letters, digits and possibly underscores (do not use spaces). This name will be part of the service.acctname property described in the NtlmSecurityProvider Properties section.
  • - Also determine and note the service account "distinguished name" (DN) for setting the password in the next step. The DN can usually be derived from the account name and domain. For example if the service account name CIGNEXCMS1 is in the Active Directory domain cignex.com, the DN might be: CN=CIGNEXCMS1,CN=Computers,DC=CCA,DC=cignex,DC=com. If you are still not sure about what the DN is, the ADSI Edit MMC Snap-In will show you directory entries by DN.

Step 2: Set the Service Account Password #

  • - The service account password must be supplied to Liferay Portal
  • - Currently we are unaware of a standard MS utility that can be used to set passwords on Computer accounts. Therefore, the following VBScript is used to set the password on a Computer account.
  • - Copy Paste following VB Script code in file called SetComputerPass.vbs , you can find this script as an attachment to this Wiki.
SetComputerPass.vbs

Option Explicit

Dim strDn, objPassword, strPassword, objComputer

If WScript.arguments.count <> 1 Then WScript.Echo "Usage: SetComputerPass.vbs <ComputerDN>" WScript.Quit End If

strDn = WScript.arguments.item(0)

Set objPassword = CreateObject("ScriptPW.Password") WScript.StdOut.Write "Password:" strPassword = objPassword.GetPassword() Set objComputer = GetObject("LDAP://" & strDn) objComputer.SetPassword strPassword

WScript.Echo WScript.Echo "Password set on " & strDn

WScript.Quit

Note: This script should also work remotely from another workstation provided it is executed with sufficient credentials.

  • - Execute script on the Domain Controller for example "AD01.cca.cignex.com"
  • - The following command-line dialog using the above SetComputerPass.vbs illustrates how to set the password for the service account CN=CIGNEXCMS1,CN=Computers,DC=CCA,DC=cignex,DC=com

C:\>cscript SetComputerPass.vbs CN=CIGNEXCMS1,CN=Computers,DC=CCA,DC=cignex,DC=com Password: Note: You have to login as an Administrator to run the above command. DO NOT use same password as Computer Account Name and it should match AD Password Policy

  • - Use a long and random password and make a note of it. And later it will be configured in portal-ext.properties
  • - In this case, open SetComputerPass.vbs with notepad and just temporarily hard-code the password by commenting out the three lines that collect the password (a ' is a comment in VBScript) and set it manually like following and try to run the command again

'Set objPassword = CreateObject("ScriptPW.Password")
'WScript.StdOut.Write "Password:"
'strPassword = objPassword.GetPassword()
strPassword = "ALongRandomPassword"

Note: Unlike User accounts, Computer account passwords do not expire. Domain security policy is frequently used to instruct Windows installations to periodically reset their own passwords however in practice these accounts are not denied access if they do not (such as because they were turned off for several months).

Configuration in Liferay Portal for NTLMv2 SSO #

  • - Change the User AUthenticate By setting to By Screen Name. This can be done via the Control Panel, or set property company.security.auth.type=screenName . This is necessary since NTLM returns/authenticates based on the sAMAccountName, and does not return the email address of the user, so LDAP lookup can only be via AD username, not email address. Make sure the LDAP mapping for screenName aligns with sAMAccountName .
  • - LDAP Server needs to be configured using Control Panel. Follow steps mention be bellow article http://www.liferay.com/community/wiki/-/wiki/Main/Integration+with+NTLM+plus+ADS
  • - You need to configure following properties in portal-ext.properties file.

ntlm.auth.enabled=true
ntlm.auth.domain=CCA
ntlm.auth.domain.controller=192.168.23.60 #IP of AD01 or Domain Controller server
ntlm.auth.domain.controller.name=AD01
ntlm.auth.service.account=CIGNEXCMS1$@CCA.cignex.com
ntlm.auth.service.password=abcdef-12345

You are almost done!! Start Application server and click on Sign In link from Dock Menu to login to Liferay Portal.

How to configure Multiple Domains for NTLM SSO in Liferay Portal? #

This looks complex but this is very simple.

  • - Configure Multiple LDAP Server using control panel
  • - Make sure that all Domain Controller are trusted and configure main domain controller as shown in Single Domain NTLM SSO Configuration

Example :

Assume there are three Domain controllers

US

AD Server with default port 389:

ldap.base.provider.url=ldap://AD01.cca.cignex.com:389
Base DN: ldap.base.dn=DC=CCA,DC=cignex,DC=com

AD Admin User

  • - in following property CCA is domain controller name and ccaadmin is admin user

ldap.security.principal=cca\ccaadmin
ldap.security.credentials=abcd-1234


UK

AD Server with default port 389:

ldap.base.provider.url=ldap://UKAD01.cca.cignex.com:389

Base DN:ldap.base.dn=DC=CUK,DC=cignex,DC=com

AD Admin User

  • - in following property CCA is domain controller name and ccaadmin is admin user

ldap.security.principal=cca\cukadmin
ldap.security.credentials=abcd-1234

India

AD Server with default port 389:
ldap.base.provider.url=ldap://INDIAAD01.cca.cignex.com:389

Base DN: ldap.base.dn=DC=CINDIA,DC=cignex,DC=com

AD Admin User

  • - in following property CCA is domain controller name and ccaadmin is admin user

ldap.security.principal=cca\cindiaadmin
ldap.security.credentials=abcd-1234



As shown in above example there are three Domains CCA, CUK, CINDIA make sure that all Domain Controller are trusted with each other, and you can configure only one Domain Controller in portal-ext.propertis as explained above and configure web.xml as above.

You are almost done!! Start Application server and click on Sign In link from Dock Menu to login to Liferay Portal.

6 Attachments
37854 Views
Average (5 Votes)
The average rating is 3.0 stars out of 5.
Comments
Threaded Replies Author Date
Is the use of NTLMv2Filter still required in LR... Daniel Kempf November 24, 2011 5:48 AM
I agree, In LR 6.1 CE, I didn't change anything... Raphael Kong March 7, 2012 8:10 AM
We use LR 6.1 Enterprise version. We set up the... Ron Fong June 25, 2013 11:45 PM

Is the use of NTLMv2Filter still required in LR 6.1.0? I can't find the class in trunk, also no NTLM-Filters are set up in web.xml.

I am currently using WinXP on the client machine and NTLM works just fine in IE8.
Posted on 11/24/11 5:48 AM.
I agree, In LR 6.1 CE, I didn't change anything in web.xml.

Notice the "$" at the end of the computername (here CIGNEXCMS1 $ ) in the ntlm.auth.service.account=CIGNEXCMS1$@CCA.cignex.com, otherwise, it will not work.
Posted on 3/7/12 8:10 AM.
We use LR 6.1 Enterprise version. We set up the NTLMv2 SSO. The MSAD user accounts can be imported to LF. When we click on the "Sign In" link, a Windows login box will be shown if we use IE8 as the browser. We type in the computer account and the password, the login page is shown and no SSO is done. We use an AIX server to host LF 6.1. We have updated the portal-ext.properties file according to different forums. Please advise the right way for SSO. Thanks.
Posted on 6/25/13 11:45 PM.