Anyone have any ideas on this? Am I doing something wrong, or is this a hole in the NTLM security component?

Hi Robert,

I've never used this functionality but as nobody else in answering I'd like to, at least, try to guide you on how to find the root problem.

The NTLM functionality is implemented through two clases. The first one is NtlmFilter which can be configured through properties in portal(-ext).properties:



This filter reads the HTTP Authentication headers and act accordingly. If it decides the user should be authenticated it leaves an attribute in the request.

The second class is NtlmAutoLogin. This class is responsible for the login and tries to authenticate the user If it finds in the request the attribute left by the filter.

I hope this info. helps you get started debugging the problem.

Thanks for the info, we have worked around this issue for the time being, but I am hoping to be able to revisit it, as allowing proper logins will make life much simpler for us.

What I've found is that NTLM works great for IE browsers where the user has logged into the domain. For machines outside the domain (including non-domain machines, users logged in to machines using local accounts and for Firefox), I have found that it prompts me for a username and password, and then simply signs me in with the username without actually validating that the password is correct.

The "non-domain" machine isn't really a big deal, I was just questioning whether or not the password was actually being validated.

Thanks,

Rob

Same problem on liferay 5.2.1 + LDAP + NTLM:
password is not checked.

problem is solved?

Luca

Just testing, it popped up a window for inputs of user name and password in FireFox 3.0.7 and IE 7.0.

The password is not checked ....

It seems that the users are not imported properly ....

Attachments:

LDAP-ADS.png (4.6k)

Any Fix for Non-Domain NTLM authentication ???? or any way to get around this problem ???

Jonas, which issue you're referring to as fixed? I still see the bug in Jira LPS-2032 as open.

Also would like to stress that the problem is really severe both for non-domain and for domain NTLM authentication. A user can login to a portal knowing only user names of other users even if he is using IE which is domain. This can be done if one goes to the Tools -> Internet Options -> Security -> Choose a zone in which your site is -> Custom Level -> At the bottom of the page choose the radio button 'Prompt for user name and password'.

This will tell IE to give you a user name/password dialog box each time you enter the site with NTLM authenticaton configured. Knowing the user names of users one can login to the site *SUPPLYING ANY PASSWORD*.

Any feedback from Liferay community would be welcome.

Regards,
Roman.

i though i the only one facing this. will update you all if i found anything. any update so far on this?

Hello Gurus,
after dig here and there... i think i came out a fix and i want to get feedback from all of you .

I edited ntlmfilter.java file , search for keyword "ntlm = NtlmSsp.authenticate(request, response, challenge);" then below this line, i add




now, if the ntlm pop up appear , you enter wrong password, u will not be allow to log in . and foward to blank page . maybe forward to blank page is not a good idea. any suggestion ? maybe you folks can give me feedback . if this is the fix to the problem. can someone put this in SVN. your feedback is needed, so that i can comment something in issues.liferay.com on the bug reported

in production u will only find the class file. i not sure it inside with jar. but if you compile everything from source it should work . good luck




________________________________
From: Rathish R from liferay.com <no-reply@liferay.com>
To: "mb.239391.3299211@events.liferay.com" <mb.239391.3299211@events.liferay.com>
Sent: Thursday, June 11, 2009 12:54:26 PM
Subject: [Liferay Forums][5. Portal Framework] RE: Non-domain NTLM Authentication <mb.239391.3299211@events.liferay.com>

Hi Cometta,

I can download the source code and make the changes. But my concern is that i have the portal already deployed in production environment and in that package i am not able find the file ntlmfilter.java. Is this file located in any jar files?? Do i need to unpack any jar files in order to view this file??


Regards,

Rathish
--
Liferay Message Boards
http://www.liferay.com/web/guest/community/forums/-/message_boards/message/3299211
mb.239391.3299211@events.liferay.com
http://www.liferay.com

Hi Cometta!

Your fix work but,

I have a problem with login. I can login via NTLM only first time. And then I get Access denied! exception.

First user login successful, and when I try login by another user I got this exception.

Have you any suggestion about such problem?

I have downloaded the source and made the changes in ntlmfilter.java file. How do i compile the source code?

Do you have extension of your project?
If you have, you only must place this file on ext-impl/src/{file-path} and then run ant deploy target.

Hi Cometta,

I found what are causing my Access denied exeception. The problem is that I connect to th IPC$ share. And It allowed only one connection. My domain is located on Windows 2003 server. Do you have the same problem?

1. did u tried the code that i post on my previous post?
2. hope someone will respond on this. give some feedback to this user

so for i test 2-3 users login same times without problem.. any feedback from other members?

Just to toss 2 cents in, why not shim the authentication path with something like CAS? It would certainly seem easier than all this stuff that all of you are doing now.

ya ... worked .. great .... Is there any way to login with out NTLM settings ???

We had tried the methods above, but Still No Luck and having the same issue when using the 5.2.4 version ,are there any updates on how to fix the bug ? Somebody,pl Help.....

Dear Victor,

Thanks for your concerns.The problem is that I can Login only first time via NTLM. Second user(another user) couldn't login(but can if login first time). I use Windows 2003 server and tomcat. Can you help me with the problem?

Thanks,

Dear Victor,

Thanks for the kindly help, we didn't used any proxy on our network,we followed your ideas and the result are :

There are users A , B and C

1. User A login desktop then login portal. Successed!

2. User B login desktop then login portal. Failed.

3, User C login desktop and login portla used user A account, sucessed!

Michael , sorry for the delay. Had to go through some painful releases.
On your NTLM issue, there must be something simple, though hard to figure out what's going on without seeing your system setup.

If I start asking detailed questions one by one, there could about ten 2-way interactions on the forum, which may take 10 days (one per question/answer).
So may be it is a good time for you to roll up your sleeves and learn how to resolve such situations quickly. That's what I usually do:
- create a Java project in Eclipse, that is configured to produce a single jar file
- set library path to point to liferay impl and service jars
- create a replica of a class which your would like to debug, e.g. in this case you would want to know what's going on when NTLM is executed, so you have to create a cut-and-paste copy of class com.liferay.portal.security.auth.NtlmAutoLogin, but with your own package name, e.g. com.myoffice.portal.security.auth.NtlmAutoLogin
- insert your own debugging statements into it
- build, create your own jar, put it into classpath
- modify your portal-ext.propeties file, by copying line auto.login.hooks=... from portal.properties
- in this line change the class com.liferay.portal.security.auth.NtlmAutoLogin to com.myoffice.portal.security.auth.NtlmAutoLogin
- so when NTLM is executed, your own class will be executed instead of liferay' one
- run the portal and see which way it is going

Once you are set like this and feel comfortable, the entire debugging and build process for future problems and investigations may only take 30 minutes.

You can certainly do such builds in ext environment, but I found that it is much easier to do it this way, probably because I used this style on liferay installations before ext environment existed, (e.g. 4 years ago)