RE: NTLM authentication

2020-02-04T15:33:40Z

Thanks for the reply,
i have commented the Browsersniffer code as mentioned above , it is working fine in liferay 7.2 .1 ga2 by customizing the core portal-security-sso-ntlm-impl module

RE: NTLM authentication

2020-01-30T10:58:48Z

Well, to give you an honest answer:
I usually don't bother creating an ext plugin (I actutally don't know anymore how to do that in 7.x) and just fetch the NTLMFilter.java file from github, change the code, build it and replace that class in the original war file. Since there are very seldom changes to that class, that works pretty well. Of course, you would need to do that for every upgrade, so it could be a bit of a pain in the ....
This is one of the BUGS (yes, I consider this a bug, not a feature) that annoys me to no end since there is no real nice way to work around it.

RE: NTLM authentication

2020-01-28T04:22:27Z

Hi
Anyone has worked onNTLMFilters in liferay 7 , to make it work for chrome browser?

RE: NTLM authentication

2019-03-20T16:14:45Z

That issue is ancient and it doesn't seem to have anything to do with your problem.

In general:
If an issue is fixed in EE, it is also fixed in CE. But there are no patches for CE. So, all CE releases before 6.0.12 EE are affected by the problem. All releases since 6.1 CE should not be affected by that issue anymore.

While it is in general true, that all fixes are applied to CE too, please note:

There is also a gap between the "packaging" date of CE and the release date. So, when an issue is fixed on March 5 and the CE is released on March 10, you can be quite sure that that fix is not included. The CE release was branched much earlier and very recent fixes usually are not included (except for really important/breaking ones).

RE: NTLM authentication

2019-03-20T15:36:53Z

Christopher LuiThere is a known issue with NTLM authenticating with 2008 R2.

See http://issues.liferay.com/browse/LPS-15380

Is it still issue with Liferay CE ga7. As per the link above it was fixed for EE. No mention of CE is there.

Is there any way to confirm whether it is fixed for CE as well or not?

Thanks

RE: NTLM authentication

2019-03-20T10:57:29Z

Thanks for quick reply.

We checked everything and we are able to ping the controller IP but NOT ABLE TO telnet CONTROLLER (domain) on port 389. Is it required?

Also - Do you know what does the meaning of Heading zeros in the logs :

"Failed to connect: 0.0.0.0<00>/domain IP"

Thread - https://community.liferay.com/forums/-/message_boards/message/112819703 says

" Inspecting source code/debugging we found:
that netrServerAuthenticate3.getServerCredential() returns byte array filled with zeroes: http://www.jarvana.com/jarvana/view/com/liferay/portal/portal-impl/6.0.5/portal-impl-6.0.5-sources.jar!/com/liferay/portal/security/ntlm/NetlogonConnection.java?format=ok

so problem is somewhere in filling netrServerAuthenticate3 object by dcerpcHandle.sendrecv(netrServerAuthenticate3); "

Appreciate your help.

RE: NTLM authentication

2019-03-19T13:04:12Z

When looking at execption, the "Caused by" block is usually quite important. It says there:

Failed to connect: 0.0.0.0<00>/172.16.201.65

Looks like a network issue.
I guess, 172.16.201.65 is the IP of your domain controller. Correct?
Please check, from the server where Liferay is installed:

Is it reachable? Can you ping it?

RE: NTLM authentication

2019-03-19T12:32:28Z

Christopher LuiThere is a known issue with NTLM authenticating with 2008 R2.

See http://issues.liferay.com/browse/LPS-15380

I see this issue. It is fixed for EE as per the resolution there.

Is there any patch for CE ?

Thanks.

RE: NTLM authentication

2019-03-19T12:31:10Z

Hello,

I have tried all suggestions in above thread but still getting below exception. Appreciate help from experts on NTLM.

Environment : LIFERAY 7 GA7 CE + WINDOWS SERVER 2012

ERROR [ajp-nio-8009-exec-9][NtlmFilter:298] Unable to perform NTLM authentication
com.liferay.portal.security.sso.ntlm.internal.NtlmLogonException: Unable to authenticate due to communication failure with server
at com.liferay.portal.security.sso.ntlm.internal.Netlogon.logon(Netlogon.java:115) at com.liferay.portal.security.sso.ntlm.internal.NtlmManager.authenticate(NtlmManager. java:74) at com.liferay.portal.security.sso.ntlm.internal.servlet.filter.NtlmFilter.processFilt er(NtlmFilter.java:294) at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49) at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilte r(InvokerFilterChain.java:207) at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(Invok erFilterChain.java:112) at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:144) at com.liferay.portal.monitoring.internal.servlet.filter.MonitoringFilter.processFilte r(MonitoringFilter.java:181) at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49) at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilte r(InvokerFilterChain.java:207) at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(Invok erFilterChain.java:112) at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectC allFilter(InvokerFilterChain.java:188) at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(Invok erFilterChain.java:96) at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectC allFilter(InvokerFilterChain.java:188) at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(Invok erFilterChain.java:96) at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:176) at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:145) at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:92) at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:3 94) at com.liferay.portal.servlet.filters.urlrewrite.UrlRewriteFilter.processFilter(UrlRew riteFilter.java:65) at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49) at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilte r(InvokerFilterChain.java:207) at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(Invok erFilterChain.java:112) at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectC allFilter(InvokerFilterChain.java:168) at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(Invok erFilterChain.java:96) at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectC allFilter(InvokerFilterChain.java:168) at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(Invok erFilterChain.java:96) at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectC allFilter(InvokerFilterChain.java:188) at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(Invok erFilterChain.java:96) at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilter.doFilter(InvokerFil ter.java:100) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterC hain.java:240) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.jav a:207) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:5 02) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.jav a:616) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:522) at org.apache.coyote.ajp.AbstractAjpProcessor.process(AbstractAjpProcessor.java:868) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtoc ol.java:672) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1500) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:748)Caused by: jcifs.smb.SmbException: Failed to connect: 0.0.0.0<00>/<domain IP>_jcifs.util.tra nsport.TransportException: Connection timeout_ at jcifs.util.transport.Transport.connect(Tran sport.java:174)_ at jcifs.smb.SmbTransport.connect(SmbTransport.java:307)_ at jcifs.smb.SmbTree.treeConnect(SmbTree.java:156)_ at jcifs.smb.SmbFile.doConnect(SmbFile.java:91 1)_ at jcifs.smb.SmbFile.connect(SmbFile.java:954)_ at jcifs.smb.SmbFile.connect0(SmbFile. java:880)_ at jcifs.smb.SmbFileInputStream.<init>(SmbFileInputStream.java:76)_ at jci fs.smb.TransactNamedPipeInputStream.<init>(TransactNamedPipeInputStream.java:38)_ at jci fs.smb.SmbNamedPipe.getNamedPipeInputStream(SmbNamedPipe.java:166)_ at jcifs.dcerpc.DcerpcPipeHandle.doSendFragment(DcerpcPipeHandle.java:66)_ at jcifs.dcerpc.DcerpcHandle.sendrecv( DcerpcHandle.java:190)_ at

Thanks.

RE: NTLM authentication

2018-03-19T10:36:39Z

Thanks a lot ! Sir...

It is really helpful.

God Bless you.

RE: NTLM authentication

2016-04-14T09:02:03Z

Hi Silvio Meier,

I did the same steps that you mention but I always got the error

com.liferay.portal.security.ntlm.NtlmLogonException: Session key negotiation failed

My environments:
Liferay CE 6.2
Windows Server 2008
domain: test.org
NetBIOS: TEST
Computer acct: LIFERAY$@TEST.ORG
Password: password

connection with LDAP works fine

I have tried with all options for LAN Manager authentication level on Client PC, but still the same error...

Thank in advance for helping

RE: NTLM authentication

2015-08-11T19:15:55Z

Hi Chris and Domingo

we also had this problem at our company using LR 6.2. Our configuration only worked with the client-side setting Send LM & NTLM - use NTLMv2 session security if negociated on our client systems. In contrast, the setting Send NTLMv2 response only/refuse LM & NTLM or Send NTLMv2 response only/refuse LM was not successful. This indicates that NTLMv1 is used instead of NTLMv2 and this is not recommended.

When configuring NTLMv2, we encountered two possible pitfalls with respect to the configuration settings of ntlm.auth.domain.controller.name and ntlm.auth.domain in portal-ext.properties file or the corresponding fields in the control panel UI of Liferay.

1. Pitfall
The controller name must be specified either as IP addresss or as *netbios name*. The netbios name of the ntlm.auth.domain.controller.name must be written without a trailing dollar sign ($), which is sometimes used for net bios names of computers. If not specifying a proper netbios name, you will probably get the exception com.liferay.portal.security.ntlm.NtlmLogonException: Session key negotiation failed. Ask the system administrator of your domain controller in order to get the netbios name. Example for the controller name setting:

ntlm.auth.domain.controller.name=MYCONTROLLER

2. Pitfall
The problem described above is probably caused by the setting ntlm.auth.domain which *must* be the netbios name of the domain. Example:

ntlm.auth.domain=MYDOMAIN

If you set an improper net bios name, for example, if you set the internet DNS name of the domain, the client settings Send NTLMv2 response only/refuse LM or Send NTLMv2 response only/refuse LM & NTLM do not work! The only setting that is working is Send LM & NTLM - use NTLMv2 session security if negociated or any setting that is weaker.

I assume that this is because only NTLMv2 uses the netbios name controller but not NTLMv1. So if the netbios name of the controller is found to be wrong while trying to use NTLMv2, NTLMv1 is used as fallback. If this is not possible because the security restrictions are set to Send NTLMv2 response only/refuse LM or Send NTLMv2 response only/refuse LM & NTLM, an exception occurs com.liferay.portal.security.ntlm.NtlmLogonException: Unable to authenticate user: Logon failure: unknown user name or bad password.

In order to retrieve the proper netbios name of the domain, open a comand line (cmd.exe) with a user that is member of that domain. Then enter the command in the command line

SET

Look in the output for the variable USERDOMAIN. As a site-note: the variable USERDNSDOMAIN contains the internet domain name of the domain which is also shown by System Control Panel --> System in the Windows settings. This could look something like that:


...
USERDNSDOMAIN=MYDOMAIN.EXAMPLE.COM
USERDOMAIN=MYDOMAIN
...

Use the value of the variable USERDOMAIN as value for ntlm.auth.domain. After doing so, we could set Send NTLMv2 response only/refuse LM or Send NTLMv2 response only/refuse LM & NTLM (or just leave the default settings of Windows 7+) on the clients and it worked without any problems for LR 6.2!

I think the pitfalls described above are caused because the use of the netbios names is not obvious from the official Liferay documentation https://www.liferay.com/de/community/wiki/-/wiki/Main/NTLMv2+SSO+Configuration. For retrieving the domain (Pitfall 2), Microsoft documentation instructs you to use the domain name from the System Control Center --> System for newer Windows versions, which is the internet domain name (cf. variable USERDNSDOMAIN above) of the domain and not the netbios name. This is maybe the root of the problem.

Maybe it helps for solving your issues.

Silvio

RE: NTLM authentication

2015-02-12T11:56:34Z

Hi Crist,

I solved it by the way you said, seted this value in the client side and work fine the autentication with NTLM.

Thanks a lot for your advise,

RE: NTLM authentication

2015-02-12T06:17:33Z

Same problem here.

We had the opportunity to use a workaround by updating the local security policy.
1. Click Start, in the Start Search box enter “gpedit.msc”
2. Navigate to Computer Configuration->Windows Settings->Security Settings->Local Policies->Security Options.
3. In the right pane, find "Network Security: LAN Manager Authentication Level" and double-click it.
4. Change the setting from "Send NTMLv2 response only" to "Send LM & NTLM - use NTLMv2 session if negotiated"

But I am still searching for the "correct" way.

RE: NTLM authentication

2015-01-29T20:42:52Z

Hi,
Me too I´m trying configure NTML authentication in Liferay Portal Community Edition 6.2 CE GA2 (Newton / Build 6201 / March 20, 2014) with
Microsoft Active Directory on Windows Server 2008 R2. This set "Send MTLMv2 response only" as netword security lan manager autentification level.

And received the exeption "Session key negotiation failed", how make to avoid this problem?,

Thanks,

RE: NTLM authentication

2012-10-09T09:32:09Z

It seems to me, even though I'm trying to use NTLMv2, its still using NTLMv1.

Or am I wrong?

RE: NTLM authentication

2012-10-05T13:29:01Z

Is liferay 6.1 GA2 supposed to work with NTLMv2 and Microsoft AD 2008 R2?

I read:
http://www.windowsecurity.com/articles/Protect-Weak-Authentication-Protocols-Passwords.html

When I got security policy "Send NTLMv2 response only/refuse LM" in Domain Controller, everything works fine.
When I put "Send NTLMv2 response only/refuse LM & NTLM" to Domain Controller, it stops working and IE 9 starts poping up username and password dialog.

Liferay property is set to default:
ntlm.auth.negotiate.flags=0x600FFFFF

Anybody know where is the problem?

By changing the security policy to be more strict, I get the following exception:

16:09:53,111 ERROR [NtlmFilter:235] Unable to perform NTLM authentication
com.liferay.portal.security.ntlm.NtlmLogonException: Unable to authenticate due to communication failure with server
at com.liferay.portal.security.ntlm.Netlogon.logon(Netlogon.java:96)
at com.liferay.portal.security.ntlm.NtlmManager.authenticate(NtlmManager.java:69)
at com.liferay.portal.servlet.filters.sso.ntlm.NtlmFilter.processFilter(NtlmFilter.java:230)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:57)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:206)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:108)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:187)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:95)
..........
Caused by: jcifs.smb.SmbAuthException: Logon failure: unknown user name or bad password.
at jcifs.smb.SmbTransport.checkStatus(SmbTransport.java:528)
at jcifs.smb.SmbTransport.send(SmbTransport.java:645)
at jcifs.smb.SmbSession.sessionSetup(SmbSession.java:322)
at jcifs.smb.SmbSession.send(SmbSession.java:224)
at jcifs.smb.SmbTree.treeConnect(SmbTree.java:176)
at jcifs.smb.SmbFile.doConnect(SmbFile.java:906)
at jcifs.smb.SmbFile.connect(SmbFile.java:949)
at jcifs.smb.SmbFile.connect0(SmbFile.java:875)
at jcifs.smb.SmbFileInputStream.<init>(SmbFileInputStream.java:76)
at jcifs.smb.TransactNamedPipeInputStream.<init>(TransactNamedPipeInputStream.java:38)
at jcifs.smb.SmbNamedPipe.getNamedPipeInputStream(SmbNamedPipe.java:166)
at jcifs.dcerpc.DcerpcPipeHandle.doSendFragment(DcerpcPipeHandle.java:66)
at jcifs.dcerpc.DcerpcHandle.sendrecv(DcerpcHandle.java:181)
at jcifs.dcerpc.DcerpcHandle.bind(DcerpcHandle.java:126)
at com.liferay.portal.security.ntlm.NetlogonConnection.connect(NetlogonConnection.java:88)
at com.liferay.portal.security.ntlm.Netlogon.logon(Netlogon.java:50)
... 68 more

RE: NTLM authentication

2011-04-21T19:51:41Z

Forgot to mention, I was using Windows Server 2003.

RE: NTLM authentication

2011-04-19T22:21:25Z

There is a known issue with NTLM authenticating with 2008 R2.

See http://issues.liferay.com/browse/LPS-15380

RE: NTLM authentication

2011-04-18T15:47:06Z

Hi,

I had the same issue but I realized it was a configuration error..

Here's what I've done to fix it... The online documentation for NTML authentications is really outdated... It talks about NTLMv1 but in liferay 6+ it's forced to NTLMv2.

Two things to take into consideration:
1- Make sure your PC will support NTLMv2 auth... This can be found in Control Pannel/Local Security Policies/*NTLM* (There's more than one to check, but 'Network Security: LAN Manager authentication level' should be set to 'Send LM & NTLM - use NTLMv2 session security if negociated' (unsecure... I know! It's for legacy Intranet support)
2- Look at the configuration in liferay

Domain Controller: IP to domain controller
DOmain Controller Name: netbios name of the DC
Domain: DOMAIN
Service Account: A computer account
Service Password: (triky to set, you will need a script provided by liferay)

Example call for the following script
C:\liferay\>cscript setcomputerpass.vbs "CN=liferay,OU=computers,,dc=DOMAIN,dc=com"

save it as SetComputerPass.vbs
------------------ CODE ---------------------
Option Explicit
Dim strDn, objPassword, strPassword, objComputer

If WScript.arguments.count <> 1 Then
WScript.Echo "Usage: SetComputerPass.vbs <ComputerDN>"
WScript.Quit
End If

strDn = WScript.arguments.item(0)

Set objPassword = CreateObject("ScriptPW.Password")
WScript.StdOut.Write "Password:"
strPassword = objPassword.GetPassword()
Set objComputer = GetObject("LDAP://" & strDn)
objComputer.SetPassword strPassword

WScript.Echo
WScript.Echo "Password set on " & strDn

WScript.Quit
------------------ CODE ---------------------

There was a bug in the original script provided by liferay, I had to modify the original script.

Hope it helps!
-Pat