NTLM authentication not working in Liferay 7

Deepjyoti Nath, modified 7 Years ago.

NTLM authentication not working in Liferay 7

Junior Member Posts: 86 Join Date: 11/2/10 Recent Posts
Hi,
I tried to configure NTLM authentication with our AD server (configured in LDAP). But after the configuration, when I click on the Sign-In button in Liferay, it asks for the Windows userid/password. But even when submitting with correct credentials, it's not working.
Log shows connection error (attached the log file).

Has someone worked on NTLMv2 configuration in Liferay 7?

Thanks,
Deep
Andrew Jardine, modified 7 Years ago.

RE: NTLM authentication not working in Liferay 7

Liferay Legend Posts: 2416 Join Date: 12/22/10 Recent Posts
Hi Deepjyoti

Based on the log you attached, it looks like the Principal (service account) that you set up is not correct, or you have the wrong address for the endpoint perhaps?

06:41:41,369 ERROR [http-nio-8083-exec-1][NtlmFilter:297] Unable to perform NTLM authentication
com.liferay.portal.security.sso.ntlm.internal.NtlmLogonException: Unable to authenticate due to communication failure with server


I don't have a DXP server to try it on (or a Windows machine for an NTLM connection in fact) so I can't say for sure that it's not a bug. If you are certain that it is a bug, then your best course of action is to open a LESA with Liferay and see what they say.
Deepjyoti Nath, modified 7 Years ago.

RE: NTLM authentication not working in Liferay 7

Junior Member Posts: 86 Join Date: 11/2/10 Recent Posts
Thanks Andrew. I also had the same feeling, and I tried the same configuration in Liferay 6.2 version, which resulted in the same error. I will check with the administrator to confirm the service account credentials. Is there any way (tool) to manually check if the credentials entered in the service account field are correct or not?

Thanks,
Deep
Andrew Jardine, modified 7 Years ago.

RE: NTLM authentication not working in Liferay 7

Liferay Legend Posts: 2416 Join Date: 12/22/10 Recent Posts
Not that I am aware of. The only "test" button I am familiar with is the one in the LDAP configuration.
Jack Bakker, modified 7 Years ago.

RE: NTLM authentication not working in Liferay 7

Liferay Master Posts: 978 Join Date: 1/3/10 Recent Posts
Deepjyoti,

I've had to set the service account password with a VBScript. There are several out there including ones from Microsoft, and are similar to below

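' Bind to the service account object by its distinguished name (placeholder values)
Dim objComputer
Set objComputer = GetObject("LDAP://CN=someName,CN=someServiceAccounts,DC=Example,DC=COM")
' Set the password on that account
objComputer.SetPassword "somePassword"
Wscript.Quit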

Have you done this?
EDIT: I've got NTLM to work on Liferay v6.2EE but haven't tried in v7/DXP yet. I also had to adjust Internet Explorer configs, but given your error you might not be at that step yet.
Roshan Qureshi, modified 5 Years ago.

RE: NTLM authentication not working in Liferay 7

Regular Member Posts: 159 Join Date: 8/24/10 Recent Posts
Hello,

We have the same issue with LIFERAY 7 GA7 CE + WINDOWS SERVER 2012


ERROR [ajp-nio-8009-exec-9][NtlmFilter:298] Unable to perform NTLM authentication
com.liferay.portal.security.sso.ntlm.internal.NtlmLogonException: Unable to authenticate due to communication failure with server


There was a known issue:

https://issues.liferay.com/browse/LPS-15380

It says it is resolved in 5.2.X EE, 6.0.12 EE but what about CE? Especially Liferay 7 ga7 CE?

Can anyone from Liferay staff update on this please?

Thanks.
David H Nebinger, modified 5 Years ago.

RE: NTLM authentication not working in Liferay 7

Liferay Legend Posts: 14916 Join Date: 9/2/06 Recent Posts
By now that fix would have made it into CE, sure, but that has nothing to do with the "Unable to authenticate due to communication failure with server" issue you are facing, that was due to trying to use a service account for authentication.

But verify the low hanging fruit - make sure that you can actually connect from the server to AD and that it isn't just some silly windows firewall thing blocking connectivity.
Roshan Qureshi, modified 5 Years ago.

RE: NTLM authentication not working in Liferay 7

Regular Member Posts: 159 Join Date: 8/24/10 Recent Posts
David H Nebinger:
"By now that fix would have made it into CE, sure, but that has nothing to do with the "Unable to authenticate due to communication failure with server" issue you are facing, that was due to trying to use a service account for authentication.

But verify the low hanging fruit - make sure that you can actually connect from the server to AD and that it isn't just some silly windows firewall thing blocking connectivity."

Thanks for the quick reply.

We checked everything and we are able to ping the controller IP.

Do you know what the heading zeros in the logs mean:

"Failed to connect: 0.0.0.0<00>/domain IP"


Thread - https://community.liferay.com/forums/-/message_boards/message/112819703 says

" Inspecting source code/debugging we found:
that netrServerAuthenticate3.getServerCredential() returns byte array filled with zeroes: http://www.jarvana.com/jarvana/view/com/liferay/portal/portal-impl/6.0.5/portal-impl-6.0.5-sources.jar!/com/liferay/portal/security/ntlm/NetlogonConnection.java?format=ok

so problem is somewhere in filling netrServerAuthenticate3 object by dcerpcHandle.sendrecv(netrServerAuthenticate3); "


Appreciate your help.
David H Nebinger, modified 5 Years ago.

RE: NTLM authentication not working in Liferay 7

Liferay Legend Posts: 14916 Join Date: 9/2/06 Recent Posts
that's just the network mask/network ip form, it looks valid.

Pinging the server is not enough, it just means you have a network path to the host.

But it doesn't say anything about the ports you can access on the path. The port could be blocked on the server or on the host.

The reference you are looking at is a low level analysis of the responses being returned; a mask of 0.0.0.0/ip is not nulls getting inserted into the binary stream.
Roshan Qureshi, modified 5 Years ago.

RE: NTLM authentication not working in Liferay 7

Regular Member Posts: 159 Join Date: 8/24/10 Recent Posts
David H Nebinger:
"that's just the network mask/network ip form, it looks valid.

Pinging the server is not enough, it just means you have a network path to the host.

But it doesn't say anything about the ports you can access on the path. The port could be blocked on the server or on the host.

The reference you are looking at is a low level analysis of the responses being returned; a mask of 0.0.0.0/ip is not nulls getting inserted into the binary stream."


We checked everything and we are able to ping the controller IP but NOT ABLE TO telnet CONTROLLER (domain) on port 389.  Is it required?

Thanks
Christoph Rabel, modified 5 Years ago.

RE: NTLM authentication not working in Liferay 7

Liferay Legend Posts: 1554 Join Date: 9/24/09 Recent Posts
389 is ldap, I don't think that's relevant for NTLM. Well, it is indirectly relevant for AD authentication and user import, but I don't think it is relevant for your current error.

I don't know which ports are required, I would check with a network sniffer like tcpdump (on Linux), which ports it tries to access. Or I would ask the firewall people, they should see the connections.

If I had to guess, I would try port 445 (SMB) and then maybe 88 (Kerberos).
https://support.microsoft.com/en-us/help/179442/how-to-configure-a-firewall-for-domains-and-trusts
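
One way to run the port check suggested above from the portal host, as an added example that is not part of the original thread: it attempts a TCP connection to each port named in these posts and separates a refused connection from a silent timeout, which ping cannot show. The port list comes from the posts here, not from Liferay documentation, and `probe`, `check_controller` and `summarize` are names made up for this example.

```python
import errno
import socket

# Ports named in this thread; which of them Liferay's NTLM filter actually
# needs is not confirmed on this page.
THREAD_PORTS = {389: "LDAP", 445: "SMB", 88: "Kerberos"}

HINTS = {"open": "reachable",
         "refused": "host answers, but nothing accepts connections on this port",
         "timeout": "no answer, likely filtered between portal and controller"}


def probe(host, port, timeout=3.0):
    """Return 'open', 'refused', 'timeout' or 'error:<name>' for one TCP port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        # No reply at all: typical of a firewall silently dropping packets.
        return "timeout"
    except ConnectionRefusedError:
        # A reset came back: the network path works, the port is closed.
        return "refused"
    except OSError as exc:
        # Unreachable network, DNS failure and similar.
        return "error:" + errno.errorcode.get(exc.errno, type(exc).__name__)


def check_controller(host, ports=None, timeout=3.0):
    """Probe every port and return {port: (service, state)}."""
    return {p: (name, probe(host, p, timeout))
            for p, name in (ports or THREAD_PORTS).items()}


def summarize(results):
    """Format the results as one line per port for the firewall team."""
    return [f"{port}/tcp ({name}): {state} - {HINTS.get(state, 'see error name')}"
            for port, (name, state) in sorted(results.items())]


if __name__ == "__main__":
    import sys
    # Pass the address from the portal's "Domain Controller" field.
    for line in summarize(check_controller(sys.argv[1])):
        print(line)
```

Run it on the machine that hosts Liferay, since the result only describes the path from that host to the controller.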
Roshan Qureshi, modified 5 Years ago.

RE: NTLM authentication not working in Liferay 7

Regular Member Posts: 159 Join Date: 8/24/10 Recent Posts
Thanks

I agree with you. Let me check the ports with telnet
Karthik Nainupatruni, modified 4 Years ago.

RE: NTLM authentication not working in Liferay 7

Junior Member Posts: 28 Join Date: 5/5/15 Recent Posts
Hi,
I have enabled NTLM in Liferay 7.2.1 CE ga2 but I am getting the below error.
Has anyone faced a similar issue?

Configuration:
Domain Controller = XXX.XXX.XXX (AD IP)
Domain Controller Name = Host name of AD
Domain = XXX.com

Exception:
2020-01-14 10:52:18.669 ERROR [http-nio-8080-exec-3][NtlmFilter:304] Unable to perform NTLM authentication
com.liferay.portal.security.sso.ntlm.internal.NtlmLogonException: Session key negotiation failed
Andrew Jardine, modified 4 Years ago.

RE: NTLM authentication not working in Liferay 7

Liferay Legend Posts: 2416 Join Date: 12/22/10 Recent Posts
I remember seeing this happen a loooooooooooong time ago and I don't remember all the specifics but I think it had something to do with the account that was specified to establish the connection to NTLM. The credentials you have specified for the connection, are they for a "system account" or for a "regular user account"? It was something to do with that if my memory serves me right (disclaimer: this was a really long time ago and I have a hard time remembering what I had for dinner last night)
Karthik Nainupatruni, modified 4 Years ago.

RE: NTLM authentication not working in Liferay 7

Junior Member Posts: 28 Join Date: 5/5/15 Recent Posts
Thanks, it was a user account and we have replaced those credentials with a Computer/System account. Now it is working fine in the IE browser.
But how could we customize the NTLMFilter to make it work on Chrome?
Karthik Nainupatruni, modified 4 Years ago.

RE: NTLM authentication not working in Liferay 7

Junior Member Posts: 28 Join Date: 5/5/15 Recent Posts
I have commented out the Browsersniffer code in the NtlmFilter.java class, and it is working fine in the Chrome browser in Liferay 7.2.1 ga2, by customizing the core portal-security-sso-ntlm-impl module.