PUBLIC - Liferay Portal Community Edition

NTLM fails authenticating with the service account in windows 2008 r2

Details

  • Type: Bug Bug
  • Status: Closed Closed
  • Priority: Minor Minor
  • Resolution: Fixed
  • Affects Version/s: 5.2.3, 6.0.5 GA
  • Fix Version/s: 6.0.12 EE, 5.2.X EE
  • Component/s: Authentication
  • Labels:
  • Environment:
    6.0.x, 5.2.x
  • Branch Version/s:
    5.2.x, 6.0.x
  • Backported to Branch:
    Committed
  • Similar Issues:
    Show 5 results 

Description

NTLM fails authenticating with the service account in windows 2008 r2

High level steps to reproduce:
1) Setup windows2008 r2 server, with a domain/active directory configured
2) Create computer account, follow steps from: http://www.ioplex.com/d/Jespa_Operators_Manual.pdf (section: Create the Computer Account for NETLOGON Communication)
3) Setup LDAP/NTLM settings in Liferay to point to the windows2008 r2 server
4) Attempt to log in to Liferay via NTLM
5) You should receive in the stacktrace, "Session key negotiation failed"

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Wesley Gong added a comment - - edited

Marcellus discovered that we had enabled all flags in the negotiation process between Liferay and NTLM which windows2008 r2 disallowed. In order to resolve this, we disabled some of the bits based on the specifications presented in the below document:

http://download.microsoft.com/download/a/e/6/ae6e4142-aa58-45c6-8dcf-a657e5900cd3/%5BMS-NLMP%5D.pdf

Show
Wesley Gong added a comment - - edited Marcellus discovered that we had enabled all flags in the negotiation process between Liferay and NTLM which windows2008 r2 disallowed. In order to resolve this, we disabled some of the bits based on the specifications presented in the below document: http://download.microsoft.com/download/a/e/6/ae6e4142-aa58-45c6-8dcf-a657e5900cd3/%5BMS-NLMP%5D.pdf
Hide
Permalink
Sonia Predieri added a comment -

We have the same problem on liferay 6.0.5 GA and Active Directory on Windows 2008 Server R2;
we receive an "Session key negotiation failed" exception when liferay try to authenticate on ldap with the Computer Account that we have created.

We want to know if we can fix this bug in our enviroment.

Show
Sonia Predieri added a comment - We have the same problem on liferay 6.0.5 GA and Active Directory on Windows 2008 Server R2; we receive an "Session key negotiation failed" exception when liferay try to authenticate on ldap with the Computer Account that we have created. We want to know if we can fix this bug in our enviroment.
Hide
Permalink
Yves LeGrand added a comment -

Hi @all.
We are facing the same issue with liferay 6.0.6 CE GA and AD, NTLM on Windows 2008 R2.
What are the necessary steps to solve this issue? Thanks.

Show
Yves LeGrand added a comment - Hi @all. We are facing the same issue with liferay 6.0.6 CE GA and AD, NTLM on Windows 2008 R2. What are the necessary steps to solve this issue? Thanks.
Hide
Permalink
Paul Piao added a comment -

FAILED Manual Testing following steps in description.

Reproduced on:
Tomcat 6.0 + MySQL 5. Firefox 4.0.1. 6.0.5 GA.
Tomcat 6.0 + MySQL 5. Firefox 4.0.1. 5.2.3 CE.

Failed on:
Tomcat 6.0 + MySQL 5. Firefox 4.0.1. Trunk Revision 80911.
Tomcat 6.0 + MySQL 5. Firefox 4.0.1. 5.2.x Revision 80911.

Show
Paul Piao added a comment - FAILED Manual Testing following steps in description. Reproduced on: Tomcat 6.0 + MySQL 5. Firefox 4.0.1. 6.0.5 GA. Tomcat 6.0 + MySQL 5. Firefox 4.0.1. 5.2.3 CE. Failed on: Tomcat 6.0 + MySQL 5. Firefox 4.0.1. Trunk Revision 80911. Tomcat 6.0 + MySQL 5. Firefox 4.0.1. 5.2.x Revision 80911.
Hide
Permalink
Berndt Krieger added a comment -

After patching our DC to 2008 R2 we had the same problem. I solved it by modifying
com.liferay.portal.security.ntlm.NetlogonConnection:

...
NetrServerAuthenticate3 netrServerAuthenticate3 =
new NetrServerAuthenticate3(
domainControllerName, ntlmServiceAccount.getAccountName(), 2,
ntlmServiceAccount.getComputerName(), clientCredential,
NetrServerAuthenticate3 netrServerAuthenticate3 =
new NetrServerAuthenticate3(
domainControllerName, ntlmServiceAccount.getAccountName(), 2,
ntlmServiceAccount.getComputerName(), clientCredential,
old:
<
new byte[8], 0xFFFFFFFF);
>
new
<
new byte[8], 0x6013C600);
>
...

description of the flags can be found here:

http://msdn.microsoft.com/en-us/library/cc704291%28PROT.10%29.aspx

Show
Berndt Krieger added a comment - After patching our DC to 2008 R2 we had the same problem. I solved it by modifying com.liferay.portal.security.ntlm.NetlogonConnection: ... NetrServerAuthenticate3 netrServerAuthenticate3 = new NetrServerAuthenticate3( domainControllerName, ntlmServiceAccount.getAccountName(), 2, ntlmServiceAccount.getComputerName(), clientCredential, NetrServerAuthenticate3 netrServerAuthenticate3 = new NetrServerAuthenticate3( domainControllerName, ntlmServiceAccount.getAccountName(), 2, ntlmServiceAccount.getComputerName(), clientCredential, old: < new byte [8] , 0xFFFFFFFF); > new < new byte [8] , 0x6013C600); > ... description of the flags can be found here: http://msdn.microsoft.com/en-us/library/cc704291%28PROT.10%29.aspx
Hide
Permalink
Paul Piao added a comment -

PASSED Manual Testing following steps in description.

Reproduced on:
Tomcat 6.0 + MySQL 5. Firefox 4.0.1. 6.0.5 GA.
Tomcat 6.0 + MySQL 5. Firefox 4.0.1. 5.2.3 CE.

Fixed on:
Tomcat 6.0 + MySQL 5. Firefox 4.0.1. Trunk Revision 82809.
Tomcat 6.0 + MySQL 5. Firefox 4.0.1. 5.2.x Revision 82809.

Thanks Wesley,

Show
Paul Piao added a comment - PASSED Manual Testing following steps in description. Reproduced on: Tomcat 6.0 + MySQL 5. Firefox 4.0.1. 6.0.5 GA. Tomcat 6.0 + MySQL 5. Firefox 4.0.1. 5.2.3 CE. Fixed on: Tomcat 6.0 + MySQL 5. Firefox 4.0.1. Trunk Revision 82809. Tomcat 6.0 + MySQL 5. Firefox 4.0.1. 5.2.x Revision 82809. Thanks Wesley,
Hide
Permalink
Vicki Tsang added a comment -

This is being bulk closed in preparation for the new workflow.

Show
Vicki Tsang added a comment - This is being bulk closed in preparation for the new workflow.
Hide
Permalink
Rushikesh Kulkarni added a comment -

Hello,

I am new with lifeRay and configuring NTLM. I am facing exactly the same issue.
Can you please tell me how to modify NetLogOnConnection to set the flags as mentioned above ?

I downloaded the source for portal-impl, but i am not able to build it on my local.

Thanks for your time.

Show
Rushikesh Kulkarni added a comment - Hello, I am new with lifeRay and configuring NTLM. I am facing exactly the same issue. Can you please tell me how to modify NetLogOnConnection to set the flags as mentioned above ? I downloaded the source for portal-impl, but i am not able to build it on my local. Thanks for your time.
Hide
Permalink
Rushikesh Kulkarni added a comment -

I am using LifeRay 6.0.6.

Show
Rushikesh Kulkarni added a comment - I am using LifeRay 6.0.6.
Hide
Permalink
Rushikesh Kulkarni added a comment -

I am using LifeRay 6.0.6.

Show
Rushikesh Kulkarni added a comment - I am using LifeRay 6.0.6.
Hide
Permalink
Priyanka Matai added a comment -

Hello Berndt,

We are in the same siutation as yours and need to apply the fix that has been outlined in your post.

Could you be kind enough to advise how you went about this change.

Thanks, Priyanka.

Show
Priyanka Matai added a comment - Hello Berndt, We are in the same siutation as yours and need to apply the fix that has been outlined in your post. Could you be kind enough to advise how you went about this change. Thanks, Priyanka.

People

Vote (3)
Watch (10)

Dates

  • Created:
    Updated:
    Resolved:
    Days since last comment:
    35 weeks, 6 days ago