Details

      Description

      Liferay fails to sign in user when NTLM SSO is used.

      The client side runs on Win 7. Windows is configured to use NTLMv2 only for authentication. Liferay runs on Linux (REHL). Active Directory runs on Windows Server 2012.

      If I try to access Liferay form PC that is outside the domain, the sign in works. If I try to access liferay from Win 7 that has domain configured sign in does not work and I get this exception:
      {{14:19:19,250 ERROR [ajp-bio-8009-exec-40][NtlmFilter:240] Unable to perform NTLM authentication
      com.liferay.portal.security.ntlm.NtlmLogonException: Unable to authenticate user: Logon failure: unknown user name or bad password.
      at com.liferay.portal.security.ntlm.Netlogon.logon(Netlogon.java:86)
      at com.liferay.portal.security.ntlm.NtlmManager.authenticate(NtlmManager.java:69)
      at com.liferay.portal.servlet.filters.sso.ntlm.NtlmFilter.processFilter(NtlmFilter.java:235)
      at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:59)
      at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
      at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:109)
      at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:117)
      at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:117)
      at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:117)
      at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:188)
      at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
      at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:117)
      at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:117)
      at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:117)
      at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:117)
      at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:738)
      at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
      at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:109)
      at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:168)
      at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
      at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:117)
      at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:168)
      at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
      at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:117)
      at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:188)
      at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
      at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilter.doFilter(InvokerFilter.java:79)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
      at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
      at org.apache.catalina.ha.tcp.ReplicationValve.invoke(ReplicationValve.java:333)
      at org.apache.catalina.ha.session.JvmRouteBinderValve.invoke(JvmRouteBinderValve.java:219)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
      at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:200)
      at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
      at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
      at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
      at java.lang.Thread.run(Unknown Source)
      }}

      If the NTLM is set to v1 on client, the sign in works.

      I tried to test the system setup with ntlmv2auth (http://sourceforge.net/projects/ntlmv2auth/), which is based on Liferay code, but it did not work too. Then I tried jespa (http://www.ioplex.com/jespa.html). The example application was able to authenticate me. All this application use jcifs as the underlying library.

      I'm attaching all tcpdumps I made from ntlmv2auth, jespa, liferay within domain and liferay outside domain.

        Attachments

        1. dumpjcifs-failed
          15 kB
        2. dumpjespa-success
          11 kB
        3. dumpliferayin-failed
          29 kB
        4. dumpliferayout-success
          22 kB

          Issue Links

            Activity

              People

              Assignee:
              michael.saechang Michael Saechang
              Reporter:
              mir333 Miroslav Ligas
              Participants of an Issue:
              Recent user:
              Esther Sanz
              Votes:
              1 Vote for this issue
              Watchers:
              1 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:
                Days since last comment:
                6 years, 32 weeks ago

                  Packages

                  Version Package