Affects Version/s: 7.0.X EE, Master
Steps to Reproduce:
- Configure an Active Directory and NTLM server (do not change the default Negotiate Flags in your NTLM server);
- Start Liferay and go to Control Panel > Instance Settings;
- In fieldset Configuration > Authentication:
  - Go to General tab and change the "How do users authenticate?" field to "By Screen Name" and Save;
  - Go to LDAP tab and add an Active Directory LDAP Server (make sure that the token for Authentication Search Filter is @screen_name@);
  - Under the same LDAP tab, check Enabled for LDAP authentication;
  - Go to NTLM tab and fill all the fields with the corresponding values in your NTLM server and Save;
- Go to Control Panel > System Settings > Foundation > NTLM, set Negotiate Flags to 0x211AAAAA (a value different from the default in your NTLM server) and Save;
- Now, in a Windows environment configured to use the NTLM and AD server for authentication, using Microsoft Internet Explorer, access the Liferay instance just configured and try to sign in.
Liferay signs in successfully with the user that's logged in to the Windows environment.
Since the Negotiate Flags in System Settings were changed to differ from those of the NTLM server, authentication should not have succeeded, and the following message should have been thrown in the app server console instead: "Session key negotiation failed".
This happens because Instance Settings saves a blank value for that property, even though the property does not exist on that page yet.
master @ commit 12e1d4fdc3327c93274ded6d6b66835ce86a3cbe
ee-7.0.x @ commit 0ee01aeb02db2a6b2a43515345475b7c711dffd3
Not reproducible in 6.2.x, because back then this property was set in portal.properties and all NTLM settings made inside the Portal were per instance.
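
The failure mode described above (a blank value saved at instance scope hiding the Negotiate Flags set in System Settings), as an added example that is not Liferay code. It is a simplified model: the instance-over-system precedence, the property key `negotiateFlags`, the fallback value and the sample settings are assumptions constructed for illustration.

```python
# Simplified model of scoped settings, not Liferay code. Assumption: an
# instance-scoped entry takes precedence over the system-scoped one.
SERVER_DEFAULT_FLAGS = 0x00000201  # constructed stand-in for the NTLM server default
KEY = "negotiateFlags"             # hypothetical property key


def parse_flags(raw):
    """Parse a hex flags string; return None for a missing or blank value."""
    if raw is None or not raw.strip():
        return None
    return int(raw.strip(), 16)


def resolve_naive(instance, system):
    """Presence of the key at instance scope wins, even when it is blank."""
    raw = instance[KEY] if KEY in instance else system.get(KEY)
    flags = parse_flags(raw)
    return SERVER_DEFAULT_FLAGS if flags is None else flags


def resolve_hardened(instance, system):
    """A blank instance value counts as unset, so the system value applies."""
    for scope in (instance, system):
        flags = parse_flags(scope.get(KEY))
        if flags is not None:
            return flags
    return SERVER_DEFAULT_FLAGS


def blank_overrides(instance, system):
    """Audit helper: keys stored blank at instance scope that hide a system value."""
    return sorted(k for k, v in instance.items()
                  if not (v or "").strip() and (system.get(k) or "").strip())


# Constructed state mirroring the report: System Settings holds 0x211AAAAA,
# and saving Instance Settings wrote a blank value for the same key.
system_settings = {KEY: "0x211AAAAA"}
instance_settings = {KEY: "", "domain": "EXAMPLE"}

if __name__ == "__main__":
    print(hex(resolve_naive(instance_settings, system_settings)))
    print(hex(resolve_hardened(instance_settings, system_settings)))
    print(blank_overrides(instance_settings, system_settings))
```

With the naive resolver the administrator's flags are silently replaced by the fallback, which is why sign-in still succeeds; `blank_overrides` is the kind of check that would surface the shadowed setting.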