NTLM Single Sign On Authentication

NTLM Single Sign On Authentication

NTLM (NT LAN Manager) is a suite of Microsoft protocols that provide authentication, integrity, and confidentiality for users. Though Microsoft has adopted Kerberos in modern versions of Windows server, NTLM is still used when authenticating to a workgroup. Liferay DXP now supports NTLM v2 authentication. NTLM v2 is more secure and has a stronger authentication process than NTLMv1.

Note that in order to use NTLM SSO, Liferay DXP’s portal instance authentication type must be set to screen name.

Most importantly, all users must be imported from an Active Directory server. NTLM (and Kerberos) works only if the users are in the AD; otherwise any SSO requests initiated by Liferay DXP fail.

NTLM configuration can be applied either at the system scope or at the scope of a portal instance. To configure the NTLM SSO module at the system scope, navigate to the Control Panel, click on ConfigurationSystem SettingsSecuritySSO → NTLM. The values configured there provide the default values for all portal instances. Enter values in the same format as you would when initializing a Java primitive type with a literal value.

Property LabelProperty KeyDescriptionType
EnabledenabledCheck this box to enable NTLN SSO authentication. Note that NTLM will only work if Liferay DXP’s authentication type is set to screen name.boolean
Domain ControllerdomainControllerEnter the IP address of your domain controller. This is the server that contains the user accounts you want to use with Liferay DXP.String
Domain Controller NamedomainControllerNameSpecify the domain controller NetBIOS name.String
DomaindomainEnter the domain / workgroup nameString
Service AccountserviceAccountYou need to create a service account for NTLM. This account will be a computer account, not a user account.String
Service PasswordserviceAccountEnter the password for the service account.String
Negotiate FlagsnegotiateFlagsOnly available at system level. Set according to the client’s requested capabilities and the server’s ServerCapabilities. See hereString

Note the AD’s name and IP address correspond to the domainControllerName and domainController settings. The Service Account is for the NTLM account (registered with NTLM), not the Liferay DXP user account.

To override system defaults for a particular portal instance, navigate to the Control Panel, click on ConfigurationInstance Settings, click on Authentication and then on NTLM.


NTLM authentication is often highly desirable in Intranet scenarios where the IT department has control over what software is running on client devices and thus can ensure NTLM compatibility. In an Active Directory based network / domain, it is hard to beat the user experience that NTLM authentication can provide.

Please remember that in order to use NTLM SSO, your Liferay DXP instance authentication type must be set to screen name and that all users have been imported from your active directory. If this is not acceptable for your Liferay DXP implementation, then another SSO solution (such as CAS) can be used as a broker between your portal and the NTLM authentication process.

« OpenAM Single Sign On AuthenticationFacebook Connect Single Sign On Authentication »
Was this article helpful?
0 out of 0 found this helpful