NTLM Single Sign On Authentication

NTLM Single Sign On Authentication

NTLM (NT LAN Manager) is a suite of Microsoft protocols that provide authentication, integrity, and confidentiality for users. Though Microsoft has adopted Kerberos in modern versions of Windows server, NTLM is still used when authenticating to a workgroup. Liferay DXP now supports NTLM v2 authentication. NTLM v2 is more secure and has a stronger authentication process than NTLMv1.

Most importantly, all users must be imported from an Active Directory server. NTLM (and Kerberos) works only if the users are in the AD; otherwise any SSO requests initiated by Liferay DXP fail.

NTLM configuration can be applied either at the system scope or at the scope of a portal instance. To configure the NTLM SSO module at the system scope, navigate to the Control Panel, click on ConfigurationSystem SettingsSecuritySSO → NTLM. The values configured there provide the default values for all portal instances. Enter values in the same format as you would when initializing a Java primitive type with a literal value.

Property Label Property Key Description Type
Enabled enabled Check this box to enable NTLN SSO authentication. Note that NTLM will only work if Liferay DXP’s authentication type is set to screen name. boolean
Domain Controller domainController Enter the IP address of your domain controller. This is the server that contains the user accounts you want to use with Liferay DXP. String
Domain Controller Name domainControllerName Specify the domain controller NetBIOS name. String
Domain domain Enter the domain / workgroup name String
Service Account serviceAccount You need to create a service account for NTLM. This account will be a computer account, not a user account. String
Service Password serviceAccount Enter the password for the service account. String
Negotiate Flags negotiateFlags Only available at system level. Set according to the client’s requested capabilities and the server’s ServerCapabilities. See here String

Note the AD’s name and IP address correspond to the domainControllerName and domainController settings. The Service Account is for the NTLM account (registered with NTLM), not the Liferay DXP user account.

To override system defaults for a particular portal instance, navigate to the Control Panel, click on ConfigurationInstance Settings, click on Authentication and then on NTLM.


NTLM authentication is often highly desirable in Intranet scenarios where the IT department has control over what software is running on client devices and thus can ensure NTLM compatibility. In an Active Directory based network / domain, it is hard to beat the user experience that NTLM authentication can provide.

Please remember that in order to use NTLM SSO, your Liferay DXP instance authentication type must be set to screen name and that all users have been imported from your active directory. If this is not acceptable for your Liferay DXP implementation, then another SSO solution (such as CAS) can be used as a broker between your portal and the NTLM authentication process.

« Configuring SAMLOpenID Single Sign On Authentication »
Was this article helpful?
0 out of 0 found this helpful