NTLM Single Sign On Authentication
NTLM (NT LAN Manager) is a suite of Microsoft protocols that provide authentication, integrity, and confidentiality for users. Though Microsoft has adopted Kerberos in modern versions of Windows Server, NTLM is still used when authenticating to a workgroup. Liferay DXP now supports NTLMv2 authentication, which is more secure and has a stronger authentication process than NTLMv1.
Most importantly, all users must be imported from an Active Directory server. NTLM (and Kerberos) works only if the users are in the AD; otherwise any SSO requests initiated by Liferay DXP fail.
NTLM configuration can be applied either at the system scope or at the scope of a portal instance. To configure the NTLM SSO module at the system scope, navigate to the Control Panel, click on Configuration → System Settings → Security → SSO → NTLM. The values configured there provide the default values for all portal instances. Enter values in the same format as you would when initializing a Java primitive type with a literal value.
Property Label | Property Key | Description | Type |
---|---|---|---|
Enabled | enabled | Check this box to enable NTLM SSO authentication. Note that NTLM will only work if Liferay DXP’s authentication type is set to screen name. | boolean |
Domain Controller | domainController | Enter the IP address of your domain controller. This is the server that contains the user accounts you want to use with Liferay DXP. | String |
Domain Controller Name | domainControllerName | Specify the domain controller’s NetBIOS name. | String |
Domain | domain | Enter the domain / workgroup name. | String |
Service Account | serviceAccount | You need to create a service account for NTLM. This account will be a computer account, not a user account. | String |
Service Password | serviceAccount | Enter the password for the service account. | String |
Negotiate Flags | negotiateFlags | Only available at system level. Set according to the client’s requested capabilities and the server’s ServerCapabilities. See here | String |
Note that the AD server’s name and IP address correspond to the domainControllerName and domainController settings. The Service Account is the NTLM account (registered with NTLM), not a Liferay DXP user account.
To override system defaults for a particular portal instance, navigate to the Control Panel, click on Configuration → Instance Settings, click on Authentication and then on NTLM.
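As an added example (not from this page and not Liferay’s own code), the following Python checker parses NTLM settings written in the Java-literal form described above and flags values that do not fit the table: wrong literal type, a non-IP domain controller, an over-long NetBIOS name, or a service account that is not a computer account. The .config file layout and the key name servicePassword are assumptions.

```python
import ipaddress
import re

# Constructed sample OSGi .config file for the NTLM SSO module. The file
# location (osgi/configs/<config PID>.config) and the key name servicePassword
# are assumptions; the other keys and their types come from the page's table.
SAMPLE_CONFIG = """\
enabled=B"true"
domainController="192.0.2.10"
domainControllerName="DC01"
domain="EXAMPLE"
serviceAccount="LIFERAY01$"
servicePassword="constructed-placeholder"
"""
# Java literal type of each required key (negotiateFlags is optional, system scope only).
EXPECTED_TYPES = {"enabled": "boolean", "domainController": "String",
                  "domainControllerName": "String", "domain": "String",
                  "serviceAccount": "String", "servicePassword": "String"}
# key=B"true" / key=B"false" is a boolean literal, key="text" a String literal.
LINE_RE = re.compile(r'^(\w+)=(B"(true|false)"|"([^"]*)")$')

def parse_config(text):
    # Parse key=value lines into typed Python values (bool or str).
    values = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line}")
        key, _, boolean, string = m.groups()
        values[key] = (boolean == "true") if boolean is not None else string
    return values

def check_config(values):
    # Return the problems a reviewer would flag before enabling NTLM SSO.
    problems = [f"missing key {k}" for k in EXPECTED_TYPES if k not in values]
    for key, kind in EXPECTED_TYPES.items():
        want = bool if kind == "boolean" else str
        if key in values and not isinstance(values[key], want):
            problems.append(f"{key} must be a Java {kind} literal")
    try:  # str() so a stray boolean is not accepted as an integer address
        ipaddress.ip_address(str(values.get("domainController", "")))
    except ValueError:
        problems.append("domainController must be an IP address")
    name = values.get("domainControllerName")
    if isinstance(name, str) and not 0 < len(name) <= 15:
        problems.append("domainControllerName must be a NetBIOS name (1-15 chars)")
    acct = values.get("serviceAccount")
    if isinstance(acct, str) and not acct.endswith("$"):
        problems.append("serviceAccount should be a computer account (ends with $)")
    return problems
```

Running `check_config(parse_config(SAMPLE_CONFIG))` on the sample returns an empty list; feed it a file with `enabled="true"` or a hostname in domainController to see the corresponding findings.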
Summary
NTLM authentication is often highly desirable in Intranet scenarios where the IT department has control over what software is running on client devices and thus can ensure NTLM compatibility. In an Active Directory based network / domain, it is hard to beat the user experience that NTLM authentication can provide.
Please remember that in order to use NTLM SSO, your Liferay DXP instance’s authentication type must be set to screen name and all users must have been imported from your Active Directory. If this is not acceptable for your Liferay DXP implementation, then another SSO solution (such as CAS) can be used as a broker between your portal and the NTLM authentication process.