Issue
- Microsoft's fix for CVE-2020-1472 (external link), a Netlogon elevation-of-privilege vulnerability, enforces secure RPC on Netlogon secure channel connections.
- See also How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 (external link).
- The Liferay NTLM SSO integration validates credentials over a Netlogon connection to the domain controller and cannot establish the secure RPC connection that patched domain controllers require, so it no longer works against domain controllers in enforcement mode.
- As an alternative, we want to replace NTLM SSO with Kerberos.
- Kerberos is not officially supported in Liferay Portal 6.2 and cannot be configured directly, because the Token-based SSO authentication settings that DXP uses for it do not exist in this version; they were added in DXP 7.0.
- How can Kerberos be configured in this version?
Environment
- Liferay Portal 6.2
Resolution
- In Liferay Portal 6.2 it may be possible to configure Kerberos using the SiteMinder settings available in the Control Panel.
- The SiteMinder settings are very similar to the Token-Based SSO settings used in DXP 7.x to configure Kerberos: in both cases the portal trusts a request header, filled in by a front-end web server that has already authenticated the user with Kerberos, and logs the user in by screen name.
- So in Liferay Portal 6.2 you could try following the DXP documentation, Authenticating with Kerberos, but using the SiteMinder configuration section instead of the Token-Based SSO one.
- Because the portal trusts the header unconditionally, the application server must be reachable only through the authenticating front end. A client that can reach Tomcat directly can log in as any user simply by sending the header itself, and the front end must strip any copy of the header supplied by the browser before setting its own.
- More information on the SiteMinder settings: Authentication: SiteMinder.
Note: The SiteMinder settings in Liferay Portal 6.2 are more limited than the Token-Based SSO settings of DXP 7.x. For example, you cannot configure the cookie name to invalidate during logout or specify a redirect URL to use after logout. If you need these, you will have to implement them in a custom AutoLogin hook.
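The following is an added example, not part of the original article and not Liferay's own configuration, of the front-end half of this setup: Apache httpd with mod_auth_kerb authenticates the browser with Kerberos and forwards the resulting principal to the portal in the header named by siteminder.user.header. It assumes the default header name SM_USER, Tomcat's AJP connector listening on 127.0.0.1:8009, and placeholder values for the host name, realm and keytab path. The matching portal-ext.properties entries on the 6.2 side are siteminder.auth.enabled=true, siteminder.user.header=SM_USER and, if users should be created from LDAP on first login, siteminder.import.from.ldap=true (which also requires ldap.import.enabled=true).

```apache
# Added example, not from the Liferay article: Apache httpd in front of
# Liferay Portal 6.2, doing Kerberos (SPNEGO) authentication with mod_auth_kerb
# and passing the principal to the portal in the SiteMinder user header.
# portal.example.com, EXAMPLE.COM, the keytab path and the AJP address are
# placeholders.
<VirtualHost *:443>
    ServerName portal.example.com
    # TLS directives omitted. The SM_USER header carries the user's identity,
    # so it must never cross an unencrypted or untrusted hop.

    <Location />
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbServiceName HTTP
        KrbAuthRealms EXAMPLE.COM
        Krb5KeyTab /etc/httpd/conf/http.keytab
        KrbMethodNegotiate On
        # Disable the password fallback; only tickets are accepted.
        KrbMethodK5Passwd Off
        # Strip "@EXAMPLE.COM" so REMOTE_USER matches the Liferay screen name.
        KrbLocalUserMapping On
        Require valid-user
    </Location>

    # Never trust a client-supplied SM_USER: discard it before anything else
    # runs, so a browser cannot pick its own screen name.
    RequestHeader unset SM_USER early

    # Copy the authenticated principal into the header Liferay reads
    # (siteminder.user.header=SM_USER). The LA-U lookahead forces the
    # authentication phase to run before the rewrite evaluates REMOTE_USER.
    RewriteEngine On
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule .* - [E=RU:%1]
    RequestHeader set SM_USER %{RU}e

    # Forward to Tomcat over AJP on the loopback interface.
    ProxyPreserveHost On
    ProxyPass        / ajp://127.0.0.1:8009/
    ProxyPassReverse / ajp://127.0.0.1:8009/
</VirtualHost>
```

The portal must be reachable only through this proxy: the SiteMinder auto-login trusts the header as-is, so any client that can reach Tomcat's HTTP or AJP port directly can log in as any screen name just by sending SM_USER: name. Bind those connectors to the loopback interface or firewall them to the proxy host, and keep the early RequestHeader unset so a header supplied by the browser is dropped before the authenticated value is set.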