Submit Feedback
Legacy Knowledge Base
Published Jul. 2, 2025

Setting Up NTLM With Liferay

Written By

Justin Choi

How To articles are not official guidelines or officially supporteddocumentation. They are community-contributed content and may not alwaysreflect the latest updates to Liferay DXP. We welcome your feedback toimprove How to articles!

While we make every effort to ensure this Knowledge Base is accurate, itmay not always reflect the most recent updates or official guidelines.We appreciate your understanding and encourage you to reach out with anyfeedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack"publication program, made available for informational purposes. Articlesin this program were published without a requirement for independentediting or verification and are provided "as is" withoutguarantee.

Before using any information from this article, independently verify itssuitability for your situation and project.

NTLM (NT Lan Manager) is a suite of Microsoft security protocols that provides authentication, integrity, and confidentiality to users. When Liferay Portal is successfully integrated with NTLM, Active Directory users who are logged in will be able to seamlessly log into Liferay Portal. In other words, when a user logged into a workstation on a particular domain clicks "Sign in" in Liferay Portal, Liferay Portal will authenticate based on the Active Directory user's credentials.

While NTLM is not recommended by Microsoft anymore (Kerberos is now the default Active Directory SSO application) we recognize that many of our customers still use this technology. NTLM can be set up once Liferay Portal is successfully synced with Active Directory.

Resolution

Setting up Active Directory

Before configuring Liferay Portal to work with NTLM, a few things need to be in place within Active Directory itself. If these steps are skipped or done incorrectly, then NTLM authentication will not work with Liferay Portal.

  1. Create a Service / Computer Account in Active Directory

    To connect with Active Directory, Liferay Portal uses a third-party application called jcifs to act as a sort of intermediary between Liferay Portal and Active Directory. Jcifs requires a service account to be configured within Active Directory so that it can properly handle NTLM authentication. For instructions on how to set up this service account, see the Jespa Operator's Manual (Creating a Computer Account on page 8; we used the alternative steps to configure our account).

  2. Know (and match) Your Negotiation Flags

    Active Directory uses what's called a negotiation flag. This flag has two purposes. First off, the negotiation flag represents the security settings for Active Directory. For more information on how this hex code is arrived at, see 3.1.4.2 Netlogon Negotiable Options from Microsoft. The second and more relevant use of the negotiation flag is to serve as a sort of password. This simply means that when Liferay Portal seeks to authenticate using NTLM, it passes a negotiation flag to Active Directory. If this flag matches the actual flag in Active Directory, then authentication can happen. If it does not match, however, no one will be able to authenticate with NTLM.

To make sure this is working, simply set the ntlm.auth.negotiate.flags property to the negotiate flag that Active Directory is using. The Liferay Portal default flag is set to mirror Active Directory's default flag.

Configuring NTLM / Liferay

With Liferay Portal synced with Active Directory and Active Directory configured, we can now configure Liferay Portal for use with NTLM.

Setting NTLM in the GUI

  1. Go to the Control Panel > Settings
  2. Select Authentication > NTLM
  3. Fill in the Active Directory Server configurations and the Computer Account credentials.

Setting NTLM in the portal-ext.properties

Here are the equivalent setting that you would put in the portal-ext.properties.

ntlm.auth.enabled=true
ntlm.auth.domain.controller=192.168.0.50
ntlm.auth.domain.controller.name=vm-win2008r2
ntlm.auth.domain=windows2008r2
ntlm.auth.service.account=VikesTest$@windows2008r2.ntlm
ntlm.auth.service.password=test

Whether you use the GUI or portal-ext.properties, this should be the last step.

Testing NTLM

  1. Open Internet Explorer (NTLM is guaranteed to work in IE) and navigate to Liferay Portal, in our case, localhost:8080. If you are automatically logged in as a user, sign out.
  2. Now on the main page, click Sign In

If you are logging in from a workstation that is configured with NTLM and on the same domain as Active Directory and Liferay Portal, then you should be automatically logged in to Liferay Portal.

If, in your testing, you must use a machine that is outside the domain that includes Active Directory and Liferay Portal, then you will see a Windows dialog box pop up. In the user field, type in the following domain\user, with the domain being the name of the domain which Active Directory resides on and user being an active directory user on that domain. In our case an example would be: 

  • User: windows2008r2\randy
  • Password: test

Additional Information

Logging With NTLM

In order to increase the logging level for NTLM, we'll have to make some changes that will be picked up by jcifs. Here are the steps:

  1. Stop the app server
  2. Go to $LIFERAY_WAR/WEB-INF/web.xml
  3. Find this filter:
    filter> SSO Ntlm Filter com.liferay.portal.servlet.filters.sso.ntlm.NtlmFilter

    Add

    init-param> jcifs.util.loglevel 6

    So, it should look like this:

    filter> SSO Ntlm Filter com.liferay.portal.servlet.filters.sso.ntlm.NtlmFilter jcifs.util.loglevel 6
  4. Start the app server

When this is set, the console/log will show output of the user's Computer Account, Computer information, Java parameters, and logs .

Differences Between NTLM Version 1 and Version 2

From a security standpoint, NTLMv2 is much more secure than NTLMv1. Here's how authentication happens for each version.

NTLM v1

The server authenticates the client by sending a random 8-byte challenge, to which the client returns with an LM and NT hash. These hashes create a 21-byte string that is split into 3 7-bytes, then are recombined to form the DES encryption for the 64-bit challenge.

NTLM v2

NTLM v2 sends two 16-byte responses to an 8-byte HMCA-MD5 server challenge. The first challenge is an 8-byte random value that appends to the first 16-byte response to create a 24-byte package, which is compatible with NTLMv1. The second response is a variable length client challenge that consists of: The current time in NT Time format, an 8-byte random valude, the domain name, and some standard format stuff.

Did this article resolve your issue ?
Legacy Knowledge Base
Did this article resolve your issue ?