The NTLM (NT Lan Manager) connector provides single sign-on (SSO) functionality for Windows systems within a trusted domain environment. The connector utilizes the Windows challenge/response authentication protocol to retrieve credentials from the Windows operating system and uses those credentials to log into Magnolia's CMS.

• Download
• Installing
• Uninstalling
• Configuration
• How it works
• Limitations
• Common issues
• IE incorrectly requests Windows login
• Can't log out
• Can't directly activate content

Download

Installing

The LDAP connector must be installed and the AD (Active Directory) connection should be verified to be working before proceeding with installing this module. The LDAP connector must be configured to connect to the host Windows system's domain controller and set to resolve users and groups from AD.

Optionally you can write your own ADRoleResolver and resolve also roles from AD. Your ADRoleResolver should implement the NameResolver interface.

Uninstalling

Configuration

To configure the module:

1. Stop the application server(s) where you are deploying the module.
2. Copy the provided JAR file(s) into WEB-INF/lib directory inside your webapp. Location of this directory depends on the application server.
• Tomcat: /webapps/magnoliaAuthor/WEB-INF/lib
• JBoss: /server/default/deploy/magnoliaPublic/WEB-INF/lib
3. Copy provided jaas.policy file into the magnoliaAuthor and magnoliaPublic directories.
4. If SSO authentication needs to be enabled to occur via Tomcat:
• Copy provided context.xml into magnoliaAuthor/META-INF and magnoliaPublic/META-INF directories.
• Copy all JARs in bundle, with exception of the magnolia-module-ntlm JAR, to CATALINA_HOME/lib.
• Copy all slf4j JARs to CATALINA_HOME/lib.
  Note: These JARs (slf4j-log4j21 and slf4j-api) will be located in the Tomcat installation directory in Magnolia Enterprise Edition in magnoliaAuthor/WEB-INF and magnoliaPublic/WEB-INF.
5. Set ssoSlave = true in your ad.properties file.
   Note: ad.properties is contained within the LDAP connector bundle and is typically in the directory WEB-INF/config/ldap.
6. Append following to jaas.config in magnoliaAuthor/WEB-INF/config and magnoliaPublic/WEB-INF/config:
   

Jaas {
     waffle.jaas.WindowsLoginModule sufficient;
  };

Restart all instances for which the configuration was performed.

If context.xml is removed after starting the instance, Tomcat needs to be forced to redeploy the application by removing all references from CATALINA_HOME/work/Catalina and CATALINA_HOME/conf/Catalina.

How it works

This module works in connection with the LDAP connector module's AD authentication. Once SSO is enabled, only user accounts that exist in AD can be used to log into Magnolia. For this reason, there must be accounts with administrator rights in addition to the provided superuser account that exist in AD.

Once installation is completed, NTLM will appear as a login filter in AdminCentral. Click Configuration > server/filters/login/loginHandlers to see the login handler.

The waffle filter will be added to filters. Click Configuration > server/filters to see that filter.

Client callbacks are added for URI and content security filters. To see the URI security filter callback click Configuration > server/filters/uriSecurity/clientCallback/patterns/magnolia/delegate. The class for the delegate will be changed to info.magnolia.enterprise.security.NTLMClientCallback.

To see the content security filter callback click Configuration > server/filters/cms/contentSecurity/clientCallback. The class will be changed to info.magnolia.module.ntlm.NTLMClientCallback.

Finally, external is added to the user managers. Click Configuration > server/security/userManagers to see that user manager.

When SSO authentication is enabled to occur via Tomcat as described in the configuration, waffle will delegate the NTLM authentication to Tomcat. Tomcat performs server wide authentication in which all web applications on the instance share the authentication. When SSO authentication does not occur via Tomcat, the waffle authentication is utilized only by the Magnolia web application and is valid only within the Magnolia web container.

Limitations

• This module can only be used on a Windows operating system server with a domain controller. This requirement excludes the ability to use this module on Vista.
• SSO when enabled is enabled for all users in all realms.
• Some versions of Tomcat have issues with unloading native connectors used to perform the actual NTLM authentication operations. When this occurs you can see an exception explaining the problem on shutdown and you need to kill the Tomcat process manually.
• NTLM authentication is not supported for all browsers. Native support exists for IE only. Safari, Chrome and Firefox allow users to enter their Windows username and password while some other browsers such as Opera do not allow login.
• While the installation is reported to be working fine with older versions of Windows Server, Windows Server 2008 configuration is certified and tested by Magnolia.
• When SSO is enabled on the author instance, activation works only via workflow.
• For security reasons SSO is recommended only for author instances, not for public instances. It is common practice not to expose Active Directory services to the Internet. In a controlled intranet environment it is OK to use SSO on a public instance but not on a public website.

Common issues

IE incorrectly requests Windows login

Can't log out

One of the features of SSO is that authentication data are automatically negotiated between browser and server. The result is that log in is transparent and automatically occurs immediately after the user logs out.

Can't directly activate content

When SSO is enabled Magnolia does not retain user related data and is unable to authenticate itself to public instances on behalf of the user. The result is that activation must be done via workflow when SSO is enabled.