Page tree
Skip to end of metadata
Go to start of metadata

The NTLM (NT LAN Manager) connector provides single sign-on (SSO) functionality for Windows systems within a trusted domain environment. The connector utilizes the Windows challenge/response authentication protocol to retrieve credentials from the Windows operating system and uses those credentials to log into Magnolia's CMS.

Installing

Maven is the easiest way to install the module. Add the following dependency to your bundle:

<dependency>
  <groupId>info.magnolia</groupId>
  <artifactId>magnolia-module-ntlm</artifactId>
  <version>1.1</version>
</dependency>

Pre-built jars are also available for download. See Installing a module for help.

Configuration

To configure the module:

  1. Stop the application server(s) where you are deploying the module.
  2. Copy the magnolia-module-ntlm JAR file into the WEB-INF/lib directory in the webapp:
    • Tomcat: /webapps/magnoliaAuthor/WEB-INF/lib
    • JBoss: /server/default/deploy/magnoliaPublic/WEB-INF/lib
    Note:  the location of this directory depends on the application server.
  3. Copy the  jaas.policy file into the magnoliaAuthor and magnoliaPublic directories.
  4. Enable SSO authentication via Tomcat:
      1. Copy the provided context.xml into magnoliaAuthor/META-INF and magnoliaPublic/META-INF directories.
      2. Copy all JARs in the bundle -  with the exception of the magnolia-module-ntlm JAR and the appropriate waffle-tomcat* JAR, to CATALINA_HOME/lib. (Note: If you using Tomcat 6 you need use waffle-tomcat6 JAR; if Tomcat 7 then waffle-tomcat7 JAR. If you using a different version of Tomcat, see https://oss.sonatype.org)/content/repositories/releases/com/github/dblock/waffle/
      3. Copy all slf4j and commons-logging wrapper JARs to CATALINA_HOME/lib. Note: These JARs (slf4j-log4j12, slf4j-api and jcl-over-slf4j) are located in the Tomcat installation directory in magnoliaAuthor/WEB-INF and magnoliaPublic/WEB-INF  in Magnolia Enterprise Edition.
  5. Set ssoSlave = true in your ad.properties file. (Note: ad.properties is contained within the LDAP connector bundle and is typically in the directory WEB-INF/config/ldap.)
  6. Append the following code to jaas.config in magnoliaAuthor/WEB-INF/config and magnoliaPublic/WEB-INF/config:

    Jaas {
       waffle.jaas.WindowsLoginModule sufficient;
    };
  7. Restart all instances. If context.xml is removed after starting the instance, Tomcat needs to be forced to redeploy the application by removing all references from CATALINA_HOME/work/Catalina and CATALINA_HOME/conf/Catalina.

Functionality

While this module logs in directly instead of going through JAAS, it does so by utilizing the Waffle Windows Authentication Framework. Waffle utilizes JAAS resulting in the need for the JAAS installation steps. Waffle's Servlet Negotiate Security Filter from the Waffle Framework was used for the implementation.  This module works in connection with the LDAP connector module's AD authentication. Once SSO is enabled, only user accounts that exist in AD can be used to log into Magnolia. For this reason, there must be accounts with administrator rights in addition to the provided superuser account that exist in AD. Once installation is completed, NTLM will appear as a login filter in AdminCentral.

Add the login handler:

Node nameValue

 server

 

 filters

 

 context

 

....

 

 login

 

 loginHandlers

 

 Basic

 

 NTLM

 

 class

info.magnolia.module.ntlm.NTLMLogin

 Form

 

Adding the waffle filter:

Node nameValue

 server

 

 filters

 

 context

 

....

 

 registration

 

 waffle

 

 decoratedFilter

 

 class

waffle.servlet.NegotiateSecurityFilter

 class

info.magnolia.module.ntlm.WaffleWrapperFilter

 enabled

true

NTLM client callback:

Node nameValue

 server

 

 filters

 

 context

 

....

 

 unicodeNormalization

 

 securityCallback

 

 clientCallbacks

 

 ntlm

 

 class

info.magnolia.module.ntlm.NTLMClientCallback

 Public

 

 Form

 

 class

info.magnolia.cms.security.SecurityCallbackFilter

 registration

 

 waffle

 

 login

 

Adding external user manager:

Node nameValue

 server

 

 filters

 

 IPConfig

 

 i18n

 

 security

 

 userManagers

 

 system

 

 external

 

 class

info.magnolia.cms.security.ExternalUserManager

 admin

 

 public

 

 groupManager

 

 roleManager

 

 class

info.magnolia.cms.security.SecuritySupportImpl

 security

 

When SSO authentication is enabled to occur via Tomcat as described in the configuration, waffle will delegate the NTLM authentication to Tomcat. Tomcat performs server wide authentication in which all web applications on the instance share the authentication. When SSO authentication does not occur via Tomcat, the waffle authentication is utilized only by the Magnolia web application and is valid only within the Magnolia web container.

Security

To avoid logged in users bypassing password requirement and changing identity:

  1. Disable Config:/server/filters/login/form (info.magnolia.cms.security.auth.login.FormLogin) handler
  2. Split info.magnolia.jaas.sp.jcr.JCRAuthenticationModule and info.magnolia.jaas.sp.ldap.ADAuthenticationModulejaas into separate jaas login chains. For example, add jaasChain property to Config:/server/filters/login/ntlm/ with value magnolia-ntlm. Then change your jaas.config to:
magnolia {
  info.magnolia.jaas.sp.jcr.JCRAuthenticationModule required;
  info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
};

magnolia-ntlm {
  info.magnolia.jaas.sp.ldap.ADAuthenticationModule required realm=external;
  info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
};

Jaas {
  waffle.jaas.WindowsLoginModule sufficient;
};

Limitations

  • This module can only be used on a Windows operating system server with a domain controller. This requirement excludes the ability to use this module on Vista.
  • SSO when enabled is enabled for all users in all realms.
  • Some versions of Tomcat have issues with unloading native connectors used to perform the actual NTLM authentication operations. When this occurs you can see an exception explaining the problem on shutdown and you need to kill the Tomcat process manually.
  • NTLM authentication is not supported for all browsers. Native support exists for IE only. Safari, Chrome and Firefox allow users to enter their Windows username and password while some other browsers such as Opera do not allow login.
  • While the installation is reported to be working fine with older versions of Windows Server, Windows Server 2008 configuration is certified and tested by Magnolia.
  • When SSO is enabled on the author instance, activation works only via workflow.
  • For security reasons SSO is recommended only for author instances, not for public instances. It is common practice not to expose Active Directory services to the Internet. In a controlled intranet environment it is OK to use SSO on a public instance but not on a public website.

Common issues

  • IE incorrectly requests Windows login
  • IE will request the Windows login despite correct installation of the module. This can be due to the server not configured to be in the IE intranet zone or the security settings of IE are configured to always ask for username and password.
  • Can't log out
  • One of the features of SSO is that authentication data are automatically negotiated between browser and server. The result is that log in is transparent and automatically occurs immediately after the user logs out.
  • Can't directly activate content
  • When SSO is enabled Magnolia does not retain user related data and is unable to authenticate itself to public instances on behalf of the user. The result is that activation must be done via workflow when SSO is enabled.