Magnolia 4.5 reached end of life on June 30, 2016. This branch is no longer supported, see End-of-life policy.
The NTLM (NT LAN Manager) connector provides single sign-on (SSO) functionality for Windows systems within a trusted domain environment. The connector utilizes the Windows challenge/response authentication protocol to retrieve credentials from the Windows operating system and uses those credentials to log into Magnolia's CMS.
Download the NTLM connector module from the Nexus repository.
NTLM connector is an Enterprise Edition module (3.6 and higher) included in the
add-ons folder of the Enterprise Edition bundle and available on Nexus repository.
The LDAP connector must be installed and the AD (Active Directory) connection should be verified to be working before proceeding with installing this module. The LDAP connector must be configured to connect to the host Windows system's domain controller and set to resolve users and groups from AD.
Optionally you can write your own
ADRoleResolver and resolve also roles from AD. Your
ADRoleResolver should implement the
See the general module uninstalling instructions and advice.
To configure the module:
magnolia-module-ntlmJAR file into the WEB-INF/lib directory in the webapp:
CATALINA_HOME/lib. (Note: If you using Tomcat 6 you need use
waffle-tomcat6JAR; if Tomcat 7 then
waffle-tomcat7JAR. If you using a different version of Tomcat, see https://oss.sonatype.org)/content/repositories/releases/com/github/dblock/waffle/
CATALINA_HOME/lib. Note: These JARs (slf4j-log4j12, slf4j-api and jcl-over-slf4j) are located in the Tomcat installation directory in
magnoliaPublic/WEB-INFin Magnolia Enterprise Edition.
ad.propertiesis contained within the LDAP connector bundle and is typically in the directory WEB-INF/config/ldap.)
Append the following code to
Restart all instances. If
context.xml is removed after starting the instance, Tomcat needs to be forced to redeploy the application by removing all references from
While this module logs in directly instead of going through JAAS, it does so by utilizing the Waffle Windows Authentication Framework. Waffle utilizes JAAS resulting in the need for the JAAS installation steps. Waffle's Servlet Negotiate Security Filter from the Waffle Framework was used for the implementation. This module works in connection with the LDAP connector module's AD authentication. Once SSO is enabled, only user accounts that exist in AD can be used to log into Magnolia. For this reason, there must be accounts with administrator rights in addition to the provided superuser account that exist in AD. Once installation is completed, NTLM will appear as a login filter in AdminCentral.
Add the login handler:
Add the waffle filter:
Add NTLM client callback:
Add external user manager type:
When SSO authentication is enabled to occur via Tomcat as described in the configuration, waffle will delegate the NTLM authentication to Tomcat. Tomcat performs server wide authentication in which all web applications on the instance share the authentication. When SSO authentication does not occur via Tomcat, the waffle authentication is utilized only by the Magnolia web application and is valid only within the Magnolia web container.
To avoid logged in users bypassing password requirement and changing identity:
info.magnolia.jaas.sp.ldap.ADAuthenticationModulejaasinto separate jaas login chains. For example, add
magnolia-ntlm. Then change your jaas.config to: