Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
SOLVED

NTLM in AEM 5.6.1

Avatar

Level 5

Hello!

 

I’m looking for documentation about how to configure NTLM authentication in AEM 5.6.1.

For now, I’ve located these documents: [1],[2], [3] and [4], but in my opinion they’re very brief and incomplete. I need more detailed info. Specifically, I need information about the disableNTLMAuth parameter in LoginModule and NTLMAuthorizableAction.

Any more general, explanatory information regarding 'NTLM in AEM 5.6.1' concept would be also very appreciated.

Do you know any good source of information?

 

[1] http://dev.day.com/docs/en/cq/current/deploying/single_sign_on.html

[2] http://dev.day.com/docs/en/cq/current/deploying/osgi_configuration_settings.html#Day%20CQ%20SSO%20Au...

[3] http://dev.day.com/docs/en/cq/5-6/core/release_notes/overview/important_notes.html#Changes in Default Configuration

[4] http://dev.day.com/content/docs/en/crx/current/release_notes/overview.html#Changes in Default Configuration

1 Accepted Solution

Avatar

Correct answer by
Level 10

The product team simply said this is a supported use case. 

As you stated that authenication via LDAP was one of your goals -- this is a supported. As an example -- see the follownig artilce that bases this use case on Apache Directory Service. This artilce shows you how you can configure CQ to pull in users from this specific LDAP systems. See 
http://scottsdigitalcommunity.blogspot.ca/2012/10/configuring-adobe-cq-to-use-apache.html

Your 2nd goals is SSO: "Windows domain don’t have to write their username/password to access to CQ, so I would like to set up the NTLM, or Windows authentication."

IN this article:

http://www.wemblog.com/2012/06/how-to-add-custom-login-module-in-cq55.html it states that you have to write an OSGi bundle that uses org.apache.jackrabbit.core.security.authentication.AbstractLoginModule. Have you done this yet? That would be the way to meet your needs

 



 

View solution in original post

12 Replies

Avatar

Level 10

We passed this question to the AEM Product team. 

Avatar

Level 10

Here is a great community member article that talks about how to create a custom authentication handler. I recommend reading this: http://www.wemblog.com/2013/03/how-to-create-custom-authentication.html. The author of this blog is one of our community members. 

Avatar

Level 5

Thank you smacdonald2008.

I've been investigating today, and I've reviewed the link you've provided. This article talks about authentication handler (after authentication is done), not about authentication itself.

Now, I think my needs are closer to this blog: [1]

In [1] you could see this: "Note that LDAP login module com.day.crx.security.ldap.LDAPLoginModule in CQ is good example of custom Login Module", but there's no source code link! :-) 

It would be extremely useful for me if I can access the LDAPLoginModule source code (the fragment-bundle project). Is it public? Where can I find it?

Thank you very much!

[1] http://www.wemblog.com/2012/06/how-to-add-custom-login-module-in-cq55.html

Avatar

Level 5

Hi masters!

I'm still trying to configure NTLM authentication in my AEM 5.6.1 instance. I was looking for more documentation about it, but without luck.

I’ve tried to guess how to configure repository.xml, based on the comments in [3] & [4] references, in the first post, and I made a test:

  • I’ve uncommented the line ‘<AuthorizableAction class="com.day.crx.core.ntlm.NTLMAuthorizableAction"/>’, in UserManager section.
  • I’ve set ‘<param name="disableNTLMAuth" value="false"/>’, in LoginModule section.

After restart the instance, I found this error (many times):

 

12.09.2013 09:04:31.519 *ERROR* [FelixStartLevel] com.day.cq.cq-security [com.day.cq.security.impl.CQUserManagerFactoryImpl] The activate method has thrown an exception (org.apache.sling.api.SlingException: Configured bean implementation class com.day.crx.core.ntlm.NTLMAuthorizableAction was not found.) org.apache.sling.api.SlingException: Configured bean implementation class com.day.crx.core.ntlm.NTLMAuthorizableAction was not found.

Caused by: org.apache.jackrabbit.core.config.ConfigurationException: Configured bean implementation class com.day.crx.core.ntlm.NTLMAuthorizableAction was not found.

Caused by: java.lang.ClassNotFoundException: com.day.crx.core.ntlm.NTLMAuthorizableAction not found by com.day.crx.sling.server [65]

 

So, it’s clear something is missing.

smacdonald2008, any help from AEM Product team?

It seems like NTLM authentication setup should be an easy task, but I’m lost. Anyone out there who has ever implemented this? Any, any tip, piece of advice, would be very, very appreciated.

Thank you very much!

Avatar

Level 10

Could you use NTMLAuthorizableAction instead of NTLMAuthorizableAction

Avatar

Level 10

I will follow up with them. Sorry about the difficult time that you are experiencing. 

Avatar

Level 5

Sham HC, I've repeated the test with <AuthorizableAction class="com.day.crx.core.ntlm.NTMLAuthorizableAction"/>, and now I don't see any 'was not found' error message in the log, but when I put my username and password in login page, I see this in the log:

16.09.2013 10:26:04.726 *INFO* [127.0.0.1 [1379319964723] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator handleLoginFailure: Unable to authenticate null: LoginModule ignored Credentials

Please help. Thank you!

smacdonald2008, thank you very much. I'll be waiting for news...

Avatar

Level 1

Hello Julio,

What are trying to do?  Enable single sign on so users do not have to login to AEM?  Or do you want to enable authentication via LDAP?  or both?

Thanks,

Nick

Avatar

Level 5

Hello Nick. Any news? 

@smacdonald2008: any feedback from AEM Product Team?

 

Thank you very much in advance.

Avatar

Level 5

Hello Nick.

The answer is both.

I’ve an author cluster, with a dispatcher. (No publishers in this scenario)

I’ll configure CQ to synchronize users/groups, from LDAP to CQ. I’ve configured LDAP previously, in other installations, and I don’t expect any problems with this.

But, furthermore, I would like that users in the Windows domain don’t have to write their username/password to access to CQ, so I would like to set up the NTLM, or Windows authentication.

I hope I’ve explained well enough! Please, feel free to ask me any questions.

Thank you very much in advance.

Avatar

Correct answer by
Level 10

The product team simply said this is a supported use case. 

As you stated that authenication via LDAP was one of your goals -- this is a supported. As an example -- see the follownig artilce that bases this use case on Apache Directory Service. This artilce shows you how you can configure CQ to pull in users from this specific LDAP systems. See 
http://scottsdigitalcommunity.blogspot.ca/2012/10/configuring-adobe-cq-to-use-apache.html

Your 2nd goals is SSO: "Windows domain don’t have to write their username/password to access to CQ, so I would like to set up the NTLM, or Windows authentication."

IN this article:

http://www.wemblog.com/2012/06/how-to-add-custom-login-module-in-cq55.html it states that you have to write an OSGi bundle that uses org.apache.jackrabbit.core.security.authentication.AbstractLoginModule. Have you done this yet? That would be the way to meet your needs

 



 

Avatar

Level 10

Here is a good piece of content that talks about extending Jackrabbit’s AbstractLoginModule:

http://satyadeepm.wordpress.com/2012/09/29/extending-jackrabbits-abstractloginmodule/

We do not have articles like this for AEM currently. However -- we are talking about the possibility of creating something like this meant to work with AEM. A step by step guide.