Hello!
I’m looking for documentation about how to configure NTLM authentication in AEM 5.6.1.
For now, I’ve located these documents: [1],[2], [3] and [4], but in my opinion they’re very brief and incomplete. I need more detailed info. Specifically, I need information about the disableNTLMAuth parameter in LoginModule and NTLMAuthorizableAction.
Any more general, explanatory information regarding 'NTLM in AEM 5.6.1' concept would be also very appreciated.
Do you know any good source of information?
[1] http://dev.day.com/docs/en/cq/current/deploying/single_sign_on.html
[3] http://dev.day.com/docs/en/cq/5-6/core/release_notes/overview/important_notes.html#Changes in Default Configuration
[4] http://dev.day.com/content/docs/en/crx/current/release_notes/overview.html#Changes in Default Configuration
Solved! Go to Solution.
Views
Replies
Total Likes
The product team simply said this is a supported use case.
As you stated that authenication via LDAP was one of your goals -- this is a supported. As an example -- see the follownig artilce that bases this use case on Apache Directory Service. This artilce shows you how you can configure CQ to pull in users from this specific LDAP systems. See http://scottsdigitalcommunity.blogspot.ca/2012/10/configuring-adobe-cq-to-use-apache.html
Your 2nd goals is SSO: "Windows domain don’t have to write their username/password to access to CQ, so I would like to set up the NTLM, or Windows authentication."
IN this article: .
http://www.wemblog.com/2012/06/how-to-add-custom-login-module-in-cq55.html it states that you have to write an OSGi bundle that uses org.apache.jackrabbit.core.security.authentication.AbstractLoginModule. Have you done this yet? That would be the way to meet your needs
Views
Replies
Total Likes
We passed this question to the AEM Product team.
Views
Replies
Total Likes
Here is a great community member article that talks about how to create a custom authentication handler. I recommend reading this: http://www.wemblog.com/2013/03/how-to-create-custom-authentication.html. The author of this blog is one of our community members.
Views
Replies
Total Likes
Thank you smacdonald2008.
I've been investigating today, and I've reviewed the link you've provided. This article talks about authentication handler (after authentication is done), not about authentication itself.
Now, I think my needs are closer to this blog: [1]
In [1] you could see this: "Note that LDAP login module com.day.crx.security.ldap.LDAPLoginModule in CQ is good example of custom Login Module", but there's no source code link! :-)
It would be extremely useful for me if I can access the LDAPLoginModule source code (the fragment-bundle project). Is it public? Where can I find it?
Thank you very much!
[1] http://www.wemblog.com/2012/06/how-to-add-custom-login-module-in-cq55.html
Views
Replies
Total Likes
Hi masters!
I'm still trying to configure NTLM authentication in my AEM 5.6.1 instance. I was looking for more documentation about it, but without luck.
I’ve tried to guess how to configure repository.xml, based on the comments in [3] & [4] references, in the first post, and I made a test:
After restart the instance, I found this error (many times):
12.09.2013 09:04:31.519 *ERROR* [FelixStartLevel] com.day.cq.cq-security [com.day.cq.security.impl.CQUserManagerFactoryImpl] The activate method has thrown an exception (org.apache.sling.api.SlingException: Configured bean implementation class com.day.crx.core.ntlm.NTLMAuthorizableAction was not found.) org.apache.sling.api.SlingException: Configured bean implementation class com.day.crx.core.ntlm.NTLMAuthorizableAction was not found.
…
Caused by: org.apache.jackrabbit.core.config.ConfigurationException: Configured bean implementation class com.day.crx.core.ntlm.NTLMAuthorizableAction was not found.
…
Caused by: java.lang.ClassNotFoundException: com.day.crx.core.ntlm.NTLMAuthorizableAction not found by com.day.crx.sling.server [65]
So, it’s clear something is missing.
smacdonald2008, any help from AEM Product team?
It seems like NTLM authentication setup should be an easy task, but I’m lost. Anyone out there who has ever implemented this? Any, any tip, piece of advice, would be very, very appreciated.
Thank you very much!
Views
Replies
Total Likes
Could you use NTMLAuthorizableAction instead of NTLMAuthorizableAction
Views
Replies
Total Likes
I will follow up with them. Sorry about the difficult time that you are experiencing.
Views
Replies
Total Likes
Sham HC, I've repeated the test with <AuthorizableAction class="com.day.crx.core.ntlm.NTMLAuthorizableAction"/>, and now I don't see any 'was not found' error message in the log, but when I put my username and password in login page, I see this in the log:
16.09.2013 10:26:04.726 *INFO* [127.0.0.1 [1379319964723] POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator handleLoginFailure: Unable to authenticate null: LoginModule ignored Credentials
Please help. Thank you!
smacdonald2008, thank you very much. I'll be waiting for news...
Views
Replies
Total Likes
Hello Julio,
What are trying to do? Enable single sign on so users do not have to login to AEM? Or do you want to enable authentication via LDAP? or both?
Thanks,
Nick
Views
Replies
Total Likes
Hello Nick. Any news?
@smacdonald2008: any feedback from AEM Product Team?
Thank you very much in advance.
Views
Replies
Total Likes
Hello Nick.
The answer is both.
I’ve an author cluster, with a dispatcher. (No publishers in this scenario)
I’ll configure CQ to synchronize users/groups, from LDAP to CQ. I’ve configured LDAP previously, in other installations, and I don’t expect any problems with this.
But, furthermore, I would like that users in the Windows domain don’t have to write their username/password to access to CQ, so I would like to set up the NTLM, or Windows authentication.
I hope I’ve explained well enough! Please, feel free to ask me any questions.
Thank you very much in advance.
Views
Replies
Total Likes
The product team simply said this is a supported use case.
As you stated that authenication via LDAP was one of your goals -- this is a supported. As an example -- see the follownig artilce that bases this use case on Apache Directory Service. This artilce shows you how you can configure CQ to pull in users from this specific LDAP systems. See http://scottsdigitalcommunity.blogspot.ca/2012/10/configuring-adobe-cq-to-use-apache.html
Your 2nd goals is SSO: "Windows domain don’t have to write their username/password to access to CQ, so I would like to set up the NTLM, or Windows authentication."
IN this article: .
http://www.wemblog.com/2012/06/how-to-add-custom-login-module-in-cq55.html it states that you have to write an OSGi bundle that uses org.apache.jackrabbit.core.security.authentication.AbstractLoginModule. Have you done this yet? That would be the way to meet your needs
Views
Replies
Total Likes
Here is a good piece of content that talks about extending Jackrabbit’s AbstractLoginModule:
http://satyadeepm.wordpress.com/2012/09/29/extending-jackrabbits-abstractloginmodule/
We do not have articles like this for AEM currently. However -- we are talking about the possibility of creating something like this meant to work with AEM. A step by step guide.
Views
Replies
Total Likes