Microsoft released a patch to block vulnerable Netlogon secure channel. https://support.microsoft.com/en-us/topic/how-to-manage-the-changes-in-netlogon-secure-channel-connections-associated-with-cve-2020-1472-f7e8cc17-0309-1d6a-304e-5ba73cd1a11e Getting "Unable to authenticate user: Access is denied" error after applying Microsoft patch in my DC. Event ID 5827 is logged in my Domain controller. Jespa is working fine.
I solved the problem, I used a wrong ntlm-dc-name. Thank you for your support.
Hm... not sure. I have a working setup where I just used the name, without domain, for the username field, e.g. <param-name>ntlm-account</param-name> <param-value>TEST-PC$</param-value> I don't really see an obvious problem with your configuration.
Hi Marcel. I'm now trying to use your demo app with this configuration <filter> <filter-name>ntlmv2-auth</filter-name> <filter-class>org.ntlmv2.filter.NtlmFilter</filter-class> <init-param> <param-name>ntlm-domain</param-name> <param-value>xxx.yyy.com</param-value> </init-param> <init-param> <param-name>ntlm-dc</param-name> <param-value>192.168.9.4</param-value> </init-param> <init-param> <param-name>ntlm-dc-name</param-name> <param-value>xxx</param-value> </init-param> <init-param> <param-name>ntlm-account</param-name>...
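A lint pass over the NtlmFilter init-params for the setup mistakes this thread keeps returning to: an ntlm-account that is not a computer account, a DNS-style domain name, and missing parameters. This is an added example, not code from the ntlmv2-auth project or from any poster; the finding codes, the sample values, the list of required parameters and the choice to apply the USERDOMAIN/USERDNSDOMAIN check to ntlm-domain are assumptions.

```python
import xml.etree.ElementTree as ET

FILTER_CLASS = "org.ntlmv2.filter.NtlmFilter"
# Parameter names seen in the thread; treating all five as required is an assumption.
EXPECTED = ("ntlm-domain", "ntlm-dc", "ntlm-dc-name", "ntlm-account", "ntlm-password")

# Constructed sample (placeholder names and a documentation IP), not a poster's config.
SAMPLE_WEB_XML = """
<web-app>
  <filter>
    <filter-name>ntlmv2-auth</filter-name>
    <filter-class>org.ntlmv2.filter.NtlmFilter</filter-class>
    <init-param><param-name>ntlm-domain</param-name><param-value>corp.example.com</param-value></init-param>
    <init-param><param-name>ntlm-dc</param-name><param-value>192.0.2.10</param-value></init-param>
    <init-param><param-name>ntlm-dc-name</param-name><param-value>DC01</param-value></init-param>
    <init-param><param-name>ntlm-account</param-name><param-value>svc-web</param-value></init-param>
  </filter>
</web-app>
"""

def filter_params(web_xml):
    """Return {param-name: param-value} of the NtlmFilter declaration, or None."""
    root = ET.fromstring(web_xml)
    for el in root.iter():                      # drop any XML namespace prefix
        el.tag = el.tag.rsplit("}", 1)[-1]
    for flt in root.iter("filter"):
        if (flt.findtext("filter-class") or "").strip() == FILTER_CLASS:
            return {(p.findtext("param-name") or "").strip():
                    (p.findtext("param-value") or "").strip()
                    for p in flt.findall("init-param")}
    return None

def lint(web_xml):
    """Return finding codes for the setup mistakes reported in the thread."""
    params = filter_params(web_xml)
    if params is None:
        return ["no-ntlm-filter"]
    findings = ["missing:" + name for name in EXPECTED if not params.get(name)]
    account = params.get("ntlm-account", "")
    if account and not account.endswith("$"):
        findings.append("account-not-computer")   # computer accounts end in "$"
    if "\\" in account or "@" in account:
        findings.append("account-has-domain")     # one working setup used the bare name
    if "." in params.get("ntlm-domain", ""):       # assumed to be the USERDOMAIN parameter
        findings.append("domain-looks-dns")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_WEB_XML)))
```

A clean result only means these static checks passed; it does not confirm that the domain controller accepts the account.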
On the client I'm using my personal user, the same I use to access the PC.
Not sure, but this error message "The account used is a Computer Account. Use your global user account or local user account to access this server." sounds like not actual user credentials were provided (from a real user). Instead a technical user was used for the authentication. I can't really be sure. Maybe the AD admin or logs can tell you more? What kind of username credential was used on the client for the login?
Hello. I'm facing this error 2020-06-16 09:46:38,383 [http-nio-8080-exec-7] ERROR org.ntlmv2.filter.NtlmFilter - [] [] NTLM authentication failed: org.ntlmv2.liferay.NtlmLogonException: Unable to authenticate due to communication failure with server org.ntlmv2.liferay.NtlmLogonException: Unable to authenticate due to communication failure with server at org.ntlmv2.liferay.Netlogon.logon(Netlogon.java:96) at org.ntlmv2.liferay.NtlmManager.authenticate(NtlmManager.java:66) at org.ntlmv2.filter.NtlmFilter.doFilter(NtlmFilter.java:236)...
Hm... I'm not sure; maybe try to enter the username together with the domain? In similar AD based setups, I sometimes have to enter my username as "<domain>\<username>", e.g.: ACME\johndoe
Thanks, Marcel! I think the issue was with my machine. Tried it from a different one and communication exception got resolved. However, I'm seeing this error after entering credentials in the popup: ERROR org.ntlmv2.filter.NtlmFilter - NTLM authentication failed: org.ntlmv2.liferay.NtlmLogonException: Unable to authenticate user: Logon failure: unknown user name or bad password. org.ntlmv2.liferay.NtlmLogonException: Unable to authenticate user: Logon failure: unknown user name or bad password. at...
Hi there, I don't know what to tell you, but this here really indicates connection problems: Caused by: jcifs.smb.SmbException: Failed to connect: 0.0.0.0<00>/18.209.165.217 jcifs.util.transport.TransportException: Connection timeout Being able to ping the IP does not mean that the connection on the specific port, or with the specific protocol, is possible. It could easily be blocked by a firewall, even if ping is possible. Try to make sure that port 445 is open, and that the SMB protocol is allowed....
I am able to resolve all the issues in my project. Thanks for providing the project. God bless you. If anyone else needs any help regarding the project and implementation of the code provided by Marcel, I am ready to help on parveensingla08@gmail.com
Thanks Marcel for providing the project. I am able to resolve the above issue as well. In web.xml for the parameter I was using USERDNSDOMAIN rather than USERDOMAIN. We can find these values by using the SET command in Command Prompt. Now the above project is working fine for both NTLM and NTLMv2. Now I am using the web.xml with OC4J 10.1.3 server. Java is 1.5. I am facing the below exception: This loader has been closed and should not be in use. java.lang.IllegalStateException: ClassLoader "LPS.root:0.0.0"...
Thanks Marcel for providing the project. I am able to resolve the above issue as well. In web.xml for the parameter I was using USERDNSDOMAIN rather than USERDOMAIN. We can find these values by using the SET command in Command Prompt. Now the above project is working fine for both NTLM and NTLMv2.
Hi Sergey, Are you able to resolve the issue?
Thanks for your help Marcel. I am able to fix the above exception issue. But I am facing the below scenario. It worked fine when the group policy setting is below: Send LM and NTLM Responses (0) Send LM and NTLM—use NTLMv2 session security if negotiated(1) Send NTLM response only(2) But it gives the error "Unable to authenticate user: Logon failure: unknown user name or bad password" when the group policy setting is Send NTLMv2 response only(3) Send NTLMv2 response only/refuse LM(4) Send NTLMv2 response...
Hi Parveen, Unfortunately, I don't really have a clue of NTLM. As you see in my project notes, the actual NTLMv2 code (on top of JCIFS) was taken from the "Liferay" portal project. However, my experience has shown me that often when people could not get my library to work, it was because of some setup problems. Like, for example, not using a computer account for the connection to the Domain Controller. A computer account is NOT a "tech user", it is a different kind of account, that can only be properly...
Thanks Marcel for your help. I tried NTLMv2 using the library provided here. I got the error org.ntlmv2.liferay.NtlmLogonException: Session key negotiation failed. I made changes in NetlogonConnection.java file as suggested in forum. NetrServerAuthenticate3 netrServerAuthenticate3 = _negotiateFlags is defined like this : if (_negotiateFlags == 0) { String negotiateFlags = "0x600FFFFF"; // <<<=== TODO / msc: make configurable if (negotiateFlags.startsWith("0x")) { _negotiateFlags = Integer.valueOf(...
You can probably use either SPNEGO, which is built into Java directly, or NTLMv2, using this library here. SPNEGO is really the more modern way to go (Kerberos), but AFAIK also more complicated to set up and debug. My NTLMv2 filter here is relatively simple to set up. As you can see in the description, it basically extends JCIFS with NTLMv2 support.
My project currently uses JCIFS for HTTP authentication, which supports LM and NTLM authentication. Client made changes in their Windows allowing only NTLMv2 and refusing LM and NTLM authentication. I implemented Jespa for that. It works fine. But it is paid software. Can I use SPNEGO (freeware) for the same purpose in my project? Server is OC4J. Please help me.
Hi Johannes, I think the documentation somewhere clearly states what you need: A...
Hi all, I'm not sure what to enter for the properties ntlm-account and ntlm-password...
Sorry for my late reply, but I was working on another project. The use of a computer...
A computer account is absolutely mandatory for this NTLMv2 functionality - it does...
OK, I will check the account. I think it's not a computer account (only a system...
The "$" at the end indicates a computer account, not a user account. For NTLMv2,...
I always get "Session key negotiation failed". So it seems, that my username and...
@jitender: What have you done to get it to work?
Not really. I used/am using version 1.5.
Hi, That's good to hear. But can you please tell me if you needed to use the new...
Finally got it running, yay. Thanks Marcel
Thanks for the quick response. I am using Internet Explorer 8 (domain "a") domain...
The fact that you can log in indicates that the NTLM setup is correct. My guess is...
When I type in the demo URL in the browser it opens up a username and password box. I...
Hi, I have prepared a new experimental release (version 1.0.6-RC1). Maybe you would...
Updated to newest Liferay code version
Fixed invalid Eclipse classpath
kewl let me know I can help.
Hi, Well, following the discussion in that topic, I might have to patch some of the...
I googled the error and found this http://issues.liferay.com/browse/LPS-15380 But...
Thanks for the reply. I gave up on realms. I followed the steps from liferay wiki...
Hi, The error message is pretty clear: "unknown user name or bad password". This...
I have used ntlmv2-auth in our work, but it throws an exception when I run it. I think...
I honestly have no idea. I don't know about "realms" in a Weblogic server. I think...
We have our LDAP integrated with our WebLogic instance as a realm. How do you think...
provide method to retrieve negotiated flags fro...
provide getters for other fields
Well, it works in many places with NTLMv2. Without further details about your configuration...
Hi Tony, Thanks for your feedback. Sorry for my late reply. For various personal...
I have looked at the code in preparation for implementing on a Centos server. Since...