Principle

1. The user opens a Windows session on its PC.
   Its authentication occurs using a Windows Domain and an Active Directory server. This domain and the Active Directory must be accessible to the server hosting JCMS.
2. User connects to JCMS using its browser which automatically communicate the users' credential.
   With Internet Explorer this authentication is automatically sent to local intranet servers. This behavior can be modified by changing the security levels.
   With Firefox, the JCMS server hostname must be added to the configuration by modifying the property network.automatic-ntlm-auth.trusted-uris using about:config in the navigator address bar. It can also be modified in the pref.js file inside the user profile directory.
3. The NTLM Authentication Handler receive the credential through the JCIFS NTLM filter and set the authenticaticated member (synchronizing it from LDAP/Active Directory if required).

Configure LDAP / Active Directory

Make sure LDAP is enabled and configured to connect to your Active Directory server.
Try to connect to JCMS with one of your ActiveDirectory user account to make sure the connection and the synchronisation works properly.

Configure NTLM

Configure NtlmHttpFilter in your web.xml by following instruction available on the JCIFS website : http://jcifs.samba.org/src/docs/ntlmhttpauth.html

Make sure the <filter-mapping> section of the NtlmHttpFilter is added BEFORE the <filter-mapping> section of the InitFilter. The NTLM authentication is retrieved by JCMS in the InitFilter, thus the NtlmHttpFilter must have been invoked prior to the InitFilter.

Be aware that once this filter is configured, a Windows authentication will be asked and required, no other authentication will be possible.

Tomcat 5.0 incompatible: If you are using Tomcat, make sure you use Tomcat 5.5 or better. More information about this in the french forum discussion Catégories contextuelles : Tomcat 5.0 et module NTLM