https://connect.hyland.com/t5/alfresco-archive/labs-3c-external-ad-auth-sso-need-some-direction/m-p/193785#M146915 <HTML><HEAD></HEAD><BODY><STRONG style="text-decoration: underline;">Alfresco Platform:</STRONG><BR /><SPAN>&nbsp;&nbsp; Alfresco Community Labs 3c</SPAN><BR /><SPAN>&nbsp;&nbsp; Red Hat Enterprise Linux 5.2</SPAN><BR /><SPAN>&nbsp;&nbsp; MySQL 5.0.45-community MySQL Community Edition (GPL) (NOTE: Came with RHEL 5.2)</SPAN><BR /><SPAN>&nbsp;&nbsp; Tomcat 5.5.23 (comes with Alfresco)</SPAN><BR /><SPAN>&nbsp;&nbsp; Java 6 Update 11 (jdk1.6.0_11)</SPAN><BR /><BR /><STRONG style="text-decoration: underline;">End-user Workstations:</STRONG><BR /><SPAN>&nbsp;&nbsp; OS: Windows XP Professional (majority are 32bit, but also a few 64bit)</SPAN><BR /><SPAN>&nbsp;&nbsp; User Authentication: Active Directory (Windows Server 2003 R2)</SPAN><BR /><BR /><STRONG style="text-decoration: underline;">Background/Goal:</STRONG><BR /><SPAN>We have upwards of 250 users in our area that all authenticate using Active Directory. We do not want/need to manage a separate set of login/password combinations for Alfresco, separate from the current PC login via Active Directory. Also, we would like to configure single sign-on (SSO) for our users so that they never have to login to Alfresco for CIFS or the Web UI.</SPAN><BR /><BR /><SPAN>So, in short, the end-goal is to have an Alfresco implementation where user authentication is performed against an external Active Directory server, and also have SSO for our users for both the CIFS and Web UI.</SPAN><BR /><BR /><STRONG style="text-decoration: underline;">Issues/Questions:</STRONG><BR /><SPAN>It looks like we can use the </SPAN><A href="http://wiki.alfresco.com/wiki/Configuring_the_CIFS_and_web_servers_for_Kerberos/AD_integration" rel="nofollow noopener noreferrer">Configuring the CIFS and web servers for Kerberos/AD integration</A><SPAN> instructions to allow what we want for user authentication.</SPAN><BR /><BR /><SPAN>But what about groups defined within Alfresco? If users are externally-authenticated (this would mean that the users don't actually exist in Alfresco, right?) then how can I add each user to one or more Alfresco-defined groups which then give them the privileges I want them to have from within Alfresco? Is this possible?</SPAN><BR /><BR /><SPAN>Am I approaching this right or is there a better way to accomplish what I want?</SPAN></BODY></HTML> Fri, 19 Dec 2008 14:29:39 GMT meansartin14 2008-12-19T14:29:39Z https://connect.hyland.com/t5/alfresco-archive/labs-3c-external-ad-auth-sso-need-some-direction/m-p/193785#M146915 Alfresco Platform:&nbsp;&nbsp; Alfresco Community Labs 3c&nbsp;&nbsp; Red Hat Enterprise Linux 5.2&nbsp;&nbsp; MySQL 5.0.45-community MySQL Community Edition (GPL) (NOTE: Came with RHEL 5.2)&nbsp;&nbsp; Tomcat 5.5.23 (comes with Alfresco)&nbsp;&nbsp; Java 6 Update 11 (jdk1.6.0_11)End-user Workstations:&nbsp;&nbsp; OS: Windows XP Professional (majority are 32 Fri, 19 Dec 2008 14:29:39 GMT https://connect.hyland.com/t5/alfresco-archive/labs-3c-external-ad-auth-sso-need-some-direction/m-p/193785#M146915 meansartin14 2008-12-19T14:29:39Z https://connect.hyland.com/t5/alfresco-archive/labs-3c-external-ad-auth-sso-need-some-direction/m-p/193786#M146916 <HTML><HEAD></HEAD><BODY><SPAN>External authentication only externalizes… authentication. Users are still stored within Alfresco, just that their passwords aren't and Alfresco delegates authentication to an external source.</SPAN><BR /><BR /><SPAN>Actually, AFAICT, users are created in Alfresco only when they first log in. However, you can optionnally synchronize (import) your users' into Alfresco (along with their first/last name, email address, etc.) from your AD (see the ldap-synchronisation-context.xml.sample in tomcat/shared/classes/alfresco/extension).</SPAN><BR /><BR /><SPAN>Anyway, users will end up existing within Alfresco so you'll be able to add them to groups.</SPAN></BODY></HTML> Fri, 19 Dec 2008 15:27:58 GMT https://connect.hyland.com/t5/alfresco-archive/labs-3c-external-ad-auth-sso-need-some-direction/m-p/193786#M146916 t_broyer 2008-12-19T15:27:58Z https://connect.hyland.com/t5/alfresco-archive/labs-3c-external-ad-auth-sso-need-some-direction/m-p/193787#M146917 <HTML><HEAD></HEAD><BODY><BLOCKQUOTE class="jive-quote">External authentication only externalizes… authentication. Users are still stored within Alfresco, just that their passwords aren't and Alfresco delegates authentication to an external source.<BR /><BR />Actually, AFAICT, users are created in Alfresco only when they first log in. However, you can optionnally synchronize (import) your users' into Alfresco (along with their first/last name, email address, etc.) from your AD (see the ldap-synchronisation-context.xml.sample in tomcat/shared/classes/alfresco/extension).<BR /><BR />Anyway, users will end up existing within Alfresco so you'll be able to add them to groups.</BLOCKQUOTE><BR /><SPAN>Excellent. As soon as I get the System Admins to apply steps 1 through 8 of </SPAN><A href="http://wiki.alfresco.com/wiki/Configuring_the_CIFS_and_web_servers_for_Kerberos/AD_integration" rel="nofollow noopener noreferrer">Configuring the CIFS and web servers for Kerberos/AD integration</A><SPAN>, I will proceed with steps 9 through 11 and give it a try.</SPAN><BR /><BR /><SPAN>I will also go take a look at the ldap-synchronisation-context.xml.sample file to see if it'd be an easy import of the rest of the information. Does this require any further configuration on the Alfresco server (e.g. LDAP)? I do not have (and would prefer not to have) LDAP configured to operate on the Alfresco server currently.</SPAN><BR /><BR /><SPAN>Thank you for the help!!</SPAN></BODY></HTML> Fri, 19 Dec 2008 16:14:17 GMT https://connect.hyland.com/t5/alfresco-archive/labs-3c-external-ad-auth-sso-need-some-direction/m-p/193787#M146917 meansartin14 2008-12-19T16:14:17Z https://connect.hyland.com/t5/alfresco-archive/labs-3c-external-ad-auth-sso-need-some-direction/m-p/193788#M146918 <HTML><HEAD></HEAD><BODY><SPAN>I now have external AD authentication for Alfresco active and functioning properly for the Web interface! Thank you very much for the help!!</SPAN><BR /><BR /><SPAN>CIFS is still behaving properly, but I'm fairly certain this is not due to an Alfresco configuration/issue. (see my other thread, if you're interested: </SPAN><A href="http://forums.alfresco.com/en/viewtopic.php?f=9&amp;t=15888" rel="nofollow noopener noreferrer">http://forums.alfresco.com/en/viewtopic.php?f=9&amp;t=15888</A><SPAN>)</SPAN><BR /><BR /><STRONG>One thing I need to know: how do you login as "admin" when you're using external authentication?</STRONG></BODY></HTML> Mon, 05 Jan 2009 17:43:17 GMT https://connect.hyland.com/t5/alfresco-archive/labs-3c-external-ad-auth-sso-need-some-direction/m-p/193788#M146918 meansartin14 2009-01-05T17:43:17Z https://connect.hyland.com/t5/alfresco-archive/labs-3c-external-ad-auth-sso-need-some-direction/m-p/193789#M146919 <HTML><HEAD></HEAD><BODY><SPAN>To define admin users: </SPAN><A href="http://wiki.alfresco.com/wiki/Configuring_NTLM#Enabling_NTLM_users" rel="nofollow noopener noreferrer">http://wiki.alfresco.com/wiki/Configuring_NTLM#Enabling_NTLM_users</A></BODY></HTML> Tue, 06 Jan 2009 00:05:37 GMT https://connect.hyland.com/t5/alfresco-archive/labs-3c-external-ad-auth-sso-need-some-direction/m-p/193789#M146919 zaizi 2009-01-06T00:05:37Z https://connect.hyland.com/t5/alfresco-archive/labs-3c-external-ad-auth-sso-need-some-direction/m-p/193790#M146920 <HTML><HEAD></HEAD><BODY><BLOCKQUOTE class="jive-quote">To define admin users: <A href="http://wiki.alfresco.com/wiki/Configuring_NTLM#Enabling_NTLM_users" rel="nofollow noopener noreferrer">http://wiki.alfresco.com/wiki/Configuring_NTLM#Enabling_NTLM_users</A></BLOCKQUOTE><BR /><SPAN>I guess well. I had already done that with my own username prior to seeing your post and it works perfectly.</SPAN><BR /><BR /><SPAN>Thank you all very much. Thanks to your help, Alfresco is now authenticating via a remote Active Directory server for the Web Interface.</SPAN><BR /><BR /><SPAN>Now if I can just get our Windows XP client PCs to allow the CIFS server to be mapped as a network drive… Anyone have any experience in that arena? Take a look at my other thread here, if so: </SPAN><A href="http://forums.alfresco.com/en/viewtopic.php?f=9&amp;t=15888" rel="nofollow noopener noreferrer">http://forums.alfresco.com/en/viewtopic.php?f=9&amp;t=15888</A></BODY></HTML> Tue, 06 Jan 2009 14:06:27 GMT https://connect.hyland.com/t5/alfresco-archive/labs-3c-external-ad-auth-sso-need-some-direction/m-p/193790#M146920 meansartin14 2009-01-06T14:06:27Z https://connect.hyland.com/t5/alfresco-archive/labs-3c-external-ad-auth-sso-need-some-direction/m-p/193791#M146921 <HTML><HEAD></HEAD><BODY><SPAN>I have started a thread that I hope to eventually turn into a AlfrescoWiki page for how to configure Active Directory authentication for both CIFS and the Web Interface in Alfresco Labs 3c.</SPAN><BR /><BR /><SPAN>Please see my thread:</SPAN><BR /><STRONG><A href="http://forums.alfresco.com/en/viewtopic.php?f=9&amp;t=16242" rel="nofollow noopener noreferrer">[ERROR]Alfresco Engineers: CIFS auth does not work. Sugg?</A></STRONG><BR /><BR /><SPAN>Please come join in the discussion, or at least subscribe to the thread. I want to try to get everyone having these types of issues into the thread so that we can get a large collection of experiences and configurations.</SPAN><BR /><BR /><SPAN>We </SPAN><STRONG>WILL</STRONG><SPAN> find the answer for how to enable Active Directory authentication with CIFS in Alfresco!!</SPAN></BODY></HTML> Tue, 13 Jan 2009 20:35:10 GMT https://connect.hyland.com/t5/alfresco-archive/labs-3c-external-ad-auth-sso-need-some-direction/m-p/193791#M146921 meansartin14 2009-01-13T20:35:10Z