topic Re: AD Passthru Authentication - 3.4 in Alfresco Archive

AD Passthru Authentication - 3.4

wtrippler — Wed, 27 Oct 2010 18:24:47 GMT

I have installed version 3.4 and cannot get the AD authentication/passthru to work properly.I continually receive the following error when launching Alfresco Explorernet.sf.acegisecurity.AuthenticationServiceException: Failed to open passthru auth session at org.alfresco.repo.security.authentication

Re: AD Passthru Authentication - 3.4

imad77 — Wed, 27 Oct 2010 19:28:10 GMT

I have installed version 3.4 and cannot get the AD authentication/passthru to work properly.

I continually receive the following error when launching Alfresco Explorer

net.sf.acegisecurity.AuthenticationServiceException: Failed to open passthru auth session
at org.alfresco.repo.security.authentication.ntlm.NTLMAuthenticationComponentImpl.authenticatePassthru(NTLMAuthenticationComponentImpl.java:783)
at org.alfresco.repo.security.authentication.ntlm.NTLMAuthenticationComponentImpl.authenticate(NTLMAuthenticationComponentImpl.java:554)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:107)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
at $Proxy227.authenticate(Unknown Source)
at org.alfresco.repo.webdav.auth.BaseNTLMAuthenticationFilter.processType1(BaseNTLMAuthenticationFilter.java:372)
at org.alfresco.repo.webdav.auth.BaseNTLMAuthenticationFilter.authenticateRequest(BaseNTLMAuthenticationFilter.java:278)
at org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter.doFilter(BaseSSOAuthenticationFilter.java:132)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:103)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
at $Proxy240.doFilter(Unknown Source)
at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:82)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:859)
at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:579)
at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1555)
at java.lang.Thread.run(Thread.java:619)

Hi,

You should do 2 things:

vi /opt/alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/passthru/passthru-authentication-context.properties
passthru.authentication.useLocalServer=false
passthru.authentication.domain=tata
passthru.authentication.servers=tata\\192.168.1.13
passthru.authentication.guestAccess=false
passthru.authentication.defaultAdministratorUserNames=administrator
#Timeout value when opening a session to an authentication server, in milliseconds
passthru.authentication.connectTimeout=5000
#Offline server check interval in seconds
passthru.authentication.offlineCheckInterval=300
passthru.authentication.protocolOrder=NetBIOS,TCPIP
passthru.authentication.authenticateCIFS=true
passthru.authentication.authenticateFTP=true

You should add this line in this file:
vi /opt/alfresco-3.3.3/tomcat/shared/classes/alfresco-global.properties

authentication.chain=alfrescoNtlm1:alfrescoNtlm,passthru1assthru

create the following folders tomcat/shared/classes/alfresco/extension/subsytems/Authenication/passthru/passthru1/
and copy the files tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/passthru/*.properties to the above folder.
Now edit the file tomcat/shared/classes/alfresco/extension/subsytems/Authenication/passthru/passthru1/passthru-authentication-context.properties

restart the Alfresco services.

Re: AD Passthru Authentication - 3.4

aman — Tue, 02 Nov 2010 21:04:28 GMT

BTW - you can put all of the above recommended settings in the alfresco-global.properties file - you don't need to create all those folders and go copying files around…. I've got 3.4b + AD + LDAP sync + Passthru + CIFS working on a W2K3 server, and the only file I've needed to edit is alfresco-global.properties. Good work team Alfresco!
cheers,
Aman

Re: AD Passthru Authentication - 3.4

tgchen — Thu, 04 Nov 2010 21:29:25 GMT

Hi Can you post how you did it by just editting the global properties ?

THank you

Re: AD Passthru Authentication - 3.4

wtrippler — Mon, 08 Nov 2010 16:07:40 GMT

How can I download 3.4b, it seems like things work much better in b versus a

Re: AD Passthru Authentication - 3.4

misstina_sm — Tue, 09 Nov 2010 13:07:36 GMT

hi you can download it from here:

http://dev.alfresco.com/downloads/nightly/dist/
cheers,Tina

Re: AD Passthru Authentication - 3.4

imad77 — Tue, 09 Nov 2010 18:53:58 GMT

BTW - you can put all of the above recommended settings in the alfresco-global.properties file - you don't need to create all those folders and go copying files around…. I've got 3.4b + AD + LDAP sync + Passthru + CIFS working on a W2K3 server, and the only file I've needed to edit is alfresco-global.properties. Good work team Alfresco!
cheers,
Aman

Hi Aman,

Can you share your experience? can you give us an example about your modified files?

Thanks,

Imad

Re: AD Passthru Authentication - 3.4

imad77 — Tue, 09 Nov 2010 19:50:33 GMT

BTW - you can put all of the above recommended settings in the alfresco-global.properties file - you don't need to create all those folders and go copying files around…. I've got 3.4b + AD + LDAP sync + Passthru + CIFS working on a W2K3 server, and the only file I've needed to edit is alfresco-global.properties. Good work team Alfresco!
cheers,
Aman

Hi Aman,

It is not true, I installed 3.4b version and I have to configure files in this directory:

tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/ldap-ad/*
tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/passthru/*

If you have any other suggestion, can you share it please^

Thanks,

Imad

Re: AD Passthru Authentication - 3.4

aman — Tue, 09 Nov 2010 20:50:21 GMT

OK, here we have it. Just add the following lines to the alfresco-global.properties file on a W2K3 server (domain member) fresh install of 3.4b, substituting the correct values for your environment, and you should get:

Other stuff I did:

Other stuff I did while trying to get 3.4a working, that I found in the forums, but I don't think made any difference in the end to 3.4b (i.e. only do if you have problems)

myserver

I repeat - the only Alfresco properties or config file I've changed is alfresco-global.properties - here are the lines I added:


filesystem.name=Alfresco
cifs.enabled=true
cifs.serverName=DOCSERVER1A
cifs.domain=
cifs.broadcast=255.255.255.255
cifs.disableNativeCode=false
ftp.enable=true
imap.server.enable=true
authentication.chain=passthru1:passthru,alfrescoNtlm1:alfrescoNtlm,ldap1:ldap-ad
ntlm.authentication.sso.enabled=false
alfresco.authentication.allowGuestLogin=true
alfresco.authentication.authenticateCIFS=false
passthru.authentication.useLocalServer=false
passthru.authentication.domain=COMPANY
passthru.authentication.servers=COMPANY\\ad1,ad1
passthru.authentication.guestAccess=true
passthru.authentication.defaultAdministratorUserNames=aman
passthru.authentication.connectTimeout=5000
passthru.authentication.offlineCheckInterval=300
passthru.authentication.protocolOrder=NetBIOS,TCPIP
passthru.authentication.authenticateCIFS=true
passthru.authentication.authenticateFTP=true
# If you set the following to true, accounts are only created when they login, rather than being imported
# from LDAP all at once.  The downside with having them be created at first login is that (for some
# reason) you can't subsequently modify the account in Alfresco.
synchronization.authCreatePeopleOnLogin=false
ldap.authentication.active=false
ldap.synchronization.active=true
ldap.authentication.java.naming.provider.url=ldap://ad1:389
ldap.synchronization.java.naming.security.principle=searchUser@COMPANY
ldap.synchronization.java.naming.security.credentials=secretPassword
ldap.synchronization.groupSearchBase=OU\=Groups,DC\=company,DC\=org,DC\=nz
ldap.synchronization.userSearchBase=OU\=People,DC\=company,DC\=org,DC\=nz
‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Good luck!
Aman

Re: AD Passthru Authentication - 3.4

aman — Tue, 09 Nov 2010 20:53:54 GMT

BTW - you can put all of the above recommended settings in the alfresco-global.properties file - you don't need to create all those folders and go copying files around…. I've got 3.4b + AD + LDAP sync + Passthru + CIFS working on a W2K3 server, and the only file I've needed to edit is alfresco-global.properties. Good work team Alfresco!
cheers,
Aman

Hi Aman,

It is not true, I installed 3.4b version and I have to configure files in this directory:

tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/ldap-ad/*
tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/passthru/*

If you have any other suggestion, can you share it please^

Thanks,

Imad

It is true! See above…

Re: AD Passthru Authentication - 3.4

imad77 — Thu, 11 Nov 2010 17:45:40 GMT

BTW - you can put all of the above recommended settings in the alfresco-global.properties file - you don't need to create all those folders and go copying files around…. I've got 3.4b + AD + LDAP sync + Passthru + CIFS working on a W2K3 server, and the only file I've needed to edit is alfresco-global.properties. Good work team Alfresco!
cheers,
Aman

Hi Aman,

It is not true, I installed 3.4b version and I have to configure files in this directory:

tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/ldap-ad/*
tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/passthru/*

If you have any other suggestion, can you share it please^

Thanks,

Imad

It is true! See above…

Hi Aman,

I use a RedhAt server for Alfresco server and not W2k3. I tried to edit only alfresco-global.properties and put the required information. But it does not work.

Imad

Re: AD Passthru Authentication - 3.4

angra — Thu, 11 Nov 2010 19:08:30 GMT

I'm also having problem with this configuration.

It would be nice if you explain some of the key lines to us so we can figure out what is wrong with our server.

Thank you in advance.

Re: AD Passthru Authentication - 3.4

baltun — Thu, 11 Nov 2010 19:13:56 GMT

At last! It starts to authorise by AD LDAP! Thank you very much!

But in the alfresco web-client user management panel I don't see any AD users. How can I know does synchronization works and when it should begins to import users and groups from AD?

Second question: It will import all users and groups or I can manage what groups and users to import? How?

Is it possible to set SSO same way?

Re: AD Passthru Authentication - 3.4

angra — Thu, 11 Nov 2010 20:41:41 GMT

baltum, please share what you did with us.

I changes some lines from aman´s code:

cifs.serverName = REC-SAD02 (MY DOMAIN CONTROLER)
passthru.authentication.domain=EBBA (MY DOMAIN)
passthru.authentication.servers=EBBA\\REC-SAD02,RECSAD02 (twice to look exatcly aman´s code)
passthru.authentication.defaultAdministratorUserNames=cpd-rafael (my domain logon)

based on my informations, what else should i change to get my ad authentication working?

Thank you in advance.

Re: AD Passthru Authentication - 3.4

angra — Fri, 12 Nov 2010 12:35:53 GMT

Ok, my AD Authentication is working. Alfresco now reconizes both local and remote users. But:

I still got this error in my sdtout logs:

09:25:14,063 Userystem INFO [security.sync.ChainingUserRegistrySynchronizer] Retrieving all groups from user registry 'ldap1'
09:25:14,095 Userystem ERROR [security.sync.ChainingUserRegistrySynchronizer] Synchronization aborted due to error
org.alfresco.repo.security.authentication.AuthenticationException: 10120000 LDAP authentication failed.

And i cant list my users and groups inside alfresco.

Any tip??

Thanks

Re: AD Passthru Authentication - 3.4

angra — Fri, 12 Nov 2010 16:25:44 GMT

At last! It starts to authorise by AD LDAP! Thank you very much!

But in the alfresco web-client user management panel I don't see any AD users. How can I know does synchronization works and when it should begins to import users and groups from AD?

Second question: It will import all users and groups or I can manage what groups and users to import? How?

Is it possible to set SSO same way?

If you got the same errors that i do, i think we have the same problems too

Re: AD Passthru Authentication - 3.4

angra — Fri, 12 Nov 2010 20:23:44 GMT

Ok, i just found that im missing something in these 4 lines:


ldap.synchronization.java.naming.security.principle=cpd-rafael,dc=ebba
ldap.synchronization.java.naming.security.credentials=********
ldap.synchronization.groupSearchBase=OU\=Groups,DC\=ebba,DC\=org,DC\=nz
ldap.synchronization.userSearchBase=OU\=Users,DC\=ebba,DC\=org,DC\=nz
‍‍‍‍‍‍

I know that i could use this one too:


ldap.authentication.java.naming.security.authentication=SIMPLE
‍‍‍

Let me share my informations:

Admin: cpd-rafael
Domain: EBBA
Domain Controler: REC-SAD02

Please, im just missing this configuration to get my alfresco on the run

Thank you in advance.

Re: AD Passthru Authentication - 3.4

angra — Tue, 16 Nov 2010 13:22:11 GMT

After spending my weekend and the holyday with the problem, i really dont know what to do anymore.

Everything seems to fit, but i just keep getting this error in my logs:

[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db0 ]

I checked the internet for informations about it, and all i could find was here:

http://primalcortex.wordpress.com/2007/11/28/active-directory-ldap-errors/

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v893
HEX: 0x52e – invalid credentials
DEC: 1326 – ERROR_LOGON_FAILURE (Logon failure: unknown user name or bad password.)
NOTE: Returns when username is valid but password/credential is invalid. Will prevent most other errors from being displayed as noted.

The thing is that i changed my principal to a wrong username and it still gives the same error.

I Have tried a lot of examples from the forum but none of them worked.

Can some good soul please enlight me about this issue?

Thanks,

Re: AD Passthru Authentication - 3.4

imad77 — Wed, 17 Nov 2010 12:17:32 GMT

After spending my weekend and the holyday with the problem, i really dont know what to do anymore.

Everything seems to fit, but i just keep getting this error in my logs:

[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db0 ]

I checked the internet for informations about it, and all i could find was here:

http://primalcortex.wordpress.com/2007/11/28/active-directory-ldap-errors/

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v893
HEX: 0x52e – invalid credentials
DEC: 1326 – ERROR_LOGON_FAILURE (Logon failure: unknown user name or bad password.)
NOTE: Returns when username is valid but password/credential is invalid. Will prevent most other errors from being displayed as noted.

The thing is that i changed my principal to a wrong username and it still gives the same error.

I Have tried a lot of examples from the forum but none of them worked.

Can some good soul please enlight me about this issue?

Thanks,

Hi Angra,

Can you give your configuration files and their path? and their content?

we can check what is wrong with your config.

Imad

Re: AD Passthru Authentication - 3.4

angra — Thu, 18 Nov 2010 12:35:34 GMT

Sure,

I have an out-of-the-box community instalation, in a Windows XP machine.

The Alfresco is instaled with default setting and files, including the instalation directory (C:\Alfresco).

I did nothing but what i wrote in the messages above. I can reinstal Alfresco if it is needed.

Thanks.