https://connect.hyland.com/t5/alfresco-archive/ntlm-authentication-with-active-directory/m-p/248527#M201657 <HTML><HEAD></HEAD><BODY><SPAN>Hi all,</SPAN><BR /><BR /><SPAN>Im using community 4.0.d on a vanilla Tomcat 6.0.35 install.</SPAN><BR /><BR /><SPAN>I've been struggling for several days with this, so I'm hoping someone here might have an answer for me.&nbsp; I'm trying to achieve SSO in IE8 so that a user doesn't have to enter a username or password.&nbsp; I've managed to successfully log in (via the standard Alfresco login page) using my AD credentials.&nbsp; I've also managed to synchronise my AD users, so that I can see them in Alfresco.&nbsp; However if I try to log in using NTLM it fails (IE8 still pops up a dialog box, but it relates to the domain so I'm not sure what that's about).&nbsp; I've turned up logging on the NTLMAuthenticationFilter, and I get the following output:</SPAN><BR /><BR /><PRE class="language-none line-numbers"><CODE><BR /> 2012-08-17 16:11:03,691&nbsp; DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] [http-8080-1] New NTLM auth request from 192.168.10.10 (192.168.10.10:49567) SID:0F8D2CE2C82AE1F6655227A21B4EF9B5<BR /> 2012-08-17 16:11:11,010&nbsp; DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] [http-8080-1] Received type1 [Type1:0xa2088207,Domain:&lt;NotSet&gt;,Wks:&lt;NotSet&gt;]<BR /> 2012-08-17 16:11:11,013&nbsp; INFO&nbsp; [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] [http-8080-1] NTLM filter using server name magrathea<BR /> 2012-08-17 16:11:11,017&nbsp; DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] [http-8080-1] Sending NTLM type2 to client - [Type2:0xa0080201,Target:magrathea,Ch:f387bc44a15b65f0]<BR /> 2012-08-17 16:11:11,021&nbsp; DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] [http-8080-1] Received type3 [Type3:,LM:000000000000000000000000000000000000000000000000,NTLM:c0eb1440bce9ced98dbcfdf8e7d5842e0101000000000000aa6416898a7ccd01d965cfb6682f75a400000000020012006d00610067007200610074006800650061000000000000000000,Dom:TEST,User:fred,Wks:WINDOWS7]<BR /> 2012-08-17 16:11:11,036&nbsp; DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] [http-8080-1] User fred does not have Alfresco account<BR /> 2012-08-17 16:11:11,036&nbsp; DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] [http-8080-1] restartLoginChallenge…<BR /><SPAN class="line-numbers-rows"><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN></SPAN></CODE></PRE><BR /><SPAN>So it's complaining that there is no account for fred, despite the fact that it was successfully imported from AD, and that I can see it if I log in as admin.</SPAN><BR /><BR /><SPAN>My alfresco-global.properties file has the following extra properties (passwords hidden by ****):</SPAN><BR /><BR /><PRE class="language-none line-numbers"><CODE><BR />authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap-ad1:ldap-ad<BR /><BR />alfresco.authentication.authenticateCIFS=false<BR />ntlm.authentication.sso.enabled=true<BR /><BR />#ldap.authentication.active=false<BR />ldap.authentication.java.naming.provider.url=ldap://192.168.10.1:389<BR />ldap.authentication.userNameFormat=%s@test.com<BR /><BR />ldap.synchronization.active=true<BR />ldap.synchronization.java.naming.security.authentication=simple<BR />ldap.synchronization.java.naming.security.principal=administrator@test.com<BR />ldap.synchronization.java.naming.security.credentials=****<BR />ldap.synchronization.groupSearchBase=cn\=Users,dc\=test,dc\=com<BR />ldap.synchronization.userSearchBase=cn\=Users,dc\=test,dc\=com<BR /><SPAN class="line-numbers-rows"><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN></SPAN></CODE></PRE><BR /><SPAN>I'm fairly new to this, but I think I've read most of the documentation, forum posts, and so on, and I'm now up against a bit of a brick wall.&nbsp; Any help would be very much appreciated!</SPAN><BR /><BR /><SPAN>Thanks in advance,</SPAN><BR /><SPAN>Ian</SPAN></BODY></HTML> Fri, 17 Aug 2012 15:41:24 GMT ianp 2012-08-17T15:41:24Z https://connect.hyland.com/t5/alfresco-archive/ntlm-authentication-with-active-directory/m-p/248527#M201657 Hi all,Im using community 4.0.d on a vanilla Tomcat 6.0.35 install.I've been struggling for several days with this, so I'm hoping someone here might have an answer for me.&nbsp; I'm trying to achieve SSO in IE8 so that a user doesn't have to enter a username or password.&nbsp; I've managed to successfully log Fri, 17 Aug 2012 15:41:24 GMT https://connect.hyland.com/t5/alfresco-archive/ntlm-authentication-with-active-directory/m-p/248527#M201657 ianp 2012-08-17T15:41:24Z https://connect.hyland.com/t5/alfresco-archive/ntlm-authentication-with-active-directory/m-p/248528#M201658 <HTML><HEAD></HEAD><BODY><SPAN>Hi Ian,</SPAN><BR /><BR /><SPAN>What Windows OS are you running.&nbsp; If you're running anything newer than Windows XP, you'll have to change how authentication is handled for NTLM.&nbsp; Alfresco can only use NTLMv1 session security.&nbsp; By default, Vista and Windows 7 don't allow NTLMv1.&nbsp; This can be change though.</SPAN><BR /><BR /><SPAN>See this thread: </SPAN><A href="https://forums.alfresco.com/en/viewtopic.php?f=9&amp;t=24610#p80352" rel="nofollow noopener noreferrer">https://forums.alfresco.com/en/viewtopic.php?f=9&amp;t=24610#p80352</A><BR /><BR /><SPAN>Ben</SPAN></BODY></HTML> Fri, 17 Aug 2012 18:48:06 GMT https://connect.hyland.com/t5/alfresco-archive/ntlm-authentication-with-active-directory/m-p/248528#M201658 benswitzer 2012-08-17T18:48:06Z https://connect.hyland.com/t5/alfresco-archive/ntlm-authentication-with-active-directory/m-p/248529#M201659 <HTML><HEAD></HEAD><BODY><SPAN>Hi Ben,</SPAN><BR /><BR /><SPAN>Thanks for your reply.&nbsp; I'm a little confused here though.&nbsp; According to the documentation (</SPAN><A href="http://docs.alfresco.com/4.0/topic/com.alfresco.enterprise.doc/concepts/auth-alfrescontlm-ntlm.html" rel="nofollow noopener noreferrer">http://docs.alfresco.com/4.0/topic/com.alfresco.enterprise.doc/concepts/auth-alfrescontlm-ntlm.html</A><SPAN>), what I'm trying to achieve should be possible:</SPAN><BR /><BR /><BLOCKQUOTE class="jive-quote">The alfrescoNtlm subsystem supports optional NTLM Single Sign-On (SSO) functions for WebDAV and the Alfresco Explorer client.<BR />NTLM v2 is supported, which is more secure that the NTLM v1. If the client does not support NTLMv2, it will automatically downgrade to NTLMv1.<BR />By using NTLM authentication to access Alfresco Explorer and Alfresco WebDAV sites, the web browser can automatically log in.<BR /><BR />When SSO is enabled, Internet Explorer will use your Windows log in credentials when requested by the web server. Firefox and Mozilla also support the use of NTLM but you need to add the URI to the Alfresco site that you want to access to network.automatic-ntlm-auth.trusted-uris option (available through writing about:config in the URL field) to allow the browser to use your current credentials for login purposes.</BLOCKQUOTE><SPAN>The above describes almost (maybe that's the problem?) exactly what I'm trying to do.</SPAN><BR /><BR /><SPAN>The link you posted seemed to be primarily about CIFS, which I'm not trying to do (well, not yet, anyway).&nbsp; Have I missed something?</SPAN><BR /><BR /><SPAN>Many thanks,</SPAN><BR /><SPAN>Ian</SPAN></BODY></HTML> Mon, 20 Aug 2012 15:57:43 GMT https://connect.hyland.com/t5/alfresco-archive/ntlm-authentication-with-active-directory/m-p/248529#M201659 ianp 2012-08-20T15:57:43Z https://connect.hyland.com/t5/alfresco-archive/ntlm-authentication-with-active-directory/m-p/248530#M201660 <HTML><HEAD></HEAD><BODY><SPAN>Anybody?</SPAN></BODY></HTML> Fri, 24 Aug 2012 13:34:00 GMT https://connect.hyland.com/t5/alfresco-archive/ntlm-authentication-with-active-directory/m-p/248530#M201660 ianp 2012-08-24T13:34:00Z