topic Enable SSO using Alfresco Authentication Chain in Alfresco Archive

Enable SSO using Alfresco Authentication Chain

saimohang — Wed, 02 May 2012 09:40:53 GMT

Hi All,I'm trying to enable SSO using native Alfresco Authentication sub systems, but I'm not able to process this operation for external users like LDAP, I followed as it is in alfresco documentation, please find the below configurations,alfrescoNtlm1:alfrescoNtlm,passthru1assthru,ldap1:ldapalfre

Re: Enable SSO using Alfresco Authentication Chain

afaust — Wed, 02 May 2012 10:03:52 GMT

Hello Sai,

can you provide your complete configuration for passthru? My first suspicion would be that you do not have the server list of domain controllers properly configured, but having the whole configuration available would allow for an accurate evaluation and not a general assumption that may be completely off.

Regards
Axel

Re: Enable SSO using Alfresco Authentication Chain

saimohang — Wed, 02 May 2012 10:58:08 GMT

Hi Axel,

Thanks allot for you reply, please find the below properties for passthru , alfrescoNTML and open LDAP properties to enable SSO and I've doubt, is SSO can possible using Open LDAP server and if please clear if I did any mistake in configurations,

Authentication Chain

authentication.chain=alfrescoNtlm1:alfrescoNtlm,passthru1assthru,ldap1:ldap

passthru-authentication-context.properties

passthru.authentication.useLocalServer=false
passthru.authentication.domain=
passthru.authentication.servers=10.0.0.11
passthru.authentication.guestAccess=false
passthru.authentication.defaultAdministratorUserNames=administrator
#Timeout value when opening a session to an authentication server, in milliseconds
passthru.authentication.connectTimeout=5000
#Offline server check interval in seconds
passthru.authentication.offlineCheckInterval=300
passthru.authentication.protocolOrder=NetBIOS,TCPIP
passthru.authentication.authenticateFTP=true
ntlm.authentication.sso.enabled=true
passthru.authentication.authenticateCIFS=true

ntlm-filter.properties

ntlm.authentication.sso.enabled=false
alfresco.authentication.authenticateCIFS=false
ntlm.authentication.mapUnknownUserToGuest=false
ntlm.authentication.browser.ticketLogons=true

LDAP Properties

ldap.authentication.active=false
ldap.synchronization.active=true
# The LDAP context factory to use
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory

# The URL to connect to the LDAP server
ldap.authentication.java.naming.provider.url=ldap://10.0.0.11:389

# The authentication mechanism to use for password validation
ldap.authentication.java.naming.security.authentication=simple

and I hope remaining properties are same for "LDAP properties" and I can able to sync LDAP users properly. My only issue is SSO is not working for using Alfresco Subsystem authentication, it will be very thankful to you if give valuable suggestions on this, why because I'm totally lost my mind to solve this issue since last one month.

Thanks & Regards

Sai Mohan

Re: Enable SSO using Alfresco Authentication Chain

afaust — Wed, 02 May 2012 11:49:38 GMT

Hello Sai,

if you are using OpenLDAP alone without an accompanying domain controller (need not be Windows AD, might be a Samba-based DC) you cannot get passthru to work. I was assuming you had a separate domain controller available.

Regards
Axel

Re: Enable SSO using Alfresco Authentication Chain

saimohang — Wed, 02 May 2012 13:13:29 GMT

Hai Axel,

Thanks for you reply, as you told I added one Domain controller (LDAP-AD) but while I'm getting some Synchronization issues, please find the below error once and the Passthru authentication error is coming again and I configured authentication chain as follows,

authentication.chain=alfrescoNtlm1:alfrescoNtlm,passthru1assthru,ldap-ad1:ldap-ad

Please find the below error once, please let me know if any configurations required to solve this,

2012-05-02 18:34:20,004 INFO [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-8] Synchronizing users and groups with user registry 'ldap-ad1'
2012-05-02 18:34:20,004 WARN [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-8] Full synchronization with user registry 'ldap-ad1'; some users and groups previously created by synchronization with this user registry may be removed.
2012-05-02 18:34:20,004 INFO [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-8] Retrieving all groups from user registry 'ldap-ad1'
2012-05-02 18:34:20,007 ERROR [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-8] Synchronization aborted due to error
org.alfresco.repo.security.authentication.AuthenticationException: 04020031 LDAP authentication failed.
        at org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl.buildInitialDirContext(LDAPInitialDirContextFactoryImpl.java:119)
        at org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl.getDefaultIntialDirContext(LDAPInitialDirContextFactoryImpl.java:94)
        at org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl.getDefaultIntialDirContext(LDAPInitialDirContextFactoryImpl.java:87)
        at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry$3.<init>(LDAPUserRegistry.java:670)
        at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry.getGroups(LDAPUserRegistry.java:667)
        at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.syncWithPlugin(ChainingUserRegistrySynchronizer.java:632)
        at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.synchronize(ChainingUserRegistrySynchronizer.java:435)
        at org.alfresco.repo.security.sync.UserRegistrySynchronizerJob$1.doWork(UserRegistrySynchronizerJob.java:51)
        at org.alfresco.repo.security.authentication.AuthenticationUtil.runAs(AuthenticationUtil.java:519)
        at org.alfresco.repo.security.sync.UserRegistrySynchronizerJob.execute(UserRegistrySynchronizerJob.java:47)
        at org.quartz.core.JobRunShell.run(JobRunShell.java:216)
        at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:563)
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772]
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3041)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2789)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2703)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
        at javax.naming.InitialContext.init(InitialContext.java:223)
        at javax.naming.InitialContext.<init>(InitialContext.java:197)
        at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
        at org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl.buildInitialDirContext(LDAPInitialDirContextFactoryImpl.java:114)
        … 11 more
2012-05-02 18:34:20,010 ERROR [quartz.core.JobRunShell] [DefaultScheduler_Worker-8] Job DEFAULT.ldapPeopleJobDetail threw an unhandled Exception:
org.alfresco.repo.security.authentication.AuthenticationException: 04020031 LDAP authentication failed.
        at org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl.buildInitialDirContext(LDAPInitialDirContextFactoryImpl.java:119)
        at org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl.getDefaultIntialDirContext(LDAPInitialDirContextFactoryImpl.java:94)
        at org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl.getDefaultIntialDirContext(LDAPInitialDirContextFactoryImpl.java:87)
        at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry$3.<init>(LDAPUserRegistry.java:670)
        at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry.getGroups(LDAPUserRegistry.java:667)
        at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.syncWithPlugin(ChainingUserRegistrySynchronizer.java:632)
        at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.synchronize(ChainingUserRegistrySynchronizer.java:435)
        at org.alfresco.repo.security.sync.UserRegistrySynchronizerJob$1.doWork(UserRegistrySynchronizerJob.java:51)
        at org.alfresco.repo.security.authentication.AuthenticationUtil.runAs(AuthenticationUtil.java:519)
        at org.alfresco.repo.security.sync.UserRegistrySynchronizerJob.execute(UserRegistrySynchronizerJob.java:47)
        at org.quartz.core.JobRunShell.run(JobRunShell.java:216)
        at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:563)
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772]
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3041)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2789)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2703)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
        at javax.naming.InitialContext.init(InitialContext.java:223)
        at javax.naming.InitialContext.<init>(InitialContext.java:197)
        at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)

Thanks & Regards

Sai Mohan

Re: Enable SSO using Alfresco Authentication Chain

afaust — Fri, 04 May 2012 08:09:35 GMT

Hello Sai,

according to various explanations of LDAP error codes, code 49 states your credentials (username / password) are invalid. Check your LDAP configuration for the synchronization security principal and credentials.

Regards
Axel

Re: Enable SSO using Alfresco Authentication Chain

agovikar — Thu, 10 Apr 2014 16:27:00 GMT

Hi Axel,

I have below properties added in my alfresco-global.properties file.

authentication.chain=passthru1assthru,alfrescoNtlm1:alfrescoNtlm,ldap1:ldap-ad

ntlm.authentication.sso.enabled=true
alfresco.authentication.allowGuestLogin=true
alfresco.authentication.authenticateCIFS=false
passthru.authentication.useLocalServer=false
passthru.authentication.domain=INTRANET
passthru.authentication.servers=x.x.x.x
passthru.authentication.guestAccess=true
passthru.authentication.defaultAdministratorUserNames=abc
passthru.authentication.connectTimeout=5000
passthru.authentication.offlineCheckInterval=300
passthru.authentication.protocolOrder=NetBIOS,TCPIP
passthru.authentication.authenticateCIFS=true
passthru.authentication.authenticateFTP=true

### LDAP Integration ###
synchronization.import.cron=0 0 5 * * ?
synchronization.authCreatePeopleOnLogin=false
ldap.authentication.active=false
ldap.synchronization.active=true
ldap.authentication.java.naming.provider.url=x.x.x.x
ldap.synchronization.java.naming.security.principal=abc
ldap.synchronization.java.naming.security.credentials=abc
ldap.synchronization.groupSearchBase=ou\=MyGroups,dc\=MyFQDN,dc=com
ldap.synchronization.userSearchBase=ou\=MyUsers,dc=\MyFQDN,dc=com

The authentication is working perfectly for Alfresco Share.
But giving below error when I launch Alfresco URL. Could you please look into it.

type Exception report

message 03100045 Failed to open session to passthru server
description The server encountered an internal error that prevented it from fulfilling this request.xception

org.alfresco.repo.security.authentication.AuthenticationException: 03100045 Failed to open session to passthru server
   org.alfresco.repo.security.authentication.ntlm.NTLMAuthenticationComponentImpl.authenticatePassthru(NTLMAuthenticationComponentImpl.java:803)
   org.alfresco.repo.security.authentication.ntlm.NTLMAuthenticationComponentImpl.authenticate(NTLMAuthenticationComponentImpl.java:563)
   sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
   sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
   java.lang.reflect.Method.invoke(Method.java:606)