3.4d passthru config

jayg30
Champ in-the-making
Hello,

I've tried to get things working on my own for a very long time now, but I'm at my wits end.
I'm working on a Windows 2008 R2 box. Clients are Win7. Alfresco 3.4d Community Edition.
Alfresco and Active Directory are installed on the same Windows 2008R2 box. This is a test environment.

Basically I just want to get Active Directory with CIFS support for those users. I know that AD does not support CIFS. That is why I have to configure the authentication chain. I have gotten ldap-AD working on its own fine and am confident I have no issues with syncing accounts. When I was trying to test if I could get CIFS working I just used the built-in AlfrescoNTLM to remove any variables. I managed to get the AlfrescoNTLM CIFS working (I could mount a network drive and browse, but I think I still had an issue with clicking the CIFS link in Alfresco Explorer).

At this point I moved to trying to get passthru and LDAP-AD to work so that I could get CIFS support for AD users and not just Alfresco users. I've read all the threads and wiki pages, even external blogs about it. It seems that most of the information tells people to change files outside of the alfresco-global.properties file, but from the wiki sites and everything it seems that all the changes can be made in this one single file. This is what I've done to get everything else to work up to this point, but passthru I can't seem to get. I think it might be something really simple as well.


### Authentication Chain ###
authentication.chain=passthru1:passthru,ldap1:ldap-ad

### NTLM Authentication ###
ntlm.authentication.sso.enabled=false

### Passthru Authentication ###
passthru.authentication.useLocalServer=false
passthru.authentication.domain=
passthru.authentication.servers=DOMAIN//server*
passthru.authentication.guestAccess=false
passthru.authentication.defaultAdministratorUserNames=Administrator
passthru.authentication.authenticateCIFS=true

### LDAP Authentication ###
ldap.authentication.active=false

### LDAP Sync ###
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=Administrator
ldap.synchronization.java.naming.security.credentials=password*
ldap.synchronization.groupSearchBase=ou=nj,dc=adpi,dc=nj,dc=local
ldap.synchronization.userSearchBase=ou=nj,dc=adpi,dc=nj,dc=local

### CIFS ###
cifs.enabled=true
cifs.hostannounce=true

synchronization.import.cron=0 * * ? * * * #this just updates things every single minute for testing
*This part of the code is different than what I have in my config.

Alfresco and AD are both setup on the Win 2008 R2 box.
The NetBios Domain is ADPI.
The NetBios Computer name is Alfresco.
The domain is adpi.nj.local.
I have tried setting localserver to true and leaving domain and servers empty. That gets me to a login screen, but no AD users can log in. I tried setting passthru.authentication.servers to many variations of the information listed above with no luck being able to log in. I tried setting the servers entry to the IP addresses and that doesn't even let me get to a login screen (java errors get thrown).

I have also made the changes mentioned in the forum about the "Network Security: LAN Manager authentication level". I changed it to "Send LM & NTLM - use NTLMv2 session security if negotiated" as I understand there is a "man in the middle" issue with NTLMv2.

I feel like either I'm misunderstanding something, or I simply don't know what to put in the passthru.authentication.servers field. Or lastly, for some reason the alfresco-global.properties file isn't setting the passthru settings correctly for me, but it is for the other stuff I've tried.

Please, if someone could help me with this I'd be very grateful. Getting AD with CIFS is really all I need to get working now so I can finally have some people take this for a test run.

Thanks

jayg30
Champ in-the-making
Some information I discovered today.
Passthru is still not working, but I also noticed that ldap sync wasn't working either.
I don't know if this is due to passthru not working or if I need to provide the ldap authentication information even though it is disabled.
As it stands now, if I do provide the ldap authentication parameters then ldap sync works again (see code below).


### Authentication Chain ###
authentication.chain=alfrescoNtlm1:alfrescoNtlm,passthru1:passthru,ldap1:ldap-ad

### NTLM Authentication ###
ntlm.authentication.sso.enabled=false
alfresco.authentication.authenticateCIFS=false

### Passthru Authentication ###
passthru.authentication.authenticateCIFS=true
passthru.authentication.useLocalServer=false
passthru.authentication.domain=
passthru.authentication.servers=<domain>\\<server>
passthru.authentication.defaultAdministratorUserNames=Administrator

### LDAP Authentication ###
ldap.authentication.active=false
ldap.authentication.userNameFormat=%s@<domain>
ldap.authentication.java.naming.provider.url=ldap://<NetBiosCompName>.<domain>:389
ldap.authentication.defaultAdministratorUserNames=Administrator

### Synchronization ###
synchronization.import.cron=0 * * ? * * *

### LDAP Sync ###
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=Administrator
ldap.synchronization.java.naming.security.credentials=password*
ldap.synchronization.groupSearchBase=ou=nj,dc=adpi,dc=nj,dc=local
ldap.synchronization.userSearchBase=ou=nj,dc=adpi,dc=nj,dc=local

### CIFS ###
cifs.enabled=true
cifs.hostannounce=true

I still feel like my problem is I'm not putting the right value in passthru.authentication.servers, as I'm not sure if I'm using domain, NetBIOS computer name, NetBIOS domain, IP address, server name, etc. But even then, I'm a bit confused why setting passthru.authentication.useLocalServer=true wouldn't work either, since everything is on the same machine.

jayg30
Champ in-the-making
Well I finally was able to log in with my AD users.
I ended up using the passthru.authentication.domain=NetBios domain name.
And I had to change the DNS server addresses from "obtain automatically" to manually entering the Alfresco server IP address; with that it works. I found this information in this thread. I would like to know if there is a way to do this without having to put the Alfresco server IP into the DNS server addresses. The poster in the thread mentions using the firewall to block SMB over TCP port 445, but I don't think this works. I've removed all the "file & printer sharing" stuff mentioned in other threads because it was the only way to make port 445 stop appearing as listening. I added a rule in the firewall to block all traffic on port 445, but that didn't seem to do anything at all either. I'm sure there is some way to do this but I'm really not sure how.

I'm still left without CIFS though. Drive mapping prompts for user name and password but it never works.

PS: Also, just to clear up the question I posed in the post above about whether you need the ldap-ad authentication parameters once passthru is working. Yes you do. This was not clear at all in the wiki on configuring authentication chaining or in the individual section that explains the LDAP authentication subsystem. It should be clearer in the wiki that you cannot have synchronization (i.e. user registry export) without providing the settings for LDAP authentication. If you just want synchronization (user registry export) you still provide all the parameters, but you also disable authentication with ldap.authentication.active=false. I was under the impression these two features were exclusive of one another, but I was wrong.

mrogers
Star Contributor
If you think that the wiki is unclear then please go ahead and change it.

jayg30
Champ in-the-making
If you think that the wiki is unclear then please go ahead and change it.
I'll consider doing that, thanks.

I'm still having some problems but things are getting better.

I still can't get things working using passthru.authentication.servers.
Using passthru.authentication.domain is at least letting me login with my AD users.
If I put passthru.authentication.domain=ADPI, wouldn't passthru.authentication.servers=ADPI\\<serverip>,<serverip>?
In other words, is the <domain> part of passthru.authentication.servers the same thing you put in passthru.authentication.domain?
And then after the "\\" you either put the IP address of the server or the server's NetBIOS computer name? I also read that you have to put at least one server name/IP without a domain attached to act as a fallback.

I still can't get CIFS to work. Like I said, when I use the built in Alfresco authentication and set alfresco.authentication.authenticateCIFS=true, I was able to get it working. At the time the only Alfresco user was the default admin account so I assume it logged me into that (it didn't even prompt for user/password). I went back today and tried to set it up the same but this time I added another user and tried to log on with that account. It didn't seem to work and I don't know why. When I attempt to add the network drive with "\\alfrescoa\alfresco" I get a prompt for user/password but whenever I put the credentials for one of my AD users in it complains about a bad password.

This is my current alfresco-global.properties file:

### Authentication Chain ###
authentication.chain=passthru1:passthru,ldap1:ldap-ad

### NTLM Authentication ###
ntlm.authentication.sso.enabled=false
alfresco.authentication.authenticateCIFS=false

### Passthru Authentication ###
ntlm.authentication.sso.enabled=false
passthru.authentication.sso.enabled=false
passthru.authentication.authenticateCIFS=true
passthru.authentication.useLocalServer=false
passthru.authentication.domain=ADPI
passthru.authentication.servers=
passthru.authentication.defaultAdministratorUserNames=Administrator

### LDAP Authentication ###
ldap.authentication.active=false
ldap.authentication.userNameFormat=%s@<domain>
ldap.authentication.java.naming.provider.url=ldap://<full computer name>:389
ldap.authentication.defaultAdministratorUserNames=Administrator

### Synchronization ###
synchronization.import.cron=0 * * ? * * *

### LDAP Sync ###
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=Administrator
ldap.synchronization.java.naming.security.credentials=password*
ldap.synchronization.groupSearchBase=ou=nj,dc=adpi,dc=nj,dc=local
ldap.synchronization.userSearchBase=ou=nj,dc=adpi,dc=nj,dc=local

### CIFS ###
cifs.enabled=true
cifs.hostannounce=true

Just to be clear, I used the information from File Server Configuration and information found in the forums to try to allow the Alfresco CIFS to work on Server 2008 R2 x64. I added the "SMBDeviceEnabled"=dword:00000000 registry edit even though I don't think it helps with Server 2008. I did the firewall settings noted for Vista and Windows 2008, which tell you to enable and disable certain firewall rules. I also added the registry value "Smb2"=dword:00000000. This did not stop the LISTENING on port 445. I also put the "Message-oriented TCP/IP and TCP/IPv6 Protocol (SMB session)" to on demand in the device manager. Finally I found information on this forum HERE that the only way they were able to stop the listening on port 445 was to remove "File and Printer Sharing for Microsoft Networks" and "Client for Microsoft Networks" from the network adapter. This stopped the listening on port 445 and seemed to solve my issues, but still CIFS using passthru does not work. I was under the impression that if I stopped the LISTENING on port 445, set the clients to use NTLM v1 instead of v2, and enabled CIFS in the alfresco-global.properties file it would work, but it seems something is still not right. Also, WebDAV works and I mounted it with no problem.

jayg30
Champ in-the-making
Hello Everyone,

I now have AD, passthru, CIFS (and pretty much everything) working correctly on a Windows Server 2008 R2 x64 server with Win7 clients.

So I installed a fresh copy of 2008 R2 and Alfresco, made singular changes and then tested. I still have more testing to do to figure out which of the things mentioned in this forum and in the wiki actually matter and which don't. But there are some key things I wanted to mention.

One major thing I found was that I did NOT need to stop port 445 from listening. It actually could be counterproductive for providing CIFS. When you run netstat -aon you will see port 445 listening on all addresses (i.e. 0.0.0.0). While reading the wiki explaining how Alfresco handles CIFS for Windows, I noticed a singular sentence that seemed to imply that Windows or Alfresco (can't remember which) is smart enough to figure out when a request on port 445 was being made to Alfresco or to Windows and forward it accordingly. It seems that is the case. The ONLY way to completely get rid of listening on port 445 is to uninstall "File and Printer Sharing for Microsoft Networks" from the network adapter's properties menu. I do mean uninstall, not just uncheck. But you do NOT have to do this. Currently all I have is "File and Printer Sharing for Microsoft Networks" unchecked, and port 445 is still listening. Unchecking it might not even be necessary, but I need to test more. What I found was that when I uninstalled this, if I ran nbtstat -n I did not see an entry in the NetBIOS name table for <servername>A (i.e. my server name is ALFRESCO so it should show an entry ALFRESCOA). From the Win7 client I could still get to the server with Alfrescoa, but passthru authentication for CIFS would not work. Another thing I found is that people recommended removing "\Device\" from the TransportBindName registry entry. This will cause nbtstat to not work, so I did not do this.

Another issue I had was that if I just used passthru.authentication.domain in the alfresco-global.properties file I could not get CIFS to work. I could log into the Alfresco/Share websites. I think this has to do with needing some more information in the properties file related to Domain Mapping. If you can use passthru.authentication.servers then it seems to allow CIFS to work without providing more information. This proved tricky for me (especially in a test environment) because it appears there is a bug or something. The only hint I found about this was HERE, and this wasn't the thread starter's issue I don't believe, and it doesn't really explain what I'm experiencing; it just made me consider that there might be a bug. I could not get this setting to work with my server's NetBIOS name or the actual server IP address. I got it to work one time (<domain>//<servername>,<ip>), but after restarting the machine it wouldn't let me sign into the websites or authenticate for CIFS. I ended up using the loopback IP address (127.0.0.1) and now it actually works. It appears to me that this needs to be looked at more because it seems to be very touchy depending on your particular setup. Mine was a simple one-machine setup as a DC, DNS, AD, and Alfresco pointing back to itself for primary/secondary DNS (192.168.100.1, 127.0.0.1), the last being what I think causes the issues.

Another thing is you do need to change the "Network security: LAN Manager authentication level" to "Send LM & NTLM - use NTLMv2 session security if negotiated", either using your local security policy or in your group policy if you have AD set up.

In Summary, this is what I have done:
Disable File & Print Sharing (SMB-In) *not sure if necessary
Uncheck "File and Printer Sharing for Microsoft Networks" * not sure if necessary
Set passthru.authentication.servers=127.0.0.1 (I think there is a bug with this setting)
Set "Network security: LAN Manager authentication level" to "Send LM & NTLM - use NTLMv2 session security if negotiated"
Map drive using \\<servername>\alfresco
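Added example (my own code, not from any poster or from Alfresco): a small checker that parses an alfresco-global.properties fragment and reports the inconsistencies this thread ran into: a malformed passthru.authentication.servers entry, no fallback entry without a domain prefix, ldap-ad synchronization without the ldap.authentication.* connection settings, and a clear-text bind password left in the file. The server-entry rules and the sync requirement are the ones stated in the posts above; the sample input is constructed from the first post's configuration.

```python
import re

# Java .properties: '#' at line start is a comment. This checker also drops a trailing
# " #comment", as in the cron line in the first post (a simplification of the format).
def parse_properties(text):
    props = {}
    for raw in text.splitlines():
        line = re.split(r"\s#", raw, maxsplit=1)[0].strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()  # a later duplicate key overrides an earlier one
    return props

# One passthru.authentication.servers entry: optional NetBIOS domain, a backslash (two in
# the file, since .properties escapes them), then a NetBIOS host name or IPv4 address.
SERVER_RE = re.compile(r"^(?:(?P<dom>[A-Za-z0-9_-]+)\\{1,2})?(?P<host>[A-Za-z0-9.\-]+)$")

def check_alfresco_auth(props):
    findings = []
    chain = [m.partition(":") for m in props.get("authentication.chain", "").split(",") if m]
    types = {t for _, _, t in chain}
    if "passthru" in types:
        domain = props.get("passthru.authentication.domain", "")
        servers = [s for s in props.get("passthru.authentication.servers", "").split(",") if s]
        if not domain and not servers:
            findings.append("passthru: set passthru.authentication.domain or .servers")
        has_fallback = False
        for entry in servers:
            m = SERVER_RE.match(entry)
            if not m:
                findings.append(f"passthru: malformed server entry {entry!r}")
            elif not m.group("dom"):
                has_fallback = True
        if servers and not has_fallback:
            findings.append("passthru: no server entry without a domain prefix to act as fallback")
    if "ldap-ad" in types and props.get("ldap.synchronization.active") == "true":
        for key in ("ldap.authentication.java.naming.provider.url",
                    "ldap.authentication.userNameFormat"):
            if not props.get(key):
                findings.append(f"ldap-ad sync still needs {key} when ldap.authentication.active=false")
    if props.get("ldap.synchronization.java.naming.security.credentials"):
        findings.append("clear-text LDAP bind password in the properties file; restrict its ACL")
    return findings

# Constructed sample: the relevant lines of the first configuration posted in the thread.
FIRST_POST = """\
authentication.chain=passthru1:passthru,ldap1:ldap-ad
passthru.authentication.domain=
passthru.authentication.servers=DOMAIN//server*
ldap.authentication.active=false
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.credentials=password*
synchronization.import.cron=0 * * ? * * * #this just updates things every single minute for testing
"""

if __name__ == "__main__":
    for finding in check_alfresco_auth(parse_properties(FIRST_POST)):
        print("-", finding)
```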

cyberheap
Champ in-the-making
Hi!

Could you share your configs here?

I am trying to set up LDAP and CIFS on a Windows Server 2003.

AD configuration works and users are synced, but I have problems configuring the passthru auth for CIFS.

tapan_d_thakkar
Champ in-the-making
Hi all,

Here I am trying to integrate Alfresco with NTLM and AD, so when a user is logged in to Microsoft Windows using AD credentials and tries to log in to Alfresco he should not be asked for a username and password; he should be redirected to the Alfresco dashboard.

Here I am giving all the configuration files and steps I have followed, so if you find anything wrong in that please help me out.

In my alfresco-global.properties I have added these properties:

authentication.chain=alfrescoNtlm1:alfrescoNtlm,passthru1:passthru,ldap-ad1:ldap-ad

#alfrescoNtlm1
ntlm.authentication.sso.enabled=false
alfresco.authentication.authenticateCIFS=false
#passthru1
passthru.authentication.useLocalServer=false
passthru.authentication.domain=
passthru.authentication.servers=DOMAIL\\SERVER
passthru.authentication.guestAccess=false
passthru.authentication.defaultAdministratorUserNames=Administrator
#Timeout value when opening a session to an authentication server, in milliseconds
passthru.authentication.connectTimeout=5000
#Offline server check interval in seconds
passthru.authentication.offlineCheckInterval=300
passthru.authentication.protocolOrder=NetBIOS,TCPIP
passthru.authentication.authenticateFTP=false
ntlm.authentication.sso.enabled=true
passthru.authentication.authenticateCIFS=true

When I open the Alfresco login form "http://localhost:8080/alfresco/faces/jsp/login.jsp" the user is able to log in using his AD credentials. [If the user does not exist in the system, Alfresco creates a new user.]
But when the user logs in to Microsoft Windows (OS) using these credentials and then tries to log in to Alfresco, he is not able to log in. [In this case, Alfresco should take the credentials the user has used to log in to the system.]

[Note: I am using Internet Explorer. I have added this site to the Local Intranet sites and also enabled "Automatic logon with current user name and password" in Internet Explorer. I have also changed the "LAN Manager authentication level" to "Send LM & NTLM - use NTLMv2 session security if negotiated".]

logs on console …

12:23:24,191  DEBUG [app.servlet.NTLMAuthenticationFilter] Received type1 [Type1:0xa2088207,Domain:<NotSet>,Wks:<NotSet>]
12:23:24,207  DEBUG [app.servlet.NTLMAuthenticationFilter] Sending NTLM type2 to client - [Type2:0xa0080201,Target:TAPANTA,Ch:fa2726b75dd3dbaa]
12:23:24,207  DEBUG [app.servlet.NTLMAuthenticationFilter] Received type3 [Type3:,LM:8fb962479940a86500000000000000000000000000000000,NTLM:b51b20be2eee5a5eb2f7bc9adac61f11adcd9ffa487afa06,
Dom:TestDomain.Com,User:testUser,Wks:testWKS]
12:23:24,285  DEBUG [app.servlet.NTLMAuthenticationFilter] User testUser does not have Alfresco account
12:23:24,285  DEBUG [app.servlet.NTLMAuthenticationFilter] restartLoginChallenge…

I think in this case Alfresco should create the user account in Alfresco if the user does not exist in the system, but this is not happening.
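Added example (my own code, not from the thread or from Alfresco): parsing NTLMAuthenticationFilter Type3 debug lines like the ones quoted above and classifying, from the response lengths alone, which NTLM flavour the client actually sent. That is a quick way to confirm whether the "LAN Manager authentication level" change took effect on a client. The sample log is constructed from the lines posted above, values as posted.

```python
import re

# Constructed sample modelled on the NTLMAuthenticationFilter debug lines quoted above.
# The Type3 entry wraps onto a second line, which the regex tolerates.
LOG = """\
12:23:24,191  DEBUG [app.servlet.NTLMAuthenticationFilter] Received type1 [Type1:0xa2088207,Domain:<NotSet>,Wks:<NotSet>]
12:23:24,207  DEBUG [app.servlet.NTLMAuthenticationFilter] Sending NTLM type2 to client - [Type2:0xa0080201,Target:TAPANTA,Ch:fa2726b75dd3dbaa]
12:23:24,207  DEBUG [app.servlet.NTLMAuthenticationFilter] Received type3 [Type3:,LM:8fb962479940a86500000000000000000000000000000000,NTLM:b51b20be2eee5a5eb2f7bc9adac61f11adcd9ffa487afa06,
Dom:TestDomain.Com,User:testUser,Wks:testWKS]
12:23:24,285  DEBUG [app.servlet.NTLMAuthenticationFilter] User testUser does not have Alfresco account
"""

TYPE3_RE = re.compile(
    r"\[Type3:,LM:(?P<lm>[0-9a-fA-F]*),NTLM:(?P<ntlm>[0-9a-fA-F]*),\s*"
    r"Dom:(?P<dom>[^,]*),User:(?P<user>[^,]*),Wks:(?P<wks>[^\]]*)\]")

def classify_type3(lm_hex, ntlm_hex):
    """Name the response flavour from the response lengths (MS-NLMP 3.3.1 and 3.3.2).
    NTLMv1 and NTLM2-session responses are 24 bytes each; an NTLMv2 response is a
    16-byte HMAC followed by a variable-length blob, so it is longer than 24 bytes."""
    lm, ntlm = bytes.fromhex(lm_hex), bytes.fromhex(ntlm_hex)
    if len(ntlm) > 24:
        return "NTLMv2"
    if len(ntlm) == 24:
        # NTLM2 session security: the LM field carries an 8-byte client nonce + 16 zero bytes
        if len(lm) == 24 and lm[:8] != bytes(8) and lm[8:] == bytes(16):
            return "NTLMv1 with NTLM2 session security"
        return "NTLMv1"
    return "unknown"

def parse_handshakes(log):
    """Extract every Type3 message from the log together with the flavour the client sent."""
    return [{"user": m["user"], "domain": m["dom"], "workstation": m["wks"],
             "flavour": classify_type3(m["lm"], m["ntlm"])}
            for m in TYPE3_RE.finditer(log)]

if __name__ == "__main__":
    for h in parse_handshakes(LOG):
        print(f'{h["domain"]}\\{h["user"]} from {h["workstation"]}: {h["flavour"]}')
```

For the posted exchange the result is "NTLMv1 with NTLM2 session security", which is what the "Send LM & NTLM - use NTLMv2 session security if negotiated" level produces; an unchanged Windows 7 client would show a longer NTLMv2 response instead.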