
Alfresco Share 3.2 NTLM SSO fails

ofrxnz
Champ in-the-making
So, I have configured Alfresco proper to use NTLM SSO against a Windows 2k3 R2 Active Directory server. Everything is working well.

I followed the instructions here http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems
but when I tried to switch Share over to use SSO against passthru/ntlm authentication, everything caught on fire.

I have tried both Firefox 3.5 and IE8, and in IE8 have set it for both trusted and untrusted the server so it will prompt for basic and try to SSO. When it prompts for basic auth, I have also tried explicitly specifying the domain and only using a username.

This is Alfresco 3.2 running on Windows 2k3 R2 using the full Windows installer and an XP SP3 client.

Here is the alfresco.log portion with NTLM debugging turned on in both Alfresco and Share:

11:32:43,008 DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] Processing request: /alfresco/wcs/touch SID:null
11:32:43,024 DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] Received type1 [Type1:0xa2088207,Domain:<NotSet>,Wks:<NotSet>]
11:32:43,024 DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] Failed to map client IP 192.168.1.240 to a domain
11:32:43,024 DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] Client domain null
11:32:43,274 DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] Sending NTLM type2 to client - [Type2:0x80000203,Target:MYSERVERA,Ch:dac3eaf23cc2d44b]
11:32:43,305 DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] Processing request: /alfresco/wcs/touch SID:00905931528ED05F731F8DECA79DCDE7
11:32:43,321 DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] Received type3 [Type3:,LM:5d5120f1585f9d9f21e828685e4941c9811c4dafd80b2fc3,NTLM:c11f6698d7800d095a555d048e1f450ea520566b816cba3c,Dom:PHARPOINT,User:myuser.name,Wks:MyWorkStation]
11:32:43,430 DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] Updated cached NTLM details
11:32:43,446 DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] User logged on via NTLM, [myuser.name,Wks:MyWorkStation,Dom:MYDOMAIN,AuthSrv:MyServer,Wed Jul 08 11:32:43 EDT 2009]
11:32:43,446 DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] Login page requested, chaining …
11:32:43,555 DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] Processing request: /alfresco/wcs/webframework/content/metadata SID:00905931528ED05F731F8DECA79DCDE7
11:32:43,555 DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] User myuser.name validate ticket
11:32:43,571 DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] Authentication not required (user), chaining …
11:32:43,571 ERROR [org.alfresco.web.scripts.AbstractRuntime] Exception from executeScript - redirecting to status template error: 06080019 Web Script org/alfresco/webframework/metadata.get requires user authentication; however, a guest has attempted access.
org.alfresco.web.scripts.WebScriptException: 06080019 Web Script org/alfresco/webframework/metadata.get requires user authentication; however, a guest has attempted access.
   at org.alfresco.repo.web.scripts.RepositoryContainer.executeScript(RepositoryContainer.java:257)
   at org.alfresco.web.scripts.AbstractRuntime.executeScript(AbstractRuntime.java:262)
   at org.alfresco.web.scripts.AbstractRuntime.executeScript(AbstractRuntime.java:139)
   at org.alfresco.web.scripts.servlet.WebScriptServlet.service(WebScriptServlet.java:122)
   at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
   at org.alfresco.repo.webdav.auth.BaseNTLMAuthenticationFilter.doFilter(BaseNTLMAuthenticationFilter.java:264)
   at org.alfresco.web.app.servlet.WebScriptNTLMAuthenticationFilter.doFilter(WebScriptNTLMAuthenticationFilter.java:94)
   at sun.reflect.GeneratedMethodAccessor411.invoke(Unknown Source)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:597)
   at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:109)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
   at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
   at $Proxy188.doFilter(Unknown Source)
   at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:88)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
   at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
   at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
   at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
   at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
   at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
   at java.lang.Thread.run(Thread.java:619)

and the page Share provides me is

HTTP Status 500 -

type Exception report

message

description The server encountered an internal error () that prevented it from fulfilling this request.

exception

javax.servlet.ServletException: org.alfresco.web.site.exception.RequestContextException: Exception running UserFactory in HttpRequestContextFactory
   org.alfresco.web.site.servlet.DispatcherServlet.service(DispatcherServlet.java:146)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
   org.alfresco.web.site.servlet.NTLMAuthenticationFilter.processType3(NTLMAuthenticationFilter.java:533)
   org.alfresco.web.site.servlet.NTLMAuthenticationFilter.doFilter(NTLMAuthenticationFilter.java:251)

root cause

org.alfresco.web.site.exception.RequestContextException: Exception running UserFactory in HttpRequestContextFactory
   org.alfresco.web.site.DefaultRequestContextFactory.newInstance(DefaultRequestContextFactory.java:117)
   org.alfresco.web.site.FrameworkHelper.initRequestContext(FrameworkHelper.java:202)
   org.alfresco.web.site.servlet.DispatcherServlet.service(DispatcherServlet.java:142)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
   org.alfresco.web.site.servlet.NTLMAuthenticationFilter.processType3(NTLMAuthenticationFilter.java:533)
   org.alfresco.web.site.servlet.NTLMAuthenticationFilter.doFilter(NTLMAuthenticationFilter.java:251)

root cause

org.alfresco.web.site.exception.UserFactoryException: Unable to retrieve user from repository
   org.alfresco.web.site.AlfrescoUserFactory.loadUser(AlfrescoUserFactory.java:252)
   org.alfresco.web.site.UserFactory.faultUser(UserFactory.java:169)
   org.alfresco.web.site.UserFactory.faultUser(UserFactory.java:110)
   org.alfresco.web.site.DefaultRequestContextFactory.newInstance(DefaultRequestContextFactory.java:93)
   org.alfresco.web.site.FrameworkHelper.initRequestContext(FrameworkHelper.java:202)
   org.alfresco.web.site.servlet.DispatcherServlet.service(DispatcherServlet.java:142)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
   org.alfresco.web.site.servlet.NTLMAuthenticationFilter.processType3(NTLMAuthenticationFilter.java:533)
   org.alfresco.web.site.servlet.NTLMAuthenticationFilter.doFilter(NTLMAuthenticationFilter.java:251)

root cause

org.alfresco.web.site.exception.UserFactoryException: Unable to create user - failed to retrieve user metadata:
   org.alfresco.web.site.AlfrescoUserFactory.loadUser(AlfrescoUserFactory.java:160)
   org.alfresco.web.site.UserFactory.faultUser(UserFactory.java:169)
   org.alfresco.web.site.UserFactory.faultUser(UserFactory.java:110)
   org.alfresco.web.site.DefaultRequestContextFactory.newInstance(DefaultRequestContextFactory.java:93)
   org.alfresco.web.site.FrameworkHelper.initRequestContext(FrameworkHelper.java:202)
   org.alfresco.web.site.servlet.DispatcherServlet.service(DispatcherServlet.java:142)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
   org.alfresco.web.site.servlet.NTLMAuthenticationFilter.processType3(NTLMAuthenticationFilter.java:533)
   org.alfresco.web.site.servlet.NTLMAuthenticationFilter.doFilter(NTLMAuthenticationFilter.java:251)

note The full stack trace of the root cause is available in the Apache Tomcat/6.0.18 logs.
Apache Tomcat/6.0.18

here is Share's web.xml

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>

   <display-name>Alfresco Project Slingshot</display-name>   
   <description>Alfresco Project Slingshot application</description>
  
   <context-param>
      <param-name>org.jboss.jbossfaces.WAR_BUNDLES_JSF_IMPL</param-name>
      <param-value>true</param-value>
   </context-param>

   <context-param>
      <param-name>contextConfigLocation</param-name>
      <param-value>
         classpath:alfresco/webscript-framework-application-context.xml
         classpath:alfresco/web-framework-model-context.xml
         classpath:alfresco/web-framework-application-context.xml
         classpath*:alfresco/web-extension/custom-web-framework-application-context.xml
         classpath:alfresco/slingshot-application-context.xml
         classpath*:alfresco/web-extension/custom-slingshot-application-context.xml
      </param-value>
      <description>Spring config file locations</description>
   </context-param>
  
   <context-param>
      <param-name>contextClass</param-name>
      <param-value>org.alfresco.config.JBossEnabledWebApplicationContext</param-value>
      <description>Spring context class</description>
   </context-param>
  
   <!-- For NTLM authentication support use the following filter -->
  
   <filter>
      <filter-name>Authentication Filter</filter-name>
      <filter-class>org.alfresco.web.site.servlet.NTLMAuthenticationFilter</filter-class>
      <init-param>
         <param-name>endpoint</param-name>
         <param-value>alfresco</param-value>
      </init-param>
   </filter>
 
  
   <!-- For NTLM authentication support enable the following mappings -->
   <!-- after enabling the NTLMAuthenticationFilter filter class above -->
  
   <filter-mapping>
      <filter-name>Authentication Filter</filter-name>
      <url-pattern>/page/*</url-pattern>
   </filter-mapping>
  
   <filter-mapping>
      <filter-name>Authentication Filter</filter-name>
      <url-pattern>/p/*</url-pattern>
   </filter-mapping>
  
   <filter-mapping>
      <filter-name>Authentication Filter</filter-name>
      <url-pattern>/s/*</url-pattern>
   </filter-mapping>
 
  
   <listener>
      <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
   </listener>
  
   <servlet>
      <servlet-name>apiServlet</servlet-name>
      <servlet-class>org.alfresco.web.scripts.servlet.WebScriptServlet</servlet-class>
      <init-param>
         <param-name>container</param-name>
         <param-value>webframework.webscripts.container</param-value>
      </init-param>
      <!--
      <init-param>
         <param-name>authenticator</param-name>
         <param-value>webscripts.authenticator.basic</param-value>
      </init-param>
      -->
   </servlet>
  
   <servlet>
      <servlet-name>feedApiServlet</servlet-name>
      <servlet-class>org.alfresco.web.site.servlet.WebScriptFeedServlet</servlet-class>
      <init-param>
         <param-name>container</param-name>
         <param-value>webframework.webscripts.container</param-value>
      </init-param>
      <init-param>
         <param-name>authenticator</param-name>
         <param-value>webscripts.authenticator.delegatingbasic</param-value>
      </init-param>
   </servlet>

   <servlet>
      <servlet-name>proxyServlet</servlet-name>
      <servlet-class>org.alfresco.web.scripts.servlet.EndPointProxyServlet</servlet-class>
   </servlet>

   <servlet>
      <servlet-name>uriTemplateServlet</servlet-name>
      <servlet-class>org.alfresco.web.uri.UriTemplateServlet</servlet-class>
   </servlet>

   <!-- The Web Framework Dispatcher Servlet -->
   <servlet>
      <servlet-name>pageRendererServlet</servlet-name>
      <servlet-class>org.alfresco.web.site.servlet.DispatcherServlet</servlet-class>
      <load-on-startup>1</load-on-startup>
   </servlet>
  
   <servlet>
      <servlet-name>frameworkControlServlet</servlet-name>
      <servlet-class>org.alfresco.web.site.servlet.FrameworkControlServlet</servlet-class>
   </servlet>
  
   <servlet>
      <servlet-name>loginServlet</servlet-name>
      <servlet-class>org.alfresco.web.site.servlet.LoginServlet</servlet-class>
   </servlet>

   <servlet>
      <servlet-name>logoutServlet</servlet-name>
      <servlet-class>org.alfresco.web.site.servlet.LogoutServlet</servlet-class>
   </servlet>

   <servlet-mapping>
      <servlet-name>logoutServlet</servlet-name>
      <url-pattern>/logout</url-pattern>
   </servlet-mapping>

   <servlet-mapping>
      <servlet-name>loginServlet</servlet-name>
      <url-pattern>/login/*</url-pattern>
   </servlet-mapping>

   <servlet-mapping>
      <servlet-name>apiServlet</servlet-name>
      <url-pattern>/service/*</url-pattern>
   </servlet-mapping>
  
   <servlet-mapping>
      <servlet-name>feedApiServlet</servlet-name>
      <url-pattern>/feedservice/*</url-pattern>
   </servlet-mapping>
  
   <servlet-mapping>
      <servlet-name>proxyServlet</servlet-name>
      <url-pattern>/proxy/*</url-pattern>
   </servlet-mapping>
  
   <servlet-mapping>
      <servlet-name>pageRendererServlet</servlet-name>
      <url-pattern>/page/*</url-pattern>
   </servlet-mapping>

   <servlet-mapping>
      <servlet-name>pageRendererServlet</servlet-name>
      <url-pattern>/p/*</url-pattern>
   </servlet-mapping>
  
   <servlet-mapping>
      <servlet-name>uriTemplateServlet</servlet-name>
      <url-pattern>/s/*</url-pattern>
   </servlet-mapping>
  
   <servlet-mapping>
      <servlet-name>frameworkControlServlet</servlet-name>
      <url-pattern>/control/*</url-pattern>
   </servlet-mapping>
  
   <session-config>
      <session-timeout>60</session-timeout>
   </session-config>

   <!-- welcome file list precedence order is index.jsp, then index.html -->
   <welcome-file-list>
      <welcome-file>index.jsp</welcome-file>
      <welcome-file>index.html</welcome-file>
   </welcome-file-list>

</web-app>

And the webscript-framework-config-custom.xml. I have tried about every combination for the server line, including IP address, DNS address and localhost:

<alfresco-config>
  
   <!-- Overriding endpoints to reference a remote Alfresco server -->
   <!--
   <config evaluator="string-compare" condition="Remote">
      <remote>

         <endpoint>
            <id>alfresco-noauth</id>
            <name>Alfresco - unauthenticated access</name>
            <description>Access to Alfresco Repository WebScripts that do not require authentication</description>
            <connector-id>alfresco</connector-id>
            <endpoint-url>http://yourserver:8080/alfresco/s</endpoint-url>
            <identity>none</identity>
         </endpoint>

         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfresco</connector-id>
            <endpoint-url>http://yourserver:8080/alfresco/s</endpoint-url>
            <identity>user</identity>
         </endpoint>

         <endpoint>
            <id>alfresco-feed</id>
            <name>Alfresco Feed</name>
            <description>Alfresco Feed - supports basic HTTP authentication</description>
            <connector-id>http</connector-id>
            <endpoint-url>http://yourserver:8080/alfresco/s</endpoint-url>
            <basic-auth>true</basic-auth>
            <identity>user</identity>
         </endpoint>

      </remote>
   </config>
   -->

   <!-- Overriding endpoints to reference an Alfresco server with NTLM filter enabled -->
   <!-- NOTE: the NTLM Authentication Filter must be enabled for both repository and web-tier web.xml -->
   <!-- NOTE: if utilising a load balancer between web-tier and repository cluster, the "sticky -->
   <!--       sessions" feature of your load balancer must be used when NTLM filter is active -->
  
   <config evaluator="string-compare" condition="Remote">
      <remote>
        
         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfresco</connector-id>
            <endpoint-url>http://server.domain.com:8080/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
         
      </remote>
   </config>
   

</alfresco-config>
27 REPLIES

gsoalheiro
Champ in-the-making
Thanks Kev. Are there any timeframes available for the current 3.2 bug fixing phase?

dward
Champ on-the-rise
I have found a fix. You just need to edit webscript-framework-config-custom.xml as follows:


   <config evaluator="string-compare" condition="Remote">
      <remote>
        
         <connector>
            <id>alfrescoCookie</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using cookie-based authentication</description>
            <class>org.alfresco.connector.AlfrescoConnector</class>
         </connector>

         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfrescoCookie</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
         
      </remote>
   </config>

I have updated the .sample file and Wiki

http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#Alfresco_Share_SSO_using_NTLM
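
Added example, not part of the thread and not Alfresco's own code: a Python check that compares a webscript-framework-config-custom.xml with the shape of the fix above, where every endpoint with external-auth set to true references a connector declared in the same file with class org.alfresco.connector.AlfrescoConnector. The function name, the finding texts and the /alfresco/wcs URL check are assumptions made for this example; the two sample configs are trimmed from the posts above.

```python
import xml.etree.ElementTree as ET

# Connector class named in the fix posted above.
EXPECTED_CLASS = "org.alfresco.connector.AlfrescoConnector"

def _text(node, tag):
    return (node.findtext(tag) or "").strip()

def check_share_sso_config(xml_text):
    """Return findings for external-auth endpoints; an empty list means a match."""
    # ElementTree drops XML comments, so commented-out sample blocks are ignored.
    root = ET.fromstring(xml_text)
    findings, seen = [], 0
    for remote in root.iter("remote"):
        connectors = {_text(c, "id"): _text(c, "class") for c in remote.findall("connector")}
        for ep in remote.findall("endpoint"):
            if _text(ep, "external-auth").lower() != "true":
                continue  # only SSO endpoints are in scope
            seen += 1
            ep_id, conn_id = _text(ep, "id"), _text(ep, "connector-id")
            if conn_id not in connectors:
                findings.append(f"{ep_id}: connector '{conn_id}' is not declared in this file")
            elif connectors[conn_id] != EXPECTED_CLASS:
                findings.append(f"{ep_id}: connector '{conn_id}' uses class {connectors[conn_id]}")
            # Assumption: both NTLM configs in the thread target /alfresco/wcs.
            if not _text(ep, "endpoint-url").rstrip("/").endswith("/alfresco/wcs"):
                findings.append(f"{ep_id}: endpoint-url does not end in /alfresco/wcs")
    if seen == 0:
        findings.append("no active endpoint with external-auth=true")
    return findings

# Trimmed from the thread: the original post's config, which failed ...
ORIGINAL = """<alfresco-config>
  <!-- <config><remote><endpoint><id>alfresco-noauth</id></endpoint></remote></config> -->
  <config evaluator="string-compare" condition="Remote"><remote>
    <endpoint>
      <id>alfresco</id>
      <connector-id>alfresco</connector-id>
      <endpoint-url>http://server.domain.com:8080/alfresco/wcs</endpoint-url>
      <external-auth>true</external-auth>
    </endpoint>
  </remote></config>
</alfresco-config>"""

# ... and the fix posted above.
FIXED = """<alfresco-config>
  <config evaluator="string-compare" condition="Remote"><remote>
    <connector>
      <id>alfrescoCookie</id>
      <class>org.alfresco.connector.AlfrescoConnector</class>
    </connector>
    <endpoint>
      <id>alfresco</id>
      <connector-id>alfrescoCookie</connector-id>
      <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
      <external-auth>true</external-auth>
    </endpoint>
  </remote></config>
</alfresco-config>"""

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, check_share_sso_config(cfg) or "matches the posted fix")
```

A file in which the whole NTLM section is still inside an XML comment yields the "no active endpoint" finding, because the parser never sees the commented elements.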

kevinr
Star Contributor
I have tested the fix locally, it works for me. Thanks David for that.

Cheers,

Kev

ivan_plestina
Champ in-the-making
Kevin, David,

This breaks existing sites. Clicking on a link to any existing site just redirects back to the user dashboard. Newly created sites work fine. Any advice?

EDIT: After relogging a couple of hours later, that newly created site is dead too. No error in logs.

kevinr
Star Contributor
Can I suggest you clear all session data from the browser etc. and any saved sessions in Tomcat. There is no difference between "existing" and "new" sites as far as authentication is concerned.

Anyone else given this fix a try?

Thanks,

Kev

ivan_plestina
Champ in-the-making
Cleared cookies, restarted browser, restarted Tomcat, cleaned Tomcat temp files... same thing in both FF and IE. Another user reported the same thing in JIRA.

kevinr
Star Contributor
Indeed they did - but this is really about fixing the NTLM issue, nothing else. The other issue is still being investigated. AFAIK this fixes the NTLM issue; I have still not seen the other issue myself yet nor investigated it.

Kevin

ivan_plestina
Champ in-the-making
I believe creating a site and then restarting Tomcat (or just the Share application) should trigger this bug.

dward
Champ on-the-rise
Thanks. Enabling SSO and restarting tomcat after creating a site was indeed a very good way of reproducing the issue reported in

http://forums.alfresco.com/en/viewtopic.php?f=47&t=20428&p=69304#p69304

We now have a solution to the problem. Please see the above thread. And can I point out that this regression was nothing to do with the refactoring of the authentication subsystems!

gotfredsen
Champ in-the-making
Yes, it works for me too. Thanks

I suggest you change the wiki from "uncomment this section" to "cut and paste this section".

Thanks again,
Bjarke