
Alfresco Share and SSO

kizux
Champ in-the-making
Hi all,
I'm new on this forum: I'm a student who is studying Alfresco a little and trying some tests. Actually, I can't resolve a problem:

I've been trying to configure SSO for a whole day without success. I have already done the following steps:
- Configure Tomcat and Share on port 80
- Link AD to Share (using passthru)

Everything works fine. After this, I followed the wiki's guide:
http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#Alfresco_Share_SSO_using_NTLM
No success for this step.

Here you can find my properties files:

share-config-custom.xml
<alfresco-config>
  
   <!-- Repository Library config section -->
   <config evaluator="string-compare" condition="RepositoryLibrary" replace="true">
      <!--
         Whether the link to the Repository Library appears in the header component or not.
      -->
      <visible>true</visible>
   </config>

   <config evaluator="string-compare" condition="Remote">
      <remote>
         <endpoint>
            <id>alfresco-noauth</id>
            <name>Alfresco - unauthenticated access</name>
            <description>Access to Alfresco Repository WebScripts that do not require authentication</description>
            <connector-id>alfresco</connector-id>
            <endpoint-url>http://localhost:80/alfresco/s</endpoint-url>
            <identity>none</identity>
         </endpoint>
        
         <connector>
            <id>alfrescoCookie</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using cookie-based authentication</description>
            <class>org.springframework.extensions.webscripts.connector.AlfrescoConnector</class>
         </connector>

         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfrescoCookie</connector-id>
            <endpoint-url>http://localhost:80/alfresco/s</endpoint-url>
            <identity>user</identity>
         </endpoint>

         <endpoint>
            <id>alfresco-feed</id>
            <name>Alfresco Feed</name>
            <description>Alfresco Feed - supports basic HTTP authentication via the EndPointProxyServlet</description>
            <connector-id>http</connector-id>
            <endpoint-url>http://localhost:80/alfresco/s</endpoint-url>
            <basic-auth>true</basic-auth>
            <identity>user</identity>
         </endpoint>
        
      </remote>
   </config>

</alfresco-config>

passthru-authentication-context.properties
passthru.authentication.useLocalServer=false
passthru.authentication.domain=
passthru.authentication.servers=MYDOMAIN\\192.168.83.10,192.168.83.10
passthru.authentication.guestAccess=false
passthru.authentication.defaultAdministratorUserNames=myadmin
#Timeout value when opening a session to an authentication server, in milliseconds
passthru.authentication.connectTimeout=5000
#Offline server check interval in seconds
passthru.authentication.offlineCheckInterval=300
passthru.authentication.protocolOrder=NetBIOS,TCPIP
passthru.authentication.authenticateCIFS=true
passthru.authentication.authenticateFTP=true

passthru/ntlm-filter.properties
ntlm.authentication.sso.enabled=true
ntlm.authentication.mapUnknownUserToGuest=false
ntlm.authentication.browser.ticketLogons=true

and
authentication.chain=alfinst:alfrescoNtlm,passthru1:passthru

Some help would be welcome!
Thanks a lot
9 REPLIES 9

loftux
Star Contributor
What version of Alfresco are you on?
Have you enabled NTLMv1 on your AD server? Passthru only supports NTLMv1; normally this is not enabled on an AD server, only NTLMv2 is enabled. If so, you have to try Kerberos.

But the first step is to verify that http://server:8080/alfresco works with SSO. When you have that up and running, you can move on to getting Share SSO working.

kizux
Champ in-the-making
I'm using 3.4b.
http://domain/alfresco doesn't work with SSO:
When I open the URL, a login box pops up (like the box when we use .htaccess on Apache). I cancel this authentication and I'm able to see the Alfresco Explorer's login page.

It's the same with the Share login page  :evil:

loftux
Star Contributor
Then most likely your AD server doesn't accept NTLMv1, see
http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#Passthru (last sentence under introduction)

Alfresco itself can however authenticate NTLMv2, so what you can do to test SSO is to create a user with the same username and password as your Windows user. You should then be able to authenticate SSO with AlfrescoNtlm.

kizux
Champ in-the-making
Protocol NTLMv1 is activated now, but it still doesn't work (v2 and v1 are both activated, no problem?)

These are my current conf files:

tomcat\shared\classes\alfresco\web-extension\share-config-custom.xml
<alfresco-config>
  
   <!-- Repository Library config section -->
   <config evaluator="string-compare" condition="RepositoryLibrary" replace="true">
      <!--
         Whether the link to the Repository Library appears in the header component or not.
      -->
      <visible>true</visible>
   </config>

   <config evaluator="string-compare" condition="Remote">
      <remote>
         <endpoint>
            <id>alfresco-noauth</id>
            <name>Alfresco - unauthenticated access</name>
            <description>Access to Alfresco Repository WebScripts that do not require authentication</description>
            <connector-id>alfresco</connector-id>
            <endpoint-url>http://localhost:80/alfresco/s</endpoint-url>
            <identity>none</identity>
         </endpoint>

         <connector>
            <id>alfrescoCookie</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using cookie-based authentication</description>
            <class>org.springframework.extensions.webscripts.connector.AlfrescoConnector</class>
         </connector>

         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfrescoCookie</connector-id>
            <endpoint-url>http://localhost:80/alfresco/s</endpoint-url>
            <identity>user</identity>
         </endpoint>

         <endpoint>
            <id>alfresco-feed</id>
            <name>Alfresco Feed</name>
            <description>Alfresco Feed - supports basic HTTP authentication via the EndPointProxyServlet</description>
            <connector-id>http</connector-id>
            <endpoint-url>http://localhost:80/alfresco/s</endpoint-url>
            <basic-auth>true</basic-auth>
            <identity>user</identity>
         </endpoint>
      </remote>
   </config>

</alfresco-config>

tomcat\shared\classes\alfresco\extension\subsystems\Authentication\alfrescoNtlm\alfinst\alfresco-authentication.properties
alfresco.authentication.allowGuestLogin=false
alfresco.authentication.authenticateCIFS=false

tomcat\shared\classes\alfresco\extension\subsystems\Authentication\alfrescoNtlm\alfinst\ntlm-filter.properties
ntlm.authentication.sso.enabled=false
ntlm.authentication.mapUnknownUserToGuest=false
ntlm.authentication.browser.ticketLogons=true

tomcat\shared\classes\alfresco\extension\subsystems\Authentication\passthru\passthru1\ntlm-filter.properties
ntlm.authentication.sso.enabled=true
ntlm.authentication.mapUnknownUserToGuest=false
ntlm.authentication.browser.ticketLogons=true

tomcat\shared\classes\alfresco\extension\subsystems\Authentication\passthru\passthru1\passthru-authentication-context.properties
passthru.authentication.useLocalServer=false
passthru.authentication.domain=
passthru.authentication.servers=SERVEURDEDEV\\192.168.83.10,192.168.83.10
passthru.authentication.guestAccess=false
passthru.authentication.defaultAdministratorUserNames=Administrator
#Timeout value when opening a session to an authentication server, in milliseconds
passthru.authentication.connectTimeout=5000
#Offline server check interval in seconds
passthru.authentication.offlineCheckInterval=300
passthru.authentication.protocolOrder=NetBIOS,TCPIP
passthru.authentication.authenticateCIFS=true
passthru.authentication.authenticateFTP=true

tomcat\shared\classes\alfresco-global.properties
authentication.chain=alfinst:alfrescoNtlm,passthru1:passthru

Please help me  :cry:

loftux
Star Contributor
Turn on logging in tomcat/webapps/alfresco/WEB-INF/classes/log4j.properties; you will find default ones there that have to do with authentication and NTLM.
Restart, and post your errors. It is also easier to help if you tell us what is not working: is it CIFS, web, both or what?

kizux
Champ in-the-making
OK, after comparing the logs: when I try to go to localhost/alfresco, a pop-up asks me to log in; after logging in, the Tomcat log shows:
14:19:03,390  ERROR [app.servlet.NTLMAuthenticationFilter] Client PCP987-PC using NTLMv2 logon, not valid with passthru authentication

My network administrator has normally enabled NTLMv1. I think v2 and v1 are both running. Do I have to disable v2?

kizux
Champ in-the-making
News!

OK, now SSO on Alfresco Explorer works perfectly; it was NTLMv2 that was blocking. With only NTLMv1 there are no problems.
But on Share it still doesn't work: I'm able to see the login page, but when I try to log in with my AD login, Share doesn't accept it.

I need some help, please

loftux
Star Contributor
Double-check your Share config. The alfresco endpoint doesn't look correct; from the sample config:
   <config evaluator="string-compare" condition="Remote">
      <remote>
         <keystore>
             <path>alfresco/web-extension/alfresco-system.p12</path>
             <type>pkcs12</type>
             <password>alfresco-system</password>
         </keystore>
        
         <connector>
            <id>alfrescoCookie</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using cookie-based authentication</description>
            <class>org.springframework.extensions.webscripts.connector.AlfrescoConnector</class>
         </connector>
        
         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfrescoCookie</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
      </remote>
   </config>
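
As an added example (not part of the thread, and not Alfresco's own code), this Python script compares the `alfresco` endpoint from the configuration posted earlier in the thread with the one in the sample config above and lists the child elements that differ. The function names are hypothetical, and the two XML strings are trimmed copies of the thread's snippets.

```python
import xml.etree.ElementTree as ET

# Trimmed copy of the "alfresco" endpoint from the share-config-custom.xml posted in the thread.
POSTED = """<alfresco-config>
  <config evaluator="string-compare" condition="Remote">
    <remote>
      <endpoint>
        <id>alfresco</id>
        <connector-id>alfrescoCookie</connector-id>
        <endpoint-url>http://localhost:80/alfresco/s</endpoint-url>
        <identity>user</identity>
      </endpoint>
    </remote>
  </config>
</alfresco-config>"""

# Trimmed copy of the same endpoint from the sample config quoted in the reply.
SAMPLE = """<config evaluator="string-compare" condition="Remote">
  <remote>
    <endpoint>
      <id>alfresco</id>
      <connector-id>alfrescoCookie</connector-id>
      <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
      <identity>user</identity>
      <external-auth>true</external-auth>
    </endpoint>
  </remote>
</config>"""


def endpoint_settings(config_xml, endpoint_id="alfresco"):
    """Return {tag: text} for the endpoint with this <id> inside the Remote config."""
    root = ET.fromstring(config_xml)  # input is a local, admin-owned config file
    for cfg in root.iter("config"):   # iter() also yields the root if it is <config>
        if cfg.get("condition") != "Remote":
            continue
        for ep in cfg.iter("endpoint"):
            if ep.findtext("id") == endpoint_id:
                return {child.tag: (child.text or "").strip() for child in ep}
    return {}


def diff_endpoint(current_xml, reference_xml, endpoint_id="alfresco"):
    """Map each differing tag to (current value, reference value); None means absent."""
    cur = endpoint_settings(current_xml, endpoint_id)
    ref = endpoint_settings(reference_xml, endpoint_id)
    return {t: (cur.get(t), ref.get(t)) for t in sorted(set(cur) | set(ref)) if cur.get(t) != ref.get(t)}


if __name__ == "__main__":
    for tag, (mine, sample) in diff_endpoint(POSTED, SAMPLE).items():
        print(f"{tag}: posted={mine!r} sample={sample!r}")
```
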

kizux
Champ in-the-making
Now it's perfect!

Thx for your help Loftux, I'm a happy man all day now.