
Alfresco user/pw must match AD user/pw for Map Network Drive

meansartin14
Champ in-the-making
My end-users are using Windows XP Professional PCs and the Alfresco Community Labs 3c application is hosted on a RHEL 5.2 server. Each of the end-user Windows XP PCs is tied to Microsoft's Active Directory for user authentication during login.

Alfresco is not tied to our Active Directory setup in any way (that I am aware of). Yet, when I attempt to use the 'Map Network Drive…' function from any of the Windows XP Professional PCs, the only way this action will succeed is if the Alfresco username/password exactly matches the user's Active Directory username/password.

I don't even know where to begin diagnosing this issue. I have no idea why the Alfresco username/password would need to be identical to the Active Directory username/password. No attempt has been made to do any sort of synchronized user authentication between the two areas (Active Directory and Alfresco).

Does anyone have ANY idea why this would be? I would greatly appreciate any helpful advice or suggestions you may have. Thanks in advance!!
28 REPLIES

meansartin14
Champ in-the-making
Anyone ever experienced this before?

loftux
Star Contributor
Most likely it is not a requirement; what you are authenticating against is the username and password stored in Alfresco.
Have a look at these pages (and look at the categories at the bottom of each page; they will take you further)
http://wiki.alfresco.com/wiki/Security_and_Authentication
http://wiki.alfresco.com/wiki/Enterprise_Security_and_Authentication_Configuration
http://wiki.alfresco.com/wiki/CIFS_Server_Authentication

It may seem complex to understand, but so is every enterprise authentication out there; you can do this in so many ways.

meansartin14
Champ in-the-making
> Most likely it is not a requirement; what you are authenticating against is the username and password stored in Alfresco.
> Have a look at these pages (and look at the categories at the bottom of each page; they will take you further)
> http://wiki.alfresco.com/wiki/Security_and_Authentication
> http://wiki.alfresco.com/wiki/Enterprise_Security_and_Authentication_Configuration
> http://wiki.alfresco.com/wiki/CIFS_Server_Authentication
>
> It may seem complex to understand, but so is every enterprise authentication out there; you can do this in so many ways.

I agree that I *SHOULD* only need to enter the Alfresco username/password when attempting to Map Network Drive… to the Alfresco CIFS server. However, I have tried numerous times with a username/password different from my ActiveDirectory username/password without success.

The *ONLY* time I am able to successfully complete the Map Network Drive… function to the Alfresco CIFS server is when my Alfresco username/password matches my ActiveDirectory username/password (used to login to my PC) exactly.

I'm still very confused as to what the problem might be. It does not seem logical to me that the Alfresco username/password would have to be identical to the ActiveDirectory username/password, yet that is the case.

I would greatly appreciate any help. I am at a total loss.

meansartin14
Champ in-the-making
Is there any configuration I should check? I haven't attempted to configure Alfresco to use any sort of external authentication. Yet, for some reason, our Windows XP PCs (which use ActiveDirectory for user authentication) will not allow us to successfully complete the Map Network Drive… function unless the Alfresco username/password is IDENTICAL to the ActiveDirectory username/password.

Again, I am at a complete loss. I have taken no steps to force Alfresco to do this.

loftux
Star Contributor
The links posted are links to the security and authentication configuration setup howto and files. In the case of CIFS, it is file-servers-custom.xml you should look at. Also have a look at ntlm-authentication-context.xml if that is in use.
More links for you
http://wiki.alfresco.com/wiki/3.0_Configuring_NTLM

Now have a look at these links, make any modifications you find suitable, tell us what you did (and why you changed it so and what you expected it to do), and include any config changes in your post. Turn on logging in log4j.properties: in that file search for cifs; there are 3 entries there, and 2 need to be uncommented and set to debug. Restart Alfresco and post your log file.

Peter Löfgren

meansartin14
Champ in-the-making
> Turn on logging in log4j.properties: in that file search for cifs; there are 3 entries there, and 2 need to be uncommented and set to debug. Restart Alfresco and post your log file.

The following is alfresco.log output upon startup of the Alfresco application:
INFO  [org.alfresco.config.xml.XMLConfigService$PropertyConfigurer] Loading properties file from class path resource [alfresco/file-servers.properties]
DEBUG [org.alfresco.smb.protocol.auth] preRegister called. Server=com.sun.jmx.mbeanserver.JmxMBeanServer@5a6b54ef, name=log4j:logger=org.alfresco.smb.protocol.auth
INFO  [org.alfresco.repo.domain.schema.SchemaBootstrap] Schema managed by database dialect org.hibernate.dialect.MySQLInnoDBDialect.
INFO  [org.alfresco.repo.domain.schema.SchemaBootstrap] No changes were made to the schema.
INFO  [org.alfresco.repo.admin.ConfigurationChecker] The Alfresco root data directory ('dir.root') is: /opt/alfresco/alf_data
INFO  [org.alfresco.repo.admin.patch.PatchExecuter] Checking for patches to apply …
INFO  [org.alfresco.repo.admin.patch.PatchExecuter] No patches were required.
INFO  [org.alfresco.repo.module.ModuleServiceImpl] Found 0 module(s).
INFO  [org.alfresco.service.descriptor.DescriptorService] Alfresco JVM - v1.6.0_11-b03; maximum heap size 910.250MB
INFO  [org.alfresco.service.descriptor.DescriptorService] Alfresco started (Labs): Current version 3.0.0 (c 1342) schema 1000 - Installed version 3.0.0 (c 1342) schema 1000
WARN  [org.alfresco.linkvalidation.LinkValidationServiceImpl] LinkValidationService Update is not running (virtualization server not registered or started)
INFO  [org.alfresco.web.scripts.DeclarativeRegistry] Registered 21 Web Scripts (+0 failed), 23 URLs
INFO  [org.alfresco.web.scripts.AbstractRuntimeContainer] Initialised Presentation Web Script Container (in 64.423ms)
INFO  [org.alfresco.web.scripts.DeclarativeRegistry] Registered 134 Web Scripts (+0 failed), 136 URLs
INFO  [org.alfresco.web.scripts.AbstractRuntimeContainer] Initialised WebFramework Web Script Container (in 201.72899ms)
INFO  [org.alfresco.web.site.FrameworkHelper] Successfully Initialized Web Framework
INFO  [org.alfresco.web.site.FrameworkHelper] Successfully Initialized Web Framework

The following is alfresco.log output when attempting to Map Network Drive… to \\<server>\alfresco:
(NOTE: The names have been changed to protect the innocent.)
DEBUG [org.alfresco.smb.protocol.auth] NT Session setup NTLMSSP, MID=8, UID=0, PID=65279
DEBUG [org.alfresco.smb.protocol.auth] Kerberos AP-REQ - [AP-REQ:APOptions=MutualAuth ,Ticket=Len=985,Authenticator=EncType=23,Kvno=-1,Len=180]
DEBUG [org.alfresco.smb.protocol.auth] Kerberos mutual auth required, parsing AP-REQ
ERROR [org.alfresco.smb.protocol.auth] Kerberos logon error
ERROR [org.alfresco.smb.protocol.auth] java.lang.NullPointerException
DEBUG [org.alfresco.smb.protocol.auth] NT Session setup NTLMSSP, MID=16, UID=0, PID=65279
DEBUG [org.alfresco.smb.protocol.auth] Kerberos AP-REQ - [AP-REQ:APOptions=MutualAuth ,Ticket=Len=1020,Authenticator=EncType=23,Kvno=-1,Len=175]
DEBUG [org.alfresco.smb.protocol.auth] Kerberos mutual auth required, parsing AP-REQ
ERROR [org.alfresco.smb.protocol.auth] Kerberos logon error
ERROR [org.alfresco.smb.protocol.auth] java.lang.NullPointerException
DEBUG [org.alfresco.smb.protocol.auth] NT Session setup NTLMSSP, MID=8, UID=0, PID=65279
DEBUG [org.alfresco.smb.protocol.auth] Kerberos AP-REQ - [AP-REQ:APOptions=MutualAuth ,Ticket=Len=985,Authenticator=EncType=23,Kvno=-1,Len=180]
DEBUG [org.alfresco.smb.protocol.auth] Kerberos mutual auth required, parsing AP-REQ
ERROR [org.alfresco.smb.protocol.auth] Kerberos logon error
ERROR [org.alfresco.smb.protocol.auth] java.lang.NullPointerException
DEBUG [org.alfresco.smb.protocol.auth] NT Session setup NTLMSSP, MID=16, UID=0, PID=65279
DEBUG [org.alfresco.smb.protocol.auth] User  logged on  (type Normal)
DEBUG [org.alfresco.smb.protocol.auth] NT Session setup NTLMSSP, MID=24, UID=0, PID=65279
DEBUG [org.alfresco.smb.protocol.auth] Logged on using NTLMSSP/NTLMv2
DEBUG [org.alfresco.smb.protocol.auth] User <username> logged on  (type Normal)
DEBUG [org.alfresco.smb.protocol.auth] Allocated UID=0 for VC=[0:0,[<username>:null,Windows XP 3790 Service Pack 2,,<ip address>],Tree=0,Searches=0]

I'm really at a loss because I was able to Map Network Drive… to the Alfresco CIFS server successfully before I took leave for the holidays. Now, I cannot.

It is worth noting that I have created my Alfresco user to have the same username and password that I use to login to my PC.

meansartin14
Champ in-the-making
I could really use some assistance on this one.

Aside from the "null" where I believe the password should be, nothing really stands out to me.

loftux
Star Contributor
From what I can see it tries to log on using Kerberos first, then it logs on using NTLMv2.
What is it that you want to use, and what files have you (or someone else at your place) changed?
It might be that some files in tomcat/shared/classes/alfresco/extension have been changed from having the sample extension to .xml (and thus are read as part of the config), but no further changes to them have been made.
Try sorting them on "changed date" to see what files have been updated from the default config, then post your config.
I would start with file-servers-custom.xml, ntlm-authentication-context.xml(.sample), chaining-authentication-context.xml(.sample), jaas-authentication-context.xml(.sample)
".sample" in the above means that is their default extension; if the extension is .xml only, they are read as part of the config for Alfresco.
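
The Kerberos-then-NTLMv2 sequence read out of the log above can be extracted mechanically. The following is an added example, not part of the original thread and not Alfresco code: a Python sketch that groups `org.alfresco.smb.protocol.auth` lines under the session setup request they follow. The sample lines are copied from the posted excerpt, and the function names are hypothetical.

```python
import re

# Constructed sample: lines taken from the alfresco.log excerpt posted in this thread.
SAMPLE_LOG = """\
DEBUG [org.alfresco.smb.protocol.auth] NT Session setup NTLMSSP, MID=8, UID=0, PID=65279
DEBUG [org.alfresco.smb.protocol.auth] Kerberos AP-REQ - [AP-REQ:APOptions=MutualAuth ,Ticket=Len=985,Authenticator=EncType=23,Kvno=-1,Len=180]
DEBUG [org.alfresco.smb.protocol.auth] Kerberos mutual auth required, parsing AP-REQ
ERROR [org.alfresco.smb.protocol.auth] Kerberos logon error
ERROR [org.alfresco.smb.protocol.auth] java.lang.NullPointerException
DEBUG [org.alfresco.smb.protocol.auth] NT Session setup NTLMSSP, MID=16, UID=0, PID=65279
DEBUG [org.alfresco.smb.protocol.auth] User  logged on  (type Normal)
DEBUG [org.alfresco.smb.protocol.auth] NT Session setup NTLMSSP, MID=24, UID=0, PID=65279
DEBUG [org.alfresco.smb.protocol.auth] Logged on using NTLMSSP/NTLMv2
DEBUG [org.alfresco.smb.protocol.auth] User <username> logged on  (type Normal)
"""

LINE = re.compile(r"(\w+)\s+\[org\.alfresco\.smb\.protocol\.auth\] (.*)")
SETUP = re.compile(r"NT Session setup \w+, MID=(\d+), UID=\d+, PID=(\d+)")
MECH = re.compile(r"Logged on using (\S+)")
USER = re.compile(r"User (.*?) logged on +\(type (\w+)\)")

def parse_session_setups(text):
    """Group auth-logger lines under the 'NT Session setup' request they follow."""
    setups = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                      # not from the CIFS auth logger
        level, msg = m.groups()
        s = SETUP.match(msg)
        if s:
            setups.append({"mid": int(s.group(1)), "pid": int(s.group(2)),
                           "mechanism": None, "errors": [], "user": None})
        elif setups:
            cur = setups[-1]
            if msg.startswith("Kerberos AP-REQ"):
                cur["mechanism"] = "Kerberos"
            elif MECH.match(msg):
                cur["mechanism"] = MECH.match(msg).group(1)
            elif level == "ERROR":
                cur["errors"].append(msg)
            elif USER.match(msg):
                cur["user"] = USER.match(msg).group(1)
    return setups

def summarise(setups):
    """Report failed Kerberos attempts, NTLM fallback and who actually logged on."""
    krb_failed = [s for s in setups if s["mechanism"] == "Kerberos" and s["errors"]]
    named = [s for s in setups if s["user"] and not s["errors"]]
    return {"kerberos_failures": len(krb_failed),
            "fell_back_to_ntlm": bool(krb_failed) and any(
                (s["mechanism"] or "").startswith("NTLMSSP") for s in named),
            "authenticated_as": [s["user"] for s in named],
            "blank_user_logons": sum(1 for s in setups if s["user"] == "")}

if __name__ == "__main__":
    print(summarise(parse_session_setups(SAMPLE_LOG)))
```

Setups that log `User  logged on` with a blank name are counted separately so they are not mistaken for the authenticated account.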

meansartin14
Champ in-the-making
> From what I can see it tries to log on using Kerberos first, then it logs on using NTLMv2.
> What is it that you want to use, and what files have you (or someone else at your place) changed?
> It might be that some files in tomcat/shared/classes/alfresco/extension have been changed from having the sample extension to .xml (and thus are read as part of the config), but no further changes to them have been made.
> Try sorting them on "changed date" to see what files have been updated from the default config, then post your config.
> I would start with file-servers-custom.xml, ntlm-authentication-context.xml(.sample), chaining-authentication-context.xml(.sample), jaas-authentication-context.xml(.sample)
> ".sample" in the above means that is their default extension; if the extension is .xml only, they are read as part of the config for Alfresco.

Well, originally, I just wanted to use Alfresco's standard authentication (itself). That worked, then, all of a sudden, stopped working with seemingly no action on my part. Now that I have external authentication (to a remote Active Directory server) working for the Web Interface, I would like it to function for CIFS as well. I followed the procedure in http://wiki.alfresco.com/wiki/Configuring_the_CIFS_and_web_servers_for_Kerberos/AD_integration exactly and the Web Interface is now authenticating to the AD server (see this thread: http://forums.alfresco.com/en/viewtopic.php?f=9&t=15967). However, the CIFS server appears to have the same issue as first mentioned in this post when I WASN'T using external authentication.

None of the files you mention (or any seemingly-related files in those areas) have been modified in any way that would seem to affect authentication. I'm starting to think this is an issue with Windows, rather than Alfresco. Any way I can confirm this?