Authentication Chains

clynham
Champ in-the-making
Hi,

I'm trying to set up an authentication chain in Alfresco 3.2.

I successfully managed to get LDAP working using:

authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap 

and configuring the LDAP properties file. I now need to move this a step further by enabling CIFS authentication using Passthru. I've amended the chain to read:

authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap,passthru1:passthru

and configured the passthru properties file as follows:

passthru.authentication.useLocalServer=false
passthru.authentication.domain=DOMAINNAME
passthru.authentication.servers=NAMEOFDOMAINCONTROLLER
passthru.authentication.guestAccess=false
passthru.authentication.defaultAdministratorUserNames=administrator,admin
#Timeout value when opening a session to an authentication server, in milliseconds
passthru.authentication.connectTimeout=5000
#Offline server check interval in seconds
passthru.authentication.offlineCheckInterval=300
passthru.authentication.protocolOrder=NetBIOS,TCPIP
passthru.authentication.authenticateCIFS=true
passthru.authentication.authenticateFTP=false

However when calling up the Alfresco login page I get the following error:

net.sf.acegisecurity.AuthenticationServiceException: Failed to open passthru auth session 
at org.alfresco.repo.security.authentication.ntlm.NTLMAuthenticationComponentImpl.authenticatePassthru(NTLMAuthenticationComponentImpl.java:789)
at org.alfresco.repo.security.authentication.ntlm.NTLMAuthenticationComponentImpl.authenticate(NTLMAuthenticationComponentImpl.java:560)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:304)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:106)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy190.authenticate(Unknown Source)
at org.alfresco.repo.webdav.auth.BaseNTLMAuthenticationFilter.processType1(BaseNTLMAuthenticationFilter.java:423)
at org.alfresco.repo.webdav.auth.BaseNTLMAuthenticationFilter.doFilter(BaseNTLMAuthenticationFilter.java:332)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:109)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy194.doFilter(Unknown Source)
at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:88)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:619)

Can anyone help?

Many thanks!
23 REPLIES

nuttinjeff
Champ in-the-making
Hi,

I'm getting the same error. Can someone help?

Login works using Firefox (you need to type the domain login of course), but in Internet Explorer it throws this error.

Thanks.

dward
Champ on-the-rise
Try this

# Intentionally left blank (a '#' after the '=' would be read as part of the value, not as a comment)
passthru.authentication.domain=
passthru.authentication.servers=DOMAINNAME\\dns.name.of.domain.controller,dns.name.of.domain.controller

The domain, servers and useLocalServer properties are mutually exclusive so you should only set one of them. I'm afraid I find the domain property unreliable and have never got it to work. Perhaps we should remove it altogether.

The most reliable way is to list the domain server host names in the servers property. You should prefix each with their domain name so that CIFS knows which domain they map to. And at the end of the list, you should include one without a domain prefix that will be used when a client (such as Firefox) doesn't provide a domain name.

Hope this helps

nuttinjeff
Champ in-the-making
> Try this
>
> passthru.authentication.domain=# Intentionally left blank
> passthru.authentication.servers=DOMAINNAME\\dns.name.of.domain.controller,dns.name.of.domain.controller
>
> The domain, servers and useLocalServer properties are mutually exclusive so you should only set one of them. I'm afraid I find the domain property unreliable and have never got it to work. Perhaps we should remove it altogether.
>
> The most reliable way is to list the domain server host names in the servers property. You should prefix each with their domain name so that CIFS knows which domain they map to. And at the end of the list, you should include one without a domain prefix that will be used when a client (such as Firefox) doesn't provide a domain name.
>
> Hope this helps

Hi,

I already had my passthru.authentication.domain= blank, but I only had passthru.authentication.servers=dns.name.of.domain.controller.

Worked OK after I added passthru.authentication.servers=DOMAINNAME\\dns.name.of.domain.controller,dns.name.of.domain.controller

Thanks dward.

nuttinjeff
Champ in-the-making
Hi,

Other problem: I set up the passthru successfully, but it doesn't work with Windows Vista clients because of NTLMv2 (as the docs said). Error: "Client USER using NTLMv2 logon, not valid with passthru authentication".

That's OK, but I want a way to do "if the client gives the NTLMv2 error, then give the user the option to log in manually with the AD account".

I tried to do an LDAP sync + AlfrescoNTLM, but it seems that AlfrescoNTLM doesn't query the LDAP-synced users, only the local ones. I tried LDAP Auth, but then it asks for the user/pass always.

The "authentication.chain=passthru1:passthru,ldap1:ldap-ad" doesn't work either, because Alfresco doesn't jump to ldap after the passthru error.

Can someone help me to achieve a way to do this?

paulweb
Champ in-the-making

nuttinjeff
Champ in-the-making
> http://forums.alfresco.com/en/viewtopic.php?f=9&t=21248

Thanks, but Kerberos is out of the question here.

I already gave up on SSO in the browser; I just need an ldap-ad, passthru chain that works.

When I set ldap-ad alone, it works well, asking for the user/pass, but when I set the chain "authentication.chain=ldap1:ldap-ad, passthru1:passthru" it seems that ldap-ad is ignored, because in WinXP the login is automatic and in Vista the same NTLMv2 error happens.

I need this to work in Vista and need the passthru auth for CIFS.

Thanks.

paulweb
Champ in-the-making
> but kerberos is out of question here
Impossible it is possible

> "authentication.chain=ldap1:ldap-ad, passthru1:passthru" with NTLMv2

I looked at the code and wished to rewrite it so that the given chain worked with NTLMv2.
But having read the documentation I understood that it is not correct, and the more so since Kerberos was near at hand.

clynham
Champ in-the-making
> Try this
>
> passthru.authentication.domain=# Intentionally left blank
> passthru.authentication.servers=DOMAINNAME\\dns.name.of.domain.controller,dns.name.of.domain.controller

That sorted it for me! Thanks.

dward
Champ on-the-rise
nuttinjeff

NTLM v2 just can't be proxied like NTLM v1 as it is designed to prevent 'man-in-the-middle' attacks.

So your options are:

1. Enable NTLM v1 on the Vista machines
http://www.technologyquestions.com/technology/windows-vista/50823-force-ntlm-vista-home-premium.html
2. Use the alfrescoNtlm subsystem instead. This supports NTLM v2 but will require Alfresco to store its own copy of the user password. You can switch on NTLM v2 SSO with
authentication.chain=alfrescoNtlm1:alfrescoNtlm
ntlm.authentication.sso.enabled=true
3. Switch off SSO with the passthru subsystem
ntlm.authentication.sso.enabled=false
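As an added example for this thread (not Alfresco's code and not from any of the posters), the Python script below lints the passthru settings the thread keeps coming back to: dward's rule that domain, servers and useLocalServer are mutually exclusive, his DOMAIN\\host server list with an unprefixed fallback entry for clients that send no domain name, and his point that passthru SSO cannot proxy NTLMv2. It also flags the inline "=# Intentionally left blank" form, because java.util.Properties only treats '#' as a comment at the start of a line, so that value is not blank at all. The finding codes, the default-on assumption for ntlm.authentication.sso.enabled and the three sample property blocks are constructed here.

```python
"""Lint passthru settings in an alfresco-global.properties-style file.

Added example for this thread, not Alfresco's own code. It encodes the rules
dward gives: domain / servers / useLocalServer are mutually exclusive, servers
entries are DOMAIN\\host with one unprefixed fallback host, and passthru SSO
cannot proxy NTLMv2. Finding codes are names chosen here, not Alfresco's.
"""
from typing import Dict, List, Optional, Tuple


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: '#'/'!' comment out a line only as
    its first character; split at the first '=' or ':'; '\\\\' -> '\\'."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not seps:
            props[line] = ""
            continue
        idx = min(seps)
        props[line[:idx].strip()] = line[idx + 1:].strip().replace("\\\\", "\\")
    return props


def parse_chain(value: str) -> List[Tuple[str, str]]:
    """'alfrescoNtlm1:alfrescoNtlm,ldap1:ldap' -> [(id, type), ...]"""
    out = []
    for item in value.split(","):
        if item.strip():
            ident, _, kind = item.strip().partition(":")
            out.append((ident.strip(), kind.strip()))
    return out


def parse_servers(value: str) -> List[Tuple[Optional[str], str]]:
    """'DOM\\dc1,dc2' -> [('DOM', 'dc1'), (None, 'dc2')]"""
    out = []
    for item in value.split(","):
        if item.strip():
            domain, sep, host = item.strip().partition("\\")
            out.append((domain, host) if sep else (None, item.strip()))
    return out


def lint_passthru(text: str) -> List[Tuple[str, str]]:
    props = parse_properties(text)
    findings: List[Tuple[str, str]] = []
    # A '#' after '=' belongs to the value: 'domain=# left blank' sets a domain.
    for key, value in props.items():
        if "#" in value:
            findings.append(("INLINE_HASH", f"{key} is literally {value!r}; '#' only comments out a whole line"))
    chain = parse_chain(props.get("authentication.chain", ""))
    if any(not ident or not kind for ident, kind in chain):
        findings.append(("BAD_CHAIN", "authentication.chain entries must look like id:type"))
    if "passthru" not in [kind for _, kind in chain]:
        return findings  # the remaining rules only matter when passthru is in use
    domain = props.get("passthru.authentication.domain", "")
    servers = props.get("passthru.authentication.servers", "")
    local = props.get("passthru.authentication.useLocalServer", "false").lower() == "true"
    chosen = [n for n, on in (("domain", bool(domain)), ("servers", bool(servers)), ("useLocalServer", local)) if on]
    if len(chosen) != 1:
        findings.append(("MUTEX", f"set exactly one of domain/servers/useLocalServer, found {chosen or 'none'}"))
    if servers and all(dom is not None for dom, _ in parse_servers(servers)):
        findings.append(("NO_FALLBACK", "servers has no entry without a DOMAIN\\ prefix for clients that send no domain name"))
    # Assumption taken from option 3 in the thread: SSO is on unless disabled.
    if props.get("ntlm.authentication.sso.enabled", "true").lower() != "false":
        findings.append(("NTLMV2_SSO", "passthru SSO cannot proxy NTLMv2; NTLMv2-only clients fail unless SSO is off or alfrescoNtlm is used"))
    return findings


def finding_codes(text: str) -> List[str]:
    return [code for code, _ in lint_passthru(text)]


# Constructed sample configurations (raw strings keep the file's '\\' escape).
ORIGINAL = r"""
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap,passthru1:passthru
passthru.authentication.useLocalServer=false
passthru.authentication.domain=DOMAINNAME
passthru.authentication.servers=NAMEOFDOMAINCONTROLLER
ntlm.authentication.sso.enabled=true
"""
INLINE_COMMENT = r"""
authentication.chain=passthru1:passthru
passthru.authentication.domain=# Intentionally left blank
passthru.authentication.servers=DOMAINNAME\\dns.name.of.domain.controller,dns.name.of.domain.controller
"""
FIXED = r"""
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap,passthru1:passthru
# Intentionally left blank: only one of domain/servers/useLocalServer may be set
passthru.authentication.domain=
passthru.authentication.servers=DOMAINNAME\\dns.name.of.domain.controller,dns.name.of.domain.controller
ntlm.authentication.sso.enabled=false
"""

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("inline comment", INLINE_COMMENT), ("fixed", FIXED)):
        print(name, finding_codes(cfg))
```

Run against the opening post's settings it reports MUTEX (domain and servers both set) plus NTLMV2_SSO, which is the Vista failure described later in the thread; the "=# Intentionally left blank" variant additionally reports INLINE_HASH because the domain is not empty; the corrected block with the comment on its own line and SSO disabled reports nothing.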