Basic SSO and NTLM help, please... Getting frustrated...

deaconboogie
Champ in-the-making
This is really wearing me down…  :shock:

I'm using 3.2 and have read http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems pretty heavily, and I still can't seem to get this to work correctly.

All I want to do is the following:

1. User visits an Alfresco page and based on the logged in domain user, logs in as that user.
2. If the browser presents no NTLM, it prompts and the user can enter (DOMAIN\user or user@domain).

I need to use passthru because I don't want to worry about password sync-up.

Here are the only file modifications I've made to alfresco-global.properties:

authentication.chain=alfrescoNtlm1:alfrescoNtlm,passthru1:passthru

ntlm.authentication.sso.enabled=true
ntlm.authentication.mapUnknownUserToGuest=false
passthru.authentication.domain=MYDOMAIN
passthru.authentication.servers=MYDOMAIN\\dc.mydomain.local
passthru.authentication.authenticateCIFS=true
passthru.authentication.authenticateFTP=true
passthru.authentication.guestAccess=true
passthru.authentication.defaultAdministratorUserNames=administrator

Right now, it prompts me for credentials, but it won't accept anything I put in other than the local default admin/admin Alfresco user credentials.

Can anyone share some straightforward, non-confusing examples or help me untangle the above configuration?

Thanks!

dward
Champ on-the-rise
Try this

passthru.authentication.domain=
passthru.authentication.servers=MYDOMAIN\\dc.mydomain.local,dc.mydomain.local

Don't use the useLocalServer, domain or servers properties at the same time. They are mutually exclusive. If you set domain, it will try to work out your domain server from the domain name. It's most reliable to list the servers explicitly as above. Include a server without a domain mapping as a 'fallback' when no domain is specified in the authentication request.

deaconboogie
Champ in-the-making
Try this

Trying… Alfresco sure takes a long time to start. Close to five minutes. It makes testing changes that much more painful… :(

What kind of hoops am I going to go through to get Share working with this? I read in another thread that NTLM is broken with 3.2?

dward
Champ on-the-rise
Well in the upcoming enterprise version you can edit these settings using Jconsole without restarting the entire system but I guess that's no consolation.

We expect to have a fix for Share NTLM very soon.

deaconboogie
Champ in-the-making
Try this

No dice. Same problem as before.

BTW: I am sure that NTLM is enabled and the URL is in my intranet site list.

How can I enable some form of debugging for the authentication so I can see what possible issue it is having?

dward
Champ on-the-rise
Same problem as before what?

dward
Champ on-the-rise
Oh I see. Please forgive me. I re-read the original post. Have an idea…

dward
Champ on-the-rise
In the authentication subsystems wiki, it explains that SSO and CIFS authentication cannot be chained. You have two SSO-capable subsystems in your chain

authentication.chain=alfrescoNtlm1:alfrescoNtlm,passthru1:passthru

therefore the first enabled one in the chain (alfrescoNtlm1) will do the SSO authentication.

Probably best to take alfresco out the chain

authentication.chain=passthru1:passthru

Or if you really do want Alfresco internal users to be able to log in as well as domain users, you are going to have to switch off sso.enabled on both subsystems.

This is a limitation imposed on us by the NTLM negotiation mechanism.
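An added lint script (my own example, not Alfresco's code) that checks an alfresco-global.properties file for the two pitfalls dward describes in this thread: more than one SSO-capable subsystem in the chain while SSO is on, and the passthru server-selection properties set together. It assumes that ntlm.authentication.sso.enabled governs both subsystem types and that useLocalServer, domain and servers are the three mutually exclusive properties.

```python
"""Lint an alfresco-global.properties authentication setup for the pitfalls in
this thread. Example code, not part of Alfresco."""

# Properties dward calls mutually exclusive; at most one should be in effect.
PASSTHRU_SERVER_KEYS = ("passthru.authentication.useLocalServer",
                        "passthru.authentication.domain",
                        "passthru.authentication.servers")
SSO_CAPABLE = {"alfrescoNtlm", "passthru"}    # subsystem types that negotiate NTLM
SSO_FLAG = "ntlm.authentication.sso.enabled"  # assumed to apply to both types

def parse_properties(text):
    """Minimal Java .properties reader: key=value, '#'/'!' comments, blank lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def parse_chain(chain):
    """'name:type,name:type' -> [(name, type), ...]."""
    return [tuple(p.strip().split(":", 1)) for p in chain.split(",") if p.strip()]

def lint(props):
    """Return human-readable findings; an empty list means no known pitfall."""
    findings = []
    chain = parse_chain(props.get("authentication.chain", ""))
    sso_on = props.get(SSO_FLAG, "false").lower() == "true"
    sso_members = [name for name, typ in chain if typ in SSO_CAPABLE]
    if sso_on and len(sso_members) > 1:
        findings.append(
            f"SSO enabled with {len(sso_members)} SSO-capable subsystems; only "
            f"'{sso_members[0]}' will negotiate NTLM, later ones are never consulted")
    # useLocalServer is a boolean, so an explicit 'false' counts as not set.
    in_effect = [k for k in PASSTHRU_SERVER_KEYS
                 if props.get(k, "").lower() not in ("", "false")]
    if len(in_effect) > 1:
        findings.append("mutually exclusive passthru properties set together: "
                        + ", ".join(in_effect))
    return findings

# Constructed sample: the original poster's configuration from this thread.
ORIGINAL = r"""
authentication.chain=alfrescoNtlm1:alfrescoNtlm,passthru1:passthru
ntlm.authentication.sso.enabled=true
passthru.authentication.domain=MYDOMAIN
passthru.authentication.servers=MYDOMAIN\\dc.mydomain.local
"""

if __name__ == "__main__":
    for finding in lint(parse_properties(ORIGINAL)):
        print("finding:", finding)
```

Run against the original post's configuration it reports both problems; with alfrescoNtlm1 removed from the chain and domain left empty, as dward suggests, it reports none.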

deaconboogie
Champ in-the-making
In the authentication subsystems wiki, it explains that SSO and CIFS authentication cannot be chained. You have two SSO-capable subsystems in your chain

authentication.chain=alfrescoNtlm1:alfrescoNtlm,passthru1:passthru

Okay, that makes sense… I was going off of the example that seemed to describe what I want at first glance. I probably misread it in the panic.

The fact that it's called "alfrescoNtlm" when it may or may not have anything to do with NTLM may have thrown me off… I mean, if it says NTLM and it has to do with the local Alfresco user database, in the context of creating local users with matching password hashes, it seems confusing. And even my just-stated understanding may be grossly inaccurate. :)

The chain modification above seems to work. However… I found another somewhat disturbing issue:

It looks like all three variations of the login/credentials work (user@domain, domain\user, user)

Notice my passthru.authentication.defaultAdministratorUserNames contains just "administrator". When I log in as administrator@domain or domain\administrator, I do not receive the administrative icon in the toolbar. When I log in as just "administrator", I do get the admin icon.

Won't this cause issues if the user is not using NTLM and has to type their credentials?

_sax
Champ in-the-making
I'm trying to understand SSO systems correctly.
I try to use ldap sync and therefore use ldap-ad as the second part of my authentication chain. To log the synced users in, I use passthru with SSO and CIFS enabled. This is working well. But I would still like to be able to use the internal guest account for webscripts or whatever may come.
So my requirements are: syncing from ldap-ad, SSO through the browser, CIFS and having a guest account.
If I add alfrescoNtlm to the authentication chain I'm either able to log in by SSO as 'me', but have no guest account (the log says '[org.alfresco.web.app.servlet.NTLMAuthenticationFilter] Authentication failed, 06150006 Account disabled' when trying to manually sign on as guest), or I have a usable guest account, which auto-signs me on regardless of my real username.
Is this an NTLM limitation, or did I do something wrong? I tested almost every combination in the authentication chain and of the true/false options that come with the subsystems.

Thanks a lot for the clarifying statements in this forum!