Default authentication not working

nancyaggarwal
Champ in-the-making
Hi,

I am trying external authentication in Alfresco Community 5.0.1. For that I set authentication.chain=external1:external,alfrescoNtlm1:alfrescoNtlm, and with this my default Alfresco-based authentication also doesn't work.

I added the properties below to alfresco-global.properties:
1. authentication.chain=external1:external,alfrescoNtlm1:alfrescoNtlm
2. external.authentication.enable=true

And added an external-authentication.properties file in the /Authentication/External folder with the property below:
1. external.authentication.defaultAdministratorUserNames=admin

And also added external-filter.properties in the same location with the properties below:
1. external.authentication.proxyUserName=
2. external.authentication.proxyHeader=X-Alfresco-Remote-User
3. external.authentication.userIdPattern=

I also uncommented the remote section in the share-config-custom.xml file and replaced alfrescoCookie with alfrescoHeader in the endpoint:

<config evaluator="string-compare" condition="Remote">
      <remote>
         <keystore>
             <path>alfresco/web-extension/alfresco-system.p12</path>
             <type>pkcs12</type>
             <password>alfresco-system</password>
         </keystore>
        
         <connector>
            <id>alfrescoCookie</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using cookie-based authentication</description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
         </connector>
        
         <connector>
            <id>alfrescoHeader</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
            <userHeader>X-Alfresco-Remote-User</userHeader>
         </connector>

         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfrescoHeader</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
      </remote>
   </config>


and then restarted the Alfresco server.

When I hit localhost:8080/share/page it redirects to http://localhost:8080/share/page?pt=login, and after entering admin and admin as username and password it remains on the same page, i.e. the login screen appears.
In the log file it shows that authenticating admin with alfrescoNtlm succeeded.

So please, can anyone here help me with what I am doing wrong in this? Why is my default authentication not working?


Thanks
Nancy
6 REPLIES

nancyaggarwal
Champ in-the-making
can anyone help me with this?

I have the exact same issue, I am using:
in share-config-custom.xml

         <connector>
            <id>alfrescoHeader</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
            <userHeader>SsoUserHeader</userHeader>
         </connector>

         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfrescoHeader</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>

and in alfresco-global.properties

authentication.chain=MySSO:external,ldap1:ldap,alfrescoNtlm1:alfrescoNtlm
ldap.authentication.active=true
ldap.synchronization.active=true

external.authentication.enabled=true
external.authentication.proxyUserName=
external.authentication.proxyHeader=SsoUserHeader

But I get the same result: the login share page renders, I try to log in with either admin or an LDAP id, and it just returns back to the login page. There is no error recorded in catalina.out referencing a problem.

I would like to be able to use the SsoUserHeader for SSO situations from custom applications getting into the Alfresco share without having to authenticate, but not at the expense of not being able to authenticate from the normal alfresco share login page.

** Note, we just recently upgraded to 5.0.d from 4.2.f, and this was working in 4.2.f. But I have not been able to figure out why this isn't working in 5.0.d. Any help or ideas would be appreciated. Thanks.

Try to use <userHeader>X-Alfresco-Remote-User</userHeader> in the connector with id "alfrescoHeader"

and add the lines below to alfresco-global.properties

authentication.chain=external1:external,alfrescoNtlm1:alfrescoNtlm
ntlm.authentication.sso.enabled=false
external.authentication.proxyUserName=
external.authentication.enabled=true
external.authentication.defaultAdministratorUserNames=admin
external.authentication.proxyHeader=X-Alfresco-Remote-User




Regards
Nancy

Hi Nancy, I was really hoping you might reply to this posting.  So did this work for you?  A different proxyHeader name?   Were you able to use both SSO to the share, and still have the share login page work with a userid / password?
My understanding was that X-Alfresco-Remote-User was the default header name if you didn't supply one here.   We have been using 'SsoUserHeader' since our 4.2.f installation 2 years ago.   That always worked in 4.2.f, but since upgrading to 5.0.d, that no longer seems to work.
But regardless, I will give this a try.
Thanks so much for responding.
Steve

siwilson
Champ in-the-making
Hey Nancy, we incorporated your suggestions that we didn't have in our config yet:
external.authentication.defaultAdministratorUserNames=admin
external.authentication.proxyHeader=X-Alfresco-Remote-User   - using that in share-config-custom too.
The result was the same as before:

We are able to SSO to the share with this configuration, but it does break the regular userID / Password authentication on the /share/page login form to the share.

We were just trying to think of anything that could have changed from 4.2.f to 5.0.d, as the standard config to allow share SSO worked in 4.2.f.

Did you ever solve your problem?  And if you did, what change did you have to make after you posted here originally?

Thanks again,
Steve.


This is what we currently have in alfresco-global.properties:

authentication.chain=MySSO:external,ldap1:ldap,alfrescoNtlm1:alfrescoNtlm
ldap.authentication.active=true
ldap.synchronization.active=true
ldap.authentication.userNameFormat=CN\=%s,OU\=xxxx,O\=xxxx
ldap.authentication.java.naming.provider.url=ldap://xxxx.com:389
ldap.synchronization.java.naming.security.principal=CN\=xxxx,OU\=xxxx,OU\=AD,O\=xxxx
ldap.synchronization.java.naming.security.credentials=xxxx
ldap.synchronization.groupQuery=CN\=GRP*
ldap.synchronization.groupSearchBase=ou\=xxxx,O\=xxxx
ldap.synchronization.personQuery=CN\=*
ldap.synchronization.userSearchBase=ou\=xxxx,O\=xxxx
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userIdAttributeName=name
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=name

ntlm.authentication.sso.enabled=false
external.authentication.proxyUserName=
external.authentication.enabled=true
external.authentication.defaultAdministratorUserNames=admin
external.authentication.proxyHeader=X-Alfresco-Remote-User

and in share-config-custom.xml

   <config evaluator="string-compare" condition="Remote">
      <remote>
         <endpoint>
            <id>alfresco-noauth</id>
            <name>Alfresco - unauthenticated access</name>
            <description>Access to Alfresco Repository WebScripts that do not require authentication</description>
            <connector-id>alfresco</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
            <identity>none</identity>
         </endpoint>

         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfresco</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
            <identity>user</identity>
         </endpoint>

         <endpoint>
            <id>alfresco-feed</id>
            <name>Alfresco Feed</name>
            <description>Alfresco Feed - supports basic HTTP authentication via the EndPointProxyServlet</description>
            <connector-id>http</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
            <basic-auth>true</basic-auth>
            <identity>user</identity>
         </endpoint>
        
         <endpoint>
            <id>alfresco-api</id>
            <parent-id>alfresco</parent-id>
            <name>Alfresco Public API - user access</name>
            <description>Access to Alfresco Repository Public API that require user authentication.
                         This makes use of the authentication that is provided by parent 'alfresco' endpoint.</description>
            <connector-id>alfresco</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/api</endpoint-url>
            <identity>user</identity>
         </endpoint>
      </remote>
   </config>


   <!--
        Overriding endpoints to reference an Alfresco server with external SSO enabled
        NOTE: If utilising a load balancer between web-tier and repository cluster, the "sticky
              sessions" feature of your load balancer must be used.
        NOTE: If alfresco server location is not localhost:8080 then also combine changes from the
              "example port config" section below.
        *Optional* keystore contains SSL client certificate + trusted CAs.
        Used to authenticate share to an external SSO system such as CAS
        Remove the keystore section if not required i.e. for NTLM.

        NOTE: For Kerberos SSO rename the "KerberosDisabled" condition above to "Kerberos"

        NOTE: For external SSO, switch the endpoint connector to "alfrescoHeader" and set
              the userHeader value to the name of the HTTP header that the external SSO
              uses to provide the authenticated user name.
        NOTE: For external SSO, Share now supports the "userIdPattern" mechanism as is available
              on the repository config for External Authentication sub-system. Add the following
              element to your "alfrescoHeader" connector config:
              <userIdPattern>^ignore-(\w+)-ignore</userIdPattern>
              This is an example, ensure the Id pattern matches your repository config.
        NOTE: For external SSO, Share now supports stateless (no Http Session or sticky session)
              connection to the repository when using the alfrescoHeader remote user connector.
              e.g. You can change endpoint config to use the faster /service URL instead of the
              /wcs URL if you are using External Authentication and then remove sticky session config
              from your proxy between Share and Alfresco. Note that this is also faster because Share
              will no longer call the /touch REST API before every remote call to the repository.
   -->

   <config evaluator="string-compare" condition="Remote">
      <remote>
      <!--
         <keystore>
             <path>alfresco/web-extension/alfresco-system.p12</path>
             <type>pkcs12</type>
             <password>alfresco-system</password>
         </keystore>
      -->

         <connector>
            <id>alfrescoCookie</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using cookie-based authentication</description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
         </connector>
        
         <connector>
            <id>alfrescoHeader</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
            <userHeader>X-Alfresco-Remote-User</userHeader>
         </connector>   

         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfrescoHeader</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>       

      </remote>
   </config>



douglascrp
World-Class Innovator
There is a bug on 5.0.s with SSO.
This project has the fix for which I think is related https://github.com/wrighting/alfresco-cas
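
Added example (not part of any post in this thread, and not Alfresco code): a small cross-check of the two files discussed above, comparing the repository's external.authentication.* keys and proxyHeader with the userHeader on the connector that Share's "alfresco" endpoint uses. The names check, THREAD_KEYS and the sample input are hypothetical; it assumes that when the "alfresco" endpoint is defined twice, the last definition wins.

```python
import xml.etree.ElementTree as ET

# Key names as spelled in the replies and the sample-config comment in this
# thread; not a complete Alfresco list.
THREAD_KEYS = {"enabled", "proxyUserName", "proxyHeader",
               "defaultAdministratorUserNames", "userIdPattern"}
PREFIX = "external.authentication."
DEFAULT_HEADER = "X-Alfresco-Remote-User"  # default header name, per the thread

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    pairs = (ln.split("=", 1) for ln in text.splitlines()
             if "=" in ln and not ln.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def check(props_text, share_xml):
    """Return mismatches between repository properties and Share config."""
    props, findings = parse_properties(props_text), []
    for key in props:
        if key.startswith(PREFIX) and key[len(PREFIX):] not in THREAD_KEYS:
            findings.append(f"unrecognised key: {key}")
    chain = props.get("authentication.chain", "")
    if "external" not in [e.split(":")[-1].strip() for e in chain.split(",")]:
        findings.append("authentication.chain has no external subsystem")
    root = ET.fromstring(share_xml)
    connectors = {c.findtext("id"): c for c in root.iter("connector")}
    # Assumption: when the 'alfresco' endpoint is defined twice, the last wins.
    endpoints = [e for e in root.iter("endpoint") if e.findtext("id") == "alfresco"]
    conn = connectors.get(endpoints[-1].findtext("connector-id")) if endpoints else None
    header = conn.findtext("userHeader") if conn is not None else None
    expected = props.get(PREFIX + "proxyHeader") or DEFAULT_HEADER
    if header is None:
        findings.append("'alfresco' endpoint has no connector with a userHeader")
    elif header != expected:
        findings.append(f"Share userHeader {header!r} != repository header {expected!r}")
    return findings

# Constructed sample input, modelled on the snippets quoted in the thread.
SAMPLE_PROPS = """
authentication.chain=external1:external,alfrescoNtlm1:alfrescoNtlm
external.authentication.enable=true
external.authentication.proxyHeader=X-Alfresco-Remote-User
"""
SAMPLE_SHARE = """<alfresco-config><config><remote>
<connector><id>alfrescoHeader</id><userHeader>SsoUserHeader</userHeader></connector>
<endpoint><id>alfresco</id><connector-id>alfrescoHeader</connector-id></endpoint>
</remote></config></alfresco-config>"""

if __name__ == "__main__":
    for finding in check(SAMPLE_PROPS, SAMPLE_SHARE):
        print(finding)
```

A clean result only means the two files agree with each other; it says nothing about the 5.0 bug mentioned in the last reply.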