External SSO via http headers not working.

bdaniel
Champ in-the-making
Hi there,

I want to enable external authentication via http headers as described here:
http://docs.alfresco.com/4.2/tasks/auth-alfrescoexternal-sso.html
http://www.youtube.com/watch?v=5tS0XrC_-rw

After configuring my system my normal web authentication (via username and password) no longer works.  The external SSO is also not working.  If I set the configurations back to normal my web authentication starts working again.

Here are the steps I have followed:

1. Downloaded alfresco-community-4.2.f-installer-linux-x64.bin and ran the auto installer
2. Verified that Alfresco and Share was working fine.  Created a site with some content
3. In /opt/alfresco/tomcat/shared/classes/alfresco-global.properties add:

    ### External Authentication ###
    authentication.chain=external1:external

4. In /opt/alfresco/tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml set connector-id:

    <connector-id>alfrescoHeader</connector-id>

5. In /opt/alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/external/external-authentication.properties add:

    external.authentication.defaultAdministratorUserNames=admin
    external.authentication.enabled=true

6. In /opt/alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/external/external-filter.properties add:

    external.authentication.proxyUserName=alfresco-system
    external.authentication.proxyHeader=X-Alfresco-Remote-User
    external.authentication.enabled=true
    external.authentication.userIdPattern=


7. In /opt/alfresco/tomcat/webapps/wcmqs/WEB-INF/classes/alfresco/wcmqs-api.properties and set the admin password:

    wcmqs.api.alfresco=http://localhost:8080/alfresco
    wcmqs.api.user=admin
    wcmqs.api.password=my_admin_password_details_here


8. In /opt/alfresco/tomcat/webapps/wcmqs/WEB-INF/classes/alfresco/extension/wqsapi-custom.properties and set the admin password:

    wcmqs.api.alfresco=http://localhost:8080/alfresco
    wcmqs.api.user=admin
    wcmqs.api.password=my_admin_password_details_here

9. In /opt/alfresco/tomcat/webapps/alfresco/WEB-INF/classes/log4j.properties add

    log4j.logger.org.alfresco.web.site.servlet.SSOAuthenticationFilter=debug
    log4j.logger.org.alfresco.repo.security.authentication.AuthenticationUtil=debug
    log4j.logger.org.alfresco.repo.security.authentication.AbstractChainingAuthenticationService=debug

10. In /opt/alfresco/tomcat/webapps/share/WEB-INF/classes/log4j.properties add

    log4j.logger.org.alfresco.web.app.servlet.DefaultRemoteUserMap=debug
    log4j.logger.org.springframework.extensions.webscripts.connector.RemoteClient=debug
    log4j.logger.org.springframework.extensions.webscripts.connector.AlfrescoAuthenticator=debug

11. service alfresco start
12. tail -f /opt/alfresco/tomcat/logs/catalina.out (wait until everything has started)
13. Use the "Modify headers" add-on in Firefox to try and log into Alfresco without a password as per the demo in http://www.youtube.com/watch?v=5tS0XrC_-rw

    Result:  I still get sent to the login screen.  My usual password does not work any more.
    Here is the debug info from catalina.out:

2014-06-28 20:28:17,829  DEBUG [security.authentication.AuthenticationUtil] [http-bio-8080-exec-4] Setting RunAs principal: net.sf.acegisecurity.providers.dao.User@1d1396e4: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_AUTHENTICATED
2014-06-28 20:28:17,834  DEBUG [security.authentication.AuthenticationUtil] [http-bio-8080-exec-4] Setting RunAs principal: net.sf.acegisecurity.providers.dao.User@73f2361a: Username: System; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_SYSTEM
2014-06-28 20:28:17,834  DEBUG [security.authentication.AuthenticationUtil] [http-bio-8080-exec-4] Setting fully authenticated principal: net.sf.acegisecurity.providers.dao.User@1d1396e4: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_AUTHENTICATED


14. Try to use curl to login with modified header as follows:

    curl -X GET -L -H "X-Alfresco-Remote-User: admin" http://localhost:8080/alfresco/ | less

    Result:  I still get the login page



Any idea what I'm doing wrong?

Much appreciated,

Barry D.

afaust
Legendary Innovator
Hello,

You cannot use the External authentication subsystem without enabling a second, SSO-capable authentication subsystem such as alfrescoNtlm. So your chain should include such a subsystem and you should set *.sso.enabled for that subsystem.

Regards
Axel

bdaniel
Champ in-the-making
Hi Axel,

Thanks for your help.  I have added alfrescoNtlm to my chain and enabled SSO and at least normal authentication works again now.

However, I don't want to authenticate via NTLM (I understand this to be Windows authentication).  I now get a username and password popup when I visit myhost:8080/alfresco in the browser with modified headers.  If I click cancel I get the normal web login screen.

In this video ( http://www.youtube.com/watch?v=5tS0XrC_-rw ) it seems that it is possible to achieve External Authentication SSO by simply modifying the headers (No NTLM, CAS, Kerberos or anything like that). There is no mention made of having to enable SSO for NTLM for instance.

E.g. if I modify the headers with X-Alfresco-Remote-User as the name and admin as the value I expect to be logged in as the admin user.  If I use e.g. peter as the value I should be logged in as Peter irrespective of which Windows user I am logged in as.  That's what I understood from Mehdi Belmekki's video. Am I understanding this correctly?

Thanks again,
Barry

mrogers
Star Contributor
If your authentication chain only has a single authenticator of type external then there's only one way of authenticating.  You don't have any "normal web authentication" in your chain.  The authenticator of type alfrescoNtlm is badly named; it should really just be alfresco or alfresco internal.  What it will do is authenticate the username / password against the hash value stored within Alfresco.

Also I don't like seeing hacking of files under WEB-INF.  Don't do it.  You will lose your changes on redeploy.

bdaniel
Champ in-the-making
Thanks mrogers,

I have added alfrescoNtlm to my chain and thus regained normal web login functionality.  However, I still don't have SSO via modifying HTTP headers as per the http://www.youtube.com/watch?v=5tS0XrC_-rw video.  I now get a popup asking for username and password.

Also, you mention that I should not 'hack' files under WEB-INF.  Could you specify the correct place to make these sort of changes instead?

Much appreciated,
Barry

afaust
Legendary Innovator
Hello,

all configuration should go in the tomcat/shared/classes/alfresco/extension directory or the tomcat/shared/classes/alfresco-global.properties file.
Regarding external authentication it is important to know that by default, Alfresco tries to validate the client passing the modified headers via a client certificate check. Unless you are actually using SSL and a client certificate, you have to disable that or Alfresco won't actually accept the modified headers. Last time I used this for a development setup, this amounted to setting the "external.authentication.proxyUserName" property to the empty value / string.

The reason you need to enable SSO on a different authentication subsystem is that the external subsystem alone only covers the Explorer UI and web scripts via the /wcs or /wcservice endpoint. The SSO filter for NTLM / Kerberos calls the logic for header evaluation (of the external subsystem) on the other HTTP servlets…
At least that was the case the last time I worked with external on 4.2.x. There might be differences between the Alfresco versions concerning default configuration.

Regards
Axel
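To make the two configuration points in this thread concrete, the following is an added model (not Alfresco's code, and not posted by anyone in the thread) of the decision a header-based filter has to make for a request: it takes the keys from Barry's external-filter.properties (proxyHeader, proxyUserName, userIdPattern) and Axel's point that proxyUserName is the identity the calling proxy must present (client-certificate subject in a TLS setup), with the empty value skipping that check for development only. The `Request.client_principal` field, the `strip_untrusted_header` helper and the sample requests are constructed for the illustration; userIdPattern is modelled as a regex whose first group yields the user name.

```python
"""Model of the remote-user header evaluation behind Alfresco's external
authentication subsystem. Added illustration for this thread, not Alfresco code."""
import re
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class ExternalAuthConfig:
    # Mirrors the keys set in external-filter.properties in the thread.
    enabled: bool = True
    proxy_header: str = "X-Alfresco-Remote-User"
    # Identity the connecting client must present (client-cert CN under TLS).
    # An empty string disables the check, which Axel describes as a
    # development-only setting.
    proxy_user_name: str = "alfresco-system"
    # Optional regex; group 1 extracts the user id from the header (assumed).
    user_id_pattern: str = ""


@dataclass
class Request:
    headers: Dict[str, str]
    # Authenticated identity of the connecting client, None when the
    # connection is not client-authenticated. Constructed field for the model.
    client_principal: Optional[str] = None


def resolve_remote_user(cfg: ExternalAuthConfig, req: Request) -> Optional[str]:
    """Return the user the request should be authenticated as, or None to fall
    through to the next authenticator (normal login)."""
    if not cfg.enabled:
        return None
    # HTTP header names are case-insensitive.
    value = next(
        (v for k, v in req.headers.items() if k.lower() == cfg.proxy_header.lower()),
        None,
    )
    if not value:
        return None
    # The header is only trusted when it arrived from the configured proxy.
    if cfg.proxy_user_name and req.client_principal != cfg.proxy_user_name:
        return None
    user = value.strip()
    if cfg.user_id_pattern:
        match = re.match(cfg.user_id_pattern, user)
        if not match:
            return None
        user = match.group(1)
    return user or None


def strip_untrusted_header(headers: Dict[str, str], header_name: str) -> Dict[str, str]:
    """What the front-end proxy must do before adding its own copy of the
    header: drop any client-supplied value so an end user cannot pick their
    identity. Constructed helper."""
    return {k: v for k, v in headers.items() if k.lower() != header_name.lower()}


if __name__ == "__main__":
    cfg = ExternalAuthConfig()
    # Constructed sample: header presented by the trusted proxy.
    trusted = Request({"X-Alfresco-Remote-User": "admin"}, client_principal="alfresco-system")
    # Constructed sample: same header, but from an unauthenticated client
    # (what the curl test in the thread looks like to the repository).
    untrusted = Request({"X-Alfresco-Remote-User": "admin"})
    print("trusted  ->", resolve_remote_user(cfg, trusted))
    print("untrusted->", resolve_remote_user(cfg, untrusted))
```

With the default proxyUserName, the curl-from-localhost test in the thread fails because the connection presents no proxy identity; with proxyUserName empty it succeeds, which is why that setting belongs only in a development environment behind a proxy that strips the header from incoming client requests.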

bdaniel
Champ in-the-making
Hi there, on Alfresco 5.0.b it seems the URL for external SSO via http headers has changed. In any case I can't seem to get it working again.

Can anyone help me out with the correct URL?  In Alfresco 4.2 I was using http://mydomain:8080/alfresco


Thanks

bdaniel
Champ in-the-making
Hi Axel,

Thanks, I managed to get the external SSO working now via modified headers using curl in my terminal.  I have set ntlm.authentication.sso.enabled=false and the login popup has now gone and the external SSO is still working.  I suppose my Firefox Modify headers plugin was not working somehow. I also moved the configs into alfresco global properties file.

Now that I am logged in I need to get a ticket for the logged in user as I want to make CMIS calls (using Apache Chemistry PHP client).  Is there an easy way to do this?

Much appreciated,

afaust
Legendary Innovator
Hello Barry,

I recently had to do the same thing. There is no out-of-the-box web script you can call to "just" give you a ticket - the one web script that does exist requires you to actually provide username and password. I just wrote myself a tiny custom web script that I then called with active external authentication.
The web script is as simple as the following FTL:

    {<#escape x as jsonUtils.encodeJSONString(x)>
        "ticket" : "${session.ticket}"
    </#escape>}

Regards
Axel

bdaniel
Champ in-the-making
Hi Axel,

Thanks, this works brilliantly!