
NTLM Authentication with Active Directory

ianp
Champ in-the-making
Hi all,

I'm using Community 4.0.d on a vanilla Tomcat 6.0.35 install.

I've been struggling for several days with this, so I'm hoping someone here might have an answer for me.  I'm trying to achieve SSO in IE8 so that a user doesn't have to enter a username or password.  I've managed to successfully log in (via the standard Alfresco login page) using my AD credentials.  I've also managed to synchronise my AD users, so that I can see them in Alfresco.  However if I try to log in using NTLM it fails (IE8 still pops up a dialog box, but it relates to the domain so I'm not sure what that's about).  I've turned up logging on the NTLMAuthenticationFilter, and I get the following output:


2012-08-17 16:11:03,691  DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] [http-8080-1] New NTLM auth request from 192.168.10.10 (192.168.10.10:49567) SID:0F8D2CE2C82AE1F6655227A21B4EF9B5
2012-08-17 16:11:11,010  DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] [http-8080-1] Received type1 [Type1:0xa2088207,Domain:<NotSet>,Wks:<NotSet>]
2012-08-17 16:11:11,013  INFO  [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] [http-8080-1] NTLM filter using server name magrathea
2012-08-17 16:11:11,017  DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] [http-8080-1] Sending NTLM type2 to client - [Type2:0xa0080201,Target:magrathea,Ch:f387bc44a15b65f0]
2012-08-17 16:11:11,021  DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] [http-8080-1] Received type3 [Type3:,LM:000000000000000000000000000000000000000000000000,NTLM:c0eb1440bce9ced98dbcfdf8e7d5842e0101000000000000aa6416898a7ccd01d965cfb6682f75a400000000020012006d00610067007200610074006800650061000000000000000000,Dom:TEST,User:fred,Wks:WINDOWS7]
2012-08-17 16:11:11,036  DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] [http-8080-1] User fred does not have Alfresco account
2012-08-17 16:11:11,036  DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] [http-8080-1] restartLoginChallenge…

So it's complaining that there is no account for fred, despite the fact that it was successfully imported from AD, and that I can see it if I log in as admin.

My alfresco-global.properties file has the following extra properties (passwords hidden by ****):


authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap-ad1:ldap-ad

alfresco.authentication.authenticateCIFS=false
ntlm.authentication.sso.enabled=true

#ldap.authentication.active=false
ldap.authentication.java.naming.provider.url=ldap://192.168.10.1:389
ldap.authentication.userNameFormat=%s@test.com

ldap.synchronization.active=true
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=administrator@test.com
ldap.synchronization.java.naming.security.credentials=****
ldap.synchronization.groupSearchBase=cn\=Users,dc\=test,dc\=com
ldap.synchronization.userSearchBase=cn\=Users,dc\=test,dc\=com

I'm fairly new to this, but I think I've read most of the documentation, forum posts, and so on, and I'm now up against a bit of a brick wall.  Any help would be very much appreciated!

Thanks in advance,
Ian
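The log above contains the complete three-leg NTLMSSP exchange, and a fair amount can be read out of it before the "does not have Alfresco account" line. The following is an added example for this thread (it is not Alfresco's code, and nothing in it comes from the original post beyond the hex values copied out of the log): it decodes the negotiate flags of the type1/type2 messages, splits the type3 NT response into NTProofStr, timestamp, client challenge and AV pairs, and implements the check a verifier performs on an NTLMv2 response as specified in MS-NLMP (ResponseKeyNT = HMAC-MD5 over UPPER(user)+domain keyed with the NT hash; NTProofStr = HMAC-MD5 over server challenge + blob keyed with ResponseKeyNT). The point of the last part is that whoever validates the response has to hold the user's NT hash (or pass the exchange through to a domain controller); DUMMY_NT_HASH is a constructed value, since fred's real hash is not on the page, so verification against the logged response is expected to fail and a response re-signed with the dummy key is expected to pass. Function and constant names are the example's own.

```python
"""Decode the NTLMSSP exchange logged by NTLMAuthenticationFilter and show the
check a verifier performs on an NTLMv2 response (MS-NLMP 3.3.2 / 3.4.5.2).
Example written for this thread, not Alfresco code. Hex constants are copied
from the log lines in the post; DUMMY_NT_HASH is constructed."""
import datetime
import hashlib
import hmac
import struct

TYPE1_FLAGS = 0xA2088207                 # [Type1:0xa2088207,...]
TYPE2_FLAGS = 0xA0080201                 # [Type2:0xa0080201,Target:magrathea,...]
SERVER_CHALLENGE = bytes.fromhex("f387bc44a15b65f0")   # Ch: in the type2 line
LM_RESPONSE = bytes(24)                  # the log shows a 24-byte all-zero LM field
NT_RESPONSE = bytes.fromhex(
    "c0eb1440bce9ced98dbcfdf8e7d5842e"   # NTProofStr (16 bytes)
    "0101000000000000"                   # RespType, HiRespType, Reserved1/2
    "aa6416898a7ccd01"                   # TimeStamp (FILETIME, little-endian)
    "d965cfb6682f75a4"                   # ChallengeFromClient
    "00000000"                           # Reserved3
    "020012006d00610067007200610074006800650061000000000000000000"  # AvPairs, EOL, pad
)
DUMMY_NT_HASH = bytes(range(16))         # constructed; NOT the real user's hash

# NEGOTIATE flags from MS-NLMP 2.2.2.5 (the subset seen in this exchange).
NEGOTIATE_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE", 0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET", 0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL", 0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN", 0x00010000: "TARGET_TYPE_DOMAIN",
    0x00020000: "TARGET_TYPE_SERVER", 0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NEGOTIATE_TARGET_INFO", 0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128", 0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}
AV_IDS = {0: "MsvAvEOL", 1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName",
          3: "MsvAvDnsComputerName", 4: "MsvAvDnsDomainName", 5: "MsvAvDnsTreeName",
          6: "MsvAvFlags", 7: "MsvAvTimestamp", 9: "MsvAvTargetName",
          10: "MsvAvChannelBindings"}


def decode_flags(flags):
    """Names of the negotiate flags set in a 32-bit flag word."""
    return [name for bit, name in sorted(NEGOTIATE_FLAGS.items()) if flags & bit]


def filetime_to_datetime(filetime):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    epoch = datetime.datetime(1601, 1, 1, tzinfo=datetime.timezone.utc)
    return epoch + datetime.timedelta(microseconds=filetime // 10)


def parse_av_pairs(data):
    """AV_PAIR list: little-endian AvId, AvLen, value; terminated by MsvAvEOL."""
    pairs, off = {}, 0
    while off + 4 <= len(data):
        av_id, av_len = struct.unpack_from("<HH", data, off)
        off += 4
        if av_id == 0:                       # MsvAvEOL
            break
        value = data[off:off + av_len]
        off += av_len
        if av_id in (1, 2, 3, 4, 5, 9):      # UTF-16LE names
            value = value.decode("utf-16-le")
        elif av_id == 7:                     # MsvAvTimestamp
            value = filetime_to_datetime(struct.unpack("<Q", value)[0])
        pairs[AV_IDS.get(av_id, "AvId%d" % av_id)] = value
    return pairs


def parse_ntlmv2_response(nt_response):
    """Split an NTLMv2_RESPONSE into NTProofStr and the NTLMv2_CLIENT_CHALLENGE fields."""
    if len(nt_response) <= 24:
        raise ValueError("24-byte NT response: NTLMv1 (possibly with ESS), not NTLMv2")
    blob = nt_response[16:]
    if blob[0] != 1 or blob[1] != 1:
        raise ValueError("RespType/HiRespType are not 0x01/0x01")
    timestamp, = struct.unpack_from("<Q", blob, 8)
    return {
        "nt_proof_str": nt_response[:16],
        "timestamp": filetime_to_datetime(timestamp),
        "client_challenge": blob[16:24],
        "av_pairs": parse_av_pairs(blob[28:]),   # 8 header + 8 ts + 8 challenge + 4 reserved
    }


def ntowf_v2(nt_hash, user, domain):
    """ResponseKeyNT: HMAC-MD5(NT hash, UNICODE(UPPER(user) + domain))."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def nt_proof_str(response_key, server_challenge, blob):
    """NTProofStr: HMAC-MD5(ResponseKeyNT, ServerChallenge + NTLMv2_CLIENT_CHALLENGE)."""
    return hmac.new(response_key, server_challenge + blob, hashlib.md5).digest()


def verify_ntlmv2(nt_hash, user, domain, server_challenge, nt_response):
    """What a verifier holding the user's NT hash does with a type3 NT response."""
    expected = nt_proof_str(ntowf_v2(nt_hash, user, domain), server_challenge, nt_response[16:])
    return hmac.compare_digest(expected, nt_response[:16])


if __name__ == "__main__":
    print("type1:", decode_flags(TYPE1_FLAGS))
    print("type2:", decode_flags(TYPE2_FLAGS))
    r = parse_ntlmv2_response(NT_RESPONSE)
    print("timestamp (UTC):", r["timestamp"], " av pairs:", r["av_pairs"])
    print("LM response all zero:", LM_RESPONSE == bytes(24))
    print("verifies with dummy hash:", verify_ntlmv2(DUMMY_NT_HASH, "fred", "TEST", SERVER_CHALLENGE, NT_RESPONSE))
```

Run as-is it shows that the client negotiated extended session security, that the server's type2 did not set NEGOTIATE_TARGET_INFO, that the NT response is in NTLMv2 format (blob header 0x01 0x01, 74 bytes rather than 24) with a null LM response, that the blob timestamp decodes to 2012-08-17 15:11:11 UTC (the log's 16:11:11 in a UTC+1 zone) and carries MsvAvNbDomainName "magrathea", and that with a hash other than fred's the proof does not verify. The exchange itself completed all three legs; the filter only gives up when it looks fred up afterwards.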

benswitzer
Champ in-the-making
Hi Ian,

What Windows OS are you running?  If you're running anything newer than Windows XP, you'll have to change how authentication is handled for NTLM.  Alfresco can only use NTLMv1 session security.  By default, Vista and Windows 7 don't allow NTLMv1.  This can be changed though.

See this thread: https://forums.alfresco.com/en/viewtopic.php?f=9&t=24610#p80352

Ben

ianp
Champ in-the-making
Hi Ben,

Thanks for your reply.  I'm a little confused here though.  According to the documentation (http://docs.alfresco.com/4.0/topic/com.alfresco.enterprise.doc/concepts/auth-alfrescontlm-ntlm.html), what I'm trying to achieve should be possible:

The alfrescoNtlm subsystem supports optional NTLM Single Sign-On (SSO) functions for WebDAV and the Alfresco Explorer client.
NTLM v2 is supported, which is more secure than NTLM v1. If the client does not support NTLMv2, it will automatically downgrade to NTLMv1.
By using NTLM authentication to access Alfresco Explorer and Alfresco WebDAV sites, the web browser can automatically log in.

When SSO is enabled, Internet Explorer will use your Windows log in credentials when requested by the web server. Firefox and Mozilla also support the use of NTLM but you need to add the URI to the Alfresco site that you want to access to network.automatic-ntlm-auth.trusted-uris option (available through writing about:config in the URL field) to allow the browser to use your current credentials for login purposes.
The above describes almost (maybe that's the problem?) exactly what I'm trying to do.

The link you posted seemed to be primarily about CIFS, which I'm not trying to do (well, not yet, anyway).  Have I missed something?

Many thanks,
Ian

ianp
Champ in-the-making
Anybody?