NTLM SSO with Alfresco Explorer: Login form appears

nicolasraoul
Star Contributor
Hello all,

I only need SSO to test a CMIS client software.

I installed Alfresco Community 4.2d on a Windows Server 2012 that also runs Active Directory, and is the domain server.

I executed the few steps below, then restarted Alfresco, directed Internet Explorer to Alfresco (still logged in as Administrator, directly on the AD server), and… a login/password popup appears. What did I do wrong?

Everything I did, step-by-step:

1) Installed Alfresco
2) Created folder tomcat\shared\classes\alfresco\extension\subsystems\Authentication
3) Under this folder, created folders ldap-ad\ldap-ad1 and passthru\passthru1
4) Added "authentication.chain=passthru1:passthru,ldap-ad1:ldap-ad" to alfresco-global.properties
5) Created tomcat\shared\classes\alfresco\extension\subsystems\Authentication\passthru\passthru1\changes.properties with this content:


passthru.authentication.useLocalServer=true
passthru.authentication.domain=
passthru.authentication.servers=
ntlm.authentication.sso.enabled=true
alfresco.authentication.allowGuestLogin=false
ntlm.authentication.mapUnknownUserToGuest=true
passthru.authentication.authenticateCIFS=false
passthru.authentication.authenticateFTP=false
passthru.authentication.guestAccess=true
passthru.authentication.defaultAdministratorUserNames=Administrator


6) Created tomcat\shared\classes\alfresco\extension\subsystems\Authentication\ldap-ad\ldap-ad1\ldap-ad-authentication.properties with this content:


ldap.authentication.active=true
ldap.authentication.allowGuestLogin=true
ldap.authentication.userNameFormat=%s@aegif.local
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://themachine:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=Administrator
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=Administrator@aegif.local
ldap.synchronization.java.naming.security.credentials=iwrotethepasswordhere
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000
ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(whenChanged<\={0})))
ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(whenChanged<\={0})))
ldap.synchronization.groupSearchBase=cn=Users,dc=aegif,dc=local
ldap.synchronization.userSearchBase=cn=Users,dc=aegif,dc=local
ldap.synchronization.modifyTimestampAttributeName=whenChanged
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true
ldap.authentication.java.naming.read.timeout=0

iblanco
Confirmed Champ
I can't tell you exactly what is wrong with your setup, but I think there are many factors that might be causing your problem and that you should consider:

1) In order for SSO to work, the domain you are using in the browser should be a trusted domain in Internet Explorer.
2) Due to the NTLM-only nature of the native Alfresco authenticator's SSO mechanism, Windows 2012 might not accept it by default for security reasons.
3) Being a Domain Controller might impose some additional security restrictions that might make SSO impossible; try connecting from another machine in the domain.

I know this is not a definitive answer, but I hope it helps you start checking what might have gone wrong.

macnaughtani
Champ in-the-making
This might be relevant. I have recently installed Community 4.2.e on a CentOS 6.4 server and was just now trying to get my Windows 8.1 PC to SSO to the Explorer and Share sites without success. A view of the catalina.out log showed that NTLM2 was being sent and rejected. I got it working with a change to the Local Security Policy to use NTLM1 and NTLM2 if negotiated. This is the setting:

Local Policies > Security Options > Network Security: LAN Manager authentication level > Send LM & NTLM - use NTLMv2 session security if negotiated

I suspect that Server 2012 has similar restrictions on NTLMv1.

I'm guessing Kerberos is the preferred option but cannot recall if it supports SSO.

Cheers
Ian.
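
The two client-side settings the replies above point at (the Local Security Policy "LAN Manager authentication level" from this reply, and the Internet Explorer trusted-domain point from iblanco's reply) are both registry values, so they can be inspected and changed from Windows PowerShell 5.1 instead of the GUI. The script below is an added example written for this page; it is not code from the thread's authors or from Alfresco. It assumes the Alfresco host name "themachine.aegif.local" (built from the LDAP URL and userNameFormat in the first post) and the default Alfresco port 8080 and "/alfresco/" Explorer path; adjust all three for your environment. Run it in an elevated prompt on the browser machine, not on the Alfresco server.

```powershell
# Added example (not from the thread): inspect and adjust the two client-side
# settings the replies point at, on the Windows PC running Internet Explorer.
# ASSUMPTIONS (hypothetical): Alfresco host, port and path below.
# Requires Windows PowerShell 5.1 and an elevated prompt for the LSA change.

$AlfrescoHost = 'themachine.aegif.local'   # assumption: from the OP's LDAP settings
$AlfrescoUrl  = "http://${AlfrescoHost}:8080/alfresco/"   # assumption: default port/path

# 1) "Network security: LAN Manager authentication level" is the DWORD
#    LmCompatibilityLevel under HKLM\SYSTEM\CurrentControlSet\Control\Lsa.
#    The GUI names map to these numeric levels:
$LmLevels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LmCompatibilityLevel {
    $item = Get-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
    # Value absent means the OS default, which is 3 on Vista/2008 and later
    # (and therefore on Windows 8.1 and Server 2012).
    if ($null -eq $item) { return 3 }
    return [int]$item.LmCompatibilityLevel
}

$current = Get-LmCompatibilityLevel
"LmCompatibilityLevel = $current ($($LmLevels[$current]))"

# The setting quoted in the reply above is level 1. Levels 0-2 let this client
# fall back to LM/NTLMv1 against EVERY server, not just Alfresco, so only do
# this on a test machine; Kerberos SSO is the production answer.
if ($current -gt 1) {
    Set-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -Value 1 -Type DWord
    "Set LmCompatibilityLevel to 1; sign out and back in for it to take effect"
}

# 2) Put the Alfresco host in IE's Local intranet zone so IE sends the logged-on
#    user's credentials automatically. ZoneMap layout:
#    ...\ZoneMap\Domains\<domain>\<host>, DWORD named after the URL scheme,
#    value = zone id (1 = Local intranet, 2 = Trusted sites).
$zoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$parts = $AlfrescoHost.Split('.')
if ($parts.Count -eq 1) {
    # Single-label host: one key directly under Domains
    $zoneKey = Join-Path $zoneRoot $AlfrescoHost
} else {
    $domain  = ($parts | Select-Object -Skip 1) -join '.'
    $zoneKey = Join-Path (Join-Path $zoneRoot $domain) $parts[0]
}
if (-not (Test-Path $zoneKey)) { New-Item -Path $zoneKey -Force | Out-Null }
Set-ItemProperty -Path $zoneKey -Name 'http' -Value 1 -Type DWord
"Mapped http://$AlfrescoHost to the Local intranet zone"

# 3) Confirm the server is actually offering NTLM: an unauthenticated request
#    should get HTTP 401 with a 'WWW-Authenticate: NTLM' header. If you get a
#    200 with the login form instead, the problem is server-side configuration,
#    not the client policy.
try {
    Invoke-WebRequest -Uri $AlfrescoUrl -UseBasicParsing | Out-Null
    "Got a 200 without a challenge: SSO filter is not engaging on $AlfrescoUrl"
} catch {
    $resp = $_.Exception.Response
    if ($resp) {
        "HTTP $([int]$resp.StatusCode); WWW-Authenticate: $($resp.Headers['WWW-Authenticate'])"
    } else {
        "Request failed: $($_.Exception.Message)"
    }
}
```

Lowering LmCompatibilityLevel re-enables LM and NTLMv1 responses from that client, and those hashes are cheap to crack and easy to relay, so keep the change confined to the lab VM used for the CMIS test and revert it afterwards. The check in step 3 separates the two failure modes in this thread: a 401 with an NTLM challenge that still ends at a login prompt points at the client policy or zone, while a 200 with the form means the Alfresco authentication chain itself is not applying the SSO filter.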

rubengerad
Champ in-the-making
Hi,
It was very useful to find this article. Could you please guide me on how I could integrate with Office 365 online? What are the changes to make this possible? I will update my findings by EOD if I am able to achieve integration.

TIA !

Warm Regards,
Ruben.