
NTLM works great... except with webclient

adrian
Champ in-the-making
Hi,

I have configured Alfresco to use NTLM authentication. It works fine with CIFS or WebDAV : I can browse my files without being asked for a login/password.
But I got an error when trying to use web-browser.

When I type http://localhost:8080/alfresco/ I'm not asked anymore for a login/password (as expected) but I get this page :

net.sf.acegisecurity.AuthenticationServiceException: Failed to open passthru auth session
at org.alfresco.repo.security.authentication.ntlm.NTLMAuthenticationComponentImpl.authenticatePassthru(NTLMAuthenticationComponentImpl.java:793)
at org.alfresco.repo.security.authentication.ntlm.NTLMAuthenticationComponentImpl.authenticate(NTLMAuthenticationComponentImpl.java:550)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:281)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:187)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:154)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:107)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:176)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:210)
at $Proxy18.authenticate(Unknown Source)
at org.alfresco.web.app.servlet.NTLMAuthenticationFilter.processType1(NTLMAuthenticationFilter.java:523)
at org.alfresco.web.app.servlet.NTLMAuthenticationFilter.doFilter(NTLMAuthenticationFilter.java:395)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:210)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:870)
at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
at java.lang.Thread.run(Thread.java:595)
I'm using Alfresco 2.1 on WinXP.
I tried with IE6 and Firefox : it's always the same error (I also put Alfresco as a trusted website in the options).
I don't think there is a problem with my config files since CIFS and WebDAV access work, but I can post them if you wish.
Is there an option I may have forgotten ?
6 REPLIES

jpfi
Champ in-the-making
Hi,

I have the same problem. But I figured out that if I configure the Alfresco URL to be only in the Internet zone of IE, I get the browser authentication window (not the Alfresco login page). Entering the domain login data there works fine.
I don't have any explanation why the direct hidden authentication via browser causes the passthru exception and a manual input via the browser authentication window works.
Any idea?
Thanks, jpfi

adrian
Champ in-the-making
Hi jpfi

So I'm not the only one. :wink: I don't know why it's happening. From CIFS, if I use the drag'n'drop on one of the 3 Alfresco icons, Firefox asks for a login/password with its own authentication window (not with Alfresco login page, like you).
I looked into the source code of NTLMAuthenticationComponentImpl.java , the error happens in the bold line :
[ … ]
if ( authSess == null)
{
    // Check if the token has a challenge, if it does then the associated session has been
    // timed out

    if ( ntlmToken.getChallenge() != null)
        throw new CredentialsExpiredException("Authentication session expired");

    // Open an authentication session for the new token and add to the active session list

    authSess = m_passthruServers.openSession( false, ntlmToken.getClientDomain());

    // Check if the session was opened to the passthru server

    if ( authSess == null)
        throw new AuthenticationServiceException("Failed to open passthru auth session");

    ntlmToken.setAuthenticationExpireTime(System.currentTimeMillis() + getSessionTimeout());

    // Get the challenge from the initial session negotiate stage

    ntlmToken.setChallenge(new NTLMChallenge(authSess.getEncryptionKey()));
[ … ]
I found this : http://issues.alfresco.com/browse/AR-1555
The problem is similar, but I don't know if it's the same.
Anyway, I didn't get NTLM passthru working with web-client, so I put back the default filter (org.alfresco.web.app.servlet.AuthenticationFilter) for web-client in web.xml. Users have to log in manually, but at least there's not an error message.
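
The stack trace above fails inside processType1, and the excerpt passes the client domain to openSession. A way to see which domain and workstation a browser actually puts in its NTLM Type 1 message is to decode the `Authorization: NTLM ...` request header, as in this added example (not part of the original posts and not Alfresco code). The sample token is constructed, and whether Alfresco takes getClientDomain() from this field is an assumption.

```python
import base64
import struct

# Flag bits of the NegotiateFlags field in an NTLM Type 1 (NEGOTIATE) message.
OEM_DOMAIN_SUPPLIED = 0x00001000
OEM_WORKSTATION_SUPPLIED = 0x00002000

def _read_buffer(msg: bytes, pos: int) -> str:
    """Read a security buffer (len, maxlen, offset) and return its OEM string."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length].decode("ascii", errors="replace")

def parse_type1(header_value: str) -> dict:
    """Decode the value of an 'Authorization: NTLM <base64>' request header."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not b64:
        raise ValueError("not an NTLM Authorization header")
    msg = base64.b64decode(b64, validate=True)
    if len(msg) < 16 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("missing NTLMSSP signature")
    msg_type, flags = struct.unpack_from("<II", msg, 8)
    if msg_type != 1:
        raise ValueError(f"expected Type 1, got Type {msg_type}")
    domain = workstation = ""
    # Minimal clients send only the 16-byte header; both buffers are optional.
    if flags & OEM_DOMAIN_SUPPLIED and len(msg) >= 24:
        domain = _read_buffer(msg, 16)
    if flags & OEM_WORKSTATION_SUPPLIED and len(msg) >= 32:
        workstation = _read_buffer(msg, 24)
    return {"flags": hex(flags), "domain": domain, "workstation": workstation}

def build_sample(domain: bytes, workstation: bytes) -> str:
    """Constructed Type 1 message for the demo (not captured traffic)."""
    flags = 0x00000202  # NEGOTIATE_OEM | NEGOTIATE_NTLM
    flags |= OEM_DOMAIN_SUPPLIED if domain else 0
    flags |= OEM_WORKSTATION_SUPPLIED if workstation else 0
    dom_off = 32 + len(workstation)  # payload starts right after the 32-byte header
    head = b"NTLMSSP\x00" + struct.pack("<II", 1, flags)
    head += struct.pack("<HHI", len(domain), len(domain), dom_off)
    head += struct.pack("<HHI", len(workstation), len(workstation), 32)
    return "NTLM " + base64.b64encode(head + workstation + domain).decode()

if __name__ == "__main__":
    print(parse_type1(build_sample(b"EXAMPLEDOM", b"WS01")))  # domain supplied
    print(parse_type1(build_sample(b"", b"")))                # no domain in Type 1
```

An empty `domain` in the decoded output means the client did not name a domain in its Type 1 message, which is worth comparing between the silent login and the manual browser prompt.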

andy
Champ on-the-rise
Hi

In your config file, prefix your entry with the domain for the server.


        <property name="servers">
           <value>DOMAIN\192.168.1.1</value>
        </property>


Andy

andy
Champ on-the-rise
Hi

… this is for the NTLM authentication component config.

Andy

adrian
Champ in-the-making
Hi

Thank you for answering

I already tried this, but it didn't work.
I did a new install but this time with the 2.1 final on a Red Hat server, and the problem is still there. (and CIFS, webDAV work well with SSO)

Anyway it's not really a problem for us : we want to use the classic web-client filter so external people can log in from the Internet.

andy
Champ on-the-rise
Hi

There is something going on related to network connections and URLs. I have various net connections; using different URLs to access Alfresco, some work and some do not.

If localhost fails, try the hostname or IP address.

I have raised the issue.

Cheers

Andy