Single Sign On using Windows Authentication

luminary_mb
Champ in-the-making
Hi,

What is the simplest method to enable single sign on so that when users try to access the Alfresco web client, they are automatically logged in via their Windows login credentials? We would still like to maintain the list of users within Alfresco. What type of configuration is required to do this?

I am using Alfresco Enterprise 3.1 on a Linux Ubuntu server.

Thanks.
35 REPLIES 35

luminary_mb
Champ in-the-making
Any help much appreciated.

dward
Champ on-the-rise
No need to use IP addresses.

set useLocalServer=false

servers=NAMEOFDOMAIN\nameofserver,nameofserver

If you are doing this in a .properties file, the backslash has to be escaped with another backslash. If you are doing it in the XML file directly, it won't.

You should include your server with and without a domain prefix so that JLAN knows where to send it to when the client doesn't send a domain (weird I know).
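
To see what the escaping rule above means in practice, this added example (not part of the original post, and not Alfresco code) loads the servers line with java.util.Properties, once with a single backslash and once escaped. It assumes the .properties file is read with the standard java.util.Properties loader; the class and method names are made up for the illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Properties;

public class PassthruServersCheck {

    // Parse properties text the way java.util.Properties reads a .properties file.
    static String loadServers(String fileText) throws IOException {
        Properties props = new Properties();
        props.load(new StringReader(fileText));
        return props.getProperty("servers");
    }

    // Render control characters visibly so a mangled value stands out in output.
    static String visible(String value) {
        return value.replace("\n", "<LF>").replace("\t", "<TAB>")
                    .replace("\r", "<CR>").replace("\f", "<FF>");
    }

    // An entry is suspect if it contains a control character after loading,
    // which happens when the loader reads "\n", "\t", "\r" or "\f" as an escape.
    static boolean mangled(String entry) {
        return entry.chars().anyMatch(Character::isISOControl);
    }

    static void report(String label, String fileText) throws IOException {
        String servers = loadServers(fileText);
        System.out.println(label + " -> " + visible(servers));
        for (String entry : servers.split(",")) {
            int sep = entry.indexOf('\\');
            String kind = mangled(entry) ? "MANGLED"
                        : sep > 0 ? "domain=" + entry.substring(0, sep) + " server=" + entry.substring(sep + 1)
                        : "server=" + entry + " (no domain prefix)";
            System.out.println("    " + kind);
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed file contents using the placeholder names from the post.
        // In Java source "\\" is one backslash, so the first string holds a single backslash.
        report("single backslash ", "servers=NAMEOFDOMAIN\\nameofserver,nameofserver");
        report("escaped backslash", "servers=NAMEOFDOMAIN\\\\nameofserver,nameofserver");
    }
}
```

With the placeholder names from the post, the single-backslash line loads with \n read as a line feed, so the first entry comes out as NAMEOFDOMAIN, a line break, then ameofserver. A server name starting with a letter other than n, t, r, f or u would not produce a control character; Properties just drops the backslash, leaving DOMAINserver, which this check does not flag.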

luminary_mb
Champ in-the-making
Just tried that but it's not working. When I try to access the web client it pops up a window asking for my credentials, and when I enter my Windows username and password or the username and password of a previously created user in Alfresco, it doesn't accept the credentials and just prompts me for them again.

When you say nameofserver, you mean the name of the server where our Active Directory is located, right? I have looked in the log files and it says the following…

15:58:01,228 User:System ERROR [smb.protocol.auth] No valid CIFS authentication combination available
15:58:01,228 User:System ERROR [smb.protocol.auth] Either enable Kerberos support or use an authentication component that supports MD4 hashed passwords
15:58:01,230 User:System ERROR [alfresco.smb.protocol] CIFS server configuration error, Invalid CIFS authenticator configuration
16:00:10,662  ERROR [app.servlet.NTLMAuthenticationFilter] Client EU01956 using NTLMv2 logon, not valid with passthru authentication

Also do I need to set anything in the other properties (personService, nodeService, transactionService, guestAccess, protocolOrder) in the ntlm-authentication-context.xml file?

dward
Champ on-the-rise
The CIFS server isn't happy. You will have to configure the enterprise CIFS authenticator (see file-servers.xml). But that doesn't explain why you can't log in.

The reason why you can't log in is because you must be using a post-XP Windows installation that has NTLM v1 support switched off by default.

To use passthru, you need to enable NTLM v1 on the client machines. Otherwise it might be best to use Kerberos SSO. See

http://wiki.alfresco.com/wiki/Configuring_the_CIFS_and_web_servers_for_Kerberos/AD_integration

luminary_mb
Champ in-the-making
OK, I've fixed the CIFS error I was getting by configuring the file-servers.xml file, and it doesn't show those errors in the log file anymore.

But how do I enable NTLM v1 on the client machines?

dward
Champ on-the-rise
Is your Google broken or something?

luminary_mb
Champ in-the-making
I tried Googling for it but couldn't find much on enabling NTLM v1, everything seemed to point me towards enabling NTLM v2.

But anyway I tried your link, changed the settings on my computer to use NTLM v1 and it works perfect!!! I also got another two users to enable NTLM v1 and access the Alfresco web client and it worked for them too!

Thanks a lot! :D

dward
Champ on-the-rise
Maybe my Google is better than yours!

luminary_mb
Champ in-the-making
Just a question, in the article http://wiki.alfresco.com/wiki/3.0_Configuring_NTLM, it says:

Note that since Alfresco 3.0 NTLMv2 is now supported which is more secure than the NTLMv1 previously supported - and NTLMv2 will automatically downgrade to NTLMv1 if the client does not support it.

So if our client machines do not support NTLMv2 and only support NTLMv1, then why doesn't the Alfresco server automatically downgrade to NTLMv1 if that's what it says in the article?