Single Sign On using Windows Authentication

luminary_mb
Champ in-the-making
Hi,

What is the simplest method to enable single sign on so that when users try to access the Alfresco web client, they are automatically logged in via their Windows login credentials? We would still like to maintain the list of users within Alfresco. What type of configuration is required to do this?

I am using Alfresco Enterprise 3.1 on a Linux Ubuntu server.

Thanks.
35 REPLIES

dward
Champ on-the-rise
It also says two paragraphs later

Note that the support of NTLMv2 is only for configurations storing passwords (or hashes) in Alfresco. As NTLMv2 has been designed to avoid "man-in-the-middle" attacks, any passthru authentication is impossible.

In v3.2 terms this means it only works with the alfrescoNtlm subsystem - not the passthru subsystem. But that would mean storing copies of everyone's password in Alfresco and would rule out LDAP sync.

luminary_mb
Champ in-the-making
So is it possible to force Alfresco 3.1 Enterprise to use NTLM v2 possibly by storing everyone's passwords (or hashes) in the database or something? Or is this only an Alfresco 3.2 thing?

I am currently getting issues in that by reverting my client machine to use NTLM v1 for Alfresco single sign on, Microsoft Outlook is always prompting me for my username and password each time I start it up because Outlook was previously using NTLM v2 authentication.

dward
Champ on-the-rise
If you set

authentication.chain=alfrescoNtlm1:alfrescoNtlm
ntlm.authentication.sso.enabled=true

in alfresco-global.properties then you will have NTLM v2 SSO with the alfresco database. You'll have to create the users manually, though, as LDAP sync assumes that authentication information is stored externally.
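
The rule discussed in this thread (NTLMv2 SSO works with the alfrescoNtlm subsystem, not with passthru) can be checked against an alfresco-global.properties file. The script below is an added example, not code from any poster or from Alfresco; the `passthru1` instance name and the treatment of chains with more than one member are assumptions.

```python
# Added example (not from the thread): audit an authentication.chain against
# the rule stated above: NTLMv2 SSO works with alfrescoNtlm, not passthru.
NTLM_SUPPORT = {
    "alfrescoNtlm": "NTLMv2",    # Alfresco stores the password hashes itself
    "passthru": "NTLMv1 only",   # NTLMv2 blocks relaying to a domain controller
}

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # or ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def parse_chain(value):
    """Split 'instance:type,instance:type' into (instance, type) pairs."""
    members = []
    for item in value.split(","):
        instance, sep, kind = item.strip().partition(":")
        if not (sep and instance and kind):
            raise ValueError(f"malformed chain member: {item!r}")
        members.append((instance, kind))
    return members

def audit(text):
    props = parse_properties(text)
    sso = props.get("ntlm.authentication.sso.enabled", "false").lower() == "true"
    members, warnings = [], []
    for instance, kind in parse_chain(props.get("authentication.chain", "")):
        members.append((instance, kind, NTLM_SUPPORT.get(kind, "not covered by this thread")))
        if kind == "passthru":
            warnings.append(f"{instance}: passthru cannot do NTLMv2, clients must allow NTLMv1")
        elif kind == "alfrescoNtlm" and sso:
            warnings.append(f"{instance}: users must be created manually in Alfresco")
    # Assumption: any alfrescoNtlm member plus the SSO flag is enough for NTLMv2 SSO.
    ntlmv2 = sso and any(kind == "alfrescoNtlm" for _, kind, _ in members)
    return {"sso_enabled": sso, "ntlmv2_sso": ntlmv2, "members": members, "warnings": warnings}

# Constructed inputs: the first is the configuration quoted in the thread,
# the second uses a hypothetical instance name "passthru1".
THREAD_CONFIG = "authentication.chain=alfrescoNtlm1:alfrescoNtlm\nntlm.authentication.sso.enabled=true\n"
PASSTHRU_CONFIG = "# passthru to a domain controller\nauthentication.chain=passthru1:passthru\n"

if __name__ == "__main__":
    for name, cfg in (("thread", THREAD_CONFIG), ("passthru", PASSTHRU_CONFIG)):
        print(name, audit(cfg))
```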

luminary_mb
Champ in-the-making
I can't find an alfresco-global.properties file in Alfresco 3.1 Enterprise. Is there anywhere else I can set these properties?

I can see an alfresco-shared.properties file in the WEB-INF/classes/alfresco directory.

dward
Champ on-the-rise
Sorry. Forgot we were talking about v3.1.

You just need to configure the NTLM authentication filters. See

http://wiki.alfresco.com/wiki/3.0_Configuring_NTLM

luminary_mb
Champ in-the-making
Do you mean follow the section in Alfresco Explorer and WebDav SSO using NTLM? I've already done this according to how the article describes it. Which part within this section can I force the Alfresco server to use NTLM v2?

dward
Champ on-the-rise
Just DON'T do the passthru configuration stuff in this section

http://wiki.alfresco.com/wiki/3.0_Configuring_NTLM#NTLM_Passthru_Authentication

Leave the default alfresco authentication component in place. It will then favour NTLM v2 and will only downgrade to v1 if required by the client.

luminary_mb
Champ in-the-making
If I don't do the passthru thing then where does the Alfresco server look for the Active Directory? Because previously in the 'ntlm-authentication-context.xml' file there was a servers property which contained the address of the Active Directory server. If I'm not using this file anymore then where do I put the address of the Active Directory server?

dward
Champ on-the-rise
It doesn't speak to Active Directory at all in this case. It has its own copy of the username and password.

luminary_mb
Champ in-the-making
Ah right. So I need to create a set of users in Alfresco with the same usernames and passwords as the people in our domain? And I do not need to follow the Domain Mappings section in that article either?