[SOLVED] NTLM Authentication on Share

jtp
Champ in-the-making
I've got NTLM authentication and passthrough configured per the Labs3Stable PDF.  Logging in to the /Alfresco interface works great.  Going to /share causes a 500 server error.  The key line out of the error page seems to be this:

java.lang.IllegalArgumentException: UserId is mandatory.
   org.alfresco.connector.ConnectorService.getCredentialVault(ConnectorService.java:510)
   org.alfresco.connector.ConnectorService.getCredentialVault(ConnectorService.java:491)
   org.alfresco.web.site.FrameworkHelper.getCredentialVault(FrameworkHelper.java:296)
   org.alfresco.web.site.FrameworkHelper.getCredentialVault(FrameworkHelper.java:310)

I've got logging enabled on both interfaces, but nothing is logged when I try to access /share.

Anyone have any ideas on what might be off?
39 REPLIES 39

mikeh
Star Contributor

jtp
Champ in-the-making
Yes.  I followed that section too, even noticing that the Wiki and install PDF show this:
         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfresco</connector-id>
            <endpoint-url>http://yourserver:8080/alfresco/wcs</endpoint-url>
            <identity>user</identity>
         </endpoint>

But the file that comes with Labs3Stable shows this:
         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfresco</connector-id>
            <endpoint-url>http://yourserver:8080/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>

Along with changing the endpoint url of course, I tried commenting out the external-auth section but the same result.

Also in the Installing labs3stable PDF, I think there's an error because when talking about Share, it tells you to change the alfresco web.xml (again).  See below:

To use NTLM with Share, you must first enable NTLM for Alfresco Explorer web application. Then edit the
web.xml file in the <TOMCAT_HOME>\webapps\alfresco\WEB-INF folder and change the servlet
filter that is used for Share.


The Wiki words it differently.

jtp
Champ in-the-making
I tried replacing just the share web.xml with the original, with no other changes.  /Alfresco works the same with passthrough working fine.  /Share brings up the login page now, but logging in with correct credentials takes me back to a 500 error, but with different information.  This one says:

javax.servlet.ServletException: org.alfresco.web.site.exception.RequestContextException: Exception running UserFactory in HttpRequestContextFactory
   org.alfresco.web.site.servlet.DispatcherServlet.service(DispatcherServlet.java:130)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:717)

and

org.alfresco.web.site.exception.UserFactoryException: Unable to create user - failed to retrieve user metadata: 
   org.alfresco.web.site.AlfrescoUserFactory.loadUser(AlfrescoUserFactory.java:159)
   org.alfresco.web.site.UserFactory.faultUser(UserFactory.java:169)
   org.alfresco.web.site.UserFactory.faultUser(UserFactory.java:110)


In either situation the user ID just isn't making it through.  I wouldn't be surprised if I misconfigured something but I'm just not sure what.

mikeh
Star Contributor
Here's the NTLM passthru config we've got running on our internal Engineering Share instance:

ntlm-authentication-context.xml
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>

<beans>

   <bean id="authenticationDao" class="org.alfresco.repo.security.authentication.DefaultMutableAuthenticationDao" >
         <property name="allowSetEnabled" value="true" />
         <property name="allowGetEnabled" value="true" />
         <property name="allowDeleteUser" value="true" />
         <property name="allowCreateUser" value="true" />
   </bean>


   <!-- The authentication component.                                      -->

   <!-- Use the passthru authentication component to authenticate using    -->
   <!-- user accounts on one or more Windows servers.                      -->

   <!-- Properties that specify the server(s) to use for passthru          -->
   <!-- authentication :-                                                  -->
   <!--   useLocalServer   use the local server for authentication         -->
   <!--   domain           use domain controllers from the specified domain-->
   <!--   servers          comma delimited list of server addresses or     -->
   <!--                    names                                           -->

   <bean id="authenticationComponent"
         class="org.alfresco.repo.security.authentication.ntlm.NTLMAuthenticationComponentImpl"
         parent="authenticationComponentBase">
       <property name="useLocalServer">
           <value>false</value>
       </property>
       <property name="servers">
           <value>*** YOUR PDC/BDC SERVER IP ADDRESS HERE ***</value>
       </property>
       <property name="personService">
           <ref bean="personService" />
       </property>
       <property name="nodeService">
           <ref bean="nodeService" />
       </property>
       <property name="transactionService">
           <ref bean="transactionComponent" />
       </property>
       <property name="guestAccess">
           <value>false</value>
       </property>
   </bean>

</beans>

And Share's web.xml
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>

   <display-name>Alfresco Project Slingshot</display-name>   
   <description>Alfresco Project Slingshot application</description>
  
   <context-param>
      <param-name>contextConfigLocation</param-name>
      <param-value>
         classpath:alfresco/webscript-framework-application-context.xml
         classpath:alfresco/web-framework-application-context.xml
         classpath:alfresco/web-framework-model-context.xml
         classpath:alfresco/slingshot-application-context.xml
      </param-value>
      <description>Spring config file locations</description>
   </context-param>
  
   <!-- For NTLM authentication support use the following filter -->
   <!-- -->
   <filter>
      <filter-name>Authentication Filter</filter-name>
      <filter-class>org.alfresco.web.site.servlet.NTLMAuthenticationFilter</filter-class>
      <init-param>
         <param-name>endpoint</param-name>
         <param-value>alfresco</param-value>
      </init-param>
   </filter>
 
  
   <!-- For NTLM authentication support enable the following mappings -->
   <!-- after enabling the NTLMAuthenticationFilter filter class above -->
   <!-- -->
   <filter-mapping>
      <filter-name>Authentication Filter</filter-name>
      <url-pattern>/page/*</url-pattern>
   </filter-mapping>
  
   <filter-mapping>
      <filter-name>Authentication Filter</filter-name>
      <url-pattern>/p/*</url-pattern>
   </filter-mapping>
  
   <filter-mapping>
      <filter-name>Authentication Filter</filter-name>
      <url-pattern>/s/*</url-pattern>
   </filter-mapping>
 
  
   <listener>
      <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
   </listener>
  
   <servlet>
      <servlet-name>apiServlet</servlet-name>
      <servlet-class>org.alfresco.web.scripts.servlet.WebScriptServlet</servlet-class>
      <init-param>
         <param-name>container</param-name>
         <param-value>webframework.webscripts.container</param-value>
      </init-param>
   </servlet>
  
   <servlet>
      <servlet-name>feedApiServlet</servlet-name>
      <servlet-class>org.alfresco.web.site.servlet.WebScriptFeedServlet</servlet-class>
      <init-param>
         <param-name>container</param-name>
         <param-value>webframework.webscripts.container</param-value>
      </init-param>
      <init-param>
         <param-name>authenticator</param-name>
         <param-value>webscripts.authenticator.delegatingbasic</param-value>
      </init-param>
   </servlet>

   <servlet>
      <servlet-name>proxyServlet</servlet-name>
      <servlet-class>org.alfresco.web.scripts.servlet.EndPointProxyServlet</servlet-class>
   </servlet>

   <servlet>
      <servlet-name>uriTemplateServlet</servlet-name>
      <servlet-class>org.alfresco.web.uri.UriTemplateServlet</servlet-class>
   </servlet>

   <!-- The Web Framework Dispatcher Servlet -->
   <servlet>
      <servlet-name>pageRendererServlet</servlet-name>
      <servlet-class>org.alfresco.web.site.servlet.DispatcherServlet</servlet-class>
      <load-on-startup>1</load-on-startup>
   </servlet>
  
   <servlet>
      <servlet-name>frameworkControlServlet</servlet-name>
      <servlet-class>org.alfresco.web.site.servlet.FrameworkControlServlet</servlet-class>
   </servlet>
  
   <servlet>
      <servlet-name>loginServlet</servlet-name>
      <servlet-class>org.alfresco.web.site.servlet.LoginServlet</servlet-class>
   </servlet>

   <servlet>
      <servlet-name>logoutServlet</servlet-name>
      <servlet-class>org.alfresco.web.site.servlet.LogoutServlet</servlet-class>
   </servlet>

   <servlet-mapping>
      <servlet-name>logoutServlet</servlet-name>
      <url-pattern>/logout</url-pattern>
   </servlet-mapping>

   <servlet-mapping>
      <servlet-name>loginServlet</servlet-name>
      <url-pattern>/login/*</url-pattern>
   </servlet-mapping>

   <servlet-mapping>
      <servlet-name>apiServlet</servlet-name>
      <url-pattern>/service/*</url-pattern>
   </servlet-mapping>
  
   <servlet-mapping>
      <servlet-name>feedApiServlet</servlet-name>
      <url-pattern>/feedservice/*</url-pattern>
   </servlet-mapping>
  
   <servlet-mapping>
      <servlet-name>proxyServlet</servlet-name>
      <url-pattern>/proxy/*</url-pattern>
   </servlet-mapping>
  
   <servlet-mapping>
      <servlet-name>pageRendererServlet</servlet-name>
      <url-pattern>/page/*</url-pattern>
   </servlet-mapping>

   <servlet-mapping>
      <servlet-name>pageRendererServlet</servlet-name>
      <url-pattern>/p/*</url-pattern>
   </servlet-mapping>
  
   <servlet-mapping>
      <servlet-name>uriTemplateServlet</servlet-name>
      <url-pattern>/s/*</url-pattern>
   </servlet-mapping>
  
   <servlet-mapping>
      <servlet-name>frameworkControlServlet</servlet-name>
      <url-pattern>/control/*</url-pattern>
   </servlet-mapping>
  
   <session-config>
      <session-timeout>30</session-timeout>
   </session-config>

   <!-- welcome file list precedence order is index.jsp, then index.html -->
   <welcome-file-list>
      <welcome-file>index.jsp</welcome-file>
      <welcome-file>index.html</welcome-file>
   </welcome-file-list>

</web-app>

Does that help at all?
Mike
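
Added example, not part of the original thread and not Alfresco's own code: a Python check, run on constructed and trimmed copies of the two files discussed above, that the NTLM filter in Share's web.xml names an endpoint id that actually exists in the endpoint config, and that lists which servlet URL patterns are and are not behind the filter. The function name `check_share_ntlm` and the `<config>` wrapper element are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed samples modelled on the files posted in this thread.
WEB_XML = """<web-app>
  <filter>
    <filter-name>Authentication Filter</filter-name>
    <filter-class>org.alfresco.web.site.servlet.NTLMAuthenticationFilter</filter-class>
    <init-param><param-name>endpoint</param-name><param-value>alfresco</param-value></init-param>
  </filter>
  <filter-mapping><filter-name>Authentication Filter</filter-name><url-pattern>/page/*</url-pattern></filter-mapping>
  <filter-mapping><filter-name>Authentication Filter</filter-name><url-pattern>/p/*</url-pattern></filter-mapping>
  <servlet-mapping><servlet-name>pageRendererServlet</servlet-name><url-pattern>/page/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>pageRendererServlet</servlet-name><url-pattern>/p/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>proxyServlet</servlet-name><url-pattern>/proxy/*</url-pattern></servlet-mapping>
</web-app>"""

ENDPOINTS_XML = """<config>  <!-- wrapper element is a placeholder -->
  <endpoint>
    <id>alfresco</id>
    <connector-id>alfresco</connector-id>
    <endpoint-url>http://yourserver:8080/alfresco/wcs</endpoint-url>
    <identity>user</identity>
    <external-auth>true</external-auth>
  </endpoint>
</config>"""

NTLM_FILTER = "org.alfresco.web.site.servlet.NTLMAuthenticationFilter"

def check_share_ntlm(web_xml, endpoints_xml):
    web, cfg = ET.fromstring(web_xml), ET.fromstring(endpoints_xml)
    endpoints = {e.findtext("id"): e for e in cfg.iter("endpoint")}
    report = {"problems": [], "filtered": [], "unfiltered": [], "external_auth": None}
    ntlm = [f for f in web.iter("filter") if (f.findtext("filter-class") or "").strip() == NTLM_FILTER]
    if not ntlm:
        report["problems"].append("NTLM filter not declared (still commented out?)")
        return report
    name = ntlm[0].findtext("filter-name")
    params = {p.findtext("param-name"): p.findtext("param-value") for p in ntlm[0].iter("init-param")}
    ep = endpoints.get(params.get("endpoint"))
    if ep is None:
        report["problems"].append("filter endpoint %r has no matching <endpoint><id>" % params.get("endpoint"))
    else:
        report["external_auth"] = ep.findtext("external-auth")  # reported, not judged
    report["filtered"] = [m.findtext("url-pattern") for m in web.iter("filter-mapping")
                          if m.findtext("filter-name") == name]
    if not report["filtered"]:
        report["problems"].append("NTLM filter declared but has no <filter-mapping>")
    # Exact string comparison of patterns, not full servlet path matching.
    report["unfiltered"] = [m.findtext("url-pattern") for m in web.iter("servlet-mapping")
                            if m.findtext("url-pattern") not in report["filtered"]]
    return report
```

The `unfiltered` list shows which servlet paths never pass through the authentication filter, which is worth reviewing whenever the filter block in web.xml is enabled or reverted.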

jtp
Champ in-the-making
I checked and my files are the same except for the session timeout.  Could anything else be to blame?

mikeh
Star Contributor
The only other issue is that NTLM doesn't work well (at all…) with Safari/WebKit (and hence probably Chrome).

Mike

jtp
Champ in-the-making
I'm using IE. 

Is the webscript-framework-config-custom that has to be tweaked supposed to completely replace the non custom one?  Because there's stuff in the regular one that's not in the custom.

jtp
Champ in-the-making
MikeH,
Could I see your /alfresco web.xml and your webscript framework config custom.xml?

jtp
Champ in-the-making
In the meantime, I changed the share web.xml and the webscript file back to normal.  Alfresco interface still signs on automatically, and share signs on manually.