SSO + Passthru

nm_santos
Champ in-the-making
Hi everyone,

I'm trying to configure a passthru authentication with SSO but I keep getting an error when I access Alfresco Share. Can anyone help?


org.springframework.extensions.surf.exception.PlatformRuntimeException: 03200006 Incorrectly configured endpoint ID: alfresco
org.alfresco.web.site.servlet.SSOAuthenticationFilter.challengeOrPassThrough(SSOAuthenticationFilter.java:593)
org.alfresco.web.site.servlet.SSOAuthenticationFilter.doFilter(SSOAuthenticationFilter.java:378)

Here's my alfresco global properties file (only the passthru configuration):
authentication.chain=passthru1:passthru

ntlm.authentication.sso.enabled=true
ntlm.authentication.mapUnknownUserToGuest=false
passthru.authentication.domain=domain
passthru.authentication.servers=domain\\logonserver
passthru.authentication.authenticateCIFS=false
passthru.authentication.authenticateFTP=false
passthru.authentication.guestAccess=false
passthru.authentication.defaultAdministratorUserNames=myUser

I used the following command in the command line: echo %USERDOMAIN% %LOGONSERVER% and it showed the appropriate names "domain" and "logonserver" respectively.

My share-custom-config.xml file:

<alfresco-config>
  
   <!-- Repository Library config section -->
   <config evaluator="string-compare" condition="RepositoryLibrary" replace="true">
      <!--
         Whether the link to the Repository Library appears in the header component or not.
      -->
      <visible>true</visible>
   </config>

   <config evaluator="string-compare" condition="Remote">
      <remote>
         <endpoint>
            <id>alfresco-noauth</id>
            <name>Alfresco - unauthenticated access</name>
            <description>Access to Alfresco Repository WebScripts that do not require authentication</description>
            <connector-id>alfresco</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
            <identity>none</identity>
         </endpoint>

         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfresco</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
            <identity>user</identity>
         </endpoint>

         <endpoint>
            <id>alfresco-feed</id>
            <name>Alfresco Feed</name>
            <description>Alfresco Feed - supports basic HTTP authentication via the EndPointProxyServlet</description>
            <connector-id>http</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
            <basic-auth>true</basic-auth>
            <identity>user</identity>
         </endpoint>
      </remote>
   </config>
  
   <!--
        Overriding endpoints to reference an Alfresco server with external SSO enabled
        NOTE: If utilising a load balancer between web-tier and repository cluster, the "sticky
              sessions" feature of your load balancer must be used.
        NOTE: If alfresco server location is not localhost:8080 then also combine changes from the
              "example port config" section below.
        *Optional* keystore contains SSL client certificate + trusted CAs.
        Used to authenticate share to an external SSO system such as CAS
        Remove the keystore section if not required i.e. for NTLM.
       
        NOTE: For Kerberos SSO rename the "KerberosDisabled" condition above to "Kerberos"
       
        NOTE: For external SSO switch the endpoint connector to "AlfrescoHeader" and set
              the userHeader to the name of the HTTP header that the external SSO
              uses to provide the authenticated user name.
   -->
   <config evaluator="string-compare" condition="Remote">
      <remote>
         <keystore>
             <path>alfresco/web-extension/alfresco-system.p12</path>
             <type>pkcs12</type>
             <password>alfresco-system</password>
         </keystore>
        
         <connector>
            <id>alfrescoCookie</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using cookie-based authentication</description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
            <userHeader>SsoUserHeader</userHeader>
         </connector>
        
          <connector>
            <id>alfrescoHeader</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
            <userHeader>SsoUserHeader</userHeader>
         </connector>

        <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfrescoCookie</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
      </remote>
   </config>

</alfresco-config>


My tomcat.out log keeps displaying this warning repeatedly:


WARN : org.alfresco.wcm.client.util.impl.GuestSessionFactoryImpl - WQS unable to connect to repository: Unauthorized

As for my tomcat.err log, this happens:


SEVERE: Servlet.service() for servlet Spring Surf Dispatcher Servlet threw exception
org.springframework.extensions.surf.exception.PlatformRuntimeException: 03200002 Incorrectly configured endpoint ID: alfresco
   at org.alfresco.web.site.servlet.SSOAuthenticationFilter.challengeOrPassThrough(SSOAuthenticationFilter.java:593)
   at org.alfresco.web.site.servlet.SSOAuthenticationFilter.doFilter(SSOAuthenticationFilter.java:378)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
   at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
   at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
   at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:861)
   at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:579)
   at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1584)
   at java.lang.Thread.run(Thread.java:662)
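A small lint for the Remote endpoint sections, added here as an example (not Alfresco's code and not from the poster): it parses a Share config shaped like the one above and lists duplicate endpoint ids, endpoints whose connector-id is declared nowhere, external-auth endpoints, and user endpoints on plain http, so these can be ruled out before looking elsewhere (in this thread the fix turned out to be the case of the passthru server name). The BUILTIN_CONNECTORS set is an assumption about what the stock share-config.xml provides, and the embedded sample is constructed.

```python
"""Added example (not Alfresco's code): lint <config condition="Remote"> sections of a Share config."""
import xml.etree.ElementTree as ET

# Assumption: connector ids that Share's stock share-config.xml already defines.
BUILTIN_CONNECTORS = {"alfresco", "alfrescoCookie", "alfrescoHeader", "http"}

# Constructed sample shaped like the thread's share-custom-config.xml: the 'alfresco'
# endpoint is declared in two Remote sections with different connectors.
SAMPLE = """<alfresco-config>
 <config evaluator="string-compare" condition="Remote"><remote>
  <endpoint><id>alfresco</id><connector-id>alfresco</connector-id>
   <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url><identity>user</identity></endpoint>
 </remote></config>
 <config evaluator="string-compare" condition="Remote"><remote>
  <connector><id>alfrescoCookie</id>
   <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class></connector>
  <endpoint><id>alfresco</id><connector-id>alfrescoCookie</connector-id>
   <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url><identity>user</identity>
   <external-auth>true</external-auth></endpoint>
 </remote></config>
</alfresco-config>"""

def lint_remote_config(xml_text):
    """Return a list of finding strings; an empty list means nothing to review."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:  # e.g. a comment typed with en-dashes instead of <!-- -->
        return [f"not well-formed XML: {exc}"]
    sections = [c for c in root.findall("config") if c.get("condition") == "Remote"]
    connectors = set(BUILTIN_CONNECTORS)  # connectors may be declared in any section
    for cfg in sections:
        connectors.update(c.findtext("id", "").strip() for c in cfg.iter("connector"))
    findings, seen = [], {}
    for idx, cfg in enumerate(sections, 1):
        for ep in cfg.iter("endpoint"):
            eid = ep.findtext("id", "").strip()
            cid = ep.findtext("connector-id", "").strip()
            url = ep.findtext("endpoint-url", "").strip()
            seen.setdefault(eid, []).append((idx, cid))
            if cid not in connectors:
                findings.append(f"endpoint '{eid}' (section {idx}): unknown connector '{cid}'")
            if ep.findtext("external-auth", "").strip() == "true":
                findings.append(f"endpoint '{eid}' (section {idx}): external-auth=true, Share relies on the repository's SSO here")
            if ep.findtext("identity", "").strip() == "user" and url.startswith("http://"):
                findings.append(f"endpoint '{eid}' (section {idx}): user identity forwarded over plain http ({url}); only acceptable on a loopback or trusted link")
    for eid, decls in seen.items():
        if len(decls) > 1:
            where = ", ".join(f"section {i} via '{c}'" for i, c in decls)
            findings.append(f"endpoint '{eid}' declared {len(decls)} times ({where}); check which one Share loads")
    return findings
```

Run `lint_remote_config(open("share-custom-config.xml").read())` against the real file to get the same report for it.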

nm_santos
Champ in-the-making
Hello,

Unfortunately, I do not have a lot of practice running Alfresco on a Windows server. You said you've tried the short domain name - have you also tried me\\ADPTL202 for server? Have you checked name resolution on your Alfresco server for the addresses provided (e.g. nslookup / ping)? Have you tried without specifying passthru.authentication.domain (leaving it blank, which was the case in all installations I maintained that use passthru)?

Regards
Axel

It seems the error disappeared because I wrote it in Caps Lock. We are making progress!

Now, whenever I try to login, a popup window appears, I enter the username and password, but it doesn't work. I read in the wiki that I should add the web site to the trusted intranet sites, and I did. Localhost is in the list, I checked.

And then I checked the logs and found this:


17:16:12,814  ERROR [app.servlet.NTLMAuthenticationFilter] Client DT106846 using NTLMv2 logon, not valid with passthru authentication

That means what? That my ADServer only supports NTLMv2 and not v1?

afaust
Legendary Innovator
Hello,

You are apparently using a Windows 7 client. Windows 7 does not allow NTLMv1 by default, which Alfresco requires in order to achieve a working SSO. NTLMv2 is not an option as Alfresco could not intercept and extract the necessary information. Basically, passthru in Alfresco is a man-in-the-middle attack.
You need to change a setting in the registry for SSO via passthru to work on Windows 7 clients. See the technet article about the option - it needs to be set to a value of 2 to work.

There are also a few community blogs out there dealing with this, one being http://tips.kaali.co.uk/2011/05/12/alfresco-login-ntlmv2-and-passthru-issues/

Regards
Axel

nm_santos
Champ in-the-making
Hello,

You are apparently using a Windows 7 client. Windows 7 does not allow NTLMv1 by default, which Alfresco requires in order to achieve a working SSO. NTLMv2 is not an option as Alfresco could not intercept and extract the necessary information. Basically, passthru in Alfresco is a man-in-the-middle attack.
You need to change a setting in the registry for SSO via passthru to work on Windows 7 clients. See the technet article about the option - it needs to be set to a value of 2 to work.

There are also a few community blogs out there dealing with this, one being http://tips.kaali.co.uk/2011/05/12/alfresco-login-ntlmv2-and-passthru-issues/

Regards
Axel


Thank you, it works!