Understanding Alfresco subsystems for authentication (3.3)

bnice
Champ in-the-making
Hi,

I need to get my fresh Alfresco 3.3 installation to run together with a W2K3 ADS - SSO is not a must, but would be nice to have.
I tried to configure Kerberos for that reason with help of the wiki http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#Kerberos, but still have some difficulties getting the Alfresco Explorer to work with AD authentication. Share is working fine with AD.
I'm quite sure I have to make some further changes to alfresco-global.properties and/or other files, but I don't understand the use of the subsystems in release 3.3 (I used 3.0 before).
Do I have to create new .properties files for that purpose and where? I have no path /opt/Alfresco/tomcat/shared/classes/extensions, so do I have to create it?

Where do I have to add these lines (if needed):

kerberos.authentication.realm
    The Kerberos realm to authenticate with. The realm should be the domain upper cased; example if the domain is alfresco.org then the realm should be ALFRESCO.ORG
kerberos.authentication.sso.enabled
    A Boolean that when true enables SPNEGO/Kerberos based Single Sign On (SSO) functionality in the Web client. When false and no other members of the authentication chain support SSO, password-based login will be used.
kerberos.authentication.authenticateCIFS
    A Boolean that when true enables Kerberos authentication in the CIFS server. When false and no other members of the authentication chain support CIFS authentication, the CIFS server will be disabled.
kerberos.authentication.user.configEntryName
    The name of the entry in the JAAS configuration file that should be used for password-based authentication. The default value Alfresco is a good choice here.
kerberos.authentication.cifs.configEntryName
    The name of the entry in the JAAS configuration file that should be used for CIFS authentication. The default value AlfrescoCIFS is a good choice here.
kerberos.authentication.http.configEntryName
    The name of the entry in the JAAS configuration file that should be used for web-based single-sign on (SSO). The default value AlfrescoHTTP is a good choice here.
kerberos.authentication.cifs.password
    The password for the CIFS Kerberos principal
kerberos.authentication.http.password
    The password for the HTTP Kerberos principal
kerberos.authentication.defaultAdministratorUserNames
    A comma separated list of user names who should be considered administrators by default
kerberos.authentication.browser.ticketLogons (new in v3.3 SP3)
    Can a ticket parameter in the request URL be used to authenticate with the Alfresco Explorer application? Default is true. Note that WebDAV URLs always accept ticket parameters.

rhoefer
Champ in-the-making
From my understanding you can:
1) put your properties inside alfresco-global.properties (which is what I have tested with and seems to work fine)

2) you can make a new directory inside WEB-INF/classes/alfresco/subsystems/Authentication/kerberos/ called kerberos1 and then override.

Spring Beans

For advanced purposes, you can also extend or override the Spring Bean definitions of the subsystem.

If you add a Spring Bean file to your application server's global classpath (e.g. under $TOMCAT_HOME/shared/classes) with a path matching the following pattern you can add to or override the subsystem bean definitions.

alfresco/extension/subsystems/<category>/<type>/<id>/*-context.xml

Here, the ID is the subsystem instance identifier, which will be default for single instance subsystems, or the provided ID for chained subsystems.

So, for example, suppose your authentication chain looked like this:

authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap

Then you could put bean definition overrides for alfrescoNtlm1 in

alfresco/extension/subsystems/Authentication/alfrescoNtlm/alfrescoNtlm1/custom-context.xml


Remembering that the default type and ID of non-chained subsystems is default you could put overrides for file server beans in

alfresco/extension/subsystems/fileServers/default/default/custom-file-servers-context.xml

*Edit

After re-reading your question I realized that this really only pertains to your question regarding properties and locations. I thought I had read that everything should at the bare minimum work with Explorer before it works with Share (someone please correct me if I'm wrong).

mrogers
Star Contributor
Please don't change anything in the WEB-INF folder.

bnice
Champ in-the-making
So every change has to be done in alfresco-global.properties? I'll try this.

bnice
Champ in-the-making
I followed this guide
http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#Kerberos
and I've added the following in the alfresco-global.properties:


# The default authentication chain
# To configure external authentication subsystems see:
# http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems
#-------------
#authentication.chain=alfrescoNtlm1:alfrescoNtlm
authentication.chain=alfrescoNtlm1:alfrescoNtlm, kerberos:kerberos
kerberos.authentication.realm=MYDOMAIN.LOCAL
kerberos.authentication.sso.enabled=false
kerberos.authentication.authenticateCIFS=true
kerberos.authentication.user.configEntryName=alfresco
kerberos.authentication.cifs.configEntryName=alfrescocifs
kerberos.authentication.http.configEntryName=alfrescohttp
kerberos.authentication.cifs.password=***
kerberos.authentication.http.password=***
kerberos.authentication.defaultAdministratorUserNames=admin

But I must have missed something - trying to log in with domain accounts fails:
The Remote Server is unreachable, or your credentials were not recognized.
(I translated that from German…)

bnice
Champ in-the-making
I found a hint on how to work with the subsystems here: http://forums.alfresco.com/en/viewtopic.php?f=9&t=28656
Now trying to adapt this for my system.

So I copied the files from
/opt/Alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/…
to
/opt/Alfresco/shared/classes/extension/subsystems/Authentication/…
(/ldap-ad/ldap-ad1, /alfrescoNtlm/alfrescoNtlm1, /passthru/passthru1, …)
where I edited these (when necessary).

Am I correct so far?

My alfresco-global.properties is now only containing
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap-ad1:ldap-ad
for authentication, I'll later extend this to kerberos

bnice
Champ in-the-making
Found the problem regarding the subsystems:
Was caused by a "File not found"

tail -f alfresco.log
is always your friend…
Caused by: java.io.FileNotFoundException: 
/opt/Alfresco/tomcat/shared/classes/alfresco/extension/subsystems/Authentication/ldap-ad/ldap-ad1/../common-ldap-context.xml (No such file or directory)

The file "common-ldap-context.xml" has to be located under
/opt/Alfresco/shared/classes/extension/subsystems/Authentication/ldap-ad
respectively
/opt/Alfresco/shared/classes/extension/subsystems/Authentication/ldap
(for non-Windows LDAP)

At first, I copied it to
/opt/Alfresco/shared/classes/extension/subsystems/Authentication/ldap-ad/ldap-ad1

After correcting that, LDAP was used for authentication.
Share is now running with LDAP login; Alfresco Explorer still has an error, as it does not support NTLMv2:

16:24:13,865 DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] Received type3 [Type3:,LM:000000000000000000000000000000000000000000000000,
NTLM:35fb5be1dba846ea300a95190c2ff33d0101000000000000af8ab392e154cb01578d66ff7ea7475a000000000200060061006c0066000000000000000000,
Dom:,User:user@mydomain.local,Wks:Workstationname]
16:24:13,866 ERROR [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] Client Workstationname using NTLMv2 logon, not valid with passthru authentication

So, I'll have to use Kerberos for that (please correct me if I'm wrong)

I'll stick to this guide http://www.anotherstrangerme.com/afresco-integration-with-active-directory-using-kerberos/ for configuring Kerberos.
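To make two points from this thread concrete (the chain-ID to override-directory mapping from rhoefer's reply, and the location of common-ldap-context.xml one level above the instance directory, as the FileNotFoundException above shows), here is an added Python check. It is not from the thread or from Alfresco; it assumes the override root alfresco/extension/subsystems/Authentication under shared/classes and builds a constructed directory layout in a temporary directory.

```python
import os
import tempfile

# Global-classpath override root from the thread (relative to shared/classes).
EXT_BASE = "alfresco/extension/subsystems/Authentication"
# Subsystem types whose instance context includes ../common-ldap-context.xml
LDAP_TYPES = {"ldap", "ldap-ad"}


def parse_chain(chain_value):
    """Parse 'id1:type1,id2:type2' into [(id, type), ...], tolerating spaces."""
    members = []
    for raw in chain_value.split(","):
        if ":" not in raw:
            raise ValueError("chain member %r is not in id:type form" % raw)
        inst_id, inst_type = (p.strip() for p in raw.split(":", 1))
        members.append((inst_id, inst_type))
    return members


def override_dir(classes_dir, inst_id, inst_type):
    """Directory whose *-context.xml files override this chain member's beans."""
    return os.path.join(classes_dir, EXT_BASE, inst_type, inst_id)


def check_layout(classes_dir, chain_value):
    """Return a list of problems; an empty list means the layout matches the chain."""
    problems = []
    for inst_id, inst_type in parse_chain(chain_value):
        inst_dir = override_dir(classes_dir, inst_id, inst_type)
        if not os.path.isdir(inst_dir):
            problems.append("missing override directory: " + inst_dir)
        elif inst_type in LDAP_TYPES:
            # The instance context resolves ../common-ldap-context.xml, so the
            # file belongs in the type directory, one level above the instance.
            common = os.path.join(os.path.dirname(inst_dir), "common-ldap-context.xml")
            if not os.path.isfile(common):
                problems.append("missing " + common)
    return problems


def demo():
    """Constructed layout reproducing the thread's mistake, then the fix."""
    chain = "alfrescoNtlm1:alfrescoNtlm, ldap-ad1:ldap-ad"
    with tempfile.TemporaryDirectory() as classes_dir:
        for inst_id, inst_type in parse_chain(chain):
            os.makedirs(override_dir(classes_dir, inst_id, inst_type))
        type_dir = os.path.join(classes_dir, EXT_BASE, "ldap-ad")
        wrong = os.path.join(type_dir, "ldap-ad1", "common-ldap-context.xml")
        open(wrong, "w").close()  # copied into the instance dir, as in the thread
        before = check_layout(classes_dir, chain)
        os.replace(wrong, os.path.join(type_dir, "common-ldap-context.xml"))
        after = check_layout(classes_dir, chain)
    return before, after
```

Running check_layout against a real shared/classes directory before restarting Tomcat reports the misplaced file up front instead of leaving it to a stack trace in alfresco.log.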

bnice
Champ in-the-making
UPDATE

Seems to be working now :)

Used authentication chain

authentication.chain=kerberos1:kerberos,ldap-ad1:ldap-ad

and configured everything else in the config files for the authentication subsystem.