
Windows XP can but Vista/7 can't login CIFS on Alfresco+AD

samphan
Champ in-the-making
We've set up an Alfresco server with this configuration:
  • Alfresco 3.3 Community Edition
  • on Ubuntu 8.04 LTS
  • authenticate with an Active Directory on Windows 2008 R2
  • using CIFS passthru
Login thru Alfresco Explorer works fine. A Windows XP client (which has joined a domain) can log in successfully to access the CIFS share.
However, the problem is that a Windows Vista/7 client cannot log in to the CIFS share!
I think this is a known problem but I can't find a working solution.
Anyone?

alfresco-global.properties
dir.root=./alf_data
db.name=alfresco
db.username=alfresco
db.password=alfresco
db.host=localhost
db.port=3306
db.driver=org.gjt.mm.mysql.Driver
db.url=jdbc:mysql://localhost/alfresco
authentication.chain=alfrescoNtlm1:alfrescoNtlm,passthru1:passthru,ldap-ad1:ldap-ad
ntlm.authentication.sso.enabled=false
ntlm.authentication.authenticateCIFS=false
alfresco.authentication.authenticateCIFS=false
alfresco.authentication.allowGuestLogin=false
passthru.authentication.sso.enabled=false
passthru.authentication.allowGuestLogin=false
passthru.authentication.authenticateCIFS=true
passthru.authentication.authenticateFTP=false
passthru.authentication.servers=192.168.1.48
passthru.authentication.domain=
passthru.authentication.useLocalServer=false
passthru.authentication.guestAccess=true
passthru.authentication.defaultAdministratorUserNames=administrator
passthru.authentication.connectTimeout=5000
passthru.authentication.offlineCheckInterval=300
passthru.authentication.protocolOrder=TCPIP,NETBIOS
ldap.authentication.active=false
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.userNameFormat=%s
ldap.authentication.allowGuestLogin=false
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://192.168.1.48:389
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=CN\=Administrator,CN\=Users,DC\=tisco,DC\=local
ldap.synchronization.java.naming.security.credentials=P@ssw0rd
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.groupDifferentialQuery=(&(objectclass=nogroup)(!(modifyTimestamp<\={0})))
ldap.synchronization.personQuery=(&(objectclass=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(& (objectclass=user)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.groupSearchBase=CN\=Users,DC\=tisco,DC\=local
ldap.synchronization.userSearchBase=CN\=Users,DC\=tisco,DC\=local
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=msExchALObjectVersion
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
synchronization.synchronizeChangesOnly=true
#cifs.disableNativeCode=false
cifs.enabled=true
cifs.ServerName=alfresco-demo
cifs.domain=
cifs.hostanounce=true
cifs.broadcast=255.255.255.255
cifs.sessionTimeout=500
cifs.ipv6.enabled=false
cifs.tcpipSMB.port=1445
cifs.netBIOSSMB.namePort=1137
cifs.netBIOSSMB.datagramPort=1138
cifs.netBIOSSMB.sessionPort=1139
cifs.WINS.autoDetectEnabled=true
alfresco.log when trying to use Windows XP to login to the CIFS share, successfully
10:00:51,442 DEBUG [org.alfresco.smb.protocol.auth] Mapped client /192.168.1.130 to domain null
10:00:51,443 DEBUG [org.alfresco.smb.protocol.auth] Passthru sessId=11, auth ctx=[NTLM,Challenge=ea79904645ee162b]
10:00:51,446 DEBUG [org.alfresco.smb.protocol.auth] Using Write transaction
10:00:51,459 DEBUG [org.alfresco.smb.protocol.auth] Setting current user using person sukanda (username sukanda)
10:00:51,459 DEBUG [org.alfresco.smb.protocol.auth] Passthru authenticate user=sukanda, FULL
10:00:51,460 DEBUG [org.alfresco.smb.protocol.auth] Using Write transaction
10:00:51,471 DEBUG [org.alfresco.smb.protocol.auth] Closed auth session, sessId=11
alfresco.log when trying to use Windows 7 to login to the CIFS share, unsuccessfully
10:28:29,281 DEBUG [org.alfresco.smb.protocol.auth] Mapped client /192.168.1.197 to domain null
10:28:29,283 DEBUG [org.alfresco.smb.protocol.auth] Passthru sessId=16, auth ctx=[NTLM,Challenge=21223c0054ec11cf]
10:28:29,286 DEBUG [org.alfresco.smb.protocol.auth] Using Write transaction
10:28:29,288 ERROR [org.alfresco.smb.protocol.auth] org.alfresco.jlan.smb.SMBException: Invalid parameter
10:28:38,872 DEBUG [org.alfresco.smb.protocol.auth] Using Write transaction
10:28:38,874 ERROR [org.alfresco.smb.protocol.auth] org.alfresco.jlan.smb.SMBException: Invalid parameter
10:28:52,072 DEBUG [org.alfresco.smb.protocol.auth] Closed auth session, sessId=16
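
Added example, not part of the original post and not Alfresco code: a small parser that groups the `org.alfresco.smb.protocol.auth` debug lines shown above into passthru sessions and reports which client addresses fail with `SMBException`. The function names are hypothetical, and the sample input is a subset of the log lines quoted in the post.

```python
import re
from collections import Counter

# Lines copied from the two alfresco.log excerpts in the post above.
SAMPLE_LOG = """\
10:00:51,442 DEBUG [org.alfresco.smb.protocol.auth] Mapped client /192.168.1.130 to domain null
10:00:51,443 DEBUG [org.alfresco.smb.protocol.auth] Passthru sessId=11, auth ctx=[NTLM,Challenge=ea79904645ee162b]
10:00:51,459 DEBUG [org.alfresco.smb.protocol.auth] Passthru authenticate user=sukanda, FULL
10:00:51,471 DEBUG [org.alfresco.smb.protocol.auth] Closed auth session, sessId=11
10:28:29,281 DEBUG [org.alfresco.smb.protocol.auth] Mapped client /192.168.1.197 to domain null
10:28:29,283 DEBUG [org.alfresco.smb.protocol.auth] Passthru sessId=16, auth ctx=[NTLM,Challenge=21223c0054ec11cf]
10:28:29,288 ERROR [org.alfresco.smb.protocol.auth] org.alfresco.jlan.smb.SMBException: Invalid parameter
10:28:38,874 ERROR [org.alfresco.smb.protocol.auth] org.alfresco.jlan.smb.SMBException: Invalid parameter
10:28:52,072 DEBUG [org.alfresco.smb.protocol.auth] Closed auth session, sessId=16
"""

CLIENT = re.compile(r"Mapped client /(\S+) to domain")
OPEN = re.compile(r"Passthru sessId=(\d+), auth ctx=\[(\w+),")
USER = re.compile(r"Passthru authenticate user=([^,\s]+)")
ERROR = re.compile(r" ERROR \[org\.alfresco\.smb\.protocol\.auth\] \S+?: (.+)")
CLOSE = re.compile(r"Closed auth session, sessId=(\d+)")

def passthru_sessions(log_text):
    """Return one dict per passthru session (client, user, errors, outcome)."""
    # Lines between open and close carry no session id, so this assumes
    # sessions are not interleaved in the log (assumption of this example).
    sessions, current, client = [], None, None
    for line in log_text.splitlines():
        if m := CLIENT.search(line):
            client = m.group(1)
        elif m := OPEN.search(line):
            current = {"sess_id": m.group(1), "client": client, "user": None, "errors": []}
        elif current is None:
            continue
        elif m := USER.search(line):
            current["user"] = m.group(1)
        elif m := ERROR.search(line):
            current["errors"].append(m.group(1))
        elif (m := CLOSE.search(line)) and m.group(1) == current["sess_id"]:
            ok = current["user"] is not None and not current["errors"]
            current["outcome"] = "ok" if ok else "failed"
            sessions.append(current)
            current = None
    return sessions

def failing_clients(log_text):
    """Count failed passthru sessions per client address."""
    failed = [s["client"] for s in passthru_sessions(log_text) if s["outcome"] == "failed"]
    return Counter(failed)
```

Run over a full day's log, `failing_clients` gives the list of workstations affected by the failure, which is the inventory needed before deciding on any client-side or server-side change.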
9 REPLIES

tmanisaur
Champ in-the-making
Bump.

I also have this trouble, but I am not using AD or SSO.
I am running Alfresco 3.33g on Ubuntu Server 10.04 x64 LTS.
I am running Windows 7 Ultimate 64.
Using \\server_name\alfreso fails and alfresco does not show up in Windows Exploder.

sheijden
Champ in-the-making
Hi,

The problem is NTLMv1 vs NTLMv2.
Windows 7 uses the latter by default and Alfresco can't deal with it. At least not in my config. (3.3 on windows, passthru auth).

I changed the following on my Windows 7:

Start > Run > secpol.msc
Local Policies > Security Options > Network Security LAN Manager authenticating level
Select Send LM & NTLM - use NTLMv2 session security if negotiated

GRtz,

S

bmeyns
Champ in-the-making
I couldn't log in to Alfresco with my Win 7 client either (ALF 3.3, LDAP / NTLM authentication).
But your solution fixed the problem, thx S.!

Also noted on the Alfresco wiki (http://wiki.alfresco.com/wiki/CIFS_Server_Authentication):
NTLMv2
Note that NTLMv2 is NOT compatible with passthru authentication. The only NTLMv2 support is when hashed passwords are stored with the alfresco database. Indeed, NTLMv2 has been designed to avoid 'Man-in-the-middle' attacks, and when alfresco is configured as a passthru server, it in fact behaves as a 'Man-in-the-middle'.
So choosing "Send LM & NTLM - use NTLMv2 session security if negotiated" for the LAN Manager authentication level makes login via NTLMv1 also possible on Win 7. :)

gcollomb
Champ in-the-making
Hello,

What about if you can't change the "Network Security LAN Manager authenticating level"?

I'm testing an Alfresco server from a Citrix session (on a 2003 server 64bit) with restrictions, so it's not possible to change anything on the client side.

Is there another way to correct the problem?

johnberger
Champ in-the-making
The problem is NTLMv1 vs NTLMv2.
Windows 7 uses the latter by default and Alfresco can't deal with it. At least not in my config. (3.3 on windows, passthru auth).

I changed the following on my Windows 7:

Start > Run > secpol.msc
Local Policies > Security Options > Network Security LAN Manager authenticating level
Select Send LM & NTLM - use NTLMv2 session security if negotiated

Thank you for your help S!

I want to reset ("not defined") my "Network Security LAN Manager authenticating level"… How can I do that?

Best regards
John

johnberger
Champ in-the-making
The problem is NTLMv1 vs NTLMv2.
Windows 7 uses the latter by default and Alfresco can't deal with it. At least not in my config. (3.3 on windows, passthru auth).

I changed the following on my Windows 7:

Start > Run > secpol.msc
Local Policies > Security Options > Network Security LAN Manager authenticating level
Select Send LM & NTLM - use NTLMv2 session security if negotiated

This works, but it is not always possible to make changes on each client computer.
The problem should be solved on the server side and not on the client side :((

Best regards
John

mrogers
Star Contributor
Would be nice but it does not seem possible. You are going to have to "work around" the restrictions of NTLMv2 either by falling back to the old protocol or using another authentication method.

johnberger
Champ in-the-making
Hi,

thank you very much!

best regards

lotharmärkle
Champ in-the-making
Would "Man in the middle" mean that in a pure MS Windows environment, with NTLMv2 (default in Win7) on the client workstations, it is not possible to have a Windows file server authenticating against an AD using NTLMv2 as well?
This sounds like a valid and common setup, however.