
Alfresco with Active Directory

sla1733
Champ in-the-making

Hello. I set up communication between Alfresco and Active Directory on Windows 2012; all users were transferred to Alfresco, a home user space was created for each of them, and domain users can be authorized through a web browser, but authorization through Windows Explorer works only for the users added manually in Alfresco. Tell me how to make it possible for domain users to log in through Windows Explorer as well. Integration with Active Directory was made by adding the following records to /alfresco-global.properties:

# MS Active Directory Integration
authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap-ad
ntlm.authentication.sso.enabled=false

ldap.authentication.active=true
ldap.authentication.allowGuestLogin=true
ldap.authentication.userNameFormat=%s@domain.lan
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://dc.domain.lan:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=admin
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=admin@domain.lan
ldap.synchronization.java.naming.security.credentials=password
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000
ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(whenChanged<\={0})))
ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(whenChanged<\={0})))
ldap.synchronization.groupSearchBase=DC\=domain,DC\=lan
ldap.synchronization.userSearchBase=DC\=domain,DC\=lan
ldap.synchronization.modifyTimestampAttributeName=whenChanged
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=cn
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true
ldap.authentication.java.naming.read.timeout=5000
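Added example, not from the thread: the term (userAccountControl:1.2.840.113556.1.4.803:=512) in ldap.synchronization.personQuery above uses the Active Directory bitwise-AND matching rule, which selects every account whose userAccountControl has all the requested bits set. The PowerShell below (the properties excerpt and the sample userAccountControl values are constructed; Test-UacAgainstFilter assumes the terms are AND-joined, as in the poster's (&...) filter) unescapes the value as Java properties does and shows that :=512 also matches disabled accounts (512 + 2), next to the commonly used filter that excludes them:

```powershell
# Added example (not from the thread): what the AD bitwise filter in
# ldap.synchronization.personQuery actually selects. Constructed excerpt of the poster's config:
$propertiesText = @'
ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
'@

function Get-PropertyValue {
    param([string]$Text, [string]$Key)
    # Java .properties: '=' separates key and value; a backslash escapes the next character (\= \: \\).
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match ("^\s*" + [regex]::Escape($Key) + "\s*=(.*)$")) {
            return ($Matches[1] -replace '\\(.)', '$1')
        }
    }
    $null
}

function Test-UacAgainstFilter {
    param([string]$Filter, [int]$UserAccountControl)
    # OID 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND: a term matches when every bit of N
    # is set in the attribute. Assumes the terms are AND-joined, as in the poster's (&...) filter;
    # a term wrapped in (!...) is negated.
    $pattern = '(?<not>\(!)?\(userAccountControl:1\.2\.840\.113556\.1\.4\.803:=(?<bits>\d+)\)'
    $terms = [regex]::Matches($Filter, $pattern)
    if ($terms.Count -eq 0) { throw "no bitwise userAccountControl term found in: $Filter" }
    foreach ($t in $terms) {
        $bits   = [int]$t.Groups['bits'].Value
        $allSet = (($UserAccountControl -band $bits) -eq $bits)
        if ($t.Groups['not'].Success -eq $allSet) { return $false }   # this AND-ed term fails
    }
    $true
}

$postersFilter = Get-PropertyValue -Text $propertiesText -Key 'ldap.synchronization.personQuery'
# The same filter with the usual exclusion of disabled accounts (ACCOUNTDISABLE = bit 2).
# Inside alfresco-global.properties the '=' and ':' must be escaped as \= and \: as above.
$stricterFilter = '(&(objectclass=user)(userAccountControl:1.2.840.113556.1.4.803:=512)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

# Constructed sample userAccountControl values (NORMAL_ACCOUNT=512, ACCOUNTDISABLE=2,
# DONT_EXPIRE_PASSWORD=65536, WORKSTATION_TRUST_ACCOUNT=4096).
$samples = [ordered]@{
    'enabled user'                     = 512
    'disabled user'                    = 514
    'enabled, password never expires'  = 66048
    'disabled, password never expires' = 66050
    'computer account'                 = 4096
}
foreach ($label in $samples.Keys) {
    [pscustomobject]@{
        Account        = $label
        UAC            = $samples[$label]
        PostersFilter  = Test-UacAgainstFilter -Filter $postersFilter -UserAccountControl $samples[$label]
        StricterFilter = Test-UacAgainstFilter -Filter $stricterFilter -UserAccountControl $samples[$label]
    }
}
```

With the poster's filter the disabled rows come out as matched, so those accounts are synchronized as Alfresco persons; AD itself still refuses an LDAP bind for a disabled account, so this is about which person records exist rather than who can log in, but it is usually not what an administrator expects from a "512" filter.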

7 REPLIES

jpotts
World-Class Innovator

If you have AD configured and you can successfully log in to Alfresco Share as one of the AD users, then you already have what you need to be able to map a drive from Windows Explorer using WebDAV. The URL would look something like:

http://localhost:8080/alfresco/webdav

When Windows prompts you for your credentials, provide your AD username and password and it will work.

If instead what you want is to automatically log in a user who is already logged in to the Windows domain, then what you need is to configure Alfresco for Kerberos authentication which is covered in the documentation here:

https://docs.alfresco.com/6.0/concepts/auth-kerberos-intro.html

sla1733
Champ in-the-making

The fact is that when you go to http://IP:8080/alfresco/webdav through any web browser, domain user authorization works and the directory listing and the user's home space are opened. For Windows Explorer:
Open Windows Explorer and click 'Map network drive'
Click 'Connect to a Web site that you can use to store your documents and pictures'
Click 'Next' twice in the window that opens.
http://IP:8080/alfresco/webdav
The error is "Windows cannot access".

jpotts
World-Class Innovator

Have you done the steps outlined in the "Kerberos Client Config for WebDAV" section here:

https://docs.alfresco.com/5.2/concepts/auth-kerberos-clientconfig.html

sla1733
Champ in-the-making

Thank you, I completed the steps in the "Kerberos Client Config for WebDAV" section; now the authorization window for the Alfresco server has started to appear, but you can only log in as a user created in Alfresco itself, domain users cannot log in. Through a web browser, authorization of domain users works.

Did you try the UNC path \\hostname@8080\alfresco\webdav\ ?

Additionally there are some Windows requirements for the "Web Client" Windows service, which handles the communication between Windows Explorer and the WebDAV server (Alfresco) using IE.

I highly recommend to use https with trusted certs and port 443 to work around these restrictions.

Additionally, if your clients don't have a proxy configured in IE and you use an FQN hostname, you need to configure AuthForwardServerList in Windows.

Be careful when using SSO (kerberos.authentication.sso.enabled=true): Alfresco does not support fallback to "normal" authentication, which may lock out non-domain members.

sla1733
Champ in-the-making

"AuthForwardServerList" is configured. I tried the UNC path \\hostname@8080\alfresco\webdav\, and also changed the value of the BasicAuthLevel parameter to 2 in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters. The result is the same, I can't log in as a domain user.

fedorow
Elite Collaborator

Make sure the WebClient service is started.

https://docs.alfresco.com/5.2/concepts/troubleshoot-webdav.html

P.S. For Microsoft clients Alfresco recommends using AOS instead of WebDAV. Try http://localhost:8080/alfresco/aos
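Added example, not from the thread or from Alfresco or Microsoft documentation: a Windows PowerShell 5.1 diagnostic that collects, on the client where the drive mapping fails, the settings the replies above mention (WebClient service state, BasicAuthLevel, AuthForwardServerList), probes the /alfresco/webdav and /alfresco/aos URLs once anonymously (to list the authentication schemes the server offers to the WebClient service) and once with the logged-in Windows account, and finally tries the UNC mapping. $AlfrescoHost, $Port, $Scheme and the drive letter Z: are assumptions to adjust; run it as an administrator.

```powershell
# Added example: client-side WebDAV/AOS diagnostics for the symptoms in this thread.
# Assumptions (adjust): host name, port and scheme below. Windows PowerShell 5.1, run as administrator.
$AlfrescoHost = 'alfresco.domain.lan'   # assumed FQDN of the Alfresco server
$Port         = 8080                    # assumed port (the thread uses 8080)
$Scheme       = 'http'                  # 'https' with a trusted certificate is the recommended setup

function Get-WebClientServiceState {
    # The WebClient service is what Explorer / "Map network drive" uses for WebDAV.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'not installed' }
    "$($svc.Status) (start type: $($svc.StartType))"
}

function Get-BasicAuthLevel {
    # 0 = Basic disabled, 1 = Basic only over HTTPS (Windows default when the value is absent),
    # 2 = Basic over plain HTTP too, i.e. the password leaves the client base64-encoded in clear.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\WebClient\Parameters'
    $v = (Get-ItemProperty -Path $key -Name BasicAuthLevel -ErrorAction SilentlyContinue).BasicAuthLevel
    if ($null -eq $v) { 1 } else { [int]$v }
}

function Get-AuthForwardServerList {
    # scheme://name patterns to which the WebClient service may forward the logged-in user's
    # Windows credentials (Negotiate/NTLM) although the host is not in the intranet zone.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WebClient'
    $v = (Get-ItemProperty -Path $key -Name AuthForwardServerList -ErrorAction SilentlyContinue).AuthForwardServerList
    if ($null -eq $v) { @() } else { @($v) }
}

function Test-DavUrl {
    param([string]$Url, [switch]$WithWindowsCredentials)
    # OPTIONS request. Anonymously a 401 is expected; its WWW-Authenticate header lists the
    # schemes (Negotiate, NTLM, Basic) offered. With -UseDefaultCredentials a final 401 means
    # the server refused the logged-in Windows account.
    $params = @{ Uri = $Url; Method = 'Options'; UseBasicParsing = $true; ErrorAction = 'Stop' }
    if ($WithWindowsCredentials) { $params['UseDefaultCredentials'] = $true }
    try {
        $r = Invoke-WebRequest @params
        [pscustomobject]@{ Url = $Url; WinCreds = [bool]$WithWindowsCredentials; Status = [int]$r.StatusCode
                           Schemes = $r.Headers['WWW-Authenticate']; Dav = $r.Headers['DAV'] }
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if ($null -eq $resp) {
            return [pscustomobject]@{ Url = $Url; WinCreds = [bool]$WithWindowsCredentials
                                      Status = 'no response'; Schemes = $_.Exception.Message; Dav = $null }
        }
        [pscustomobject]@{ Url = $Url; WinCreds = [bool]$WithWindowsCredentials; Status = [int]$resp.StatusCode
                           Schemes = ($resp.Headers.GetValues('WWW-Authenticate') -join ', '); Dav = $resp.Headers['DAV'] }
    }
}

$forwardList = Get-AuthForwardServerList
[pscustomobject]@{
    WebClientService      = Get-WebClientServiceState
    BasicAuthLevel        = Get-BasicAuthLevel
    AuthForwardServerList = ($forwardList -join '; ')
    HostInForwardList     = [bool]($forwardList | Where-Object { $AlfrescoHost -like ($_ -replace '^\w+://', '') })
}

$base = "${Scheme}://${AlfrescoHost}:${Port}"
foreach ($path in '/alfresco/webdav', '/alfresco/aos') {
    Test-DavUrl -Url "$base$path"
    Test-DavUrl -Url "$base$path" -WithWindowsCredentials
}

# Finally the UNC form from the thread (for https Windows expects \\host@SSL@port\...).
$unc = if ($Scheme -eq 'https') { "\\${AlfrescoHost}@SSL@${Port}\alfresco\webdav" } else { "\\${AlfrescoHost}@${Port}\alfresco\webdav" }
net use Z: $unc /persistent:no
if ($LASTEXITCODE -eq 0) { net use Z: /delete | Out-Null }
```

Reading the result: if the browser logs domain users in but the anonymous probe shows only Basic and BasicAuthLevel is 1 over plain HTTP, the WebClient service will not send the password at all; if the server offers Negotiate and the host is not covered by AuthForwardServerList, Windows credentials are not forwarded to a non-intranet host. The https/443 route recommended above avoids raising BasicAuthLevel to 2.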
