Hi,
I'm fully confused with configuring NTLM authentication and CIFS. The version of Alfresco is 2.1 Community Edition on Windows 2003 Server/Tomcat. So far I have tried 2 ways:
1) Configuring NTLM for web access, as described in "Configuring NTLM" in the Wiki. Works perfectly fine. I was able to access http://servername:8080/alfresco with a domain user. IE automatically logs me in. For CIFS I've tried to follow "Configuring the CIFS server for Kerberos/Active Directory integration" but I can't access my server. I don't have any exceptions in the Tomcat log. I have a successful logon in the security event viewer both on the computer where Alfresco is installed and on the domain controller. But still, when I try to access servername_a it shows a login dialog and says login failed.
2) Tried to configure JAAS authentication for CIFS. In the end I'm getting the same results as in the previous example.
My question is: what exactly needs to be configured if I'm using NTLM authentication for web access and would like to use AD users to access CIFS?
StasTsarevsky
Still was not able to configure any access via CIFS using either passthru or Kerberos authentication. Here are my configuration files:
java.login.config
java.security
C:\WINNT\kb5.ini
file-servers.xml
jaas-authentication-context.xml
alfresco.log
savs
Can anyone at Alfresco comment on this? We've also got NTLM authentication working, but cannot make CIFS work in conjunction with it. (We're not using LDAP or JAAS, as we're not sure that they are also required.)
When using enterprise authenticator we get:
When using passthru authenticator we see no errors, but on trying to connect with e.g. smbclient we see:
We've reviewed http://forums.alfresco.com/viewtopic.php?t=5169 and http://forums.alfresco.com/viewtopic.php?t=3777 and http://forums.alfresco.com/viewtopic.php?t=6887 and http://wiki.alfresco.com/wiki/CIFS_linux and http://wiki.alfresco.com/wiki/CIFS and http://wiki.alfresco.com/wiki/CIFS_Server_Authentication, but apart from providing conflicting advice, none of those resources help.
So - what's the definitive way of configuring CIFS and NTLM together?
mindthegab
Alfresco Employee
With respect to the previous post (we're working together) after raising a little bit the log level we get some more info when using enterprise authentication:
After this (quite positive) message we still get the error mentioned by savs.
Help lovely appreciated :)
Artificial intelligence in one statement:
Keyboard not found. Press F1 to continue.
savs
It seems that CIFS only works with NTLM authentication when you use the 'alfresco' authenticator. See http://wiki.alfresco.com/wiki/Enterprise_Security_and_Authentication_Configuration#Which_authentication_components_are_compatible_with_which_web_authentication_filters_and_filesystem_security.3F for details
mikef
Alfresco Employee
Just to confirm. You have sso working via IE and not CIFS, correct?
What is your authenticator type set to in file-servers?
savs
That's correct. We can connect to the alfresco network share using smbclient, but Windows / Mac native clients fail to connect.
It's set to 'alfresco'.
We've tried passthru, enterprise etc. but they don't seem to work.
mindthegab
Alfresco Employee
Just FYI,
we got it working (both IE and CIFS) after having checked AD user permissions.
So now we're able to have NTLM SSO in both environments, which is cool indeed ;-)
Gab
PS.
It still fails on macosx, but well, it's not our first priority..
mikef
Alfresco Employee
Good to hear you got it working.
It would be useful for other readers to provide some details on the '..checked AD user permissions'
StasTsarevsky
Could you describe step-by-step what exactly was done on the Alfresco machine to make CIFS use NTLM SSO? Also, is it running on Linux or on Windows?
What changes were done in:
1) file-servers.xml
2) ntlm-authentication-context.xml
3) kb5.ini if it's created
4) java.login.config if it's created
5) jaas-authentication-context.xml if it's created
Also, what AD user permissions were set for users, and was anything special done on the domain server (like creating an alfrescocifs user, registering service principals and so on)?
Sessa
Hi !
I'm also working on SSO with Alfresco.
If I log in in IE I don't need to log in again in CIFS. But if I close IE and start it again, I'm asked for the password again.
If SSO worked properly I wouldn't be asked, right?
How do I have to configure
- file-servers.xml
- ntlm-authentication-context.xml
Can someone please post an example?
thanks,
Andy
Alfresco Employee
Hi
You need to define the correct filters in web.xml for NTLM SSO for the UI and webDAV.
Andy
Andy Hind
Alfresco Development
Sessa
I don't want NTLM SSO.
I read that there is also a way with JAAS / Kerberos.
What can you suggest ?
Thanks
mindthegab
Alfresco Employee
As soon as I have a second (superbusy these after-holiday days),
I'll gather our configuration files and post them here.
BTW, for "checked AD user permissions" I just meant:
Tested with a proper user (with working credentials on that domain), instead of with the on-the-fly created user (which was missing permissions on that domain).
Stay tuned then!
Andy
Alfresco Employee
Hi
Kerberos SSO support for the web client and WebDAV is work in progress. At the moment there is NTLMv1 SSO or integration with the likes of Siteminder for SSO. There are also instructions on the forums describing how to get CAS up and working for SSO.
Andy
Andy Hind
Alfresco Development
mindthegab
Alfresco Employee
Hi all,
here follows the configuration which we successfully implemented in our company Sourcesense ([3]) and which basically provides LDAP integration and NTLM single sign-on for connecting to Alfresco through web browsers and through Windows File Sharing. Sorry for the long delay but had quite busy days with this Alfresco thing. It's cool and is definitely being increasingly accepted and used in wider and wider enterprises.
Here it goes, hopefully can help to solve and gather the whole number of unstructured forum posts talking about the subject. Sorry for the long post but I preferred to make the *whole* conf files available.
SYSTEM SPECS:
ALFRESCO SERVER:
- Alfresco 2.1 Comm
- Mysql
- Tomcat 5.5.20
- Ubuntu Linux1 7.04
CLIENTS:
- Linux + FF2
- WinXP + IE6
- OSX10.4 + FF2
REQUIREMENTS:
- Integration with Microsoft Active Directory (NTLM + webclient/CIFS + LDAP )
NOTES:
- We started from the default alfresco bundle (linux installer)
- I removed default comments from this file in order to improve readability (seems a paradox, but who will read this post will already know the basic stuff written in those comments... I guess. ;-). I added some configuration specific comments that may be useful to understand what's going on
- Sensitive data has been removed so don't smile at my funny domain fake names :p
- Even if I integrated with AD, well, openLDAP would have rocked better :-) (i hate bill, typical...)
- Thx to savs for coaching support and for providing useful docs !
NAMING CONVENTIONS:
ALF_HOME = base installation folder of the Alfresco instance
ALF_CLASSES = $ALF_HOME/tomcat/WEB-INF/classes/alfresco
ALF_SHARED_CLASSES = $ALF_HOME/tomcat/shared/classes/alfresco/extension
STEPS:
A. Enable NTLM passthrough for SSO purposes:
- Edit the provided
- Change the $ALF_HOME/tomcat/WEB-INF/web.xml to enable the NTLMAuthentication servlet filter. So comment out the default filter and uncomment it as follows (both for webclient and webdav, in case of need):
- change the $ALF_SHARED_CLASSES/ntlm-authentication-context.xml.sample to $ALF_SHARED_CLASSES/ntlm-authentication-context.xml
- Edit the file so that it looks as follows:
- Restart alfresco and this should have already enabled NTLM SSO against your Domain Controller
NOTE:
- Both Internet Explorer and Firefox support NTLM authentication, though Firefox will prompt the user for a username and password on the first connection attempt (subsequently username and password can be stored by Firefox). Internet Explorer will pass the Windows authentication details directly to the Alfresco server. Note that single sign-on with Internet Explorer will only work if the Alfresco server is perceived to be within the local intranet zone (for example if the server has a name in the local DNS). This can also be forced within Internet Explorer's preferences (Tools, Internet Options, Security; select “Local Intranet”, Sites, Advanced, type in the Alfresco server name and click Add, Ok, Ok)
- Authentication seems to work only from specified domain and not from trusted domains. See [1] for more info and fixes.
C. Enable CIFS integration with AD and NTLM passthrough on the CIFS interface:
- Change the provided $ALF_SHARED_CLASSES/file-servers-custom.xml.sample --> $ALF_SHARED_CLASSES/file-servers-custom.xml
- Edit the file so that it looks as follows:
- Restart your alfresco instance and automagically your NTLM SSO authentication should work also against the CIFS filesystem
NOTE:
- SSO+CIFS was only tested (obviously you may say) from Windows Explorer on Windows (with an AD registered user). We also tested the integration of just AD/CIFS (manual AD user login) with Linux/smbclient and Macosx/Finder but with a proper client-side OS configuration integration (at least on mac) it *should* be possible to have SSO working
- Although other authenticators seem to fit more in this configuration (e.g. NTLM, see [2]), "alfresco" type is the only one working with this configuration. Don't get mistaken then ;-)
- Authentication seems to work only from specified domain and not from trusted domains. See [1] for more info and fixes.
D. Enable LDAP users/groups scheduled import in order to be able to assign roles/permissions/notifications/ownerships/jobs to AD users (aka "to be able to use (not only log them in) AD users in alfresco" )
- Change the provided $ALF_SHARED_CLASSES/ldap-authentication-context.xml.sample --> $ALF_SHARED_CLASSES/ldap-authentication-context.xml
- Edit the file so that it looks as follows:
- Enable automatic scheduled jobs starting editing the file $ALF_CLASSES/scheduled-jobs-context.xml by setting the autoStartup property to true in the schedulerFactory bean definition:
- Restart alfresco and you should see (after waiting the defined time + some import time) the user/groups created in Alfresco
NOTE:
- In order to have a better understanding/debugging of the import process please note that if users are correctly imported from LDAP temporary XML files are written in $ALF_HOME/tomcat/temp/Alfresco/ExportSource*
- For a finer debugging of the whole process you may want to raise log levels for interested components, by editing $ALF_HOME/webapps/alfresco/WEB-INF/classes/log4j.properties setting the following categories to debug:
~~~~~%%%%~~~~~
That should be it. Hope this helps.
Ciao!
[1] http://wiki.alfresco.com/wiki/Configuring_NTLM#Enabling_NTLM_users
[2] http://wiki.alfresco.com/wiki/Enterprise_Security_and_Authentication_Configuration#Which_authentication_components_are_compatible_with_which_web_authentication_filters_and_filesystem_security.3F
[3] http://www.sourcesense.com
SCHNEIKA
You have done a great job. :!:
With your manual i was able to establish a NTLM-Autologin and a LDAP-Synchronisation against MS-ADS in 15 Minutes instead of struggling many days with trial and error. Thanx very much. Perhaps you will publish your manual in the Wiki?
mindthegab
Alfresco Employee
Thanks,
it's always important to have feedback and cross-checking when describing achievements or howto's.
As per the wiki, dunno if I can just start writing it in there or should I wait for some alfresco guy to validate the howto first?
WDYT?
Gab
SCHNEIKA
It's very important to set up all the configuration.xml-files exactly as described in mindthegab's HowTo (of course except local variables).
Particularly such details as ntlm-authentication-context.xml, where in the original sample a complete property (transactionService) is missing, and so on.
SCHNEIKA
Just one typo in log4j.properties:
You should try this for ldap-debug-logs:
mindthegab
Alfresco Employee
I updated the post. Thx!
Gonna put it into the wiki
gabehb
I followed the instructions for SSO/NTLM, and in Firefox, after typing in credentials the first time, it works like the post explained -- but in IE, it does not let me past the pop-up. It does not single sign on; rather, it prompts me with the Windows user/password window and no combination of username/password will let me in (though it went through just fine in Firefox).
Does that sound like anything you have seen?
Bjoern
Hi,
I have configured Alfresco according to this manual.
It seems to work fine. I can log in ok.
But:
Using the webclient I get the following error:
Starting the server I get the following error:
Thanks for any hints on what I did wrong...
Cheers Bjoern
daniele001
Hi
Your documentation is great; it allowed me to have the AD authentication without any problem. I spent my last week trying to get it operational :D
Now the problem: SSO works great with Firefox or Opera; I tried SSO with Explorer 7 and I get an error in the passthrough function.
It looks like IE passes credentials after the web page has been displayed.
This happens JUST with IE7 !!!
On the IE browser I get this error:
net.sf.acegisecurity.AuthenticationServiceException: Failed to open passthru auth session
and this is the log
23:10:49,612 WARN [org.springframework.remoting.rmi.RmiRegistryFactoryBean] Could not detect RMI registry - creating new one
23:11:01,155 INFO [org.alfresco.repo.domain.schema.SchemaBootstrap] Schema managed by database dialect org.hibernate.dialect.SQLServerDialect.
23:11:07,608 INFO [org.alfresco.repo.domain.schema.SchemaBootstrap] No changes were made to the schema.
23:11:14,274 WARN [org.alfresco.repo.admin.ConfigurationChecker] The Alfresco 'dir.root' property is set to a relative path './alf_data'. 'dir.root' should be overridden to point to a specific folder.
23:11:14,275 INFO [org.alfresco.repo.admin.ConfigurationChecker] The Alfresco root data directory ('dir.root') is: ./alf_data
23:11:14,357 INFO [org.alfresco.repo.admin.patch.PatchExecuter] Checking for patches to apply ...
23:11:16,620 INFO [org.alfresco.repo.module.ModuleServiceImpl] Found 0 module(s).
23:11:17,239 INFO [org.alfresco.service.descriptor.DescriptorService] Alfresco JVM - v1.6.0_04-b12; maximum heap size 506.313MB
23:11:17,240 INFO [org.alfresco.service.descriptor.DescriptorService] Alfresco started (Community Network): Current version 2.9.0 (B 683) schema 116 - Installed version 2.9.0 (B 683) schema 116
23:12:05,730 ERROR [org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/alfresco].[Faces Servlet]] Servlet.service() for servlet Faces Servlet threw exception
net.sf.acegisecurity.AuthenticationServiceException: Failed to open passthru auth session
at org.alfresco.repo.security.authentication.ntlm.NTLMAuthenticationComponentImpl.authenticatePassthru(NTLMAuthenticationComponentImpl.java:793)
at org.alfresco.repo.security.authentication.ntlm.NTLMAuthenticationComponentImpl.authenticate(NTLMAuthenticationComponentImpl.java:550)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:281)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:187)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:154)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:107)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:176)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:210)
at $Proxy17.authenticate(Unknown Source)
at org.alfresco.web.app.servlet.NTLMAuthenticationFilter.processType1(NTLMAuthenticationFilter.java:523)
at org.alfresco.web.app.servlet.NTLMAuthenticationFilter.doFilter(NTLMAuthenticationFilter.java:395)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:210)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:870)
at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
at java.lang.Thread.run(Thread.java:619)
Any idea? Eventually I need to switch off SSO while keeping the AD authentication operational; what do I have to modify?
Thanks in advance
Regards
Daniele
durianwool
Hi,
I've the same problem - did anyone manage to get around the problem? Can you please share the solution? Actually, I don't even need passthru - it is fine that IE prompts for the AD username and password, but this is not working. I'm using IE6.
BR,
Durian
mindthegab
Alfresco Employee
Guys:
Alfresco forum migration broke my post.
So now we only have up to step A, while there were 4 steps and the complete configuration.
I'm discussing this with Alfresco privately, but otherwise I'll try to find some time to rewrite the post (and save it myself...)
Hateful :(
duxtinto
I'm facing just now this problem, and it's a pity we can't count on your post.
Do you have any news about this topic?
Thanks.
mindthegab
Alfresco Employee
I'm discussing the topic with Alfresco, we will restore it ASAP.
I'll come back to you,
Gab
mindthegab
Alfresco Employee
Old post (before migration) can be found here:
link removed by admin - this post has been restored
I'm asking Alfresco to restore this one, please report it in case you see other problems like this one.
Ciao and HTH,
Gab
duxtinto
Thanks so much.
By the way, do you know if it is still working on Alfresco 2.9?
Regards.
duxtinto
Thanks for this post.
It's really useful.
On version 2.9b it is a little bit different, but I got it working.
ostein
On 2.9C, we get the following log file entries when enabling NTLM passthru for CIFS. Is this a known issue?
07:06:15,811 DEBUG [smb.protocol.auth] No PassthruDetails for WSNB0
07:06:15,826 DEBUG [smb.protocol.auth] No PassthruDetails for WSNB0
07:06:15,826 DEBUG [smb.protocol.auth] No PassthruDetails for WSNB0
07:06:15,826 DEBUG [smb.protocol.auth] No PassthruDetails for WSNB0
07:06:18,967 DEBUG [smb.protocol.auth] No PassthruDetails for WSNB1
07:06:18,967 DEBUG [smb.protocol.auth] No PassthruDetails for WSNB1
07:06:27,045 DEBUG [smb.protocol.auth] No PassthruDetails for WSNB0
07:08:54,402 DEBUG [smb.protocol.auth] No PassthruDetails for WSNB2
07:08:54,496 DEBUG [smb.protocol.auth] No PassthruDetails for WSNB2
07:08:58,668 DEBUG [smb.protocol.auth] No PassthruDetails for WSNB2
07:08:58,699 DEBUG [smb.protocol.auth] No PassthruDetails for WSNB2
07:08:58,715 DEBUG [smb.protocol.auth] No PassthruDetails for WSNB2
07:08:58,840 DEBUG [smb.protocol.auth] No PassthruDetails for WSNB2
07:08:58,887 DEBUG [smb.protocol.auth] No PassthruDetails for WSNB2
07:08:58,918 DEBUG [smb.protocol.auth] No PassthruDetails for WSNB2
Regards,
Oliver Stein
mindthegab
Alfresco Employee
Being a DEBUG line, I don't think this is an issue. You can stop it from logging by lowering the appropriate log category.
Unless you have functional issues related to that one.
Ciao!
ostein
Sorry for the confusion - the log file entries are not the problem per se, it's the fact that the passthrough is not working for CIFS...
Can anybody post a working configuration with AD authentication for 2.9C please?
Regards,
Oliver Stein
ostein
Anybody please?
Regards,
Oliver Stein
aniruddh
This is a very good post. For Alfresco 2.2 Enterprise an additional step is required to disable Tomcat's session persistence. Please look at this post for details http://forums.alfresco.com/viewtopic.php?f=9&t=12156&p=40893#p40656.
- Aniruddh
samuel.penn
I'm seeing similar warnings to ostein, running 2.9C on Windows.
If I use the configuration suggested by mindthegab, then I get the following errors on startup:
If I add the following to file-servers-custom.xml in the "CIFS Server" configuration:
Then Alfresco starts up without any errors, but when I try to login to CIFS I get "DEBUG [smb.protocol.auth] No PassthruDetails for WSNB2" logs in the console sometimes (possibly every dozen or so login attempts). Login fails, and defaults to "AXCELIA\admin". If I try to login as me, changing the user login to "AXCELIA\sam" I get an error dialog stating:
"The user name you typed is the same as the user name you logged in with. That user name has already been tried. A domain controller cannot be found to verify that user name."
I've also tried setting the field to be "AXCELIA\172.31.31.18". Our domain is AXCELIA, and 172.31.31.18 is our domain controller. I can login to the web interface using SSO from Firefox with no problem (my IE gives a DNS error, but other people's IE works fine - I think there's something wacky with IE on my machine).
Do I really need to configure Kerberos? I've seen the wiki page for this, and it looks like a lot of work, but since SSO for the web interface works fine I'm not convinced it's needed, and that it's really complaining about lack of hashed password support.
Anyone have any ideas?
Thanks,
Sam.
mindthegab
Alfresco Employee
I used to work around it with chaining, e.g. configure a chaining auth with LDAP simple and internal alfresco authentication service in chain.
This way the 2 authentications will be tried in sequence (and they have "quasi" the same users, e.g. only those newly added/removed since the last LDAP synchronization can be inconsistent), so that the web client will authenticate directly against LDAP (or whatever SSO) and CIFS goes to the synced copy on the local alfresco.
As I said, it's a workaround as it's not 100% safe (imagine a user deleted because of company infringements and he's still able to login and delete CIFS stuff before a new LDAP sync occurs) but it's the best I could get to work for LDAP simple + CIFS.
HTH,
Gab
Artificial intelligence in one statement:
Keyboard not found. Press F1 to continue.
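The caveat in the post above (a user removed from the directory can still log in over CIFS until the next LDAP sync) can be checked for directly. The following is an added example, not part of the original thread and not Alfresco code: it compares a directory export with the locally synced user list and reports accounts the fallback authenticator in the chain would still accept. The user names, the `EXAMPLE` domain, the timestamps and the 24-hour sync interval are constructed assumptions; as in the post, it assumes the next sync removes the account.

```python
from datetime import datetime, timedelta

# Accounts that exist only inside Alfresco and are never expected in the directory.
BUILTIN = frozenset({"admin", "guest"})

# Constructed sample data: directory export (name -> account enabled?) and the
# user names present in the local, LDAP-synced store.
DIRECTORY = {"EXAMPLE\\sam": True, "gab@example.local": True, "olduser": False}
LOCAL = ["Sam", "gab", "OLDUSER", "fired.user", "admin"]


def normalize(name):
    # AD logon names are case-insensitive and may arrive as DOMAIN\user or user@realm.
    name = name.strip()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name.lower()


def stale_local_accounts(directory_users, local_users):
    """Local accounts the directory no longer vouches for, with the reason."""
    enabled = {normalize(n) for n, ok in directory_users.items() if ok}
    disabled = {normalize(n) for n, ok in directory_users.items() if not ok}
    findings = set()
    for raw in local_users:
        key = normalize(raw)
        if key in BUILTIN or key in enabled:
            continue
        reason = "disabled in directory" if key in disabled else "missing from directory"
        findings.add((key, reason))
    return sorted(findings)


def sync_status(last_sync, interval, now):
    """Time left until the next scheduled import closes the gap.

    An overdue sync means the window is open-ended, e.g. because the
    scheduler was never started (autoStartup left at false).
    """
    next_sync = last_sync + interval
    overdue = now > next_sync
    remaining = timedelta(0) if overdue else next_sync - now
    return {"next_sync": next_sync, "remaining": remaining, "overdue": overdue}


if __name__ == "__main__":
    status = sync_status(datetime(2008, 1, 10, 2, 0), timedelta(hours=24),
                         datetime(2008, 1, 10, 20, 0))
    for user, reason in stale_local_accounts(DIRECTORY, LOCAL):
        print(f"{user}: {reason}; still accepted for up to {status['remaining']}")
    if status["overdue"]:
        print("LDAP import is overdue: check that the scheduler is running")
```

Running this between scheduled imports shows which accounts to disable by hand in the local store rather than waiting for the sync.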
samuel.penn
Well, I moved back to 2.2, and your original instructions worked eventually. By forcing lots of attempts to login (actually whilst trying to get some debug out of it), it finally got the authentication information and allowed me to use CIFS using my domain account. It may have had something cached, or just had a dead connection (though Alfresco had been restarted many times). Anyway, it's working now.
Thanks,
Sam.
karakartal
As of version 3.0 I am still having the problem:
I am trying to use Active Directory + NTLM + CIFS
Any comments?
ngn2008
Hello everybody,
I am using Alfresco 2.1 Community on Windows XP.
I followed the instructions for an NTLM+CIFS integration (it's OK with Firefox but not with IE; I'll update my IE version and keep you abreast) + Windows AD (from the Windows Small Business Service Pack). I have problems with the AD import.
Gonna put here the XML files I configured:
ldap-authentication-context.xml
scheduled-jobs-context.xml
In file-servers-custom I enabled the alfresco authentication (with CIFS+NTLM)
My alfresco.log
my catalina log
I set the categories in log4j.properties for debugging too.
It seems that the problem is this error
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'ldapInitialDirContextFactory' defined in file [C:\Alfresco\tomcat\shared\classes\alfresco\extension\ldap-authentication-context.xml]: Invocation of init method failed; nested exception is java.lang.ClassFormatError: Truncated class file Caused by:
java.lang.ClassFormatError: Truncated class file
Are there other files to configure for AD import?
Could someone help me?
ngn2008
it's OK now! :D
skorde
Hi
I am evaluating Alfresco Enterprise version 3.0 but I am also facing the same issue:
No PassthruDetails for WSNB1
I have used Active Directory + CIFS
please help
Sudhir Korde
hannesb
Still no solution to the "No PassthruDetails"-error?
I've tried the enterprise today and got the same error so i guess it is a configuration-problem. I'm trying to get the cifs authentication to work with AD.
geoffrey1211
hello... I am having the same problem with AD + CIFS (DIGEST-MD5)...
I cannot logon, and the log shows these lines that are not errors but should mean something...
PLEASE HELP!
skorde
Enable SSO in your Alfresco server and use alfresco as the authentication type instead of passthrough in your file-server.xml
Sudhir Korde
geoffrey1211
Hi, I am using lab 3c. I've tried everything I read in this thread, but I still have not gotten CIFS to work with NTLM SSO authentication. Mine is a very classic case of authenticating versus a Microsoft Active Directory using NTLM w/ SSO, so I am very curious of what could possibly go wrong.
I can login the alfresco website using AD credentials already, so I suppose this means NTLM SSO is working. And when I do 'nbtstat -n', I do see my "MACHINENAMEA" entry (MACHINENAMEA <00> UNIQUE Registered), so I suppose that means the CIFS server is running too, as that is also indicated in the log.
NOW, when I tried to map the drive "\\MACHINENAMEA\alfresco", it tells me this:
Is there any way I can tell what this extended error is?
If I type in "\\MACHINENAMEA\alfresco" directly in Windows Explorer I see this:
and this in the log file:
Does anybody have a clue what might be preventing this to work? Do I have to do anything with in file-servers.xml?
PLEASE HELP!
Attached my config files:
ntlm-authentication-context.xml:
file-servers-custom.xml
web.xml:
geoffrey1211
Thank you Jesus, thank you Lord, thank you thank you thank you.
I looked at the "Event Viewer" from "My Computer" -> "Manage", and saw this:
so turns out my computer stored the wrong credentials... MUST BE CORRECTED!
Now it works =) Thanks for the useful article, mindthegab.
elakkiya
Hi mindthegab,
I am using Alfresco 3.3 Community edition. I am using it as a standalone server without deploying it with any other portal servers.
I wanna integrate it with NTLM.
I saw your post. In my web.xml file in Alfresco\tomcat\webapps\alfresco\WEB-INF I can't find the following filter
--
Authentication Filter
org.alfresco.web.app.servlet.AuthenticationFilter
--
It is having another filter class "org.alfresco.repo.web.filter.beans.BeanProxyFilter".
How can I change it?
I don't find the file "ntlm-authentication-context.xml".
Is there any other way to enable NTLM authentication and SSO with Alfresco 3.3 as a standalone server?
Thanks in advance
ivan.plestina
You need to use instructions for newer Alfresco versions 3.2+. Quick google search on active directory integration will point you to what you need.
Alfresco tutorials and solutions
Alfresco 3.3g integration with Active Directory and Google Docs