CIFS Server Authentication

Document created by resplin on Jun 6, 2015

This page is obsolete. The official documentation is at: http://docs.alfresco.com



Categories: CIFS, Authentication (versions 2.x, 3.0, 3.1)

This page describes configuration methods prior to Alfresco Version 3.2. Refer to Alfresco Authentication Subsystems for Alfresco Versions 3.2 and up.

This page applies to Alfresco 2.x and earlier. In Alfresco 3.0 - 3.1 the syntax changed: instead of a global <config evaluator='string-compare' condition='Filesystem Security'> section, there is one authenticator per file service.



The Alfresco CIFS server has several different authenticator implementations. The default authenticator provides user authentication against the Alfresco user database using NTLMv1 password hashing. The default authenticator is configured using :-

<config evaluator='string-compare' condition='Filesystem Security'>
  <authenticator type='alfresco'>
  </authenticator>
</config>

The default authenticator has configuration options to allow guest access when the client uses the guest user name to connect, <allowGuest/>, and to map client user names that are not in the Alfresco user database to the guest user, <mapUnknownUserToGuest/>.

There are two other CIFS authenticators included with Alfresco that provide passthru authentication and Enterprise authentication support.


Passthru Authenticator


The CIFS passthru authenticator provides the ability to use existing Windows file servers to authenticate users accessing the Alfresco CIFS server. To configure the passthru authenticator use :-

<config evaluator='string-compare' condition='Filesystem Security'>
  <authenticator type='passthru'>
   <Server>192.168.0.1,adsrv.alfresco.org</Server>
  </authenticator>
</config>

The configuration options available for the passthru authenticator are :-


  • <Server>

Specifies a comma-delimited list of servers (IP addresses or host names, as in the example above) to use for passthru authentication.


  • <LocalServer/>

Use the local server for passthru authentication.


  • <Domain>

Specifies the Windows domain/workgroup to use for passthru authentication. The CIFS server will locate the domain controllers.


  • <LocalDomain/>

Use the domain/workgroup that the local server belongs to when finding the domain controllers.


  • <protocolOrder>

Specifies which protocols are used, and in what order they are tried, when connecting to a passthru server. The default is to use NetBIOS and, if that fails, to try native SMB on port 445.
Specify either a single protocol type or a comma-delimited list giving a primary and a secondary protocol type. The available protocol types are 'NetBIOS' for NetBIOS over TCP and 'TCPIP' for native SMB.


  • <offlineCheckInterval>

Specifies how often passthru servers that have been marked offline are re-checked to see whether they are back online. The interval is given in seconds; the default is 5 minutes (300 seconds).

Only one of the server/domain options above (<Server>, <LocalServer/>, <Domain> or <LocalDomain/>) should be specified; <protocolOrder> and <offlineCheckInterval> may be combined with whichever one is chosen.

The passthru authenticator can only be configured when the main authentication component is configured to use the LDAP or JAAS component.

For 3.0, see this article


Enterprise Authenticator


The Enterprise authenticator provides support for many types of logon that a CIFS client may send. It supports the following logon types :-


  • NTLMv1 hashed passwords
  • NTLMv2 hashed passwords/blob
  • NTLMSSP two stage session setup with NTLMv1/NTLMv2
  • SPNEGO session setup with Kerberos or NTLMSSP

To enable the Enterprise authenticator use :-

<config evaluator='string-compare' condition='Filesystem Security'>
  <authenticator type='enterprise'>
  </authenticator>
</config>

The default configuration will enable NTLMv1/NTLMv2 and NTLMSSP support using the Alfresco user database.



The weaker NTLMv1 hashed password support can be disabled using <disallowNTLMv1/>.

To enable support for Kerberos against Active Directory you will need to set up an account in Active Directory; follow the instructions in Configuring_the_CIFS_and_web_servers_for_Kerberos/AD_integration.




NTLMv2


Note that NTLMv2 is NOT compatible with passthru authentication. NTLMv2 is supported only when the password hashes are stored in the Alfresco database.
NTLMv2 was designed to defeat 'man-in-the-middle' attacks, and an Alfresco server configured for passthru authentication is, structurally, a man-in-the-middle: it relays the challenge from the Windows server to the client and the client's response back to that server, which is exactly the position NTLMv2 is built to reject.
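The option rules on this page (exactly one server/domain option for passthru, valid <protocolOrder> values, a positive <offlineCheckInterval>, the <disallowNTLMv1/> hardening for the Enterprise authenticator, and the guest-mapping options of the default authenticator) are easy to get wrong by hand. The following lint is an added example written for this page, not code from Alfresco or JLAN; it parses the same <config> syntax the page shows and reports findings in the spirit of the notes above. The element names are the ones documented here; the sample configurations are constructed for the example, and the enterprise samples show the default (NTLMv1 accepted) next to the hardened form.

```python
"""Lint for the pre-3.2 Alfresco 'Filesystem Security' authenticator block.
Added example, not Alfresco project code; it encodes the option rules this
page states. Sample configurations at the bottom are constructed."""
import xml.etree.ElementTree as ET

# Exactly one of these tells the passthru authenticator where the Windows
# servers / domain controllers are.
LOCATION_OPTIONS = ("Server", "LocalServer", "Domain", "LocalDomain")
PROTOCOLS = ("NetBIOS", "TCPIP")            # NetBIOS over TCP, native SMB/445
DEFAULT_PROTOCOL_ORDER = list(PROTOCOLS)    # page default: NetBIOS, then TCPIP
DEFAULT_OFFLINE_CHECK_SECS = 300            # page default: 5 minutes


def lint_authenticator(config_xml):
    """Parse one <config condition='Filesystem Security'> block and return
    {'type': ..., 'settings': {...}, 'findings': [(level, message), ...]}."""
    root = ET.fromstring(config_xml)
    if root.tag != "config" or root.get("condition") != "Filesystem Security":
        raise ValueError("expected <config condition='Filesystem Security'>")
    auth = root.find("authenticator")
    if auth is None:
        raise ValueError("no <authenticator> element")
    atype = auth.get("type")
    # option element name -> its text ("" for empty elements like <LocalDomain/>)
    opts = {child.tag: (child.text or "").strip() for child in auth}
    findings, settings = [], {}

    if atype == "passthru":
        present = [o for o in LOCATION_OPTIONS if o in opts]
        if len(present) != 1:
            findings.append(("error", "specify exactly one of %s (found: %s)"
                             % ("/".join(LOCATION_OPTIONS), present or "none")))
        if "Server" in opts:
            servers = [s.strip() for s in opts["Server"].split(",") if s.strip()]
            if not servers:
                findings.append(("error", "<Server> list is empty"))
            settings["servers"] = servers
        order = DEFAULT_PROTOCOL_ORDER
        if "protocolOrder" in opts:
            order = [p.strip() for p in opts["protocolOrder"].split(",")]
            if (any(p not in PROTOCOLS for p in order)
                    or not 1 <= len(order) <= 2 or len(set(order)) != len(order)):
                findings.append(("error", "protocolOrder must be one or two "
                                 "distinct values from %s" % (PROTOCOLS,)))
        settings["protocol_order"] = order
        secs = DEFAULT_OFFLINE_CHECK_SECS
        if "offlineCheckInterval" in opts:
            try:
                secs = int(opts["offlineCheckInterval"])
            except ValueError:
                secs = -1
            if secs <= 0:
                findings.append(("error", "offlineCheckInterval must be a "
                                 "positive number of seconds"))
        settings["offline_check_secs"] = secs
        # The page's NTLMv2 note: passthru relays the challenge/response, so
        # only NTLMv1-capable clients can be authenticated this way.
        findings.append(("info", "passthru cannot authenticate NTLMv2 clients; "
                         "the NTLMv1 challenge/response is relayed to the server"))
    elif atype == "enterprise":
        settings["ntlmv1_allowed"] = "disallowNTLMv1" not in opts
        if settings["ntlmv1_allowed"]:
            findings.append(("warning", "weaker NTLMv1 hashed passwords are "
                             "accepted; add <disallowNTLMv1/> once clients no "
                             "longer need NTLMv1"))
    elif atype == "alfresco":
        settings["allow_guest"] = "allowGuest" in opts
        settings["map_unknown_to_guest"] = "mapUnknownUserToGuest" in opts
        if settings["map_unknown_to_guest"]:
            findings.append(("warning", "user names not in the Alfresco "
                             "database are mapped to the guest user"))
    else:
        findings.append(("error", "unknown authenticator type %r" % atype))
    return {"type": atype, "settings": settings, "findings": findings}


# Constructed sample configurations, in the syntax the page uses.
PASSTHRU_OK = """<config evaluator='string-compare' condition='Filesystem Security'>
  <authenticator type='passthru'>
    <Server>192.168.0.1,adsrv.alfresco.org</Server>
    <protocolOrder>TCPIP,NetBIOS</protocolOrder>
    <offlineCheckInterval>60</offlineCheckInterval>
  </authenticator></config>"""
PASSTHRU_BAD = """<config evaluator='string-compare' condition='Filesystem Security'>
  <authenticator type='passthru'>
    <Server>192.168.0.1</Server><LocalDomain/>
    <protocolOrder>SMB</protocolOrder>
    <offlineCheckInterval>0</offlineCheckInterval>
  </authenticator></config>"""
ENTERPRISE_DEFAULT = """<config evaluator='string-compare' condition='Filesystem Security'>
  <authenticator type='enterprise'></authenticator></config>"""
ENTERPRISE_HARDENED = """<config evaluator='string-compare' condition='Filesystem Security'>
  <authenticator type='enterprise'><disallowNTLMv1/></authenticator></config>"""

if __name__ == "__main__":
    for name in ("PASSTHRU_OK", "PASSTHRU_BAD", "ENTERPRISE_DEFAULT", "ENTERPRISE_HARDENED"):
        result = lint_authenticator(globals()[name])
        print(name, result["settings"])
        for level, msg in result["findings"]:
            print("  [%s] %s" % (level, msg))
```

Run it as a script to see each sample's parsed settings and findings; PASSTHRU_BAD trips all three error rules (two server/domain options, an unknown protocol name, a zero check interval), while ENTERPRISE_HARDENED produces no findings because <disallowNTLMv1/> is present.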
