
Webclient NTLM SSO fails behind proxy

Question asked by ofrxnz on Sep 16, 2008
I have been working on configuring an Alfresco Labs 3 B server as follows (this is the current full Windows download version):
1.) NTLM Auth and LDAP Sync against AD
2.) NTLM SSO
3.) HTTPS on port 443 handled by Tomcat
4.) Load balancing proxy server (Pound)


So far everything works when it is not behind a proxy. However, when I place it behind a proxy, NTLM SSO stops working on the web client. However, it DOES WORK for WebDAV.

For example, when the proxy is in place, I'll navigate to https://<server>.<domain>.<suffux>/alfresco as well as https://<server>.<domain>.<suffux>/alfresco/webdav; the first time, I am prompted for a login because IE is not configured to trust the full name yet. This method works great with no issues. Though when I use trusted zones and navigate to https://<server>/alfresco (which is trusted by default), the login fails and gives me the wonderfully cryptic error (full error at bottom):

net.sf.acegisecurity.AuthenticationServiceException: Failed to open passthru auth session

Curiously, when I navigate to https://<server>/alfresco/webdav, NTLM SSO works flawlessly. This boggles my mind because, as far as my browser and network configuration are concerned, there should be no difference between this and going to the standard Alfresco interface, which all fall under the same rules and should use the same protocols.

Is this a bug??? Or is there some configuration I am missing? I have played with the proxy settings in web-client-custom-config.xml, but it has no effect.

I believe the issue is somewhere in the redirects between https://<server>/alfresco/webdav and the dashboard.jsp page.



Any help would be great.

Thanks,

Adam

Full error code

net.sf.acegisecurity.AuthenticationServiceException: Failed to open passthru auth session 
at org.alfresco.repo.security.authentication.ntlm.NTLMAuthenticationComponentImpl.authenticatePassthru(NTLMAuthenticationComponentImpl.java:740)
at org.alfresco.repo.security.authentication.ntlm.NTLMAuthenticationComponentImpl.authenticate(NTLMAuthenticationComponentImpl.java:521)
at sun.reflect.GeneratedMethodAccessor783.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:281)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:187)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:154)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:107)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:176)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:210)
at $Proxy17.authenticate(Unknown Source)
at org.alfresco.web.app.servlet.NTLMAuthenticationFilter.processType1(NTLMAuthenticationFilter.java:548)
at org.alfresco.web.app.servlet.NTLMAuthenticationFilter.doFilter(NTLMAuthenticationFilter.java:418)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at org.alfresco.module.vti.VtiContextFilter.doFilter(VtiContextFilter.java:81)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:210)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:870)
at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
at java.lang.Thread.run(Thread.java:619)
