
AD+Kerberos and alfrescoUserStore cooperation

Question asked by milesif on May 7, 2009
Latest reply on May 28, 2009 by flefoll
Hi everybody,

In a previous post I described an authentication problem with AD+Kerberos, but later I discovered that AD+Kerberos was working fine and the problem was of a different nature. I discovered that:

1. if I manually create a user in Alfresco, when Kerberos is turned off, and then in AD, I have no problem using CIFS shares with Kerberos (I can see that Kerberos authentication is completed successfully)
2. if I create a user in AD that does not exist in Alfresco, an equivalent user is automatically created in Alfresco the first time I try to access a share. In this case, whenever I try to access the share, the AD+Kerberos authentication is completed correctly but the user cannot log in because the RepositoryAuthenticationDao cannot find it in the alfrescoUserStore, although it exists (the getUserOrNull method returns null), and I am presented with the login dialog until I enter the data of one of the users pre-created in Alfresco, who can log in successfully.

So I have a few questions:
1. Is it absolutely necessary to create users first in Alfresco, or is there a way to "promote" users created by AD so that the login process can be completed successfully? Can I switch off the alfrescoUserStore or should I configure the LDAP synchronization? Or should I do something else?
2. When I try to log in using IE7 I am asked for a username and password, even if I am using a user that was pre-created in Alfresco. What should I do to make IE7 automatically and transparently send the username and password in its headers (I thought that there was nothing to do here…)?

Thanks in advance to anybody helping me

Ciao Francesco