
Alfresco Share 3.2 NTLM SSO fails

Question asked by ofrxnz on Jul 8, 2009
Latest reply on Nov 13, 2009 by kevinr
So, I have configured Alfresco proper to use NTLM SSO against a Windows 2k3 R2 Active Directory server. Everything is working well.

I followed the instructions here: http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems
but when I tried to switch Share over to use SSO against passthru/NTLM authentication, everything caught on fire.

I have tried both Firefox 3.5 and IE8, and in IE8 I have set the server as both trusted and untrusted so that it will prompt for basic auth and also try to SSO. When it prompts for basic auth, I have also tried explicitly specifying the domain and using only a username.

This is Alfresco 3.2 running on Windows 2k3 R2 using the full Windows installer, with an XP SP3 client.

Here is the alfresco.log portion with NTLM debugging turned on in both Alfresco and Share:

11:32:43,008 DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] Processing request: /alfresco/wcs/touch SID:null
11:32:43,024 DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] Received type1 [Type1:0xa2088207,Domain:<NotSet>,Wks:<NotSet>]
11:32:43,024 DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] Failed to map client IP 192.168.1.240 to a domain
11:32:43,024 DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] Client domain null
11:32:43,274 DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] Sending NTLM type2 to client - [Type2:0x80000203,Target:MYSERVERA,Ch:dac3eaf23cc2d44b]
11:32:43,305 DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] Processing request: /alfresco/wcs/touch SID:00905931528ED05F731F8DECA79DCDE7
11:32:43,321 DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] Received type3 [Type3:,LM:5d5120f1585f9d9f21e828685e4941c9811c4dafd80b2fc3,NTLM:c11f6698d7800d095a555d048e1f450ea520566b816cba3c,Dom:PHARPOINT,User:myuser.name,Wks:MyWorkStation]
11:32:43,430 DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] Updated cached NTLM details
11:32:43,446 DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] User logged on via NTLM, [myuser.name,Wks:MyWorkStation,Dom:MYDOMAIN,AuthSrv:MyServer,Wed Jul 08 11:32:43 EDT 2009]
11:32:43,446 DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] Login page requested, chaining …
11:32:43,555 DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] Processing request: /alfresco/wcs/webframework/content/metadata SID:00905931528ED05F731F8DECA79DCDE7
11:32:43,555 DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] User myuser.name validate ticket
11:32:43,571 DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] Authentication not required (user), chaining …
11:32:43,571 ERROR [org.alfresco.web.scripts.AbstractRuntime] Exception from executeScript - redirecting to status template error: 06080019 Web Script org/alfresco/webframework/metadata.get requires user authentication; however, a guest has attempted access.
org.alfresco.web.scripts.WebScriptException: 06080019 Web Script org/alfresco/webframework/metadata.get requires user authentication; however, a guest has attempted access.
   at org.alfresco.repo.web.scripts.RepositoryContainer.executeScript(RepositoryContainer.java:257)
   at org.alfresco.web.scripts.AbstractRuntime.executeScript(AbstractRuntime.java:262)
   at org.alfresco.web.scripts.AbstractRuntime.executeScript(AbstractRuntime.java:139)
   at org.alfresco.web.scripts.servlet.WebScriptServlet.service(WebScriptServlet.java:122)
   at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
   at org.alfresco.repo.webdav.auth.BaseNTLMAuthenticationFilter.doFilter(BaseNTLMAuthenticationFilter.java:264)
   at org.alfresco.web.app.servlet.WebScriptNTLMAuthenticationFilter.doFilter(WebScriptNTLMAuthenticationFilter.java:94)
   at sun.reflect.GeneratedMethodAccessor411.invoke(Unknown Source)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:597)
   at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:109)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
   at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
   at $Proxy188.doFilter(Unknown Source)
   at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:88)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
   at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
   at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
   at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
   at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
   at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
   at java.lang.Thread.run(Thread.java:619)

And the page Share gives me is:

HTTP Status 500 -

type Exception report

message

description The server encountered an internal error () that prevented it from fulfilling this request.

exception

javax.servlet.ServletException: org.alfresco.web.site.exception.RequestContextException: Exception running UserFactory in HttpRequestContextFactory
   org.alfresco.web.site.servlet.DispatcherServlet.service(DispatcherServlet.java:146)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
   org.alfresco.web.site.servlet.NTLMAuthenticationFilter.processType3(NTLMAuthenticationFilter.java:533)
   org.alfresco.web.site.servlet.NTLMAuthenticationFilter.doFilter(NTLMAuthenticationFilter.java:251)

root cause

org.alfresco.web.site.exception.RequestContextException: Exception running UserFactory in HttpRequestContextFactory
   org.alfresco.web.site.DefaultRequestContextFactory.newInstance(DefaultRequestContextFactory.java:117)
   org.alfresco.web.site.FrameworkHelper.initRequestContext(FrameworkHelper.java:202)
   org.alfresco.web.site.servlet.DispatcherServlet.service(DispatcherServlet.java:142)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
   org.alfresco.web.site.servlet.NTLMAuthenticationFilter.processType3(NTLMAuthenticationFilter.java:533)
   org.alfresco.web.site.servlet.NTLMAuthenticationFilter.doFilter(NTLMAuthenticationFilter.java:251)

root cause

org.alfresco.web.site.exception.UserFactoryException: Unable to retrieve user from repository
   org.alfresco.web.site.AlfrescoUserFactory.loadUser(AlfrescoUserFactory.java:252)
   org.alfresco.web.site.UserFactory.faultUser(UserFactory.java:169)
   org.alfresco.web.site.UserFactory.faultUser(UserFactory.java:110)
   org.alfresco.web.site.DefaultRequestContextFactory.newInstance(DefaultRequestContextFactory.java:93)
   org.alfresco.web.site.FrameworkHelper.initRequestContext(FrameworkHelper.java:202)
   org.alfresco.web.site.servlet.DispatcherServlet.service(DispatcherServlet.java:142)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
   org.alfresco.web.site.servlet.NTLMAuthenticationFilter.processType3(NTLMAuthenticationFilter.java:533)
   org.alfresco.web.site.servlet.NTLMAuthenticationFilter.doFilter(NTLMAuthenticationFilter.java:251)

root cause

org.alfresco.web.site.exception.UserFactoryException: Unable to create user - failed to retrieve user metadata:
   org.alfresco.web.site.AlfrescoUserFactory.loadUser(AlfrescoUserFactory.java:160)
   org.alfresco.web.site.UserFactory.faultUser(UserFactory.java:169)
   org.alfresco.web.site.UserFactory.faultUser(UserFactory.java:110)
   org.alfresco.web.site.DefaultRequestContextFactory.newInstance(DefaultRequestContextFactory.java:93)
   org.alfresco.web.site.FrameworkHelper.initRequestContext(FrameworkHelper.java:202)
   org.alfresco.web.site.servlet.DispatcherServlet.service(DispatcherServlet.java:142)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
   org.alfresco.web.site.servlet.NTLMAuthenticationFilter.processType3(NTLMAuthenticationFilter.java:533)
   org.alfresco.web.site.servlet.NTLMAuthenticationFilter.doFilter(NTLMAuthenticationFilter.java:251)

note The full stack trace of the root cause is available in the Apache Tomcat/6.0.18 logs.
Apache Tomcat/6.0.18

Here is Share's web.xml:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>

   <display-name>Alfresco Project Slingshot</display-name>   
   <description>Alfresco Project Slingshot application</description>
  
   <context-param>
      <param-name>org.jboss.jbossfaces.WAR_BUNDLES_JSF_IMPL</param-name>
      <param-value>true</param-value>
   </context-param>

   <context-param>
      <param-name>contextConfigLocation</param-name>
      <param-value>
         classpath:alfresco/webscript-framework-application-context.xml
         classpath:alfresco/web-framework-model-context.xml
         classpath:alfresco/web-framework-application-context.xml
         classpath*:alfresco/web-extension/custom-web-framework-application-context.xml
         classpath:alfresco/slingshot-application-context.xml
         classpath*:alfresco/web-extension/custom-slingshot-application-context.xml
      </param-value>
      <description>Spring config file locations</description>
   </context-param>
  
   <context-param>
      <param-name>contextClass</param-name>
      <param-value>org.alfresco.config.JBossEnabledWebApplicationContext</param-value>
      <description>Spring context class</description>
   </context-param>
  
   <!-- For NTLM authentication support use the following filter -->
  
   <filter>
      <filter-name>Authentication Filter</filter-name>
      <filter-class>org.alfresco.web.site.servlet.NTLMAuthenticationFilter</filter-class>
      <init-param>
         <param-name>endpoint</param-name>
         <param-value>alfresco</param-value>
      </init-param>
   </filter>
 
  
   <!-- For NTLM authentication support enable the following mappings -->
   <!-- after enabling the NTLMAuthenticationFilter filter class above -->
  
   <filter-mapping>
      <filter-name>Authentication Filter</filter-name>
      <url-pattern>/page/*</url-pattern>
   </filter-mapping>
  
   <filter-mapping>
      <filter-name>Authentication Filter</filter-name>
      <url-pattern>/p/*</url-pattern>
   </filter-mapping>
  
   <filter-mapping>
      <filter-name>Authentication Filter</filter-name>
      <url-pattern>/s/*</url-pattern>
   </filter-mapping>
 
  
   <listener>
      <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
   </listener>
  
   <servlet>
      <servlet-name>apiServlet</servlet-name>
      <servlet-class>org.alfresco.web.scripts.servlet.WebScriptServlet</servlet-class>
      <init-param>
         <param-name>container</param-name>
         <param-value>webframework.webscripts.container</param-value>
      </init-param>
      <!--
      <init-param>
         <param-name>authenticator</param-name>
         <param-value>webscripts.authenticator.basic</param-value>
      </init-param>
      -->
   </servlet>
  
   <servlet>
      <servlet-name>feedApiServlet</servlet-name>
      <servlet-class>org.alfresco.web.site.servlet.WebScriptFeedServlet</servlet-class>
      <init-param>
         <param-name>container</param-name>
         <param-value>webframework.webscripts.container</param-value>
      </init-param>
      <init-param>
         <param-name>authenticator</param-name>
         <param-value>webscripts.authenticator.delegatingbasic</param-value>
      </init-param>
   </servlet>

   <servlet>
      <servlet-name>proxyServlet</servlet-name>
      <servlet-class>org.alfresco.web.scripts.servlet.EndPointProxyServlet</servlet-class>
   </servlet>

   <servlet>
      <servlet-name>uriTemplateServlet</servlet-name>
      <servlet-class>org.alfresco.web.uri.UriTemplateServlet</servlet-class>
   </servlet>

   <!-- The Web Framework Dispatcher Servlet -->
   <servlet>
      <servlet-name>pageRendererServlet</servlet-name>
      <servlet-class>org.alfresco.web.site.servlet.DispatcherServlet</servlet-class>
      <load-on-startup>1</load-on-startup>
   </servlet>
  
   <servlet>
      <servlet-name>frameworkControlServlet</servlet-name>
      <servlet-class>org.alfresco.web.site.servlet.FrameworkControlServlet</servlet-class>
   </servlet>
  
   <servlet>
      <servlet-name>loginServlet</servlet-name>
      <servlet-class>org.alfresco.web.site.servlet.LoginServlet</servlet-class>
   </servlet>

   <servlet>
      <servlet-name>logoutServlet</servlet-name>
      <servlet-class>org.alfresco.web.site.servlet.LogoutServlet</servlet-class>
   </servlet>

   <servlet-mapping>
      <servlet-name>logoutServlet</servlet-name>
      <url-pattern>/logout</url-pattern>
   </servlet-mapping>

   <servlet-mapping>
      <servlet-name>loginServlet</servlet-name>
      <url-pattern>/login/*</url-pattern>
   </servlet-mapping>

   <servlet-mapping>
      <servlet-name>apiServlet</servlet-name>
      <url-pattern>/service/*</url-pattern>
   </servlet-mapping>
  
   <servlet-mapping>
      <servlet-name>feedApiServlet</servlet-name>
      <url-pattern>/feedservice/*</url-pattern>
   </servlet-mapping>
  
   <servlet-mapping>
      <servlet-name>proxyServlet</servlet-name>
      <url-pattern>/proxy/*</url-pattern>
   </servlet-mapping>
  
   <servlet-mapping>
      <servlet-name>pageRendererServlet</servlet-name>
      <url-pattern>/page/*</url-pattern>
   </servlet-mapping>

   <servlet-mapping>
      <servlet-name>pageRendererServlet</servlet-name>
      <url-pattern>/p/*</url-pattern>
   </servlet-mapping>
  
   <servlet-mapping>
      <servlet-name>uriTemplateServlet</servlet-name>
      <url-pattern>/s/*</url-pattern>
   </servlet-mapping>
  
   <servlet-mapping>
      <servlet-name>frameworkControlServlet</servlet-name>
      <url-pattern>/control/*</url-pattern>
   </servlet-mapping>
  
   <session-config>
      <session-timeout>60</session-timeout>
   </session-config>

   <!-- welcome file list precedence order is index.jsp, then index.html -->
   <welcome-file-list>
      <welcome-file>index.jsp</welcome-file>
      <welcome-file>index.html</welcome-file>
   </welcome-file-list>

</web-app>

And the webscript-framework-config-custom.xml. I have tried about every combination for the server line, including IP address, DNS name and localhost:

<alfresco-config>
  
   <!-- Overriding endpoints to reference a remote Alfresco server -->
   <!--
   <config evaluator="string-compare" condition="Remote">
      <remote>

         <endpoint>
            <id>alfresco-noauth</id>
            <name>Alfresco - unauthenticated access</name>
            <description>Access to Alfresco Repository WebScripts that do not require authentication</description>
            <connector-id>alfresco</connector-id>
            <endpoint-url>http://yourserver:8080/alfresco/s</endpoint-url>
            <identity>none</identity>
         </endpoint>

         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfresco</connector-id>
            <endpoint-url>http://yourserver:8080/alfresco/s</endpoint-url>
            <identity>user</identity>
         </endpoint>

         <endpoint>
            <id>alfresco-feed</id>
            <name>Alfresco Feed</name>
            <description>Alfresco Feed - supports basic HTTP authentication</description>
            <connector-id>http</connector-id>
            <endpoint-url>http://yourserver:8080/alfresco/s</endpoint-url>
            <basic-auth>true</basic-auth>
            <identity>user</identity>
         </endpoint>
         
      </remote>
   </config>
   -->
   
   <!-- Overriding endpoints to reference an Alfresco server with NTLM filter enabled -->
   <!-- NOTE: the NTLM Authentication Filter must be enabled for both repository and web-tier web.xml -->
   <!-- NOTE: if utilising a load balancer between web-tier and repository cluster, the "sticky -->
   <!--       sessions" feature of your load balancer must be used when NTLM filter is active -->
  
   <config evaluator="string-compare" condition="Remote">
      <remote>
        
         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfresco</connector-id>
            <endpoint-url>http://server.domain.com:8080/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
         
      </remote>
   </config>
   

</alfresco-config>
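
The NTLM filter debug lines in the log above carry the raw handshake: the client's Type1 flag word, the server's Type2 flag word and 8-byte challenge, and the client's Type3 LM/NTLM responses. Reading those words by hand is error-prone, so here is an added example (written for this page, not code from the post or from Alfresco) that decodes the NegotiateFlags bits per MS-NLMP, classifies the Type3 response by its length and shape, and points out what the exchange negotiated. The sample log is constructed from the three handshake lines in the post; the flag names are the MS-NLMP ones and the regexes assume the bracketed `[Type1:...]`, `[Type2:...]`, `[Type3:...]` layout the Alfresco filter prints here.

```python
import re

# NTLMSSP NegotiateFlags bits (MS-NLMP 2.2.2.5); the subset needed to read
# the Type1/Type2 words printed by the Alfresco NTLM filter at DEBUG level.
NTLM_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "TARGET_TYPE_DOMAIN",
    0x00020000: "TARGET_TYPE_SERVER",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NEGOTIATE_TARGET_INFO",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}

# Constructed sample: the three handshake lines as the post's alfresco.log
# shows them (flag words, challenge and responses copied from the post).
SAMPLE_LOG = """\
11:32:43,024 DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] Received type1 [Type1:0xa2088207,Domain:<NotSet>,Wks:<NotSet>]
11:32:43,274 DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] Sending NTLM type2 to client - [Type2:0x80000203,Target:MYSERVERA,Ch:dac3eaf23cc2d44b]
11:32:43,321 DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] Received type3 [Type3:,LM:5d5120f1585f9d9f21e828685e4941c9811c4dafd80b2fc3,NTLM:c11f6698d7800d095a555d048e1f450ea520566b816cba3c,Dom:PHARPOINT,User:myuser.name,Wks:MyWorkStation]
"""

# Layout assumed from the filter's own output format shown in the post.
TYPE1_RE = re.compile(r"\[Type1:0x([0-9a-fA-F]{8})")
TYPE2_RE = re.compile(r"\[Type2:0x([0-9a-fA-F]{8}),Target:([^,\]]*),Ch:([0-9a-fA-F]+)\]")
TYPE3_RE = re.compile(
    r"\[Type3:[^,]*,LM:([0-9a-fA-F]*),NTLM:([0-9a-fA-F]*),"
    r"Dom:([^,\]]*),User:([^,\]]*),Wks:([^,\]]*)\]")


def decode_flags(word):
    """Names of the NegotiateFlags bits set in a 32-bit word, lowest bit first."""
    return [name for bit, name in sorted(NTLM_FLAGS.items()) if word & bit]


def parse_handshake(log_text):
    """Pull Type1/Type2/Type3 details out of NTLM filter debug lines."""
    info = {}
    for line in log_text.splitlines():
        m = TYPE1_RE.search(line)
        if m:
            info["type1_flags"] = decode_flags(int(m.group(1), 16))
            continue
        m = TYPE2_RE.search(line)
        if m:
            info["type2_flags"] = decode_flags(int(m.group(1), 16))
            info["target"] = m.group(2)
            info["challenge"] = m.group(3)
            continue
        m = TYPE3_RE.search(line)
        if m:
            lm, nt, dom, user, wks = m.groups()
            info.update(lm_response=lm, nt_response=nt, domain=dom,
                        user=user, workstation=wks)
    return info


def classify_response(info):
    """NTLMv1 and NTLM2-session responses are 24 bytes (48 hex chars); an NTLMv2
    NT response is longer (16-byte HMAC plus blob). NTLM2 session keeps the
    24-byte NT response but fills the LM field with an 8-byte client nonce
    followed by 16 zero bytes."""
    nt = info.get("nt_response", "")
    lm = info.get("lm_response", "")
    if len(nt) > 48:
        return "NTLMv2"
    if len(nt) == 48 and len(lm) == 48 and lm[16:] == "0" * 32:
        return "NTLM2 session (extended session security)"
    if len(nt) == 48:
        return "NTLMv1"
    return "unknown"


def findings(info):
    """Human-readable notes on what the two sides actually negotiated."""
    t1 = set(info.get("type1_flags", []))
    t2 = set(info.get("type2_flags", []))
    notes = []
    if "NEGOTIATE_EXTENDED_SESSIONSECURITY" in t1 and "NEGOTIATE_EXTENDED_SESSIONSECURITY" not in t2:
        notes.append("client offered extended session security; server did not select it")
    if "NEGOTIATE_TARGET_INFO" not in t2:
        notes.append("Type2 carries no TargetInfo block")
    notes.append("response type: " + classify_response(info))
    if info.get("challenge") and info.get("nt_response"):
        notes.append("challenge and responses are in the log: handle the file as credential material")
    return notes


if __name__ == "__main__":
    details = parse_handshake(SAMPLE_LOG)
    for key in ("type1_flags", "type2_flags", "target", "challenge", "user", "domain"):
        print(f"{key}: {details.get(key)}")
    for note in findings(details):
        print("-", note)
```

On the post's values the client's 0xa2088207 offers extended session security, 128-bit and 56-bit keys, while the server's 0x80000203 answers with only UNICODE, OEM, NTLM and 56, so the client falls back to a plain 24-byte NTLMv1 pair. That is worth knowing when turning this level of logging on: a server challenge plus an NTLMv1 response is enough material for offline recovery of the NT hash, so NTLM debug logs should be scrubbed before they are pasted anywhere.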

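
The web.xml above wires the Share NTLMAuthenticationFilter in front of `/page/*`, `/p/*` and `/s/*` only, and the config comment notes that the filter must be enabled on both the repository and the web-tier web.xml. When SSO misbehaves it helps to see, for every servlet mapping, whether a request under that path actually passes through an NTLM filter. The following is an added example (not code from the post or from Alfresco) that parses a web.xml, finds every filter whose class name contains `NTLMAuthenticationFilter` (which matches the Share class in this web.xml as well as the repository-side classes visible in the stack trace), and reports which servlet URL patterns are and are not behind it. The sample is a trimmed copy of the Share web.xml from the post; running the same check against the repository's web.xml assumes it uses the standard filter-mapping/servlet-mapping layout.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the filter and mappings from the Share web.xml in the
# post, trimmed to the elements this check reads.
SAMPLE_WEB_XML = """\
<web-app>
   <filter>
      <filter-name>Authentication Filter</filter-name>
      <filter-class>org.alfresco.web.site.servlet.NTLMAuthenticationFilter</filter-class>
   </filter>
   <filter-mapping><filter-name>Authentication Filter</filter-name><url-pattern>/page/*</url-pattern></filter-mapping>
   <filter-mapping><filter-name>Authentication Filter</filter-name><url-pattern>/p/*</url-pattern></filter-mapping>
   <filter-mapping><filter-name>Authentication Filter</filter-name><url-pattern>/s/*</url-pattern></filter-mapping>
   <servlet-mapping><servlet-name>logoutServlet</servlet-name><url-pattern>/logout</url-pattern></servlet-mapping>
   <servlet-mapping><servlet-name>loginServlet</servlet-name><url-pattern>/login/*</url-pattern></servlet-mapping>
   <servlet-mapping><servlet-name>apiServlet</servlet-name><url-pattern>/service/*</url-pattern></servlet-mapping>
   <servlet-mapping><servlet-name>feedApiServlet</servlet-name><url-pattern>/feedservice/*</url-pattern></servlet-mapping>
   <servlet-mapping><servlet-name>proxyServlet</servlet-name><url-pattern>/proxy/*</url-pattern></servlet-mapping>
   <servlet-mapping><servlet-name>pageRendererServlet</servlet-name><url-pattern>/page/*</url-pattern></servlet-mapping>
   <servlet-mapping><servlet-name>pageRendererServlet</servlet-name><url-pattern>/p/*</url-pattern></servlet-mapping>
   <servlet-mapping><servlet-name>uriTemplateServlet</servlet-name><url-pattern>/s/*</url-pattern></servlet-mapping>
   <servlet-mapping><servlet-name>frameworkControlServlet</servlet-name><url-pattern>/control/*</url-pattern></servlet-mapping>
</web-app>
"""


def _local(tag):
    """Strip a namespace prefix ('{uri}name' -> 'name') so Servlet 2.3 and 2.4+ files both work."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of every direct child called `name`, whitespace-trimmed."""
    return [c.text.strip() for c in elem if _local(c.tag) == name and c.text]


def _find_all(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]


def pattern_matches(pattern, path):
    """Servlet-spec URL pattern matching: exact, path prefix (/x/*), extension (*.ext), default (/)."""
    if pattern == "/":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == path


def auth_filter_patterns(root, class_marker="NTLMAuthenticationFilter"):
    """URL patterns mapped to every filter whose class name contains class_marker."""
    names = set()
    for f in _find_all(root, "filter"):
        cls, nm = _child_text(f, "filter-class"), _child_text(f, "filter-name")
        if cls and nm and class_marker in cls[0]:
            names.add(nm[0])
    patterns = []
    for fm in _find_all(root, "filter-mapping"):
        nm = _child_text(fm, "filter-name")
        if nm and nm[0] in names:
            patterns.extend(_child_text(fm, "url-pattern"))
    return patterns


def auth_coverage(web_xml_text, class_marker="NTLMAuthenticationFilter"):
    """Map each servlet url-pattern to (servlet-name, covered); covered means a
    representative request path under that pattern goes through the auth filter."""
    root = ET.fromstring(web_xml_text)
    fpatterns = auth_filter_patterns(root, class_marker)
    report = {}
    for sm in _find_all(root, "servlet-mapping"):
        servlet = _child_text(sm, "servlet-name")[0]
        for pattern in _child_text(sm, "url-pattern"):
            probe = pattern[:-2] + "/probe" if pattern.endswith("/*") else pattern
            covered = any(pattern_matches(fp, probe) for fp in fpatterns)
            report[pattern] = (servlet, covered)
    return report


def uncovered(web_xml_text, class_marker="NTLMAuthenticationFilter"):
    """Sorted list of servlet url-patterns that no matching auth filter fronts."""
    return sorted(p for p, (_, c) in auth_coverage(web_xml_text, class_marker).items() if not c)


if __name__ == "__main__":
    for pattern, (servlet, covered) in sorted(auth_coverage(SAMPLE_WEB_XML).items()):
        print(f"{pattern:16} {servlet:24} {'NTLM filter' if covered else 'no NTLM filter'}")
```

For the posted file this prints the three page/uri-template paths as filtered and the login, logout, service, feedservice, proxy and control paths as unfiltered, which matches the comment in the web.xml itself; the point of the script is to get the same answer mechanically for the repository web.xml, where the `/wcs/*` path that Share's endpoint points at must also sit behind the NTLM filter.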