
Same username in Multiple domains > authentication problems

Question asked by jgranjal on Dec 15, 2011
Latest reply on Jun 12, 2012 by jgranjal
Hello everybody!!
First of all let me thank you all for being here reading this. Simply that already helps!!

My knowledge of Alfresco is not as good as I'd like, so please, don't hesitate to ask for any further information you may need to help me to solve this.

I'm willing to finish an Alfresco 3.4.d setup, but I've got some problems with user authentication.

We've got two Windows domains (DomA and DomB) with some usernames duplicated. I mean, we have a 'DOMA\johndoe' and 'DOMB\johndoe' which identify two different people in our organization who, simply, are named the same.

The problem we're facing, in a plain user language is this:
1.- User DOMA\johndoe logs in to his Windows machine (DOMA integrated), and accesses http://hostip:8080/alfresco.  ===>>> DOMA\johndoe logs into Alfresco without problem. Through the Alfresco administration panel, you can see a new user generated named simply "johndoe" (no domain suffix).
2.- User DOMB\johndoe logs in to his Windows machine (DOMB integrated), and tries to access http://hostip:8080/alfresco  ===>>> DOMB\Johndoe can't log in. He's redirected to the Alfresco default login screen.

If I delete the created user through the admin panel, and repeat the process in reverse order (first DOMB\johndoe), then DOMB user logs in perfectly, and DOMA user is redirected.

That's simply the problem.
The expected behaviour was for it to create two completely different users in Alfresco, just as they are in AD, and other apps.

If, as the second user, when you get redirected to the default Alfresco login screen you input your domain username and password (ex: DOMB\johndoe, passwordB), you get logged in as "johndoe" and get access to the "johndoe" userspace created by user DOMA\johndoe, who logged in through what I understand as the passthru authentication.

To my understanding, the second user is rejected by the passthru authentication, but accepted by the user/password authentication against the AD; and then confused in the Alfresco users database with the first logged user.

I suppose there must be a way (parameter or different configuration) to tell Alfresco to pass the domain suffix to its username database, so it doesn't confuse the same username in different domains. But I can't figure it out.

To set this mess, this is what I did:

1.- $CATALINA_HOME/shared/classes/alfresco-global.properties
authentication.chain=passthru1:passthru

2.-  $CATALINA_HOME/shared/classes/alfresco/extension/subsystems/Authentication/passthru/passthru1/passthru-authentication-context.properties
passthru.authentication.useLocalServer=false
passthru.authentication.domain=
passthru.authentication.servers=DOMA\\hostA.doma.es,DOMB\\hostb.domb.es
passthru.authentication.guestAccess=false
passthru.authentication.defaultAdministratorUserNames=testadmin
#Timeout value when opening a session to an authentication server, in milliseconds
passthru.authentication.connectTimeout=5000
#Offline server check interval in seconds
passthru.authentication.offlineCheckInterval=300
passthru.authentication.protocolOrder=NetBIOS,TCPIP
passthru.authentication.authenticateCIFS=true
passthru.authentication.authenticateFTP=true

Could someone give me some advice to configure this in a proper way!?!?
I'm not sure it's even possible to use the same usernames in different domains (mandatory in this organization) and Alfresco.
Is it possible?
Does someone have this (or a similar) setup?

Thank you in advance
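
The collision described in the post, as an added example that is not part of the original post and not Alfresco code: it audits a list of logins for names that become the same account once the domain is dropped, which is the behaviour the poster observed ("johndoe" with no domain suffix). The sample logins and the DNS-suffix-to-domain mapping are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: logins as they might appear in exports from both domains.
SAMPLE_LOGINS = [
    r"DOMA\johndoe",
    r"DOMB\johndoe",
    r"DOMA\asmith",
    "JohnDoe@domb.es",  # UPN form of a DOMB user (hypothetical)
    r"DOMB\mlopez",
]

# Hypothetical mapping from DNS suffix to NetBIOS domain, used for UPN logins.
UPN_SUFFIX_TO_DOMAIN = {"doma.es": "DOMA", "domb.es": "DOMB"}


def parse_login(login):
    """Return (domain, user) in canonical case; domain is None for a bare name."""
    login = login.strip()
    if "\\" in login:
        domain, user = login.split("\\", 1)
        return domain.upper(), user.lower()
    if "@" in login:
        user, suffix = login.rsplit("@", 1)
        return UPN_SUFFIX_TO_DOMAIN.get(suffix.lower(), suffix.upper()), user.lower()
    return None, login.lower()


def stripped_key(login):
    """Account key when the domain is dropped (the behaviour seen in the post)."""
    return parse_login(login)[1]


def qualified_key(login):
    """Account key that keeps the domain, so same-named users stay distinct."""
    domain, user = parse_login(login)
    return f"{domain}\\{user}" if domain else user


def find_collisions(logins):
    """Map each stripped name to the distinct domain identities that share it."""
    buckets = defaultdict(set)
    for login in logins:
        buckets[stripped_key(login)].add(qualified_key(login))
    return {name: sorted(ids) for name, ids in buckets.items() if len(ids) > 1}


if __name__ == "__main__":
    for name, ids in find_collisions(SAMPLE_LOGINS).items():
        print(f"{name}: {len(ids)} identities would share one account -> {ids}")
```

Every name this reports is a pair of people who would land in the same user space, so the list is worth reviewing before a multi-domain authentication chain goes live.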
