
NTLM Authentication with Active Directory

Question asked by ianp on Aug 17, 2012
Latest reply on Aug 24, 2012 by ianp
Hi all,

I'm using community 4.0.d on a vanilla Tomcat 6.0.35 install.

I've been struggling for several days with this, so I'm hoping someone here might have an answer for me.  I'm trying to achieve SSO in IE8 so that a user doesn't have to enter a username or password.  I've managed to successfully log in (via the standard Alfresco login page) using my AD credentials.  I've also managed to synchronise my AD users, so that I can see them in Alfresco.  However if I try to log in using NTLM it fails (IE8 still pops up a dialog box, but it relates to the domain so I'm not sure what that's about).  I've turned up logging on the NTLMAuthenticationFilter, and I get the following output:


2012-08-17 16:11:03,691  DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] [http-8080-1] New NTLM auth request from 192.168.10.10 (192.168.10.10:49567) SID:0F8D2CE2C82AE1F6655227A21B4EF9B5
2012-08-17 16:11:11,010  DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] [http-8080-1] Received type1 [Type1:0xa2088207,Domain:<NotSet>,Wks:<NotSet>]
2012-08-17 16:11:11,013  INFO  [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] [http-8080-1] NTLM filter using server name magrathea
2012-08-17 16:11:11,017  DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] [http-8080-1] Sending NTLM type2 to client - [Type2:0xa0080201,Target:magrathea,Ch:f387bc44a15b65f0]
2012-08-17 16:11:11,021  DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] [http-8080-1] Received type3 [Type3:,LM:000000000000000000000000000000000000000000000000,NTLM:c0eb1440bce9ced98dbcfdf8e7d5842e0101000000000000aa6416898a7ccd01d965cfb6682f75a400000000020012006d00610067007200610074006800650061000000000000000000,Dom:TEST,User:fred,Wks:WINDOWS7]
2012-08-17 16:11:11,036  DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] [http-8080-1] User fred does not have Alfresco account
2012-08-17 16:11:11,036  DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] [http-8080-1] restartLoginChallenge…

So it's complaining that there is no account for fred, despite the fact that it was successfully imported from AD, and that I can see it if I log in as admin.

My alfresco-global.properties file has the following extra properties (passwords hidden by ****):


authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap-ad1:ldap-ad

alfresco.authentication.authenticateCIFS=false
ntlm.authentication.sso.enabled=true

#ldap.authentication.active=false
ldap.authentication.java.naming.provider.url=ldap://192.168.10.1:389
ldap.authentication.userNameFormat=%s@test.com

ldap.synchronization.active=true
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=administrator@test.com
ldap.synchronization.java.naming.security.credentials=****
ldap.synchronization.groupSearchBase=cn\=Users,dc\=test,dc\=com
ldap.synchronization.userSearchBase=cn\=Users,dc\=test,dc\=com

I'm fairly new to this, but I think I've read most of the documentation, forum posts, and so on, and I'm now up against a bit of a brick wall.  Any help would be very much appreciated!

Thanks in advance,
Ian
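As an added example (not part of the original post or of Alfresco), the type3 line from the log excerpt above can be decoded field by field using the structures in MS-NLMP: the LM response is all zeros, the NT response is an NTLMv2 response whose blob carries a client timestamp (it decodes to 2012-08-17 15:11:11 UTC, one hour behind the server's local log time) and a target-info list naming the Alfresco host "magrathea" rather than the AD domain, consistent with the "NTLM filter using server name magrathea" line. The log line is copied from the post; the AvId names are from the MS-NLMP specification.

```python
"""Decode the NTLM type3 line logged by Alfresco's NTLMAuthenticationFilter."""
import re
import struct
from datetime import datetime, timedelta, timezone

# Copy of the "Received type3" line from the log excerpt in the post (hex exactly as logged).
LOG_LINE = (
    "Received type3 [Type3:,LM:000000000000000000000000000000000000000000000000,"
    "NTLM:c0eb1440bce9ced98dbcfdf8e7d5842e0101000000000000aa6416898a7ccd01d965cfb6682f75a4"
    "00000000020012006d00610067007200610074006800650061000000000000000000,"
    "Dom:TEST,User:fred,Wks:WINDOWS7]"
)

# AvId values from MS-NLMP 2.2.2.1 whose payload is a UTF-16LE string.
AV_NAMES = {1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName",
            3: "MsvAvDnsComputerName", 4: "MsvAvDnsDomainName", 5: "MsvAvDnsTreeName"}

def filetime_to_utc(filetime):
    """FILETIME is a count of 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)

def parse_type3_log(line):
    """Extract the NTLM type3 fields from an Alfresco 'Received type3 [...]' log line."""
    m = re.search(r"LM:([0-9a-fA-F]*),NTLM:([0-9a-fA-F]*),Dom:([^,]*),User:([^,]*),Wks:([^\]]*)\]", line)
    if not m:
        raise ValueError("not a type3 log line")
    lm, nt = bytes.fromhex(m.group(1)), bytes.fromhex(m.group(2))
    info = {"domain": m.group(3), "user": m.group(4), "workstation": m.group(5),
            "lm_response_null": lm == bytes(len(lm))}  # all zeros: client sent no LM response
    if len(nt) == 24:                 # an NTLMv1 response is exactly 24 bytes
        info["nt_version"] = 1
        return info
    # NTLMv2 (MS-NLMP 2.2.2.8): 16-byte NTProofStr followed by the client blob.
    info["nt_version"] = 2
    blob = nt[16:]
    _resp, _hi, _res1, ts, challenge, _res2 = struct.unpack_from("<BB6sQ8sI", blob, 0)
    info["timestamp_utc"] = filetime_to_utc(ts).strftime("%Y-%m-%d %H:%M:%S")
    info["client_challenge"] = challenge.hex()
    # AV_PAIR list the client echoes from the server's type2 target info; ends with MsvAvEOL (id 0).
    pairs, pos = {}, 28
    while pos + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == 0:
            break
        value = blob[pos:pos + av_len]
        pos += av_len
        pairs[AV_NAMES.get(av_id, f"AvId{av_id}")] = (
            value.decode("utf-16-le") if av_id in AV_NAMES else value.hex())
    info["target_info"] = pairs
    return info

if __name__ == "__main__":
    for key, val in parse_type3_log(LOG_LINE).items():
        print(f"{key:>18}: {val}")
```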
