AnsweredAssumed Answered

SSO broken by adding custom person properties

Question asked by chrisokelly on Oct 17, 2012
Hi all,

We have been using SSO over AD for some time now in an alfresco 4.0e community installation (on ubuntu 10.06, postgres, tomcat6). Yesterday I followed in order to add an aspect with two custom properties: my:cl_extension and my:cl_mobile. This worked fine and I can see the edit profile page has the additional sections added. However there are 2 problems - the first (and the one I have been concentrating on) is that SSO has stopped working. Rather than being automatically logged on by domain credentials users are presented with the login page (which they can log in to no problem). In the logs I see:

 2012-10-18 08:10:06,428  DEBUG [webscripts.servlet.WebScriptServlet] [http-8080-22] Processing request (GET) http://localhost:8080/alfresco/s/api/admin/restrictions?guest=true
2012-10-18 08:10:06,428  DEBUG [extensions.webscripts.AbstractRuntime] [http-8080-22] (Runtime=ServletRuntime, Container=Repository) Processing script url (GET) /api/admin/restrictions
2012-10-18 08:10:06,428  DEBUG [webscripts.servlet.WebScriptServletRequest] [http-8080-22] Content Type: null
2012-10-18 08:10:06,428  DEBUG [extensions.webscripts.AbstractRuntime] [http-8080-22] Agent: null
2012-10-18 08:10:06,428  DEBUG [extensions.webscripts.AbstractRuntime] [http-8080-22] Invoking Web Script org/alfresco/repository/admin/restrictions.get (format json, style: any, default: json)
2012-10-18 08:10:06,431  DEBUG [extensions.webscripts.AbstractRuntime] [http-8080-22] Web Script org/alfresco/repository/admin/restrictions.get executed in 3.178708ms
2012-10-18 08:10:06,431  ERROR [extensions.webscripts.AbstractRuntime] [http-8080-22] Exception from executeScript - redirecting to status template error: 09180040 Guest authentication not supported 09180040 Guest authentication not supported
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(
        at java.lang.reflect.Method.invoke(
        at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(
        at net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(
        at org.alfresco.repo.audit.AuditMethodInterceptor.proceedWithAudit(
        at org.alfresco.repo.audit.AuditMethodInterceptor.proceed(
        at org.alfresco.repo.audit.AuditMethodInterceptor.invoke(
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(
        at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(
        at $Proxy60.authenticateAsGuest(Unknown Source)
        at org.alfresco.repo.web.scripts.servlet.BasicHttpAuthenticatorFactory$BasicHttpAuthenticator.authenticate(
        at org.alfresco.repo.web.scripts.RepositoryContainer.executeScript(
        at org.springframework.extensions.webscripts.AbstractRuntime.executeScript(
        at org.springframework.extensions.webscripts.AbstractRuntime.executeScript(
        at org.springframework.extensions.webscripts.servlet.WebScriptServlet.service(
        at javax.servlet.http.HttpServlet.service(
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(
        at org.apache.catalina.core.StandardWrapperValve.invoke(
        at org.apache.catalina.core.StandardContextValve.invoke(
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(
        at org.apache.catalina.core.StandardHostValve.invoke(
        at org.apache.catalina.valves.ErrorReportValve.invoke(
        at org.apache.catalina.core.StandardEngineValve.invoke(
        at org.apache.catalina.connector.CoyoteAdapter.service(
        at org.apache.coyote.http11.Http11Processor.process(
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(
2012-10-18 08:10:06,432  DEBUG [webscripts.servlet.WebScriptServletRequest] [http-8080-22] Content Type: null
2012-10-18 08:10:06,443  DEBUG [extensions.webscripts.AbstractRuntime] [http-8080-22] Force success status header in response: false
2012-10-18 08:10:06,443  DEBUG [extensions.webscripts.AbstractRuntime] [http-8080-22] Sending status 500 (Template: /json.status.ftl)
2012-10-18 08:10:06,443  DEBUG [extensions.webscripts.AbstractRuntime] [http-8080-22] Rendering response: content type=application/json
2012-10-18 08:10:06,443  DEBUG [webscripts.servlet.WebScriptServletResponse] [http-8080-22] Cache - set response header Cache-Control: no-cache
2012-10-18 08:10:06,443  DEBUG [webscripts.servlet.WebScriptServletResponse] [http-8080-22] Cache - set response header Pragma: no-cache
2012-10-18 08:10:06,446  DEBUG [extensions.webscripts.AbstractRuntime] [http-8080-22] Processed script url (GET) /api/admin/restrictions in 17.845608ms

I noticed that if I hit that url as a guest I get the same error message, however if I enter admin details I see:
   "lastUpdate" : null,
   "users" : null,
   "documents" : null,
   "licenseMode" : "UNKNOWN",
   "readOnly" : false,
   "updated" : false,
   "licenseValidUntil" : null,
   "level" : 0,
   "warnings": [],
   "errors": []

which looks like a problem, but I can't find a controller or any logic for the script - it only seems to be a json template that inherits another json template from an ftl lib.

I assume the issue here is related in some way to my overriding the userfactory webframework, but I can't for the life of me figure out how, by adding a few custom phone numbers, I've caused SSO to attempt to login as a guest.

Passthru auth still works fine for cifs, although in the logs when accessing the cifs share I see
2012-10-18 09:05:34,281  DEBUG [smb.protocol.auth] [AlfJLANWorker25] Mapped client / to domain null
2012-10-18 09:05:34,491  DEBUG [smb.protocol.auth] [AlfJLANWorker25] Passthru sessId=3, auth ctx=[NTLM,Challenge=b215477c7499a900]
2012-10-18 09:05:34,495  DEBUG [smb.protocol.auth] [AlfJLANWorker25] Using Write transaction
2012-10-18 09:05:34,507  DEBUG [smb.protocol.auth] [AlfJLANWorker25] Setting current user using person ChrisO (username ChrisO)
2012-10-18 09:05:34,507  DEBUG [smb.protocol.auth] [AlfJLANWorker25] Passthru authenticate user=ChrisO, FULL
2012-10-18 09:05:34,509  DEBUG [smb.protocol.auth] [AlfJLANWorker25] Using Write transaction
2012-10-18 09:05:34,535  DEBUG [smb.protocol.auth] [AlfJLANWorker25] Using Write transaction
2012-10-18 09:08:02,792  ERROR [smb.protocol.auth] [AlfJLANWorker5] org.alfresco.jlan.smb.SMBException: Invalid parameter
2012-10-18 09:05:34,541  DEBUG [smb.protocol.auth] [AlfJLANWorker25] Closed auth session, sessId=3
but I don't think it is related.

Nothing that I adjust in log4j properties is giving me anything other than the guest auth not supported message when I access the login page, I am attempting to get log output for where the passthru subsystem is failing. does anyone know which log4j property controls this?

I have added to log4j properties - I still see nothing but the guest authentication not supported message when hitting the share login page, but when  hit /alfresco I am logged in perfectly well by SSO and see:
 2012-10-18 10:11:23,493  DEBUG [app.servlet.NTLMAuthenticationFilter] [http-8443-10] New NTLM auth request from ( SID:2D016B3CBE5B377843670F33191AFE07
2012-10-18 10:11:23,495  DEBUG [app.servlet.NTLMAuthenticationFilter] [http-8443-10] Received type1 [Type1:0xa2088207,Domain:<NotSet>,Wks:<NotSet>]
2012-10-18 10:11:23,496  DEBUG [app.servlet.NTLMAuthenticationFilter] [http-8443-10] Client domain null
2012-10-18 10:11:23,496  DEBUG [alfresco.passthru.auth] [http-8443-10] Authenticate Username: null; Password: [PROTECTED]; Authenticated: false; Details: null; Not granted any authorities via token
2012-10-18 10:11:23,712  DEBUG [alfresco.passthru.auth] [http-8443-10] Passthru stage 1 token Username: null; Password: [PROTECTED]; Authenticated: false; Details: MINECORP\,TCP/IP NetBIOS; Not granted any authorities
2012-10-18 10:11:23,717  DEBUG [app.servlet.NTLMAuthenticationFilter] [http-8443-10] Sending NTLM type2 to client - [Type2:0x80000203,Target:ALFRESCODOCS,Ch:d00ce0859c0e4ac0]
2012-10-18 10:11:23,719  DEBUG [app.servlet.NTLMAuthenticationFilter] [http-8443-10] Received type3 [Type3:,LM:d83309faf69b4d4eb1f14fdfee01228d0a2d28f9cd61dba8,NTLM:d83309faf69b4d4eb1f14fdfee01228d0a2d28f9cd61dba8,Dom:MINECORP,User:ChrisO,Wks:MUPC-09]
2012-10-18 10:11:23,720  DEBUG [alfresco.passthru.auth] [http-8443-10] Authenticate Username: chriso; Password: [PROTECTED]; Authenticated: false; Details: MINECORP\,TCP/IP NetBIOS; Not granted any authorities via token
2012-10-18 10:11:23,757  DEBUG [app.servlet.NTLMAuthenticationFilter] [http-8443-10] Updated cached NTLM details
2012-10-18 10:11:23,758  DEBUG [app.servlet.NTLMAuthenticationFilter] [http-8443-10] User logged on via NTLM, [ChrisO,Wks:MUPC-09,Dom:MINECORP,AuthSrv:ALFRESCODOCS,Thu Oct 18 10:11:23 EST 2012]
2012-10-18 10:11:23,758  DEBUG [app.servlet.NTLMAuthenticationFilter] [http-8443-10] Session reinitialised - redirecting to initially configured page
2012-10-18 10:11:23,767  DEBUG [app.servlet.NTLMAuthenticationFilter] [http-8443-6] Authentication not required (user), chaining …
so it seems like either a) the passthru subsystem is just not doing anything when I hit the login page or b) there is some other module I need to turn on logging for to see the share info.

any thoughts on what could be the cause here?