
Issue in AD authentication by NTLM using Passthru mechanism

Question asked by rahul.nagar on May 5, 2016
Hi,

I am trying to set up passthru to authenticate LDAP users using the NTLM scheme.
Below is the authentication-relevant section of my alfresco-global.properties file:

## Authentication ##
authentication.chain=alfinst:alfrescoNtlm,passthru1:passthru,ldap1:ldap-ad

### Passthru Config ###
passthru.authentication.useLocalServer=false
passthru.authentication.domain=
passthru.authentication.servers=DOMAIN\\LDAP_SERVER_NAME1,LDAP_SERVER_NAME1
alfresco.authentication.allowGuestLogin=false
passthru.authentication.guestAccess=false
passthru.authentication.defaultAdministratorUserNames=Administrator,admin,administrator
#Timeout value when opening a session to an authentication server, in milliseconds
passthru.authentication.connectTimeout=5000
#Offline server check interval in seconds
passthru.authentication.offlineCheckInterval=300
passthru.authentication.protocolOrder=NetBIOS,TCPIP
passthru.authentication.authenticateFTP=false
ntlm.authentication.mapUnknownUserToGuest=false

ntlm.authentication.sso.enabled=false
alfresco.authentication.authenticateCIFS=false

passthru.authentication.authenticateCIFS=true

ldap.authentication.active=false
ldap.synchronization.active=true

### LDAP Integration ###
#synchronization.import.cron=0 0/10 9-18 ? * MON-FRI
synchronization.import.cron=0 */5 * * * ?
synchronization.allowDeletions=true
synchronization.syncOnStartup=true
synchronization.synchronizeChangesOnly=false
synchronization.syncWhenMissingPeopleLogIn=true
synchronization.authCreatePeopleOnLogin=true
ldap.synchronization.active=true

# The attribute name on people objects found in LDAP to use as the uid in Alfresco
ldap.synchronization.userIdAttributeName=uid

#address of the LDAP server
ldap.authentication.java.naming.provider.url=ldap://LDAP_SERVER_NAME1:389
#users with admin rights
ldap.authentication.defaultAdministratorUserNames=Administrator
#LDAP administrator account on your server
ldap.synchronization.java.naming.security.principal=Administrator@DOMAIN.com
#password for ldap_admin@yourdomain.com
ldap.synchronization.java.naming.security.credentials=ADMINISTRATOR_PASSWORD
# The authentication mechanism to use for password validation
ldap.authentication.java.naming.security.authentication=simple
#groups for Alfresco; cn=Security_Groups,ou=Alfresco,dc=your_domain,dc=com must exist in your LDAP
ldap.synchronization.groupSearchBase=CN\=Users,DC\=DOMAIN,DC\=com
#users for Alfresco; cn=User_Accounts,ou=Alfresco,dc=your_domain,dc=com must exist in your LDAP
ldap.synchronization.userSearchBase=CN\=Users,DC\=DOMAIN,DC\=com

ldap.authentication.userNameFormat=CN\=%s,DC\=DOMAIN

Using this configuration, I am able to synchronize my LDAP users into Alfresco, and any LDAP user also gets validated using its AD userPrincipalName.
Now my problem is that the AD user is getting authenticated using the Basic scheme, not NTLM, i.e. I want to authenticate the user using DOMAIN\Username with a password.
Also, I am trying to access the Alfresco APIs using HttpClient, which has NTLM set as the authentication scheme. Please have a look at the code snapshot below:

// Apache HttpClient 4.x: create the provider first; setCredentials() returns void, so it cannot initialise the variable
CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
credentialsProvider.setCredentials(new AuthScope(AuthScope.ANY_HOST, AuthScope.ANY_PORT, AuthScope.ANY_REALM, AuthSchemes.NTLM), ntCredentials);
httpClientBuilder.setDefaultCredentialsProvider(credentialsProvider);

Now, in the above code, ntCredentials has the username as DOMAIN\Username (UID in AD) and the corresponding password. But this one is not getting authenticated, as it is expecting the username without the domain.
So am I missing something in the above configuration?
Please help me out with this problem so that I can access Alfresco through an Active Directory user with the domain name.

Thanks.
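The following is an added example for readers of this thread; it is not the poster's code and not part of Alfresco. It does two things that help when debugging the situation described above: it first makes an unauthenticated request and lists the schemes the server advertises in WWW-Authenticate (so you can see whether the endpoint challenges with NTLM at all or only with Basic), and it then builds NTLM credentials for Apache HttpClient 4.x in both the shape the poster describes (domain folded into the user name) and the shape the NTCredentials API expects (bare account name, domain in its own parameter). The host, port, domain, account, password and the server-info web script URL are placeholders you must replace for your deployment.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;

import org.apache.http.Header;
import org.apache.http.HttpHeaders;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.NTCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.config.AuthSchemes;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;

/**
 * Added example (not the poster's code): probe which HTTP authentication schemes an
 * Alfresco web script endpoint offers, then call it with NTLM credentials via HttpClient 4.x.
 */
public class AlfrescoNtlmProbe {

    // Assumed placeholders: replace host/port, and the web script path if your
    // deployment exposes a different authenticated endpoint.
    static final String URL = "http://ALFRESCO_HOST:8080/alfresco/service/api/server";
    static final String DOMAIN = "DOMAIN";
    static final String USER = "Username";
    static final String PASSWORD = "password";

    /** Step 1: unauthenticated GET; return every WWW-Authenticate challenge the server sends. */
    static List<String> offeredSchemes(String url) throws IOException {
        try (CloseableHttpClient client = HttpClients.createDefault();
             CloseableHttpResponse rsp = client.execute(new HttpGet(url))) {
            EntityUtils.consume(rsp.getEntity());
            return Arrays.stream(rsp.getHeaders(HttpHeaders.WWW_AUTHENTICATE))
                         .map(Header::getValue)
                         .collect(Collectors.toList());
        }
    }

    /**
     * Step 2: NTLM credentials restricted to the NTLM scheme only.
     * NTCredentials(userName, password, workstation, domain): userName is the bare
     * account name; the domain travels in its own field and is placed by HttpClient
     * into the NTLM Type 3 message. A null workstation is accepted.
     */
    static CredentialsProvider ntlmProvider(String domain, String user, String password) {
        NTCredentials creds = new NTCredentials(user, password, null, domain);
        CredentialsProvider provider = new BasicCredentialsProvider();
        provider.setCredentials(
            new AuthScope(AuthScope.ANY_HOST, AuthScope.ANY_PORT, AuthScope.ANY_REALM, AuthSchemes.NTLM),
            creds);
        return provider;
    }

    /** Step 3: perform the request with the given credentials and return the HTTP status code. */
    static int authenticatedStatus(String url, CredentialsProvider provider) throws IOException {
        try (CloseableHttpClient client = HttpClients.custom()
                 .setDefaultCredentialsProvider(provider)
                 .build();
             CloseableHttpResponse rsp = client.execute(new HttpGet(url))) {
            EntityUtils.consume(rsp.getEntity());
            return rsp.getStatusLine().getStatusCode();
        }
    }

    public static void main(String[] args) throws IOException {
        // If this prints only "Basic realm=...", the endpoint is not challenging with NTLM,
        // and an NTLM-only credentials provider will never be consulted (the call stays 401).
        System.out.println("WWW-Authenticate offered: " + offeredSchemes(URL));

        // Shape described in the question: the domain folded into the user name.
        CredentialsProvider domainInUserName = ntlmProvider(null, DOMAIN + "\\" + USER, PASSWORD);
        // Shape the NTCredentials API expects: bare account name, domain in its own parameter.
        CredentialsProvider domainSeparate = ntlmProvider(DOMAIN, USER, PASSWORD);

        System.out.println("status with DOMAIN\\Username in the user field: "
                           + authenticatedStatus(URL, domainInUserName));
        System.out.println("status with the domain in its own field:       "
                           + authenticatedStatus(URL, domainSeparate));
    }
}
```

Compile against httpclient 4.3 or later (AuthSchemes lives in org.apache.http.client.config from 4.3). Because the AuthScope is pinned to AuthSchemes.NTLM, the provider is deliberately not offered to a Basic challenge, which keeps the password from being sent in the clear if the server turns out to support only Basic; relaxing the scope to AuthScope.ANY would make HttpClient fall back to Basic silently.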
