
enabled SSO with passthru ?

Question asked by nancygaillard on Jan 18, 2016
Hello,

Alfresco 4.2.f is installed on Windows Server 2008 R2 (x64), and I connect from a Windows 7 client.

I have three questions:

I would like to know whether SSO can provide automatic login to WebDAV.
If so, is it possible with passthru?
If it is, how should I configure Alfresco (and my Windows server?) so that the connection succeeds using SSO with passthru?


Here is what I tried (with help from this French blog  http://desaille.fr/alfresco-authentification-sso-ntlm-ldap-ad/ )


- In Internet Options I added the IP address and the domain name to the Trusted Sites zone
- I added the self-signed certificate "browser.p12" to the Trusted Root Certification Authorities store
- I set the LAN Manager authentication level to "Send LM & NTLM - use NTLMv2 session security if negotiated"

In alfresco-global.properties, I updated the authentication chain and added the passthru and NTLM configuration to use SSO and LDAP authentication.

<blockcode>
###############################
## Common Alfresco Properties #
###############################
# alfresco-global.properties as posted for Alfresco 4.2.f on Windows Server 2008 R2.
# Values such as "SERVER IP" are the author's redactions, not literal settings.
# Review remarks are marked NOTE(review).

dir.root=C:/Alfresco/alf_data
dir.contentstore=D:/Alfresco/contentstore/contentstore
dir.contentstore.deleted=D:/Alfresco/contentstore/contentstore.deleted

alfresco.context=alfresco
# NOTE(review): "IP SERVER IP" looks like a slip in the redaction; the value should be a
# single hostname or address, consistent with share.host below.
alfresco.host=IP SERVER IP
alfresco.port=8081
alfresco.protocol=http

share.context=share
share.host=SERVER IP
share.port=8081
share.protocol=http

### database connection properties ###
db.driver=org.postgresql.Driver
db.username=alfresco
# NOTE(review): clear-text database credential, and "admin" is a weak value; restrict
# read access to this file and do not publish the real value.
db.password=admin
db.name=alfresco
db.url=jdbc:postgresql://localhost:5433/${db.name}

### FTP Server Configuration ###
ftp.enabled=true
# NOTE(review): 22 is the conventional SSH/SFTP port, while this service is plain FTP;
# it may collide with an SSH daemon on the host and confuse clients. Confirm intended.
ftp.port=22

### RMI service ports ###
# A port of 0 lets the JVM pick an ephemeral port for that RMI service.
alfresco.rmi.services.port=50501
avm.rmi.service.port=0
avmsync.rmi.service.port=0
attribute.rmi.service.port=0
authentication.rmi.service.port=0
repo.rmi.service.port=0
action.rmi.service.port=0
deployment.rmi.service.port=0

### External executable locations ###
ooo.exe=C:/Alfresco/libreoffice/App/libreoffice/program/soffice.exe
ooo.enabled=true
ooo.port=8101
# "\\" in a .properties value is a single backslash, so these expand to Windows paths.
img.root=C:\\Alfresco\\imagemagick
img.coders=${img.root}\\modules\\coders
img.config=${img.root}\\config
img.gslib=${img.root}\\lib
img.exe=${img.root}\\convert.exe
swf.exe=C:/Alfresco/swftools/pdf2swf.exe
swf.languagedir=C:/Alfresco/swftools/japanese

# JODConverter is disabled; the direct ooo.* settings above drive the office conversions.
jodconverter.enabled=false
jodconverter.officeHome=C:/Alfresco/libreoffice/App/libreoffice
jodconverter.portNumbers=8101

### Initial admin password ###
# NOTE(review): this appears to be the stock default hash shipped with Alfresco (it
# corresponds to the password "admin"); presumably only applied at first bootstrap, so
# make sure the admin password was actually changed afterwards.
alfresco_user_store.adminpassword=209c6174da490caeb422f3fa5a7ae634

### E-mail site invitation setting ###
notification.email.siteinvite=false

### License location ###
dir.license.external=C:/Alfresco

### Solr indexing ###
index.subsystem.name=solr
dir.keystore=${dir.root}/keystore
solr.port.ssl=8444

### BPM Engine ###
system.workflow.engine.jbpm.enabled=true

### Authentication protocols ###
# Chain members are tried left to right. The first SSO-capable subsystem is the one that
# answers the browser's NTLM handshake, so with this order passthru1 handles SSO and
# ldap-ad1 / alfrescoNtlm1 only serve as fallbacks for form-based logins.
authentication.chain=passthru1:passthru,ldap-ad1:ldap-ad,alfrescoNtlm1:alfrescoNtlm


# NOTE(review): ntlm.authentication.sso.enabled is the switch of the alfrescoNtlm subsystem
# (alfrescoNtlm1, last in the chain), not of passthru. The passthru subsystem has its own
# passthru.authentication.sso.enabled property; confirm it is set if passthru1 is meant to
# provide the SSO, and avoid having two SSO-enabled subsystems competing in one chain.
ntlm.authentication.sso.enabled=true
# NOTE(review): every name listed here is granted Alfresco administrator rights when it
# authenticates through passthru; keep the list as short as possible.
passthru.authentication.defaultAdministratorUserNames=user1-ldap,user2-ldap,ldap-admin,admin
passthru.authentication.domain=DOMAIN.local
# "\\" reads as one backslash, so this resolves to DOMAIN\<server>; verify the redacted
# part is a single server name or address (a list would be comma-separated).
passthru.authentication.servers=DOMAIN\\LDAP SERVER IP


#IMAP Configuration
imap.server.enabled=true
imap.server.port=143
imap.server.host=SERVER IP
imap.config.home.folderPath=cm:Imap Home
#—
imap.config.server.mountPoints.value.AlfrescoIMAP.mountPointName=Alfresco IMAP
imap.config.server.mountPoints.value.AlfrescoIMAP.modeName=MIXED

# SharePoint (VTI) module configuration; the port is defined in the file Alfresco2\configuration-manuelle-port-alf.txt
vti.server.port=7071
vti.server.external.host=${localname}
vti.server.external.port=${vti.server.port}

# FOR DOCUMENT TRANSFER
#system.preserve.modificationData=true
system.enableTimestampPropagation=false
#system.auditableData.preserve=true
#system.auditableData.FileFolderService=true
#system.auditableData.ACLs=true

#Tuning/Optimisation
alfresco.cluster.enabled=false

#customization transformers - openoffice
#C:\Alfresco\tomcat\webapps\alfresco\WEB-INF\classes\alfresco\subsystems\Transformers\default\transformers.properties
content.transformer.OpenOffice.extensions.*.docx.supported=true
content.transformer.OpenOffice.extensions.*.xlsx.supported=true
content.transformer.OpenOffice.extensions.*.pptx.supported=true
content.transformer.OpenOffice.extensions.*.txt.supported=true
content.transformer.OpenOffice.extensions.html.pdf.supported=true
content.transformer.OpenOffice.extensions.docx.pdf.maxSourceSizeKBytes=4096
content.transformer.OpenOffice.extensions.doc.pdf.maxSourceSizeKBytes=4096
content.transformer.OpenOffice.2Pdf.available=true
content.transformer.complex.OpenOffice.Pdf2swf.extensions.docx.swf.maxSourceSizeKBytes=4096
content.transformer.Pdf2swf.maxSourceSizeKBytes=20480

# disable activity feed notification emails
activities.feed.notifier.enabled=false
</blockcode>

I extended the LDAP subsystem by creating:
<blockcode>
C:\Alfresco\tomcat\shared\classes\alfresco\extension\subsystems\Authentication\ldap-ad:
- ldap-ad1
   |_ldap-ad-authentication.properties
   |_ldap-ad-authentication-context.xml
- common-ldap-context.xml
</blockcode>

ldap-ad-authentication.properties:
<blockcode>
# ldap-ad1/ldap-ad-authentication.properties as posted. Review remarks are marked NOTE(review).
ldap.authentication.active=true

# NOTE(review): guest login lets unauthenticated users enter as "guest" through this
# subsystem; confirm that is wanted on an SSO deployment.
ldap.authentication.allowGuestLogin=true
# NOTE(review): "domaine.local" here vs "DOMAIN.local" in alfresco-global.properties; both
# look redacted, but make sure they name the same AD domain.
ldap.authentication.userNameFormat=%s@domaine.local

ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory

# NOTE(review): plain ldap:// combined with the "simple" bind below sends each user's
# password to the directory in clear text; prefer ldaps:// (or StartTLS) in production.
ldap.authentication.java.naming.provider.url=ldap://IP SERVEUR LDAP:389

ldap.authentication.java.naming.security.authentication=simple

ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false

# NOTE(review): these names are granted Alfresco administrator rights as well, on top of
# passthru.authentication.defaultAdministratorUserNames in alfresco-global.properties.
ldap.authentication.defaultAdministratorUserNames=Administrateur,alfresco

# Synchronisation is off, so the principal and credentials below are currently unused.
ldap.synchronization.active=false
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=alfresco@domaine.local
# NOTE(review): clear-text service-account password; keep this file's permissions tight.
ldap.synchronization.java.naming.security.credentials=secret

ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000

# In a .properties value "\=" and "\:" simply yield "=" and ":", so the escapes below are
# harmless. The search bases escape only the first "=" (dc\=domaine,dc=local); both forms
# parse to the same string, but a consistent style is easier to review.
ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(whenChanged<\={0})))
ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(whenChanged<\={0})))
ldap.synchronization.groupSearchBase=dc\=domaine,dc=local
ldap.synchronization.userSearchBase=dc\=domaine,dc=local
ldap.synchronization.modifyTimestampAttributeName=whenChanged
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true
# NOTE(review): for the JNDI LDAP provider a read timeout of 0 means "wait indefinitely";
# a finite value avoids logins hanging if the directory stops responding. Confirm.
ldap.authentication.java.naming.read.timeout=0
</blockcode>

In share-config-custom.xml, I added:
<blockcode>
   <!-- Remote (Surf) configuration: how Share authenticates to the repository tier. -->
   <config evaluator="string-compare" condition="Remote">
      <remote>
         <!-- NOTE(review): keystore password in clear text; "alfresco-system" is the
              stock sample value, so this block may be unchanged from the shipped sample. -->
         <keystore>
             <path>alfresco/web-extension/alfresco-system.p12</path>
             <type>pkcs12</type>
             <password>alfresco-system</password>
         </keystore>
        
         <!-- Cookie-based connector: the repository performs the authentication itself
              (here via the NTLM passthru chain) and Share relays its session cookie.
              This is the connector the endpoint below references. -->
         <connector>
            <id>alfrescoCookie</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using cookie-based authentication</description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
         </connector>
        
         <!-- Header-based connector: presumably takes the user name from the SsoUserHeader
              HTTP header set by a fronting proxy. NOTE(review): it is defined but not referenced
              by any endpoint in this snippet; if it is ever used, Share must only be reachable
              through the proxy that sets (and strips inbound copies of) that header. -->
         <connector>
            <id>alfrescoHeader</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
            <userHeader>SsoUserHeader</userHeader>
         </connector>

         <!-- Repository endpoint. external-auth=true tells Share that authentication is
              delegated to the repository rather than done by Share's own login form;
              the endpoint-url port matches alfresco.port=8081 in alfresco-global.properties. -->
         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfrescoCookie</connector-id>
            <endpoint-url>http://localhost:8081/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
      </remote>
   </config>
</blockcode>
