Friday, October 25, 2013

NTLM SSO with Alfresco 4.2 and Active Directory

Do you have an Active Directory server, and want to set up Single-Sign-On (SSO), so that everyone in the domain can log into Alfresco without providing their credentials? Then this article is for you!

What you will need

Obviously, you need to download Alfresco if you don't have it already. The newer the better, but the instructions below should work for any Alfresco version above 3.2.

While downloading, find and take note of the information below, you will need it:
  1. Name of the Active Directory server (let's say it is kate)
  2. Name of the domain (let's say it is aegif.local)
  3. Name of the domain administrator (let's say it is Administrator)
  4. Password of the domain administrator (let's say it is thepassword)
  5. For tests, you will also need a machine that belongs to the domain, different from the domain server itself.
Now let's get started!

Set up Alfresco

Install Alfresco on the Active Directory server, and run it once to check that it works.
If you have not specified any particular port, then Alfresco is running on port 8080. If you have chosen a different port, just adapt the occurrences of 8080 in the following.

Add the following lines at the top of the file tomcat\shared\classes\alfresco-global.properties:

authentication.chain=passthru1:passthru,ldap-ad1:ldap-ad,alfrescoNtlm1:alfrescoNtlm
ldap.authentication.active=false
ldap.authentication.userNameFormat=%s@aegif
ldap.authentication.java.naming.provider.url=ldap://kate:389
ldap.synchronization.java.naming.security.principal=Administrator@aegif
ldap.synchronization.java.naming.security.credentials=thepassword
ldap.synchronization.groupSearchBase=cn\=Users,dc\=aegif,dc\=local
ldap.synchronization.userSearchBase=cn\=Users,dc\=aegif,dc\=local
synchronization.import.cron=0 0 5 * * ?
ntlm.authentication.sso.enabled=true
passthru.authentication.defaultAdministratorUserNames=Administrator
passthru.authentication.useLocalServer=true
passthru.authentication.domain=
passthru.authentication.servers=

  1. Replace aegif with your domain name minus the .local part.
  2. Replace kate with the name of your Active Directory server.
Note: The above assumes that Alfresco runs on the same server as Active Directory. If not, replace the last 3 lines with these ones:

passthru.authentication.domain=aegif
passthru.authentication.servers=aegif\\nameoftheactivedirectoryserver
passthru.authentication.defaultAdministratorUserNames=Administrator
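
As an added check (this is example code written for this article, not part of Alfresco), here is a small Python script that reads alfresco-global.properties with Java .properties escaping rules, so that cn\=Users comes out as cn=Users, the DN you would paste into an LDAP browser, and flags the mistakes that most often break the pass-through setup: the useLocalServer / servers pair being inconsistent, a subsystem missing from the authentication chain, SSO left disabled, or a search base that is not a DN. The two property texts embedded below are constructed from the lines above; the second one deliberately keeps useLocalServer=true after adding the remote-server lines, which is an assumed typical mistake.

```python
import re
import sys

# Constructed from the same-host settings listed in the post.
SAMPLE_SAME_HOST = """\
authentication.chain=passthru1:passthru,ldap-ad1:ldap-ad,alfrescoNtlm1:alfrescoNtlm
ldap.authentication.active=false
ldap.authentication.userNameFormat=%s@aegif
ldap.authentication.java.naming.provider.url=ldap://kate:389
ldap.synchronization.java.naming.security.principal=Administrator@aegif
ldap.synchronization.java.naming.security.credentials=thepassword
ldap.synchronization.groupSearchBase=cn\\=Users,dc\\=aegif,dc\\=local
ldap.synchronization.userSearchBase=cn\\=Users,dc\\=aegif,dc\\=local
synchronization.import.cron=0 0 5 * * ?
ntlm.authentication.sso.enabled=true
passthru.authentication.defaultAdministratorUserNames=Administrator
passthru.authentication.useLocalServer=true
passthru.authentication.domain=
passthru.authentication.servers=
"""

# Constructed mistake: remote-server lines added, useLocalServer=true kept.
SAMPLE_REMOTE_MISTAKE = SAMPLE_SAME_HOST.replace(
    "passthru.authentication.domain=\n", "passthru.authentication.domain=aegif\n"
).replace(
    "passthru.authentication.servers=\n",
    "passthru.authentication.servers=aegif\\\\nameoftheactivedirectoryserver\n",
)

REQUIRED_SUBSYSTEMS = ("passthru", "ldap-ad", "alfrescoNtlm")
SERVER_LIST = re.compile(r"[^\\,]+\\[^\\,]+(?:,[^\\,]+\\[^\\,]+)*")   # DOMAIN\server[,...]
DN_SHAPE = re.compile(r"\w+=[^,]+(?:,\w+=[^,]+)*")                      # cn=...,dc=...


def parse_properties(text):
    """Minimal Java .properties reader: the first unescaped '=' or ':'
    separates key and value, and a backslash escapes the next character
    (so "cn\\=Users" becomes "cn=Users"). Line continuations and \\uXXXX
    escapes are not handled; a later duplicate key wins, as in Java."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, value, in_key, i = [], [], True, 0
        while i < len(line):
            c = line[i]
            if c == "\\" and i + 1 < len(line):
                (key if in_key else value).append(line[i + 1])
                i += 2
                continue
            if in_key and c in "=:":
                in_key = False
            else:
                (key if in_key else value).append(c)
            i += 1
        props["".join(key).strip()] = "".join(value).lstrip()
    return props


def check_sso_config(props):
    """Return (severity, message) pairs: 'error' entries break the recipe,
    'warn' entries are hardening advice."""
    findings = []
    chain = props.get("authentication.chain", "")
    kinds = [entry.split(":")[-1] for entry in chain.split(",") if entry]
    for kind in REQUIRED_SUBSYSTEMS:
        if kind not in kinds:
            findings.append(("error", f"authentication.chain has no {kind} subsystem"))
    if props.get("ntlm.authentication.sso.enabled") != "true":
        findings.append(("error", "ntlm.authentication.sso.enabled is not true"))
    local = props.get("passthru.authentication.useLocalServer") == "true"
    domain = props.get("passthru.authentication.domain", "")
    servers = props.get("passthru.authentication.servers", "")
    if local and (domain or servers):
        findings.append(("error", "useLocalServer=true, so domain and servers must stay empty"))
    if not local and not SERVER_LIST.fullmatch(servers):
        findings.append(("error", "passthru.authentication.servers must be DOMAIN\\server[,DOMAIN\\server...]"))
    for key in ("ldap.synchronization.groupSearchBase",
                "ldap.synchronization.userSearchBase"):
        if not DN_SHAPE.fullmatch(props.get(key, "")):
            findings.append(("error", f"{key} is not a DN after unescaping: {props.get(key)!r}"))
    if props.get("ldap.synchronization.java.naming.security.credentials"):
        findings.append(("warn", "the AD bind password is stored in clear text; "
                                 "restrict who can read alfresco-global.properties"))
    return findings


def errors(findings):
    return [msg for sev, msg in findings if sev == "error"]


def ldap_search_bases(props):
    """The unescaped DNs, i.e. what to paste into an LDAP browser."""
    return {k: v for k, v in props.items() if k.endswith("SearchBase")}


if __name__ == "__main__":
    # .properties files are ISO-8859-1 by specification.
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_SAME_HOST
    props = parse_properties(text)
    for sev, msg in check_sso_config(props):
        print(f"[{sev}] {msg}")
    for key, dn in ldap_search_bases(props).items():
        print(f"{key} -> {dn}")
```

Run it as python check_sso.py path/to/alfresco-global.properties; without an argument it checks the embedded sample. The clear-text password warning is deliberate: the file holds the domain administrator's credentials, so its read permissions deserve the same care as the AD account itself.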

Set up Alfresco Share

Open tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml

Find the block that starts with <config evaluator="string-compare" condition="Remote"> (it is towards the end of the file).
Delete this entire block, and also delete the <!-- and --> comment markers around it.
Paste this in its place:

<config evaluator="string-compare" condition="Remote">
   <remote>
      <connector>
         <id>alfrescoCookie</id>
         <name>Alfresco Connector</name>
         <description>Connects to an Alfresco instance using cookie-based authentication</description>
         <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
      </connector>
      <endpoint>
         <id>alfresco</id>
         <name>Alfresco - user access</name>
         <description>Access to Alfresco Repository WebScripts that require user authentication</description>
         <connector-id>alfrescoCookie</connector-id>
         <endpoint-url>http://kate:8080/alfresco/wcs</endpoint-url>
         <identity>user</identity>
         <external-auth>true</external-auth>
      </endpoint>
   </remote>
</config>

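
A quick way to verify that the Share side is right, as an added example written for this article (not Alfresco's own code): the script below parses share-config-custom.xml and checks that an active Remote block exists, that the alfresco endpoint points at a defined connector using SlingshotAlfrescoConnector, that the endpoint URL targets the expected repository host with the /alfresco/wcs path, and that external-auth is true. Because an XML parser discards comments, a Remote block still wrapped in <!-- --> is simply absent from the parsed tree, which is exactly the "forgot to remove the comment markers" failure. The two XML documents embedded below are constructed; the <alfresco-config> wrapper is the root element share-config-custom.xml uses, and the host kate is the post's example server.

```python
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

CONNECTOR_CLASS = "org.alfresco.web.site.servlet.SlingshotAlfrescoConnector"

# Constructed: the Remote block from the post inside the file's root element.
SHARE_CONFIG_OK = """<alfresco-config>
   <config evaluator="string-compare" condition="Remote">
      <remote>
         <connector>
            <id>alfrescoCookie</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using cookie-based authentication</description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
         </connector>
         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfrescoCookie</connector-id>
            <endpoint-url>http://kate:8080/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
      </remote>
   </config>
</alfresco-config>
"""

# Constructed failure case: the same block left inside <!-- ... -->.
SHARE_CONFIG_COMMENTED = SHARE_CONFIG_OK.replace(
    '<config evaluator="string-compare" condition="Remote">',
    '<!-- <config evaluator="string-compare" condition="Remote">',
).replace("</config>", "</config> -->")


def check_remote_config(xml_text, expected_host="kate"):
    """Return (ok, findings). expected_host is the repository host the
    endpoint-url must point at (the post's example server by default)."""
    root = ET.fromstring(xml_text)
    remote = None
    for cfg in root.iter("config"):
        if cfg.get("condition") == "Remote":
            remote = cfg.find("remote")
    if remote is None:
        return False, ['no active <config condition="Remote"> block (still commented out?)']

    findings = []
    connectors = {c.findtext("id"): c for c in remote.findall("connector")}
    endpoint = next((e for e in remote.findall("endpoint")
                     if e.findtext("id") == "alfresco"), None)
    if endpoint is None:
        return False, ["no endpoint with id 'alfresco'"]

    cid = endpoint.findtext("connector-id")
    connector = connectors.get(cid)
    if connector is None:
        findings.append(f"endpoint references undefined connector {cid!r}")
    elif connector.findtext("class") != CONNECTOR_CLASS:
        findings.append(f"connector {cid!r} does not use {CONNECTOR_CLASS}")

    url = endpoint.findtext("endpoint-url") or ""
    host = urlparse(url).hostname
    if host != expected_host:
        findings.append(f"endpoint-url host {host!r} is not {expected_host!r}")
    if not url.endswith("/alfresco/wcs"):
        findings.append("endpoint-url should end with /alfresco/wcs for SSO")
    if endpoint.findtext("external-auth") != "true":
        findings.append("external-auth is not true (required for SSO)")
    return not findings, findings


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SHARE_CONFIG_OK
    host = sys.argv[2] if len(sys.argv) > 2 else "kate"
    ok, findings = check_remote_config(text, host)
    print("OK" if ok else "\n".join(findings))
```

Usage: python check_share.py tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml kate, with the second argument being your own repository host name.
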
Configure the domain server

Logged in as the domain administrator, press Win+R and run gpedit.msc.
Gpedit is the group policy editor, with which you can modify policies for the whole domain. We only need to change a single setting with it.

In the tree in the left pane, select Local Computer Policy > Windows Settings > Security Settings > Local Policies > Security Options.
A long list of items with similar names appears in the right pane. Select Network Security: LAN Manager authentication level.

A dialog will appear.
In the dropdown box, set the value to Send LM & NTLM - use NTLMv2 session security if negotiated.

Press OK and quit the policy editor.

Configure each client

Yes, you will need to perform the following on ALL client machines :-/

Open Internet Explorer (you know, that tool you use to download Firefox)
Click Tools > Internet options > Security > Local intranet > Sites > Advanced.
The Local intranet sites dialog appears.

If you want to access your Alfresco server via HTTP (not HTTPS), then you might need to first uncheck Require server verification (https:) for all sites in this zone.

Type in the protocol and machine name of your Alfresco server (for instance http://kate), then press Add and Close.

Other browsers like Firefox and Chrome also have settings for this.

Test

That's all, time to test!
Open http://kate:8080/alfresco in Internet Explorer on a client machine.
It should show your documents immediately, without asking for any username/password.

Troubleshooting

If things don't go as well as expected:

1) Read alfresco.log and spot any exception.

2) Run the LDAP queries (ldap.synchronization.groupSearchBase and ldap.synchronization.userSearchBase) in an LDAP browser like Apache Directory Studio.
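
3) Look at the first reply the repository gives to a request without credentials. With NTLM SSO enabled, Alfresco answers with 401 and a WWW-Authenticate: NTLM header; if that header is there, the server side is configured and a remaining password prompt is a client-side (intranet zone) problem, while a Basic challenge or a 401 without any challenge points back at alfresco-global.properties. The script below is an added example written for this article, not Alfresco's own tooling: it classifies a captured response head and can also probe a URL live with the standard library only. The captured responses embedded in it are constructed.

```python
import http.client
from urllib.parse import urljoin, urlparse

# Constructed response heads, as a proxy or browser developer tools would show them.
CAPTURE_NTLM = ("HTTP/1.1 401 Unauthorized\r\n"
                "WWW-Authenticate: NTLM\r\n"
                "Content-Length: 0\r\n\r\n")
CAPTURE_BASIC = ('HTTP/1.1 401 Unauthorized\r\n'
                 'WWW-Authenticate: Basic realm="Alfresco"\r\n\r\n')
CAPTURE_OK = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"

HINTS = {
    "granted": "SSO worked (or this URL needs no login)",
    "ntlm": "server offers NTLM; if the browser still prompts, check the client's intranet-zone settings",
    "negotiate": "server offers Negotiate (Kerberos/SPNEGO) rather than the NTLM subsystem from this recipe",
    "basic-only": "server falls back to Basic: likely ntlm.authentication.sso.enabled or the chain is wrong",
    "no-challenge": "401 without WWW-Authenticate: read alfresco.log",
    "other": "unexpected status code: read alfresco.log",
}


def classify_challenge(status, headers):
    """headers: iterable of (name, value) pairs. Returns one of the HINTS keys."""
    if status == 200:
        return "granted"
    if status != 401:
        return "other"
    schemes = {v.split()[0].lower() for n, v in headers
               if n.lower() == "www-authenticate" and v.strip()}
    if "ntlm" in schemes:
        return "ntlm"
    if "negotiate" in schemes:
        return "negotiate"
    if "basic" in schemes:
        return "basic-only"
    return "no-challenge"


def parse_raw_response(raw):
    """Split a captured response head into (status_code, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status, headers


def probe(url, timeout=5, max_redirects=5):
    """Live check: one GET without credentials, following redirects,
    then classify the first challenge. Plain HTTP only, like the post's URL."""
    for _ in range(max_redirects + 1):
        u = urlparse(url)
        conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
        try:
            conn.request("GET", u.path or "/", headers={"Host": u.netloc})
            resp = conn.getresponse()
            location = resp.getheader("Location")
            if resp.status in (301, 302, 303, 307, 308) and location:
                url = urljoin(url, location)
                continue
            return classify_challenge(resp.status, resp.getheaders())
        finally:
            conn.close()
    return "other"


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        verdict = probe(sys.argv[1])              # e.g. http://kate:8080/alfresco
    else:
        verdict = classify_challenge(*parse_raw_response(CAPTURE_NTLM))
    print(f"{verdict}: {HINTS[verdict]}")
```

Run python probe_sso.py http://kate:8080/alfresco from a machine that is not the Alfresco server. Note that the script never completes the NTLM handshake; it only reports which authentication scheme the server proposes, which is all that is needed to split the problem into a server-side or a client-side one.
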
Nicolas Raoul

1 comment:

  1. Hi, your blog is very useful.
    Thanks for posting this nice thing.
    You only mentioned that http://kate:8080/alfresco won't ask for any username/password.
    Is it possible for http://kate:8080/share?
    And I need to configure SSO with Alfresco & Share on one server, with LDAP on a different server.
    Can you tell me the procedure for that?
