Do you have an Active Directory server, and want to set up Single-Sign-On (SSO), so that everyone in the domain can log into Alfresco without providing their credentials? Then this article is for you!
What you will need
Obviously, you need to download Alfresco, if you don't have it already. The newer the better, but the instructions below should work for any Alfresco above 3.2. While downloading, find and take note of the information below; you will need it:
- Name of the Active Directory server (let's say it is kate)
- Name of the domain (let's say it is aegif.local)
- Name of the domain administrator (let's say it is Administrator)
- Password of the domain administrator (let's say it is thepassword)
- For tests, you will also need a machine that belongs to the domain, different from the domain server itself.
Set up Alfresco
Install Alfresco on the Active Directory server (fine for a test lab; in production you would not run an application server on a domain controller), and run it once to check that it works. If you have not specified any particular port, then Alfresco is running on port 8080. If you have chosen a different port, just adapt the occurrences of 8080 in the following.
Add the following lines at the top of the file tomcat\shared\classes\alfresco-global.properties:
authentication.chain=passthru1:passthru,ldap-ad1:ldap-ad,alfrescoNtlm1:alfrescoNtlm
ldap.authentication.active=false
ldap.authentication.userNameFormat=%s@aegif
ldap.authentication.java.naming.provider.url=ldap://kate:389
ldap.synchronization.java.naming.security.principal=Administrator@aegif
ldap.synchronization.java.naming.security.credentials=thepassword
ldap.synchronization.groupSearchBase=cn\=Users,dc\=aegif,dc\=local
ldap.synchronization.userSearchBase=cn\=Users,dc\=aegif,dc\=local
synchronization.import.cron=0 0 5 * * ?
ntlm.authentication.sso.enabled=true
passthru.authentication.defaultAdministratorUserNames=Administrator
passthru.authentication.useLocalServer=true
passthru.authentication.domain=
passthru.authentication.servers=
- Replace aegif with your domain name minus the .local part.
- Replace kate with the name of your Active Directory server.
- The synchronization account (ldap.synchronization.java.naming.security.principal) only needs to read the directory, and its password sits in clear text in this file, so a dedicated read-only account is safer than the domain Administrator used here.
The passthru properties can also name the domain and the domain controller explicitly (replace nameoftheactivedirectoryserver with the name of your Active Directory server; the backslash is doubled because this is a .properties file):
passthru.authentication.domain=aegif
passthru.authentication.servers=aegif\\nameoftheactivedirectoryserver
passthru.authentication.defaultAdministratorUserNames=Administrator
Set up Alfresco Share
Open tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml. Find the block that says <config evaluator="string-compare" condition="Remote"> (it is towards the end).
Delete this entire block, and also delete the <!-- and --> commenting around it.
Instead, paste this:
<config evaluator="string-compare" condition="Remote">
   <remote>
      <connector>
         <id>alfrescoCookie</id>
         <name>Alfresco Connector</name>
         <description>Connects to an Alfresco instance using cookie-based authentication</description>
         <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
      </connector>
      <endpoint>
         <id>alfresco</id>
         <name>Alfresco - user access</name>
         <description>Access to Alfresco Repository WebScripts that require user authentication</description>
         <connector-id>alfrescoCookie</connector-id>
         <endpoint-url>http://kate:8080/alfresco/wcs</endpoint-url>
         <identity>user</identity>
         <external-auth>true</external-auth>
      </endpoint>
   </remote>
</config>
Configure the domain server
Logged in as the domain administrator, press Win+R and run gpedit.msc. Gpedit is the Local Group Policy Editor: it edits the policy of this machine only (domain-wide policy lives in the Group Policy Management Console, gpmc.msc, and a domain GPO that defines the same setting overrides the local value). With this tool, we only need to modify a single parameter.
In the tree in the left pane, select Local Computer Policy> Windows Settings> Security Settings> Local Policies> Security Options.
A long list of items with similar names will appear in the right pane. Select Network Security: LAN Manager authentication level.
A dialog will appear.
In the dropdown box, set the value to Send LM & NTLM - use NTLMv2 session security if negotiated.
Be aware of what this does: it allows LM and NTLMv1 responses, which are much weaker than NTLMv2 (far easier to crack or relay), so accept the downgrade only for as long as Alfresco's passthru authentication needs it, and revert it afterwards.
Press OK and quit the policy editor.
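The same change from an elevated PowerShell prompt, as an added example that is not part of the original article. The policy is stored in the registry as LmCompatibilityLevel, so the script records the previous value (you will want it back later), sets the level the article asks for, and verifies the result; it assumes nothing beyond the standard registry location of this setting.

```powershell
# Added example: set "Network security: LAN Manager authentication level" without gpedit.msc.
# The policy maps to the registry value LmCompatibilityLevel:
#   0 = Send LM & NTLM responses
#   1 = Send LM & NTLM - use NTLMv2 session security if negotiated   (what the article asks for)
#   2 = Send NTLM response only
#   3 = Send NTLMv2 response only
#   4 = Send NTLMv2 response only, refuse LM
#   5 = Send NTLMv2 response only, refuse LM & NTLM
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Wanted = 1

# Keep the previous value: this is a security downgrade you will want to undo later.
$before = (Get-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
if ($null -eq $before) { $before = '(not set, OS default applies)' }
Write-Host "LmCompatibilityLevel before: $before"

Set-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -Value $Wanted -Type DWord

# Verify what is actually in the registry rather than trusting the write.
$after = (Get-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel).LmCompatibilityLevel
if ($after -ne $Wanted) { throw "LmCompatibilityLevel is $after, expected $Wanted" }
Write-Host "LmCompatibilityLevel now: $after (Send LM & NTLM - use NTLMv2 session security if negotiated)"

# A domain GPO that defines this setting wins over the local value at the next policy refresh;
# run "gpresult /h gpreport.html" and look for the policy in the report if the level keeps reverting.
```

To revert once SSO no longer depends on it, run the same Set-ItemProperty with the recorded previous value (or 3 and above, which is the modern default).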
Configure each client
Yes, you will need to perform the following on ALL client machines :-/ Open Internet Explorer (you know, that tool you use to download Firefox).
Click Tools> Internet options> Security> Local intranet> Sites> Advanced.
A dialog for adding websites to the zone will appear.
If you want to access your Alfresco server via HTTP (not HTTPS), then you might need to first uncheck Require server verification (https:) for all sites in this zone.
Type in the protocol and machine name of your Alfresco server (for example http://kate), then press Add and Close. Add only the exact host name: Internet Explorer sends the user's Windows credentials automatically to every site in the Local intranet zone, so a wildcard here would hand them to any matching host.
Other browsers like Firefox and Chrome also have settings for this.
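The same zone assignment as a script, added here as an example and not part of the original article. It writes the per-user ZoneMap entry that the Sites > Advanced dialog writes, so it can be dropped into a logon script instead of clicking through every client. The host name and scheme come from the article (kate, http); the key layout for dotted names (Domains\<registrable domain>\<prefix>) is how Internet Explorer stores them.

```powershell
# Added example: put the Alfresco host into the Local intranet zone for the current user.
# Zone ids: 0 = My Computer, 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted.
$AlfrescoHost  = 'kate'    # assumption from the article; use your server's name
$Scheme        = 'http'    # 'https' if you serve Alfresco over TLS
$LocalIntranet = 1

$ZoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# IE stores "kate" as Domains\kate, but "kate.aegif.local" as Domains\aegif.local\kate.
function Get-ZoneMapKey([string]$HostName) {
    $labels = $HostName.Split('.')
    if ($labels.Count -le 2) { return Join-Path $ZoneMap $HostName }
    $domain = ($labels[-2], $labels[-1]) -join '.'
    $prefix = ($labels[0..($labels.Count - 3)]) -join '.'
    return Join-Path (Join-Path $ZoneMap $domain) $prefix
}

# Refuse wildcards: every host in this zone receives the user's credentials automatically.
if ($AlfrescoHost -match '[*?]') { throw "Refusing to add wildcard host '$AlfrescoHost' to the Local intranet zone" }

$HostKey = Get-ZoneMapKey $AlfrescoHost
if (-not (Test-Path $HostKey)) { New-Item -Path $HostKey -Force | Out-Null }
Set-ItemProperty -Path $HostKey -Name $Scheme -Value $LocalIntranet -Type DWord

# Read it back: a typo in the key path silently creates a useless entry.
$zone = (Get-ItemProperty -Path $HostKey -Name $Scheme).$Scheme
if ($zone -ne $LocalIntranet) { throw "$Scheme`://$AlfrescoHost is in zone $zone, expected $LocalIntranet" }
Write-Host "$Scheme`://$AlfrescoHost is now in the Local intranet zone for $env:USERNAME"
```

For a whole domain of clients the cleaner route is the Group Policy setting "Site to Zone Assignment List" (Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page), with http://kate mapped to zone 1; it populates the same ZoneMap entries from the GPO instead of per user.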
Test
That's all, time to test! Open http://kate:8080/alfresco in Internet Explorer.
It should show your documents immediately, without asking for any username/password.
Troubleshooting
If things don't go as well as expected:
1) Read alfresco.log and spot any exception.
2) Run the LDAP queries (the ldap.synchronization.groupSearchBase and ldap.synchronization.userSearchBase search bases, bound as ldap.synchronization.java.naming.security.principal) in an LDAP browser like Apache Directory Studio.
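Troubleshooting step 2 as a script, added as an example and not part of the original article or of Alfresco. It reads the ldap.synchronization.* properties written in the Set up Alfresco section straight out of alfresco-global.properties (including the backslash-escaped search bases), binds to the directory with exactly the principal and password Alfresco will use, and runs a user and a group search over the configured bases, so a wrong base DN or a wrong password shows up here rather than buried in alfresco.log. The install path is an assumption; adjust it.

```powershell
# Added example: verify the LDAP bind and search bases that Alfresco's synchronization will use.
$PropertiesFile = 'C:\Alfresco\tomcat\shared\classes\alfresco-global.properties'   # assumption

# Minimal .properties reader: key=value, '#'/'!' comments, Java backslash escapes (cn\=Users, aegif\\kate).
function Read-JavaProperties([string]$Path) {
    $props = @{}
    foreach ($line in Get-Content -Path $Path) {
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith('#') -or $line.StartsWith('!')) { continue }
        $idx = $line.IndexOf('=')
        if ($idx -lt 0) { continue }
        $key   = $line.Substring(0, $idx).Trim()
        $value = $line.Substring($idx + 1).Trim() -replace '\\(.)', '$1'   # \= -> =, \\ -> \
        $props[$key] = $value
    }
    return $props
}

$p         = Read-JavaProperties $PropertiesFile
$url       = $p['ldap.authentication.java.naming.provider.url']          # e.g. ldap://kate:389
$principal = $p['ldap.synchronization.java.naming.security.principal']   # e.g. Administrator@aegif
$password  = $p['ldap.synchronization.java.naming.security.credentials']
$server    = ([uri]$url).Authority                                        # kate:389

foreach ($name in 'ldap.synchronization.userSearchBase', 'ldap.synchronization.groupSearchBase') {
    if (-not $p.ContainsKey($name)) { throw "$name is missing from $PropertiesFile" }
}
if ($principal -match '^Administrator@') {
    Write-Warning "Synchronization binds as the domain Administrator; its password is in clear text in $PropertiesFile, so a dedicated read-only account is safer"
}

$searches = @(
    @{ Label = 'users';  Base = $p['ldap.synchronization.userSearchBase'];  Filter = '(objectClass=user)'  },
    @{ Label = 'groups'; Base = $p['ldap.synchronization.groupSearchBase']; Filter = '(objectClass=group)' }
)

foreach ($s in $searches) {
    # Bind with the same principal and password Alfresco sends, rooted at the configured search base.
    $root = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$server/$($s.Base)", $principal, $password,
        [System.DirectoryServices.AuthenticationTypes]::Secure)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $s.Filter, [string[]]@('sAMAccountName'))
    $searcher.PageSize = 500   # page through results like a real sync would
    try {
        $results = $searcher.FindAll()
        Write-Host ("{0,-6}: {1} entries under {2}" -f $s.Label, $results.Count, $s.Base)
        if ($results.Count -eq 0) {
            Write-Warning "Search base $($s.Base) is reachable but contains no $($s.Label); the sync will import nothing from it"
        }
    } catch {
        # Typical causes: the base DN does not exist ("There is no such object on the server"),
        # the principal or password is wrong ("The user name or password is incorrect"), or port 389 is blocked.
        Write-Warning ("{0} search under {1} failed: {2}" -f $s.Label, $s.Base, $_.Exception.Message)
    }
}
```

Run it on the Alfresco server as any domain user; it needs no Active Directory PowerShell module, only the .NET System.DirectoryServices classes that ship with Windows. Counts of zero for users or groups usually mean the search base points at a container (cn=Users) while your accounts live in an OU.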
Nicolas Raoul