Alfresco NTLM Authentication fails
There is a problem when querying Alfresco CMIS using NTLM authentication: authentication fails at the third handshake.
* Trying 192.168.1.1...
* Connected to ecm.corp.knastu.ru (192.168.1.1) port 8080 (#0)
* Server auth using NTLM with user 'alf_user'
> GET /alfresco/api/-default-/public/cmis/versions/1.1/browser/ HTTP/1.1
> Host: 192.168.1.1:8080
> Authorization: NTLM TlUAAB........AAAAKANcDw==
> User-Agent: curl/7.46.0
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Server: Apache-Coyote/1.1
< Set-Cookie: JSESSIONID=CEED8E135E6D57BCF8A99A027C08EB; Path=/alfresco/; HttpOnly
< WWW-Authenticate: NTLM TRTHgAAAA+AD4AkAA........vJfTeuwAAAACAAYAZQBjA0AAAAAAAAAAA=
< Transfer-Encoding: chunked
< Date: Mon, 20 Nov 2017 07:25:16 GMT
<
> GET /alfresco/api/-default-/public/cmis/versions/1.1/browser/ HTTP/1.1
> Host: 192.168.1.1:8080
> Authorization: NTLM TRTHgAAAA+AD4AkAA........vJfTeuwAAAACAAYAZQBjA0AAAAAAAAAAA=
> User-Agent: curl/7.46.0
> Accept: */*
> Cookie: JSESSIONID=CEED8E135E6D57BCF8A99A027C08EB
>
< HTTP/1.1 401 Unauthorized
< Server: Apache-Coyote/1.1
* NTLM handshake rejected
* Authentication problem. Ignoring this.
< WWW-Authenticate: NTLM
< Content-Type: text/html;charset=UTF-8
< Content-Length: 238
< Date: Mon, 20 Nov 2017 07:25:16 GMT
<
* Connection #0 to host 192.168.1.1 left intact
I see that you gave the user, but without any domain:
* Server auth using NTLM with user 'alf_user'
So try again with the domain added, for example:
curl -v -u mydomain/alf_user:mypassword ...
Alfresco Content Services supports NTLM v2 protocol, which is more
secure than NTLM v1 protocol. However, NTLM v2 cannot be used with
pass-through authentication. You will have to switch to NTLM v1 if you
want to use pass-through authentication, where the log on request is
passed to an Active Directory or other server to validate the login
credentials.
To use NTLM v1 for authentication, set the following registry key on your client machine:
[HKLM\SYSTEM\CurrentControlSet\Control\Lsa] "LmCompatibilityLevel"=dword:00000001
This problem is most likely caused by enhanced security in Windows 7,
Vista and Windows 2008. Previous versions of Windows (XP) would fall
back to NTLM v1, if NTLM v2 failed.
- On Windows 7 clients, navigate to Control Panel > Administrative Tools > Local Security Policy.
- In the left pane, navigate to Security Settings > Local Policies > Security Options.
- In the right pane, find Network Security: LAN Manager authentication level.
- By default, the value of Network Security: LAN Manager authentication level is set to Send NTLMv2 response only. Refuse LM & NTLM.
- Set the value of Network Security: LAN Manager authentication level to Send LM and NTLM - use NTLMv2 session security if negotiated.
This setting allows Windows 7 to use the more secure NTLM v2, if
available, and fall back to NTLM v1 for Alfresco Content Services. If
the machines are in a domain, it is possible to change this setting on
all of them by using the group policy editor on the domain controller.
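A diagnostic sketch for the two points raised in the answers above (missing domain, NTLM v1 versus v2), added here and not part of the original posts: it decodes the Type 3 token a client sends in `Authorization: NTLM ...` and reports the domain, the user and which response version is present. The function names are hypothetical and the sample tokens are constructed with zero-filled responses, since the tokens in the trace are elided and cannot be decoded.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # strings in the message are UTF-16LE

def _field(msg, pos):
    """Return the bytes of the security buffer (len, maxlen, offset) at pos."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]

def inspect_ntlm_header(value):
    """Summarise the token in an Authorization / WWW-Authenticate value."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return {"type": None}  # bare "NTLM", as in the final 401 of the trace
    msg = base64.b64decode(token, validate=True)
    if len(msg) < 12 or not msg.startswith(SIGNATURE):
        raise ValueError("not an NTLMSSP message")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    if mtype != 3 or len(msg) < 64:
        return {"type": mtype}
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"  # OEM page assumed
    nt = _field(msg, 20)
    # A 24-byte NT response is NTLM v1 (or NTLM2 session); v2 responses are longer.
    version = "v1" if len(nt) == 24 else "v2" if len(nt) > 24 else "none"
    return {"type": 3, "domain": _field(msg, 28).decode(enc),
            "user": _field(msg, 36).decode(enc), "ntlm_version": version}

def build_sample_type3(domain, user, nt_len):
    """Constructed Type 3 token with zero-filled responses (sample input only)."""
    parts = [b"\x00" * 24, b"\x00" * nt_len, domain.encode("utf-16-le"),
             user.encode("utf-16-le"), b"", b""]  # LM, NT, domain, user, host, key
    header, payload, offset = SIGNATURE + struct.pack("<I", 3), b"", 64
    for part in parts:
        header += struct.pack("<HHI", len(part), len(part), offset)
        payload += part
        offset += len(part)
    token = header + struct.pack("<I", NEGOTIATE_UNICODE) + payload
    return "NTLM " + base64.b64encode(token).decode()

if __name__ == "__main__":
    print(inspect_ntlm_header(build_sample_type3("", "alf_user", 24)))
    print(inspect_ntlm_header(build_sample_type3("MYDOMAIN", "alf_user", 60)))
```

Feed it the second `Authorization` value from an unredacted `curl -v` trace: an empty `domain` matches the first answer's diagnosis, and `ntlm_version` of `v2` matches the pass-through limitation quoted in the second.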