Alfresco / ALF-21757

Kerberos SSO breaks WebDAV, SPP and CMIS authentication chain

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Unprioritized
    • Resolution: Not a bug
    • Affects Version/s: Community Edition 201605 GA
    • Fix Version/s: None
    • Component/s: Repository
    • Security Level: external (External user)
    • Labels:
      None

      Description

      We had a 4.2.c installation working for 3 years with the following configuration:

      authentication.chain=alfrescoNtlm1:alfrescoNtlm,kerberos1:kerberos,ldap1:ldap-ad
      
      kerberos.authentication.realm=KEENSOFT.LOCAL
      kerberos.authentication.user.configEntryName=Alfresco
      kerberos.authentication.defaultAdministratorUserNames=admin
      kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
      kerberos.authentication.cifs.password=keensoft
      kerberos.authentication.http.configEntryName=AlfrescoHTTP
      kerberos.authentication.http.password=keensoft
      kerberos.authentication.sso.enabled=true
      
      

      Users were accessing via IE browser with SSO but the other protocols (WebDAV, SPP and CMIS) were accepting basic auth.

      We are migrating to 5.1.g and we have applied the same configuration. Kerberos SSO is working, but the other protocols are producing a never-ending loop of Kerberos challenges:

      2016-09-30 14:19:46,593 DEBUG [org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-12] New Kerberos auth request from 172.19.0.1 (172.19.0.1:32952)
      2016-09-30 14:19:46,593 DEBUG [org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-12] Issuing login challenge to browser.
      2016-09-30 14:19:46,632 DEBUG [org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-6] New Kerberos auth request from 172.19.0.1 (172.19.0.1:32952)
      2016-09-30 14:19:46,632 DEBUG [org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-6] Issuing login challenge to browser.
      
      

      It seems that this feature has been broken at some point between 4.2.c and 5.1.g.

              People

              • Assignee: Closed Issues (closedissues)
              • Reporter: Angel Borroy (angel.borroy)
              • Votes: 0
              • Watchers: 3
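
A diagnostic sketch for the challenge loop in the log excerpt above, added here as an example and not part of the original report or of Alfresco's code: it pairs each "New Kerberos auth request" line with the challenge issued on the same worker thread and reports client sockets that are challenged repeatedly within a short window. The function name, the thresholds and the second client in the sample are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the four lines from the report, plus two constructed
# lines for a second client (172.19.0.7) that is challenged only once.
_F = "DEBUG [org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter]"
SAMPLE_LOG = f"""\
2016-09-30 14:19:46,593 {_F} [http-apr-8080-exec-12] New Kerberos auth request from 172.19.0.1 (172.19.0.1:32952)
2016-09-30 14:19:46,593 {_F} [http-apr-8080-exec-12] Issuing login challenge to browser.
2016-09-30 14:19:46,632 {_F} [http-apr-8080-exec-6] New Kerberos auth request from 172.19.0.1 (172.19.0.1:32952)
2016-09-30 14:19:46,632 {_F} [http-apr-8080-exec-6] Issuing login challenge to browser.
2016-09-30 14:19:47,100 {_F} [http-apr-8080-exec-3] New Kerberos auth request from 172.19.0.7 (172.19.0.7:40110)
2016-09-30 14:19:47,100 {_F} [http-apr-8080-exec-3] Issuing login challenge to browser.
"""

LINE = re.compile(r"^(?P<ts>\S+ \S+) \w+\s+\[(?P<logger>[^\]]+)\] "
                  r"\[(?P<thread>[^\]]+)\] (?P<msg>.*)$")
REQUEST = re.compile(r"New Kerberos auth request from \S+ \((?P<client>[^)]+)\)")

def find_challenge_loops(log_text, min_challenges=2, window=timedelta(seconds=1)):
    """Return {client ip:port: count} for clients challenged repeatedly in `window`."""
    client_by_thread = {}            # worker thread -> client of its current request
    challenges = defaultdict(list)   # client -> timestamps of challenges issued
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or not m["logger"].endswith("KerberosAuthenticationFilter"):
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
        req = REQUEST.search(m["msg"])
        if req:
            client_by_thread[m["thread"]] = req["client"]
        elif "Issuing login challenge" in m["msg"]:
            client = client_by_thread.pop(m["thread"], None)
            if client:
                challenges[client].append(ts)
    loops = {}
    for client, stamps in challenges.items():
        stamps.sort()
        # Largest number of challenges that fall inside one window.
        best = max(sum(1 for t in stamps[i:] if t - stamps[i] <= window)
                   for i in range(len(stamps)))
        if best >= min_challenges:
            loops[client] = best
    return loops

if __name__ == "__main__":
    print(find_challenge_loops(SAMPLE_LOG))
```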