Type: Service Pack Request
Affects Version/s: 4.2.2
Fix Version/s: 4.2.5
Environment: any with Kerberos and stripUsernameSuffix=false and IE8, 9, 11
How to reproduce?
1) create a 4.2.2 Kerberos setup (linux pg tomcat) with LDAP sync
This Kerberos setup creates users that include the domain name in the username, i.e.:
and in share-config-custom.xml
Modify also the sync such that:
(see full JMX dump attached)
2) from a win7 client with IE8, as 'user1', go to your share server page
a) you get SSO
b) you are redirected to:
3) now, hit in the web browser CTRL+T to create a new tab, and in that new tab, go to:
That tab fails to access the dashboard.
It loops in an infinite 302 loop, see
302_loop.pcap (network trace)
302_loop.txt (text network trace)
That new tab can also access the dashboard.
There is no infinite 302 loop.
1) I reproduced this with IE8, customer reproduced it with IE9 and IE11. Firefox is OK.
2) it is probably a case sensitivity issue.
Indeed, if we look just at the redirect, grepping the Location header:
(each url appears twice because of my setup), we see that the first redirect
does not generate a loop, but that the second redirect does generate the loop:
Note the different case of the realm part of the username.
3) one thing that is mysterious though, is that when using the 'curl' client, and asking for the upper case URL, I get a valid redirect to a lower case. I thus cannot reproduce the issue with curl, I do need IE:
Now, let's follow the redirect:
Conclusion: the loop cannot be reproduced using the command line.
A workaround does exist: it is based on having a proxy in front of Share:
the proxy needs to intercept requests to:
and do the redirect itself to:
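Added example, not part of the original report or of Alfresco's code: a small Python helper that does the "grep the Location header" step on a text network trace, reports redirect targets that are handed out more than once, and groups targets that differ only in letter case. The trace below is constructed; the host, URL path and realm are placeholder assumptions, not values from 302_loop.txt.

```python
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed trace, NOT the attached 302_loop.txt. Host, path and realm are
# placeholders; only the upper/lower-case realm difference mirrors the report.
BASE = "http://share.example.test/share/page/user/user1%40"
SAMPLE_TRACE = f"""\
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate

HTTP/1.1 302 Found
Location: {BASE}example.test/dashboard

HTTP/1.1 302 Found
Location: {BASE}EXAMPLE.TEST/dashboard

HTTP/1.1 302 Found
Location: {BASE}EXAMPLE.TEST/dashboard

HTTP/1.1 302 Found
Location: {BASE}EXAMPLE.TEST/dashboard
"""

def redirect_targets(trace):
    """Return the Location value of every 302 response, in trace order."""
    targets, in_302 = [], False
    for line in trace.splitlines():
        if line.startswith("HTTP/"):  # status line opens a new response
            in_302 = line.split()[1:2] == ["302"]
        elif in_302 and line.lower().startswith("location:"):
            targets.append(line.split(":", 1)[1].strip())
    return targets

def looping_targets(targets):
    """Targets issued more than once: the client keeps being sent to the same URL."""
    counts = Counter(targets)
    return [t for t in dict.fromkeys(targets) if counts[t] > 1]

def case_variants(targets):
    """Group distinct targets that are equal after percent-decoding and case-folding."""
    groups = defaultdict(list)
    for t in dict.fromkeys(targets):
        groups[unquote(t).casefold()].append(t)
    return [g for g in groups.values() if len(g) > 1]

if __name__ == "__main__":
    found = redirect_targets(SAMPLE_TRACE)
    print("looping:", looping_targets(found))
    print("case variants:", case_variants(found))
```

A target that appears in both lists is a redirect that loops and has a sibling differing only in case, which is the pattern point 2) describes.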