Service Packs and Hot Fixes / MNT-14367

Unable to connect to CMIS 1.0 and CMIS 1.1 API URL only with Kerberos SSO enabled

    Details

    • Type: Service Pack Request
    • Status: Closed
    • Resolution: Fixed
    • Affects Version/s: 5.0.1
    • Fix Version/s: 5.0.3
    • Labels: None
    • Environment:
      Authentication: Kerberos SSO
      Database: SQL Server
      App Server: Tomcat
      Mobile Version: Not Applicable
      OS: Windows
      Workdesk Version: 4.1.1.1

      Description

      Steps to replicate
      1) Start up v5.0.1 configured with Kerberos SSO.
      2) Open CMIS Workbench, connect with Kerberos login credentials and the old CMIS 1.0 URL:
      For example,
      URL: http://localhost:8080/alfresco/cmisatom
      Binding: AtomPub
      Username: {Kerberos Username}
      Password: {Kerberos user password}
      Authentication: Standard
      Compression: On
      Client Compression: off

      Actual result
      Connect to Repository successfully.

      alfresco.log has following log entries:

      2015-07-10 11:41:17,651 DEBUG [webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-8] Performing fallback authentication...
      default etypes for default_tkt_enctypes: 23.
      >>> KrbAsReq creating message
      >>> KrbKdcReq send: kdc=10.245.240.208 UDP:88, timeout=30000, number of retries =3, #bytes=135
      >>> KDCCommunication: kdc=10.245.240.208 UDP:88, timeout=30000,Attempt =1, #bytes=135
      >>> KrbKdcReq send: #bytes read=183
      >>>Pre-Authentication Data:
      PA-DATA type = 11
      PA-ETYPE-INFO etype = 23, salt =

      >>>Pre-Authentication Data:
      PA-DATA type = 19
      PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

      >>>Pre-Authentication Data:
      PA-DATA type = 2
      PA-ENC-TIMESTAMP
      >>>Pre-Authentication Data:
      PA-DATA type = 16

      >>>Pre-Authentication Data:
      PA-DATA type = 15

      >>> KdcAccessibility: remove 10.245.240.208
      >>> KDCRep: init() encoding tag is 126 req type is 11
      >>>KRBError:
      sTime is Fri Jul 10 11:40:45 EDT 2015 1436542845000
      suSec is 935425
      error code is 25
      error Message is Additional pre-authentication required
      sname is krbtgt/JT.DOMAIN.COM@JT.DOMAIN.COM
      eData provided.
      msgType is 30
      >>>Pre-Authentication Data:
      PA-DATA type = 11
      PA-ETYPE-INFO etype = 23, salt =

      >>>Pre-Authentication Data:
      PA-DATA type = 19
      PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

      >>>Pre-Authentication Data:
      PA-DATA type = 2
      PA-ENC-TIMESTAMP
      >>>Pre-Authentication Data:
      PA-DATA type = 16

      >>>Pre-Authentication Data:
      PA-DATA type = 15

      KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
      default etypes for default_tkt_enctypes: 23.
      default etypes for default_tkt_enctypes: 23.
      >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
      >>> KrbAsReq creating message
      >>> KrbKdcReq send: kdc=10.245.240.208 UDP:88, timeout=30000, number of retries =3, #bytes=213
      >>> KDCCommunication: kdc=10.245.240.208 UDP:88, timeout=30000,Attempt =1, #bytes=213
      >>> KrbKdcReq send: #bytes read=1330
      >>> KdcAccessibility: remove 10.245.240.208
      >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
      >>> KrbAsRep cons in KrbAsReq.getReply win7
      2015-07-10 11:41:17,668 DEBUG [webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-8] Fallback authentication succeeded.



      Expected result
      Connect to Repository successfully.

      2) Connect with new CMIS 1.0 (API) URL:
      e.g.
      URL: http://localhost:8080/alfresco/api/-default-/public/cmis/versions/1.0/atom
      Binding: AtomPub
      Username: {Kerberos Username}
      Password: {Kerberos user password}
      Authentication: Standard
      Compression: On
      Client Compression: off
      Cookies: On

      Actual result
      Error thrown. Failed to connect to Repository.
      In log file,

      2015-07-10 11:41:41,643 DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-2] Unknown SPNEGO token type
      2015-07-10 11:41:41,643 DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-2] Clearing session.
      2015-07-10 11:41:41,643 DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-2] Issuing login challenge to browser.


      Expected result
      Connect to Repository successfully.

      3) Connect with new CMIS 1.1 (API) URL:
      e.g.
      URL: http://localhost:8080/alfresco/api/-default-/public/cmis/versions/1.1/atom
      Binding: AtomPub
      Username: {Kerberos Username}
      Password: {Kerberos user password}
      Authentication: Standard
      Compression: On
      Client Compression: off
      Cookies: On

      Actual result
      Error thrown. Failed to connect to Repository.

      In log file:

      2015-07-10 11:41:34,636 DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-9] Unknown SPNEGO token type
      2015-07-10 11:41:34,637 DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-9] Clearing session.
      2015-07-10 11:41:34,637 DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-9] Issuing login challenge to browser.

      Expected result
      Connect to Repository successfully.

      Investigation Findings
      Tried to replicate the issue with alfrescoNTLM only, Kerberos without SSO, and Kerberos with SSO enabled. This issue only replicated in v5.0.1 when configured with Kerberos SSO. It did not replicate with alfrescoNTLM or Kerberos without SSO.

      Per the log stack trace, it seems like this is due to Kerberos SSO failing to fall back to basic NTLM in 5.0.1, and I found one currently open Jira issue for this, ACE-2678, which remains unfixed. Another bug in v5.0.1 with Kerberos SSO, related to the RSS feed and iCal feed and also blocked by ACE-2678, is ACE-3767.

      The customer confirmed that he did not experience this issue in 4.1/5.0.1 when using /alfresco/cmisatom Atom Binding URL.

      http://wiki.alfresco.com/wiki/CMIS#RESTful_AtomPub_Binding

      Please assist.
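
      Added example (not part of the original report and not Alfresco code): a small triage script that groups the Kerberos filter DEBUG lines by logger and thread, showing that the excerpts above come from two different filter classes and that only one of them attempts a fallback. It assumes the log4j line layout seen in the report; `summarize` and `failing_filters` are hypothetical names, and the sample is a short excerpt of the lines quoted above.

```python
import re
from collections import OrderedDict

# Sample input: DEBUG lines excerpted from the two log extracts in the report.
SAMPLE_LOG = """\
2015-07-10 11:41:17,651 DEBUG [webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-8] Performing fallback authentication...
>>> KrbAsReq creating message
2015-07-10 11:41:17,668 DEBUG [webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-8] Fallback authentication succeeded.
2015-07-10 11:41:41,643 DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-2] Unknown SPNEGO token type
2015-07-10 11:41:41,643 DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-2] Clearing session.
2015-07-10 11:41:41,643 DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-2] Issuing login challenge to browser.
"""

# Assumed layout: "<timestamp> <LEVEL> [<logger>] [<thread>] <message>"
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) +\w+ +"
    r"\[(?P<logger>[\w.]*KerberosAuthenticationFilter)\] +"
    r"\[(?P<thread>[^\]]+)\] +(?P<msg>.*)$"
)

# Message prefix -> outcome label; wording taken from the log lines in the report.
OUTCOMES = [
    ("Performing fallback authentication", "fallback-started"),
    ("Fallback authentication succeeded", "fallback-ok"),
    ("Unknown SPNEGO token type", "token-rejected"),
    ("Issuing login challenge", "challenged"),
]

def summarize(log_text):
    """Return {(logger, thread): [outcomes in order]} for Kerberos filter lines."""
    seen = OrderedDict()
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # JDK krb5 debug output (">>> ...") has no log4j prefix
        for prefix, outcome in OUTCOMES:
            if m["msg"].startswith(prefix):
                seen.setdefault((m["logger"], m["thread"]), []).append(outcome)
    return seen

def failing_filters(log_text):
    """Loggers that rejected a token and re-challenged without trying a fallback."""
    return sorted({logger for (logger, _), o in summarize(log_text).items()
                   if "token-rejected" in o and "challenged" in o
                   and "fallback-started" not in o})

if __name__ == "__main__":
    for key, outcomes in summarize(SAMPLE_LOG).items():
        print(key, outcomes)
    print("no fallback attempted by:", failing_filters(SAMPLE_LOG))
```

      Servlet threads are reused across requests, so on a longer log the thread name alone does not identify a single request; narrow the input to the time window of the failing connection first.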

              People

              • Assignee: closedbugs Closed Bugs
              • Reporter: sliaw Seng Liaw
              • Votes: 3
              • Watchers: 18

                  Time Tracking

                  Estimated: Not Specified
                  Remaining: 0m
                  Logged: 2d 6h 30m