Service Packs and Hot Fixes: MNT-14367

Unable to connect to CMIS 1.0 and CMIS 1.1 API URL only with Kerberos SSO enabled

    Details

    • Type: Service Pack Request
    • Status: Closed
    • Resolution: Fixed
    • Affects Version/s: 5.0.1
    • Fix Version/s: 5.0.3
    • Labels:
      None
    • Environment:
      Authentication: Kerberos SSO
      Database: SQL Server
      App Server: Tomcat
      Mobile Version: Not Applicable
      OS: Windows
      Workdesk Version: 4.1.1.1

      Description

      Steps to replicate
      1) Startup v5.0.1 configured with Kerberos SSO.
      2) Open CMIS Workbench, connect with Kerberos login credential and old CMIS 1.0 url :
      For example,
      URL: http://localhost:8080/alfresco/cmisatom
      Binding: AtomPub
      Username: {Kerberos Username}
      Password: {Kerberos user password}
      Authentication: Standard
      Compression: On
      Client Compression: off

      Actual result
      Connect to Repository successfully.

      alfresco.log has following log entries:

      2015-07-10 11:41:17,651 DEBUG [webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-8] Performing fallback authentication...
      default etypes for default_tkt_enctypes: 23.
      >>> KrbAsReq creating message
      >>> KrbKdcReq send: kdc=10.245.240.208 UDP:88, timeout=30000, number of retries =3, #bytes=135
      >>> KDCCommunication: kdc=10.245.240.208 UDP:88, timeout=30000,Attempt =1, #bytes=135
      >>> KrbKdcReq send: #bytes read=183
      >>>Pre-Authentication Data:
      PA-DATA type = 11
      PA-ETYPE-INFO etype = 23, salt =

      >>>Pre-Authentication Data:
      PA-DATA type = 19
      PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

      >>>Pre-Authentication Data:
      PA-DATA type = 2
      PA-ENC-TIMESTAMP
      >>>Pre-Authentication Data:
      PA-DATA type = 16

      >>>Pre-Authentication Data:
      PA-DATA type = 15

      >>> KdcAccessibility: remove 10.245.240.208
      >>> KDCRep: init() encoding tag is 126 req type is 11
      >>>KRBError:
      sTime is Fri Jul 10 11:40:45 EDT 2015 1436542845000
      suSec is 935425
      error code is 25
      error Message is Additional pre-authentication required
      sname is krbtgt/JT.DOMAIN.COM@JT.DOMAIN.COM
      eData provided.
      msgType is 30
      >>>Pre-Authentication Data:
      PA-DATA type = 11
      PA-ETYPE-INFO etype = 23, salt =

      >>>Pre-Authentication Data:
      PA-DATA type = 19
      PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

      >>>Pre-Authentication Data:
      PA-DATA type = 2
      PA-ENC-TIMESTAMP
      >>>Pre-Authentication Data:
      PA-DATA type = 16

      >>>Pre-Authentication Data:
      PA-DATA type = 15

      KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
      default etypes for default_tkt_enctypes: 23.
      default etypes for default_tkt_enctypes: 23.
      >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
      >>> KrbAsReq creating message
      >>> KrbKdcReq send: kdc=10.245.240.208 UDP:88, timeout=30000, number of retries =3, #bytes=213
      >>> KDCCommunication: kdc=10.245.240.208 UDP:88, timeout=30000,Attempt =1, #bytes=213
      >>> KrbKdcReq send: #bytes read=1330
      >>> KdcAccessibility: remove 10.245.240.208
      >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
      >>> KrbAsRep cons in KrbAsReq.getReply win7
      2015-07-10 11:41:17,668 DEBUG [webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-8] Fallback authentication succeeded.



      Expected result
      Connect to Repository successfully.

      2) Connect with new CMIS 1.0 (API) url :
      e.g.
      URL : http://localhost:8080/alfresco/api/-default-/public/cmis/versions/1.0/atom
      Binding: AtomPub
      Username: {Kerberos Username}

      Password: {Kerberos user password}
      Authentication: Standard
      Compression: On
      Client Compression: off
      Cookies: On

      Actual result
      Error thrown. Failed to connect to Repository.
      In log file,

      2015-07-10 11:41:41,643 DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-2] Unknown SPNEGO token type
      2015-07-10 11:41:41,643 DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-2] Clearing session.
      2015-07-10 11:41:41,643 DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-2] Issuing login challenge to browser.


      Expected result
      Connect to Repository successfully.

      3) Connect with new CMIS 1.1 (API) url :
      e.g.
      URL : http://localhost:8080/alfresco/api/-default-/public/cmis/versions/1.1/atom
      Binding: AtomPub
      Username: {Kerberos Username}
      Password: {Kerberos user password}
      Authentication: Standard
      Compression: On
      Client Compression: off
      Cookies: On

      Actual result
      Error thrown. Failed to connect to Repository.

      In log file:

      2015-07-10 11:41:34,636 DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-9] Unknown SPNEGO token type
      2015-07-10 11:41:34,637 DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-9] Clearing session.
      2015-07-10 11:41:34,637 DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-9] Issuing login challenge to browser.

      Expected result
      Connect to Repository successfully.

      Investigation Findings
      Tried to replicate the issue with alfrescoNTLM only, Kerberos without SSO, and Kerberos with SSO enabled. The issue was only replicated in v5.0.1 when configured with Kerberos SSO. It was not replicated with alfrescoNTLM or Kerberos without SSO.

      Per the log stack trace, it seems like this is due to Kerberos SSO failing to fall back to basic NTLM in 5.0.1, and I found one currently open Jira for this issue: ACE-2678, which remains unfixed. Another bug in v5.0.1 with Kerberos SSO, related to the RSS feed and iCal feed and also blocked by ACE-2678, is ACE-3767.

      The customer confirmed that he did not experience this issue in 4.1/5.0.1 when using /alfresco/cmisatom Atom Binding URL.

      http://wiki.alfresco.com/wiki/CMIS#RESTful_AtomPub_Binding

      Please assist.
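
A log-triage sketch for the symptom reported above, added here as an example and not part of the original ticket or of Alfresco's code: it groups `KerberosAuthenticationFilter` DEBUG lines by logger and worker thread and labels whether the request fell back to credential authentication or was re-challenged. The sample lines are copied from the ticket; the function name and outcome labels are assumptions made for illustration.

```python
import re
from collections import OrderedDict

# Log lines copied from the ticket above (Alfresco log4j DEBUG output).
SAMPLE_LOG = """\
2015-07-10 11:41:17,651 DEBUG [webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-8] Performing fallback authentication...
2015-07-10 11:41:17,668 DEBUG [webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-8] Fallback authentication succeeded.
2015-07-10 11:41:41,643 DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-2] Unknown SPNEGO token type
2015-07-10 11:41:41,643 DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-2] Clearing session.
2015-07-10 11:41:41,643 DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-2] Issuing login challenge to browser.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) +(?P<level>\w+) +"
    r"\[(?P<logger>[^\]]+)\] +\[(?P<thread>[^\]]+)\] +(?P<msg>.*)$"
)


def classify(log_text):
    """Group filter messages by (logger, thread) and label each group's outcome."""
    groups = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m["logger"].endswith("KerberosAuthenticationFilter"):
            continue  # skips JDK krb5 debug lines (">>> KrbAsReq ...") and other loggers
        groups.setdefault((m["logger"], m["thread"]), []).append(m["msg"])
    results = []
    for (logger, thread), msgs in groups.items():
        text = " | ".join(msgs)
        if "Fallback authentication succeeded" in text:
            outcome = "fallback_ok"  # hypothetical label
        elif "Unknown SPNEGO token type" in text and "Issuing login challenge" in text:
            outcome = "rechallenged_no_fallback"  # hypothetical label
        else:
            outcome = "unclassified"
        results.append({"logger": logger, "thread": thread, "outcome": outcome})
    return results


if __name__ == "__main__":
    for r in classify(SAMPLE_LOG):
        print(f'{r["logger"]:45} {r["thread"]:22} {r["outcome"]}')
```

Tomcat reuses worker threads, so on a longer log the groups should also be split by time window before the labels are trusted.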

                People

                • Assignee: closedbugs Closed Bugs
                • Reporter: sliaw Seng Liaw
                • Votes: 3
                • Watchers: 18

                Time Tracking

                • Original Estimate: Not Specified
                • Remaining Estimate: 0 minutes
                • Time Spent: 2 days, 6 hours, 30 minutes