  1. Service Packs and Hot Fixes
  2. MNT-16931

Kerberos: Non-domain user on Firefox results in infinite login loop when accessing webdav, aos, or cmis

      Description

      [Technical Description of the issue]
      With Kerberos SSO enabled and a non-domain user on Firefox, accessing WebDAV, AOS or CMIS results in an infinite 401 Unauthorised loop and no fallback to other authentication methods in the authentication chain. Share access falls back correctly to the Share login page.

      Workaround on Firefox is to configure the browser using our documentation here. However, we cannot guarantee that all potential clients will be properly configured.

      Chrome (latest) and IE11 fall back to basic auth for non-domain users.

      [Steps to reproduce]

      [Prerequisites]
      1. Install Alfresco
      2. Configure Kerberos authentication in the alfresco-global.properties

      authentication.chain=kerberos1:kerberos,alfrescoNtlm1:alfrescoNtlm
      kerberos.authentication.realm=DS.LOCAL
      kerberos.authentication.authenticateCIFS=true
      kerberos.authentication.sso.enabled=true
      kerberos.authentication.user.configEntryName=Alfresco
      kerberos.authentication.defaultAdministratorUserNames=test7
      kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
      kerberos.authentication.cifs.password=<password>
      kerberos.authentication.http.configEntryName=AlfrescoHTTP
      kerberos.authentication.http.password=<password>
      kerberos.authentication.browser.ticketLogons=true
      kerberos.authentication.stripUsernameSuffix=true
      

      3. Configure Share for SSO by editing share-config-custom.xml

      4. Enable additional debugging:

      log4j.logger.org.alfresco.web.app.servlet.KerberosAuthenticationFilter=debug
      log4j.logger.org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter=debug
      log4j.logger.org.alfresco.web.app.servlet=debug
      

      5. Using a domain-based PC, confirm SSO is working by going to:

      • Share URL http://dario-ubuntu-vm:8080/share
        2016-10-06 12:09:33,191 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-9] Create the User environment for: User1873
        2016-10-06 12:09:33,263 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-9] User User1873 logged on via Kerberos
        2016-10-06 12:09:33,269 DEBUG [org.alfresco.web.app.servlet.AuthenticationHelper] [http-apr-8080-exec-9] Setting up the request thread.
        2016-10-06 12:09:33,278 DEBUG [org.alfresco.web.app.servlet.AuthenticationHelper] [http-apr-8080-exec-9] The general locale is : en_GB
        2016-10-06 12:09:33,315 DEBUG [org.alfresco.web.app.servlet.AuthenticationHelper] [http-apr-8080-exec-9] The UserPreferencesBean is : null
        2016-10-06 12:09:33,318 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-9] Authenticated through Kerberos.
        
      • WebDAV URL: http://dario-ubuntu-vm:8080/alfresco/webdav
        2016-10-06 12:11:58,781 DEBUG [org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-10] User User1873 logged on via Kerberos
        2016-10-06 12:11:58,781 DEBUG [org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-10] Authenticated through Kerberos.
        
      • Alfresco AOS URL http://dario-ubuntu-vm:8080/alfresco/aos
        2016-10-06 12:11:24,926 DEBUG [org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-11] New Kerberos auth request from 192.168.5.250 (192.168.5.250:49257)
        2016-10-06 12:11:24,930 DEBUG [org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-11] Issuing login challenge to browser.
        2016-10-06 12:11:24,947 DEBUG [org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-1] Create the User environment for: User1873
        2016-10-06 12:11:24,951 DEBUG [org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-1] User User1873 logged on via Kerberos
        2016-10-06 12:11:24,951 DEBUG [org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-1] Authenticated through Kerberos.
        

      [Steps to reproduce]

      1. Use a non-Kerberos-enabled browser, i.e. Firefox.
      2. Go to <URL> http://dario-ubuntu-vm:8080/alfresco
      3. Go to http://dario-ubuntu-vm:8080/alfresco/aos or http://dario-ubuntu-vm:8080/alfresco/webdav
      4. Observe infinite loop with 'Please login' and log files filling up.

      [Expected Behaviour]
      When Kerberos negotiation fails, fall back to the next method in the authentication chain or Basic Authentication.

      [Observed Behaviour]
      User doesn't get prompted for the password at all, instead sees an infinite redirect loop. Capturing traffic shows infinite 401 Unauthorized traffic. Unless using Kerberos to authenticate, there is no possibility to log in to /alfresco/aos, /alfresco/webdav or CMIS by other means.
      Debugging log shows just the login request:

      2016-10-06 14:32:49,454 DEBUG [org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-3] New Kerberos auth request from 192.168.5.250 (192.168.5.250:55244)
      2016-10-06 14:32:49,454 DEBUG [org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-3] Issuing login challenge to browser.
      2016-10-06 14:32:49,467 DEBUG [org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-12] New Kerberos auth request from 192.168.5.250 (192.168.5.250:55244)
      2016-10-06 14:32:49,467 DEBUG [org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-12] Issuing login challenge to browser.
      2016-10-06 14:32:49,485 DEBUG [org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-1] New Kerberos auth request from 192.168.5.250 (192.168.5.250:55244)
      2016-10-06 14:32:49,485 DEBUG [org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-1] Issuing login challenge to browser.
      2016-10-06 14:32:49,500 DEBUG [org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-11] New Kerberos auth request from 192.168.5.250 (192.168.5.250:55244)
      2016-10-06 14:32:49,500 DEBUG [org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-11] Issuing login challenge to browser.
      2016-10-06 14:32:49,514 DEBUG [org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-2] New Kerberos auth request from 192.168.5.250 (192.168.5.250:55244)
      2016-10-06 14:32:49,514 DEBUG [org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-2] Issuing login challenge to browser.
      

      NOTE: Using Internet Explorer produces a slightly different error (a Windows Security dialog pops up), but credentials are not accepted and the following is logged; users are still unable to access resources.

      2016-10-10 15:51:03,190 DEBUG [org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-7] New Kerberos auth request from 10.244.10.190 (10.244.10.190:60945)
      2016-10-10 15:51:03,190 DEBUG [org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-7] Issuing login challenge to browser.
      2016-10-10 15:51:03,193 DEBUG [org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-8] Client sent an NTLMSSP security blob
      2016-10-10 15:51:03,193 DEBUG [org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-8] Clearing session.
      

      [Customer business impact / priority / urgency]
      Blocker - users using any method of authentication other than Kerberos are unable to access Alfresco resources via WebDAV, AOS or CMIS

      [Supporting evidence]

      • Wireshark trace attached when trying to access /alfresco/aos [share_failback-2.pcapng]
      • screenshot from Fiddler debugger tool
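
One way to spot this loop in the repository log, added here as an example (not part of the original report and not Alfresco code): it pairs each "Issuing login challenge" line with the preceding request on the same worker thread and flags any client ip:port that is re-challenged repeatedly. The threshold and window defaults are assumptions; the sample lines are rebuilt from the log excerpts in the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^\s*(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \w+\s+"
                  r"\[(?P<logger>[^\]]+)\] \[(?P<thread>[^\]]+)\] (?P<msg>.*)$")
REQUEST = re.compile(r"New Kerberos auth request from \S+ \((?P<peer>[^)]+)\)")

def find_challenge_loops(lines, threshold=3, window=timedelta(seconds=5)):
    """Map client ip:port -> most challenges issued to it inside any `window`,
    for clients reaching `threshold` (both defaults are assumed values)."""
    pending = {}                # worker thread -> peer it is currently serving
    issued = defaultdict(list)  # peer -> timestamps of challenges sent to it
    for line in lines:
        m = LINE.match(line)
        if not m or not m["logger"].endswith("KerberosAuthenticationFilter"):
            continue
        req = REQUEST.search(m["msg"])
        if req:
            pending[m["thread"]] = req["peer"]
        elif "Issuing login challenge" in m["msg"]:
            # The challenge line carries no address; pair it by thread name.
            peer = pending.pop(m["thread"], None)
            if peer:
                ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
                issued[peer].append(ts)
    loops = {}
    for peer, stamps in issued.items():
        stamps.sort()
        best = start = 0
        for end, ts in enumerate(stamps):   # sliding window over timestamps
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            loops[peer] = best
    return loops

# Sample rebuilt from the report: one successful AOS logon (port 49257)
# followed by the non-domain Firefox loop (port 55244).
F = "2016-10-06 %s DEBUG [org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-%d] %s"
REQ = "New Kerberos auth request from 192.168.5.250 (192.168.5.250:%d)"
SAMPLE = [F % ("12:11:24,926", 11, REQ % 49257),
          F % ("12:11:24,930", 11, "Issuing login challenge to browser."),
          F % ("12:11:24,951", 1, "User User1873 logged on via Kerberos")]
for t, n in [("454", 3), ("467", 12), ("485", 1), ("500", 11), ("514", 2)]:
    SAMPLE += [F % ("14:32:49," + t, n, REQ % 55244),
               F % ("14:32:49," + t, n, "Issuing login challenge to browser.")]
print(find_challenge_loops(SAMPLE))  # {'192.168.5.250:55244': 5}
```

A normal SSO logon produces a single challenge per connection, so only the looping client is reported.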

            Activity

            dhulley Derek Hulley added a comment -

            Removing fixVersion of 5.1.2; Platform will not be fixing any more of this list.


              People

              • Assignee:
                closedbugs Closed Bugs
                Reporter:
                dsamarzija Dario Samarzija