  1. Service Packs and Hot Fixes
  2. MNT-21702

Kerberos SSO fallback mechanism does not work, so unable to log in to WebDAV using Basic authentication

    Details

    • Bug Priority:
      Category 2
    • Escalated By:
      CSM
    • Hot Fix Version:
      5.2.5.1
    • ACT Numbers:

      01008072, 01013527

    • Delivery Team:
      Customer Excellence

      Description

      Summary:

      When Kerberos is configured along with basic authentication in a chain, all the calls to the repository will only support Kerberos. The response from the server only contains the WWW-Authenticate: Negotiate header.

      To make Kerberos and Basic auth work together, we have added this property:
      kerberos.authentication.sso.fallback.enabled=true

      https://docs.alfresco.com/5.1/tasks/auth-subsystem-chain-config.html

      However, unfortunately the above does not seem to work in ACS 5.2.5.

      According to the customer, they used to get basic auth with ACS version 4.2.

      Steps to replicate:

      1. Install ACS 5.2.5 OOTB

      2. Set the following property in global properties

      kerberos.authentication.sso.fallback.enabled=true

      3. Set the authentication chain to NTLM and then Kerberos (restart Alfresco if needed for changes to take effect)

      alfrescoNtlm1:alfrescoNtlm,kerberos1:kerberos

      4. Set up Kerberos with AD, and configure Kerberos on Alfresco

      https://docs.alfresco.com/6.0/tasks/kerberos-AD-config.html

      https://docs.alfresco.com/6.0/tasks/kerberos-alfresco-config.html

      5. Configure Kerberos SSO in IE and Chrome but not for Firefox (FF)

      https://docs.alfresco.com/6.0/concepts/auth-kerberos-clientconfig.html

      6. Try to log in to WebDAV using IE and Chrome

      7. Make sure WebDAV logs in using Kerberos SSO (no credentials needed) with IE and Chrome

      Expected behaviour:
      Log in to WebDAV using the Firefox browser. This should use the fallback mechanism, as Kerberos will fail because Firefox is not configured with Kerberos. Alfresco should fall back to NTLM and prompt the user for the login credentials. They should be able to enter the username/password and log in.

      Observed behaviour:
      User sees a white page with a link saying please login, but clicking on it won’t do anything.
      When the user clicks the link, it loops to the same page.
      The authentication call sent is always Negotiate and does not fall back to basic auth.

      ADDITIONAL NOTES:

      I have tested these steps on 5.2.1, 5.2.5, 5.2.6 and 6.2.2. The only differences are as follows:

      1. On 5.2 versions there is a "Please log in." link displayed and when you click it you are in a loop.

      2. On 6.2.2 you get a message "Login failed. Please try again." There is nothing else.

      3. On all other steps all the browsers work as expected. Also, configuring Firefox to use Kerberos on the domain computer works as expected also.

      I have the following settings in alfresco-global.properties for all the instances tested.

      authentication.chain=kerberos1:kerberos,alfrescoNtlm1:alfrescoNtlm,ldap-ad2:ldap-ad

      Additional Kerberos settings:

      kerberos.authentication.sso.enabled=true
      kerberos.authentication.browser.ticketLogons=true
      kerberos.authentication.sso.fallback.enabled=true
      kerberos.authentication.sso.login.page.link=/webdav
      
      ## turn on ldap authentication
      ldap.authentication.active=true

      I have attached supporting images
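
      One way to confirm the symptom from the Summary on a captured 401 response, as an added example that is not part of the original ticket or Alfresco's own code: it lists the schemes offered in `WWW-Authenticate` and flags the Negotiate-only case. The two sample responses and the realm string are constructed for illustration.

```python
import re

# RFC 7230 "token" characters, used for auth-scheme and parameter names.
TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"

def offered_schemes(raw_headers):
    """Return the auth schemes from every WWW-Authenticate header, in order."""
    schemes = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "www-authenticate":
            continue
        # Blank out quoted strings so a comma inside a realm does not split a challenge.
        value = re.sub(r'"(?:\\.|[^"\\])*"', '""', value)
        for item in value.split(","):
            m = re.match(rf"\s*({TOKEN})(?:\s+(.*))?$", item)
            # "name=value" items are parameters of the previous challenge, not schemes.
            if m and not (m.group(2) or "").startswith("="):
                schemes.append(m.group(1).lower())
    return schemes

def fallback_verdict(raw_headers):
    """Classify a 401 response for a client that cannot do Kerberos."""
    schemes = offered_schemes(raw_headers)
    sso = "negotiate" in schemes
    fallback = any(s in ("basic", "ntlm") for s in schemes)
    if sso and fallback:
        return "fallback-offered"
    if sso:
        return "negotiate-only"   # the behaviour reported in this ticket
    return "no-sso" if fallback else "no-challenge"

# Constructed sample: what the ticket reports seeing.
OBSERVED = "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\n\r\n"
# Constructed sample: a response that also offers a non-Kerberos scheme.
EXPECTED = ("HTTP/1.1 401 Unauthorized\r\n"
            "WWW-Authenticate: Negotiate\r\n"
            'WWW-Authenticate: Basic realm="Alfresco, WebDAV"\r\n\r\n')

if __name__ == "__main__":
    for label, resp in (("observed", OBSERVED), ("expected", EXPECTED)):
        print(label, offered_schemes(resp), fallback_verdict(resp))
```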

                People

                • Assignee:
                  closedbugs Closed Bugs (Inactive)
                  Reporter:
                  smatoorian Shima Matoorian