Type: Hot Fix Request
Affects Version/s: 5.2.5, 6.2.2
Hot Fix Version:220.127.116.11
Delivery Team:Customer Excellence
When Kerberos is configured along with basic authentication in a chain, all the calls to the repository will only support Kerberos. The response from the server only contains the WWW-Authenticate: Negotiate header.
In order to make kerberos and Basic auth to work together, we have added this property:
However unfortunately the above does not seem to work in ACS 5.2.5
According to customer they used to get a basic auth with ACS version 4.2
Steps to replicate:
1. install ACS 5.2.5 OOTB
2. set the following property is global properties
3.set the authentication chain to NTLM and then Kerberos ( restart Alfresco if needed for changes to take effect)
4.set up kerberos with AD , and configure kerberos on Alfrsco
5. Configure Kerberos sso in IE and Chrome but not for firefox(FF)
6. try to login to Webdav using IE and Chrome
7. make sure webdav logs in using Kerberos SSO (no credentials needed) with IE and Chrome
Expected behavior :
Login to webdav using firefox browser, this should use the fallback mechanism as Kerberos will fail because FireFox is not configured with kerberos. Alfresco should fallback to NTLM and prompt the user with the login credentials. They should be able to enter the username /password and login
User sees a white page with a link saying please login but clicking on it won’t do anything
When the user clocks the link, it loops to the same page.
The authentication call sent is always negotiate and does not fall back to basic auth
I have tested these steps on 5.2.1, 5.2.5, 5.2.6 and 6.2.2. The only differences are as follows:
1. On 5.2 versions there is a "Please log in." link displayed and when you click it you are in a loop.
2. On 6.2.2 you get a message "Login failed. Please try again." There is nothing else.
3. On all other steps all the browsers work as expected. Also, configuring Firefox to use Kerberos on the domain computer works as expected also.
I have the following settings in alfresco-global.properties for all the instances tested.
Additional Kerberos settings:
I have attached supporting images