https://connect.hyland.com/t5/alfresco-archive/alfresco-does-not-seem-to-correctly-chain-kerberos-auth/m-p/224628#M177758 <HTML><HEAD></HEAD><BODY><SPAN>I have filed this as an issue (</SPAN><A href="https://issues.alfresco.com/jira/browse/ALFCOM-3752" rel="nofollow noopener noreferrer">https://issues.alfresco.com/jira/browse/ALFCOM-3752</A><SPAN>), but wanted to raise it here too; maybe I'm missing something important.</SPAN><BR /><BR /><SPAN>I am authenticating users through Kerberos.&nbsp; Some users will have a ticket already and will have their web browsers set up to handle Negotiate authentication and some will not.&nbsp; So I would like Alfresco to try SSO first, and if it fails, request a username and password.</SPAN><BR /><BR /><SPAN>In testing this, I can set up password auth via Kerberos and failures chain to the next auth subsystem.&nbsp; But SSO Kerberos does not.&nbsp; Users simply see a blank page if the authentication fails.</SPAN><BR /><BR /><SPAN>Testing in Internet Explorer, users see a Windows Security dialog until they either enter valid credentials. (or they press cancel and see the blank page)&nbsp; In Chrome, which doesn't support negotiate at all, users only see a blank page.&nbsp; In firefox, users can only access the site if it is set up correctly AND they have a valid ticket; otherwise they see a blank page.</SPAN><BR /><BR /><SPAN>Nothing appears in the logs.&nbsp; The last message my server reports is:</SPAN><BR /><PRE class="language-none line-numbers"><CODE>17:22:28,377 INFO&nbsp; [org.alfresco.web.scripts.AbstractRuntimeContainer] Initialised WebFramework Web Script Container (in 62.619ms)<BR />17:22:29,231 INFO&nbsp; [org.alfresco.web.site.FrameworkHelper] Successfully Initialized Web Framework<SPAN class="line-numbers-rows"><SPAN>‍</SPAN><SPAN>‍</SPAN></SPAN></CODE></PRE></BODY></HTML> Wed, 06 Jan 2010 16:42:33 GMT xkahn 2010-01-06T16:42:33Z https://connect.hyland.com/t5/alfresco-archive/alfresco-does-not-seem-to-correctly-chain-kerberos-auth/m-p/224628#M177758 I have filed this as an issue (https://issues.alfresco.com/jira/browse/ALFCOM-3752), but wanted to raise it here too; maybe I'm missing something important.I am authenticating users through Kerberos.&nbsp; Some users will have a ticket already and will have their web browsers set up to handle Negotiate a Wed, 06 Jan 2010 16:42:33 GMT https://connect.hyland.com/t5/alfresco-archive/alfresco-does-not-seem-to-correctly-chain-kerberos-auth/m-p/224628#M177758 xkahn 2010-01-06T16:42:33Z https://connect.hyland.com/t5/alfresco-archive/alfresco-does-not-seem-to-correctly-chain-kerberos-auth/m-p/224629#M177759 <HTML><HEAD></HEAD><BODY><SPAN>So the forum rules ask me not to reply to myself, but …&nbsp; well, I have more information.&nbsp; </SPAN><BR /><BR /><SPAN>The problem is the way Alfresco appears to handle Kerberos SSO authentication on the HTTP level.&nbsp; When Kerberos SSO is enabled, Alfresco stops using the login page and instead uses browser based authentication.&nbsp; This means it sends a "401 Unauthorized" response to the request.&nbsp; This code requires a "WWW-Authenticate" header which tells the client (web browser) what authentication methods are supported.&nbsp; Alfresco sends only ONE authentication method (ignoring any other methods listed in the Authentication chain) – the Negotiate method.&nbsp; Alfresco leaves the body of the "401 Unauthorized" response blank.&nbsp; This means that browsers which don't support Negotiate (or aren't set up correctly, or the user isn't allowed to access etc, etc) can only display a blank page.</SPAN><BR /><BR /><SPAN>So what should Alfresco do?&nbsp; Alfresco </SPAN><EM>could</EM><SPAN> start supporting Basic HTTP authentication as a fallback if username/password authentication schemes are listed in the authentication chain.&nbsp; In this case, the WWW-Authenticate header would list both the Negotiate method and the Basic method.&nbsp; Alternatively (or additionally?) Alfresco should send some kind of message or page when sending a "401 Unauthorized" response.&nbsp; Ideally, it would send the login page.&nbsp; When checking if a user is authenticated, a correct cookie should be sufficient and the Basic login credentials would be as well.</SPAN></BODY></HTML> Wed, 06 Jan 2010 21:27:33 GMT https://connect.hyland.com/t5/alfresco-archive/alfresco-does-not-seem-to-correctly-chain-kerberos-auth/m-p/224629#M177759 xkahn 2010-01-06T21:27:33Z https://connect.hyland.com/t5/alfresco-archive/alfresco-does-not-seem-to-correctly-chain-kerberos-auth/m-p/224630#M177760 <HTML><HEAD></HEAD><BODY><SPAN>I was on the same boat. I even created my own alfresco kerb filter in 3.1 to send </SPAN><BR /><PRE class="language-none line-numbers"><CODE>WWW-Authenticate=NegotiateBasic realm="Kerberos Login"<SPAN class="line-numbers-rows"><SPAN>‍</SPAN></SPAN></CODE></PRE><BR /><SPAN>With 3.2 it became further difficult . So I moved on to try mod_auth_kerb, but the issue again is SPP and CIFS implementations. So finally giving a try on NTLM.</SPAN><BR /><SPAN>I really don't want NTLM, but looks like thats the only option.</SPAN></BODY></HTML> Wed, 13 Jan 2010 00:13:00 GMT https://connect.hyland.com/t5/alfresco-archive/alfresco-does-not-seem-to-correctly-chain-kerberos-auth/m-p/224630#M177760 sriram_g77 2010-01-13T00:13:00Z