topic Re: Alfresco does not seem to correctly chain Kerberos auth in Alfresco Archive

Alfresco does not seem to correctly chain Kerberos auth

xkahn — Wed, 06 Jan 2010 16:42:33 GMT

I have filed this as an issue (https://issues.alfresco.com/jira/browse/ALFCOM-3752), but wanted to raise it here too; maybe I'm missing something important.I am authenticating users through Kerberos. Some users will have a ticket already and will have their web browsers set up to handle Negotiate a

Re: Alfresco does not seem to correctly chain Kerberos auth

xkahn — Wed, 06 Jan 2010 21:27:33 GMT

So the forum rules ask me not to reply to myself, but … well, I have more information.

The problem is the way Alfresco appears to handle Kerberos SSO authentication on the HTTP level. When Kerberos SSO is enabled, Alfresco stops using the login page and instead uses browser based authentication. This means it sends a "401 Unauthorized" response to the request. This code requires a "WWW-Authenticate" header which tells the client (web browser) what authentication methods are supported. Alfresco sends only ONE authentication method (ignoring any other methods listed in the Authentication chain) – the Negotiate method. Alfresco leaves the body of the "401 Unauthorized" response blank. This means that browsers which don't support Negotiate (or aren't set up correctly, or the user isn't allowed to access etc, etc) can only display a blank page.

So what should Alfresco do? Alfresco could start supporting Basic HTTP authentication as a fallback if username/password authentication schemes are listed in the authentication chain. In this case, the WWW-Authenticate header would list both the Negotiate method and the Basic method. Alternatively (or additionally?) Alfresco should send some kind of message or page when sending a "401 Unauthorized" response. Ideally, it would send the login page. When checking if a user is authenticated, a correct cookie should be sufficient and the Basic login credentials would be as well.

Re: Alfresco does not seem to correctly chain Kerberos auth

sriram_g77 — Wed, 13 Jan 2010 00:13:00 GMT

I was on the same boat. I even created my own alfresco kerb filter in 3.1 to send

WWW-Authenticate=NegotiateBasic realm="Kerberos Login"‍

With 3.2 it became further difficult . So I moved on to try mod_auth_kerb, but the issue again is SPP and CIFS implementations. So finally giving a try on NTLM.
I really don't want NTLM, but looks like thats the only option.