Alfreco session broken while using HTTPS

oscar_2016 — Fri, 09 Dec 2016 15:42:38 GMT

Hello Are environment is as followsWindows 2008 R2 Apache Tomcat/7.0.53Alfresco 4.2.4 enterprise editionThe issue we are experience in alfresco share is as follows1. Authentication NTLM SSO on active directory2. We only are authenticating share and explorer3 Using http and ht

Re: Alfreco session broken while using HTTPS

openpj — Fri, 16 Dec 2016 11:20:09 GMT

This issue could depends on some networking issue between Alfresco and the specific user machine.

Have you tried to understand if these users have the same subnet or similar constraints compared to the other users?

It could be a problem related to a proxy setting but I'm not sure.

If you are using Alfresco Enterprise Edition you should have a dedicated account for creating a ticket to the Alfresco Support:

http://support.alfresco.com/

In this way the Alfresco Engineers will help you on this specific issue.

Re: Alfreco session broken while using HTTPS

oscar_2016 — Fri, 16 Dec 2016 13:35:21 GMT

First of all, Thanks very much for your response; was already starting to disappoint to see that nobody showed interest in this.

The https connector configuration is ignoring the parameter maxHttpHeaderSize, see what tomcat documentation says about this parameter:

The maximum size of the request and response HTTP header, specified in bytes. If not specified, this attribute is set to 8192 (8 KB).

We are using NTLM SSO again Active directory, the NTLM authentication uses http headers WWWAuthenticate and Authorization (this header could be big), in addition there are other headers on each http request and response messages like session header, cookies etc

In http or https A request with too long headers is rejected by the webserver before it reaches a web application (alfresco share or alfresco)

The above means that randomly the end user might get and error or be prompted to enter credentials, I have play with

maxHttpHeaderSize, setting small values and what I got is either and error Web page cannot be display (Tomcat is rejecting the request and sending HTTP status bad request) or I am being prompted to enter credential through the alfresco login page (this means that the header size is not big enough and the NTLM SSO failed).

What the end user are getting is the Windows security POP up Windows, this Windows is displays when Basic authentication has been configured for a web application, this kind of authentication is Done my TOMCAT and is enable through security constrains in the web application deployment descriptor, I have checked

The deployment descriptor of Share, alfresco and SOLR and there are security constrains in Alfresco and SOLR but they do not use Basic authentication).

Since Anonymous authentication is disable in Tomcat, Alfresco, SOLR and Share, it could be happening

That when a request with too long headers arrives TOMCAT is rejecting it before it reaches share and silently drop connection and from this point tomcat is switching to basic authentication (the NTLM SSO is performed by Alfresco) and reply any request containing the header WWWAuthenticate = basic, that makes IE display the Windows security pop ups, then the user enter their credential but Tomcat does not find this credential in the xml find that is used for Basic authentication and the authentication fail and keep asking for credentials.

topic Alfreco session broken while using HTTPS in Alfresco Archive

Alfreco session broken while using HTTPS

Re: Alfreco session broken while using HTTPS

Re: Alfreco session broken while using HTTPS