Kerberos SSO with FQDN in Firefox

Zhoel — Wed, 04 Mar 2020 06:42:45 GMT

When i enter alfresco site with FQDN i get sso fallback to prompt hostname and password.

If i use just hostname, SSO works in Firefox

Chrome works in both ways

Is it firefox related case?

Log:

SEVERE: Servlet.service() for servlet [wcapiServlet] in context with path [/alfresco] threw exception
org.alfresco.rest.framework.core.exceptions.NotFoundException: 02040001 /sites/query not found
at org.alfresco.rest.api.PublicApiDeclarativeRegistry.findWebScript(PublicApiDeclarativeRegistry.java:250)
at org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter.doFilter(BaseSSOAuthenticationFilter.java:204)
at jdk.internal.reflect.GeneratedMethodAccessor475.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:119)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212)
at com.sun.proxy.$Proxy150.doFilter(Unknown Source)
at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:89)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.alfresco.web.app.servlet.WebScriptSSOAuthenticationFilter.doFilter(WebScriptSSOAuthenticationFilter.java:124)
at jdk.internal.reflect.GeneratedMethodAccessor475.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:119)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212)
at com.sun.proxy.$Proxy150.doFilter(Unknown Source)
at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:89)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.alfresco.web.app.servlet.WebscriptCookieAuthenticationFilter.doFilter(WebscriptCookieAuthenticationFilter.java:77)
at jdk.internal.reflect.GeneratedMethodAccessor475.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:132)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212)
at com.sun.proxy.$Proxy150.doFilter(Unknown Source)
at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:89)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:68)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.alfresco.web.app.servlet.ClearSecurityContextFilter.doFilter(ClearSecurityContextFilter.java:53)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:200)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:543)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:609)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:810)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1623)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Thread.java:834)

Re: Kerberos SSO with FQDN in Firefox

Zhoel — Wed, 04 Mar 2020 07:20:56 GMT

Also SSO doesnt work until i log in on chrome

Re: Kerberos SSO with FQDN in Firefox

EddieMay — Wed, 04 Mar 2020 09:35:13 GMT

Hi @Zhoel,

I'm not sure if you've seen this thread, but there is some useful information about debugging kerberos & FQDN.

HTH,

Re: Kerberos SSO with FQDN in Firefox

Zhoel — Wed, 04 Mar 2020 09:51:52 GMT

Yeah ive seen that post. I follow check list, but all was fine. I will be using hostname instead FQDN thats no problem

Re: Kerberos SSO with FQDN in Firefox

Zhoel — Thu, 05 Mar 2020 08:48:22 GMT

I added nginx reverse proxy. Chrome (and even IE) works fine, but Firefox

ERROR [alfresco.web.site] [http-nio-8080-exec-1] javax.servlet.ServletException: Possible CSRF attack noted when asserting referer header 'https://alf601.clinic.odb45.ru/share/page?pt=login'. Request: POST /share/page/dologin, FAILED TEST: Assert referer POST /share/page/dologin :: referer: 'https://alf601.clinic.odb45.ru/share/page?pt=login' vs server & context: http://alf601.clinic.odb45.ru/ (string) or (regexp)

If i use hostname in link, sso works and no error in log. Dirty black magic

Re: Kerberos SSO with FQDN in Firefox

Zhoel — Thu, 05 Mar 2020 09:56:38 GMT

So it seems ther is misconfiguration in official doc for 6.0. I did conf like

And sso works only for hostname. Now i made chage in GPO user-adm template-mozilla-firefox-authentication:

Delegated - i enter http://alf601.clinic.odb45.ru:8080
NTLM i did as 1
SPNEGO i did as 1

Now i can do SSO in firefox with fqnd

topic Re: Kerberos SSO with FQDN in Firefox in Alfresco Forum

Kerberos SSO with FQDN in Firefox

Re: Kerberos SSO with FQDN in Firefox

Re: Kerberos SSO with FQDN in Firefox

Re: Kerberos SSO with FQDN in Firefox

Re: Kerberos SSO with FQDN in Firefox

Re: Kerberos SSO with FQDN in Firefox