Alfresco does not seem to correctly chain Kerberos auth

xkahn
Champ in-the-making
I have filed this as an issue (https://issues.alfresco.com/jira/browse/ALFCOM-3752), but wanted to raise it here too; maybe I'm missing something important.

I am authenticating users through Kerberos.  Some users will have a ticket already and will have their web browsers set up to handle Negotiate authentication and some will not.  So I would like Alfresco to try SSO first, and if it fails, request a username and password.

In testing this, I can set up password auth via Kerberos and failures chain to the next auth subsystem.  But SSO Kerberos does not.  Users simply see a blank page if the authentication fails.

Testing in Internet Explorer, users see a Windows Security dialog until they either enter valid credentials or press cancel and see the blank page.  In Chrome, which doesn't support Negotiate at all, users only see a blank page.  In Firefox, users can only access the site if it is set up correctly AND they have a valid ticket; otherwise they see a blank page.

Nothing appears in the logs.  The last message my server reports is:
17:22:28,377 INFO  [org.alfresco.web.scripts.AbstractRuntimeContainer] Initialised WebFramework Web Script Container (in 62.619ms)
17:22:29,231 INFO  [org.alfresco.web.site.FrameworkHelper] Successfully Initialized Web Framework

xkahn
Champ in-the-making
So the forum rules ask me not to reply to myself, but … well, I have more information.

The problem is the way Alfresco appears to handle Kerberos SSO authentication on the HTTP level.  When Kerberos SSO is enabled, Alfresco stops using the login page and instead uses browser-based authentication.  This means it sends a "401 Unauthorized" response to the request.  This code requires a "WWW-Authenticate" header which tells the client (web browser) what authentication methods are supported.  Alfresco sends only ONE authentication method (ignoring any other methods listed in the Authentication chain) – the Negotiate method.  Alfresco leaves the body of the "401 Unauthorized" response blank.  This means that browsers which don't support Negotiate (or aren't set up correctly, or the user isn't allowed to access etc, etc) can only display a blank page.

So what should Alfresco do?  Alfresco could start supporting Basic HTTP authentication as a fallback if username/password authentication schemes are listed in the authentication chain.  In this case, the WWW-Authenticate header would list both the Negotiate method and the Basic method.  Alternatively (or additionally?) Alfresco should send some kind of message or page when sending a "401 Unauthorized" response.  Ideally, it would send the login page.  When checking if a user is authenticated, a correct cookie should be sufficient and the Basic login credentials would be as well.
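
What the fallback described above looks like on the wire, as an added example that is not part of the thread or of Alfresco's code: the 401 advertises both Negotiate and Basic and carries a login-page body, and a Basic credential is checked against a constructed sample user table (the realm name "Kerberos Login" is borrowed from the reply below; the Negotiate branch only shows the fall-through and does not validate tickets).

```python
import base64, binascii, hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

REALM = "Kerberos Login"          # realm name is an assumption, not Alfresco's setting
USERS = {"alice": "s3cret"}       # constructed sample table standing in for the password authenticator
LOGIN_BODY = (b"<html><body><h1>401 Unauthorized</h1><p>Single sign-on failed. "
              b'<a href="/login">Log in with username and password</a></p></body></html>')

def challenge():
    """401 that advertises BOTH schemes and carries a usable body instead of a blank page."""
    headers = [("WWW-Authenticate", "Negotiate"),
               ("WWW-Authenticate", 'Basic realm="%s"' % REALM),
               ("Content-Type", "text/html; charset=utf-8")]
    return 401, headers, LOGIN_BODY

def authenticate(authorization):
    """Map an Authorization header value (or None) to (status, headers, body, user)."""
    if not authorization:
        return challenge() + (None,)
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() == "negotiate":
        # A real server hands `token` to GSSAPI/SPNEGO here. This example cannot validate
        # Kerberos tickets offline, so it only shows the fall-through: re-challenge with
        # both schemes rather than returning an empty 401.
        return challenge() + (None,)
    if scheme.lower() == "basic":
        try:
            user, _, pw = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
        except (binascii.Error, UnicodeDecodeError):
            return challenge() + (None,)
        if user in USERS and hmac.compare_digest(USERS[user].encode(), pw.encode()):
            return 200, [("Content-Type", "text/plain")], b"hello " + user.encode(), user
    return challenge() + (None,)   # unknown scheme or bad password: challenge again, never blank

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, headers, body, _ = authenticate(self.headers.get("Authorization"))
        self.send_response(status)
        for name, value in headers:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

A browser that cannot do Negotiate will either show its Basic dialog or render the body, so the user never lands on an empty page.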

sriram_g77
Champ in-the-making
I was in the same boat. I even created my own alfresco kerb filter in 3.1 to send
WWW-Authenticate=NegotiateBasic realm="Kerberos Login"

With 3.2 it became further difficult. So I moved on to try mod_auth_kerb, but the issue again is SPP and CIFS implementations. So finally giving a try on NTLM.
I really don't want NTLM, but it looks like that's the only option.