
Failover for SSO (Kerberos) not working

bnice
Champ in-the-making
Hi,

After two days of troubleshooting, I now have a running Kerberos configuration with SSO.
Now I need a way to manually log in with an AlfrescoNTLM user.
I know there is a backdoor to log in manually (http://ip/:8080/alfresco/faces/jsp/login.jsp), but it then always switches back to Kerberos.

Btw: Both users (ADS and AlfrescoNTLM) have the same username.
6 REPLIES

loftux
Star Contributor
This is fixed in 3.4.a (not released yet); you will be redirected to a forms-based login if Kerberos did not work.

bnice
Champ in-the-making
So there's no other way to use Kerberos and local authentication simultaneously?

loftux
Star Contributor
Then I misunderstood. You should be able to use both Alfresco logins and Kerberos simultaneously if you have set up the authentication chain properly (you should have both alfrescoNtlm and kerberos in the chain).
So what is not working is Alfresco Explorer doing a redirect to the manual login page if the browser does not support Kerberos login (or if the ticket is invalid). You should be able to navigate directly to login.jsp, and then log in with your AD username/password or Alfresco username/password.

bnice
Champ in-the-making
The issue seems to be more difficult…
I changed my global.properties to use only AlfrescoNTLM.
Then I added a new (admin) user named admin-user.
After that, I changed the authentication chain back to

authentication.chain=kerberos1:kerberos,ldap-ad1:ldap-ad,alfrescoNtlm1:alfrescoNtlm

After that, I can log in via login.jsp, and it shows "admin-user" as the logged-in account.
But as soon as I click on any icon, it switches to my Kerberos login (which is not an admin account) and my admin rights are gone (as they should be for that account).

Is this a bug or a configuration error?

loftux
Star Contributor
That is how Alfresco Explorer works. It has a filter that detects that you have a Kerberos ticket for each web page request, and authenticates your request.
So for you to log in with a non-Kerberos account, install a second browser like Firefox or Google Chrome (that without any config does not use Kerberos), and you can do your admin tasks using that browser.
And this is not anything that will change in the next version, to my knowledge.

bnice
Champ in-the-making
Ahhh… Great, that really works, so I can use Firefox for administration and IE for normal login via Kerberos.
Thanks for your help!