cancel
Showing results for 
Search instead for 
Did you mean: 

AOS and SSO Security settings (Zones)

loftux
Star Contributor
Star Contributor

Hi,

I've been trying to get a definitive answer on what security zones the Repository Server needs to be in order to get SSO to work for Alfresco Office Services (AOS).

What we have to play with:

Local Intranet Zone - Here is where you normally put the repo server for SSO to work.

Trusted Sites - Here is where you need to put the repo server if you want to avoid the nagging warning message when opening an office file from Share.

Trusted sites, however, does not have "forward credentials" by default, and this is not something you can set for an individual site, and in Sysadmin in this case does not want to change that for all.

Some say that the server should be in both zones, such as this for Office365

https://www.tuomi.ca/2015/04/09/office-365-internet-explorer-security-settings-the-final-frontier/ 

I have also found this to avoid getting randomly prompted for credentials.

SharePoint prompting for password when saving word document 

My problem is that whatever combination of adding Alfresco servers in different zones I've tested, it either warns or prompts for credentials when opening an office file.

So what combination of putting Alfresco servers in Security Zones have you used to get this working?

2 REPLIES 2

afaust
Legendary Innovator
Legendary Innovator

It may be a bit late but I never had any issues when adding the site to the "Trusted Site" configuration in IE. That worked both with SSO and non-SSO use cases to suppress the "you are about to open" warning and for SSO to actually use the Windows integrated authentication. This has worked on Windows 7 and 10, IE 10+ or Edge, using either passthru or kerberos SSO mechanisms - for various customers with both AOS integrated in Enterprise 5.0 (before it was even called AOS) and AOS on 5.1.g (201705 + AOS 1.1.3)

niele
Champ on-the-rise
Champ on-the-rise

Sorry to bring this back but I came across this post when revisiting the issue of SSO with the forthcoming Chromium-based Edge.  We have our repository in the "Trusted Site" zone in IE which has always allowed for automatic sign-in with IE and Chrome on any version of Windows (we have Kerberos SSO enabled).  Automatic signin has never worked for us in Edge and does not appear to work in the Chromium Edge beta unless you put the repository in the "Intranet Site" zone but doing that will cause warnings in Office when using AOS.  The Microsoft forum posts or KB articles that I read seemed to say that Edge doesn't respect the zone settings and will not forward credentials unless it is in the intranet zone.

So I guess my basic question is this, is it possible to have Kerberos SSO automatic sign-in with Edge (or Chromium Edge) without Microsoft Office warnings when using AOS?  If so, which security zone is used?

Thanks,

Neil