Hyland Connect

cajova_houba · ‎08-27-2024

Hello,

we're using Alfresco Community 7. One of the features used is "Open file in [MS Office App]" in the Alfresco Share. Microsoft has started to block basic auth sign-in prompts, so we're unable to use this feature. Instead we have to download the file, edit it, save it, and upload it again.

We've put the instance of Alfresco behind Keycloak and assumed this would then get picked by the AOS as well and instead of basic auth sign-in, user would be redirected to the Keycloak where he would perform sign-in. However, this is not the case and when opening word/excel/... documents, the MS Office application still uses basic auth.

I figured out this could be an AOS configuration issue, as it's the component of Alfresco responsible for interaction with MS Office, however, I wasn't able to find any information on this in AOS documentation.

So, my question is, what would be the correct way to solve this? There's a similar question but without any answer. One of the responses to another question on this topic mentions changing Windows group policy settings as a workaround but we would rather use SSO.

Thanks in advance.

michele123 · ‎08-31-2024

Hello,

@cajova_houba kynectwrote:
Hello,
we're using Alfresco Community 7. One of the features used is "Open file in [MS Office App]" in the Alfresco Share. Microsoft has started to block basic auth sign-in prompts, so we're unable to use this feature. Instead we have to download the file, edit it, save it, and upload it again.
We've put the instance of Alfresco behind Keycloak and assumed this would then get picked by the AOS as well and instead of basic auth sign-in, user would be redirected to the Keycloak where he would perform sign-in. However, this is not the case and when opening word/excel/... documents, the MS Office application still uses basic auth.
I figured out this could be an AOS configuration issue, as it's the component of Alfresco responsible for interaction with MS Office, however, I wasn't able to find any information on this in AOS documentation.
So, my question is, what would be the correct way to solve this? There's a similar question but without any answer. One of the responses to another question on this topic mentions changing Windows group policy settings as a workaround but we would rather use SSO.
Thanks in advance.

To resolve the issue of Alfresco using basic authentication for MS Office integration even when behind Keycloak, it's essential to verify the correct configuration of both systems, including SSO settings and client credentials. Inspecting the AOS configuration for any specific settings related to MS Office integration is also crucial. If necessary, update Alfresco or AOS to the latest versions and consider third-party integrations for enhanced functionality. Additionally, consult the Alfresco community or support channels for tailored guidance and to address any network-related issues that might be affecting the communication between Alfresco, Keycloak, and MS Office.

View answer in original post

franktucker907 · ‎09-02-2024

Hello,
Check AOS Configuration: Ensure that AOS is correctly configured to use Keycloak for authentication. This might involve updating the AOS configuration files to point to your Keycloak instance and ensuring that the necessary authentication protocols are supported.
Update AOS Version: Make sure you are using the latest version of AOS, as newer versions may have fixes or improvements related to SSO integration. flyingtogether ual com
Keycloak Configuration: Verify that Keycloak is properly set up to handle SSO for your Alfresco instance. This includes ensuring that the correct client settings and redirect URIs are configured.
Windows Group Policy: While you prefer not to use this workaround, it’s worth noting that adjusting Windows Group Policy settings can sometimes help with SSO issues. Specifically, you might need to enable certain policies related to authentication and credential delegation.
Best Regards
franktucker907

View answer in original post

cajova_houba · ‎10-31-2025

The setup we're running is:

1. A Keycloak instance with a dedicated realm and public (=no credentials) OIDC client for Alfresco.

2. Alfresco instance configured to use the Keycloak as an authentication provider

authentication.chain=<your custom idp name>:identity-service,alfrescoNtlm1:alfrescoNtlm
identity-service.auth-server-url=<your idp url>
identity-service.realm=<name of the realm in KC>
identity-service.resource=<name of the OIDC client>

That alfrescoNtlm is an Alfresco's own inbuilt identity provider.

This has worked until recently. Couple of days/weeks ago we started getting the "Ms Office has blocked access to ..." again. I have no idea why as our setup did not change and I'm currently in the process of debugging it.

View answer in original post

acsme · ‎10-09-2025

Hi!
Any actual solution for the problem?

atTheBeach · ‎10-15-2025

I haven't found anything. I think Hyland's pretty keen to terminate the Community stuff.

acsme · ‎10-15-2025

Even with Keycloak configured, I still can't use MS Office to access Alfresco via MS Edge. The error:
"This zero machine is configured to authenticate with OIDC. Please use a client that supports OFBA to access this resource."
Any help, please?

Hyland Connect

Configuring AOS to not use basic authentication