
Alfresco session broken while using HTTPS

oscar_2016
Champ in-the-making

Hello 

Our environment is as follows:

Windows 2008 R2

Apache Tomcat/7.0.53

Alfresco 4.2.4 Enterprise Edition

The issue we are experiencing in Alfresco Share is as follows:

1. Authentication NTLM SSO on Active Directory

2. We are only authenticating Share and Explorer

3. Using HTTP and HTTPS.

What's happening is that some users are randomly being prompted to enter their user credentials through the Windows security pop-up window. The user enters their Active Directory credentials, but the pop-up continuously reappears, thus not letting the user use Alfresco. The page usually freezes and users have to close their browsers if they can, as the page is "Not Responding", or reboot their computer. Once they go back into Alfresco it will work for a while, then the pop-up will appear again.

The above issue only occurs while they are using HTTPS. This makes me think that the problem is not caused by the authentication but by the configuration of the connector in Tomcat. Below is my configuration; could you help me understand why the session is broken and the users are prompted to enter credentials if we set up NTLM SSO? Thanks so much for your help.

<Connector port="8445" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
               maxthreads="400" scheme="https" secure="true"
               keystoreFile="D:\Alfresco\alf_data\keystore\ssl.serv.keystore"
               keystorePass="kT9X6oe68t" keystoreType="JCEKS"
               clientAuth="false" sslProtocol="TLS" />       


openpj
Elite Collaborator

This issue could depend on some networking issue between Alfresco and the specific user machine.

Have you tried to understand if these users have the same subnet or similar constraints compared to the other users?

It could be a problem related to a proxy setting but I'm not sure.

If you are using Alfresco Enterprise Edition you should have a dedicated account for creating a ticket to the Alfresco Support:

http://support.alfresco.com/ 

In this way the Alfresco Engineers will help you on this specific issue.

oscar_2016
Champ in-the-making

First of all, thanks very much for your response; I was already starting to be disappointed to see that nobody showed interest in this.

The HTTPS connector configuration is ignoring the parameter maxHttpHeaderSize; see what the Tomcat documentation says about this parameter:

The maximum size of the request and response HTTP header, specified in bytes. If not specified, this attribute is set to 8192 (8 KB).

 

We are using NTLM SSO against Active Directory; the NTLM authentication uses the HTTP headers WWW-Authenticate and Authorization (this header could be big). In addition, there are other headers on each HTTP request and response message, like the session header, cookies, etc.

In HTTP or HTTPS, a request with too-long headers is rejected by the web server before it reaches a web application (Alfresco Share or Alfresco).

The above means that randomly the end user might get an error or be prompted to enter credentials. I have played with maxHttpHeaderSize, setting small values, and what I got is either an error "Web page cannot be displayed" (Tomcat is rejecting the request and sending HTTP status Bad Request) or I am being prompted to enter credentials through the Alfresco login page (this means that the header size is not big enough and the NTLM SSO failed).

 

What the end users are getting is the Windows security pop-up window. This window is displayed when Basic authentication has been configured for a web application; this kind of authentication is done by Tomcat and is enabled through security constraints in the web application deployment descriptor. I have checked the deployment descriptors of Share, Alfresco and SOLR, and there are security constraints in Alfresco and SOLR, but they do not use Basic authentication.

 

Since anonymous authentication is disabled in Tomcat, Alfresco, SOLR and Share, it could be happening that when a request with too-long headers arrives, Tomcat is rejecting it before it reaches Share and silently drops the connection, and from this point Tomcat is switching to Basic authentication (the NTLM SSO is performed by Alfresco) and replies to any request containing the header WWW-Authenticate = Basic; that makes IE display the Windows security pop-ups. Then the user enters their credentials, but Tomcat does not find these credentials in the XML file that is used for Basic authentication, and the authentication fails and keeps asking for credentials.
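
Added example, not part of the posts above and not Alfresco or Tomcat code: one way to test the header-size hypothesis is to measure the header block of a captured request against the 8192-byte default quoted from the Tomcat documentation. The request below is constructed (host, path, token and cookie are placeholders), and counting the request line plus all header lines toward the limit is an assumption of this sketch.

```python
import base64

# Default maxHttpHeaderSize quoted in the thread from the Tomcat documentation.
TOMCAT_DEFAULT_MAX_HEADER = 8192

def header_block_size(raw_request):
    """Bytes from the request line through the blank line that ends the headers."""
    end = raw_request.find(b"\r\n\r\n")
    if end == -1:
        raise ValueError("end of headers not found")
    return end + 4

def per_header_sizes(raw_request):
    """(name, bytes on the wire) for each header line, largest first."""
    head = raw_request[:header_block_size(raw_request)]
    sizes = []
    for line in head.split(b"\r\n")[1:]:      # skip the request line
        if line:
            name = line.split(b":", 1)[0].decode("latin-1")
            sizes.append((name, len(line) + 2))  # +2 for the CRLF
    return sorted(sizes, key=lambda item: item[1], reverse=True)

def check_request(raw_request, limit=TOMCAT_DEFAULT_MAX_HEADER):
    """Compare the header block with the limit and name the biggest headers."""
    size = header_block_size(raw_request)
    return {"size": size, "limit": limit, "over_limit": size > limit,
            "largest": per_header_sizes(raw_request)[:3]}

def build_sample(cookie_bytes):
    """Constructed request: placeholder NTLM token plus a cookie of the given size."""
    token = base64.b64encode(b"NTLMSSP\x00" + bytes(600)).decode("ascii")
    lines = [
        "GET /share/page HTTP/1.1",             # constructed path
        "Host: alfresco.example.test:8445",     # constructed host, port from the post
        "Authorization: NTLM " + token,
        "Cookie: filler=" + "x" * cookie_bytes,
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")

if __name__ == "__main__":
    for n in (200, 8000):
        print(n, check_request(build_sample(n)))
```

Feeding it the raw bytes of a failing request from a proxy or packet capture shows whether the header block is near the connector's limit and which header accounts for most of it.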

 
