02-28-2017 09:29 AM
Hi,
I have configured Kerberos authentication on Alfresco 5.1 according to the manual "Configuring Kerberos against Active Directory | Alfresco Documentation", and authentication works fine against Windows AD. But I have to enter the credentials manually. When I open any browser as a domain user, the browser does not send any Kerberos communication (in Wireshark) and the server always returns the header
WWW-Authenticate: Basic realm="Alfresco"
instead of
WWW-Authenticate:Negotiate
which I would expect.
The behaviour is the same for the URLs http://server.mydomain.local:8080/alfresco/s/enterprise/admin and http://server.mydomain.local:8080/share;
only in the first case it is a browser dialog and in the second case an HTML dialog. Both work manually but neither works automatically.
I am trying it from a different Windows server than the one where the Tomcat application server runs (on Windows in the domain). I have the site in the Intranet zone in IE with automatic login checked, and I tried the described configuration in FF, but there is still no communication with Kerberos at all. There are no errors about problems with authentication; there is nothing. Could you please advise what else I can check? I believe that the keytabs and Kerberos settings are correct, since I can authenticate a user manually.
This is what I have in alfresco-global.properties
authentication.chain=kerberos1:kerberos,alfrescoNtlm1:alfrescoNtlm
### Kerberos properties ###
ntlm.authentication.sso.enabled=false
kerberos.authentication.sso.enabled=true
kerberos.authentication.defaultAdministratorUserNames=admin
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.cifs.password=mypass
kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.http.password=mypass
kerberos.authentication.authenticateCIFS=true
kerberos.authentication.realm=MYDOMAIN.LOCAL
kerberos.authentication.stripUsernameSuffix=true
kerberos.authentication.browser.ticketLogons=true
kerberos.authentication.sso.fallback.enabled=false
03-01-2017 05:07 AM
I found out something new about this issue.
When I first open http://server.mydomain.local:8080/alfresco/api, I am logged in with SSO, and within the same browser session I can log in to http://server.mydomain.local:8080/alfresco/s/enterprise/admin without a password.
When I first open http://server.mydomain.local:8080/alfresco/webdav, I am logged in with SSO, and within the same browser session I cannot log in to http://server.mydomain.local:8080/alfresco/s/enterprise/admin without a password; I get an error.
So in the second scenario, even though I am logged in the same way, the ticket is somehow different. The first scenario is almost as expected, but opening the api page first is a step I do not want.
Please, can anybody explain this?
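
An added example, not part of the original posts and not Alfresco code: a small Python parser that takes captured response headers and reports which authentication schemes each endpoint offers, which is the Basic-versus-Negotiate check described in the first post. The `/constructed/...` paths, the sample captures and all function names are assumptions made for illustration.

```python
import re

TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
SPLIT_RE = re.compile(rf'(?:[^,"]|{QUOTED})+')            # pieces between commas outside quotes
PARAM_RE = re.compile(rf'^({TOKEN})\s*=\s*({QUOTED}|{TOKEN})$')   # e.g. realm="Alfresco"
CHALLENGE_RE = re.compile(rf"^({TOKEN})(?:\s+(.*))?$")    # e.g. Negotiate / Basic realm="x"

def parse_challenges(raw_headers):
    """Return [(scheme, params)] for every WWW-Authenticate line in a raw header block."""
    challenges = []
    for line in raw_headers.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() != "www-authenticate":
            continue
        for piece in (p.strip() for p in SPLIT_RE.findall(value)):
            param = PARAM_RE.match(piece)
            if param and challenges:      # bare key=value continues the previous challenge
                challenges[-1][1][param.group(1).lower()] = param.group(2).strip('"')
                continue
            start = CHALLENGE_RE.match(piece)
            if start:                     # a scheme name opens a new challenge
                first = PARAM_RE.match(start.group(2) or "")
                params = {first.group(1).lower(): first.group(2).strip('"')} if first else {}
                challenges.append((start.group(1).lower(), params))
    return challenges

def sso_status(raw_headers):
    """Classify one captured response by the authentication schemes it offers."""
    schemes = {scheme for scheme, _ in parse_challenges(raw_headers)}
    if "negotiate" in schemes:
        return "negotiate-offered"
    if not schemes:
        return "no-challenge"
    return "basic-only" if schemes == {"basic"} else "other"

# Constructed captures; only the Basic challenge on the admin URL is quoted in the post.
CAPTURES = {
    "/alfresco/s/enterprise/admin": 'HTTP/1.1 401\r\nWWW-Authenticate: Basic realm="Alfresco"\r\n',
    "/constructed/sso": "HTTP/1.1 401\r\nWWW-Authenticate:Negotiate\r\n",
    "/constructed/both": 'HTTP/1.1 401\r\nWWW-Authenticate: Negotiate, Basic realm="Alfresco, intranet"\r\n',
}

if __name__ == "__main__":
    for path, raw in CAPTURES.items():
        print(f"{path:32} {sso_status(raw)}")
```
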