Hi,
I've been trying to get a definitive answer on what security zones the Repository Server needs to be in to get SSO to work for Alfresco Office Services (AOS).
What we have to play with:
Local Intranet Zone - Here is where you normally put the repo server for SSO to work.
Trusted Sites - Here is where you need to put the repo server if you want to avoid the nagging warning message when opening an office file from Share.
Trusted sites, however, does not have "forward credentials" by default, and this is not something you can set for an individual site, and the Sysadmin in this case does not want to change that for all.
Some say that the server should be in both zones, such as this for Office365
https://www.tuomi.ca/2015/04/09/office-365-internet-explorer-security-settings-the-final-frontier/
I have also found this to avoid getting randomly prompted for credentials.
SharePoint prompting for password when saving word document
My problem is that whatever combination of adding Alfresco servers in different zones I've tested, it either warns or prompts for credentials when opening an office file.
So what combination of putting Alfresco servers in Security Zones have you used to get this working?
It may be a bit late but I never had any issues when adding the site to the "Trusted Site" configuration in IE. That worked both with SSO and non-SSO use cases to suppress the "you are about to open" warning and for SSO to actually use the Windows integrated authentication. This has worked on Windows 7 and 10, IE 10+ or Edge, using either passthru or kerberos SSO mechanisms - for various customers with both AOS integrated in Enterprise 5.0 (before it was even called AOS) and AOS on 5.1.g (201705 + AOS 1.1.3)
Sorry to bring this back but I came across this post when revisiting the issue of SSO with the forthcoming Chromium-based Edge. We have our repository in the "Trusted Site" zone in IE which has always allowed for automatic sign-in with IE and Chrome on any version of Windows (we have Kerberos SSO enabled). Automatic sign-in has never worked for us in Edge and does not appear to work in the Chromium Edge beta unless you put the repository in the "Intranet Site" zone but doing that will cause warnings in Office when using AOS. The Microsoft forum posts or KB articles that I read seemed to say that Edge doesn't respect the zone settings and will not forward credentials unless it is in the intranet zone.
So I guess my basic question is this, is it possible to have Kerberos SSO automatic sign-in with Edge (or Chromium Edge) without Microsoft Office warnings when using AOS? If so, which security zone is used?
Thanks,
Neil
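
When comparing behaviour across client machines, it helps to see which zone Windows actually resolves the repository URL to and what logon setting that zone carries. The script below is an added example, not code from any poster in this thread or from Alfresco. It assumes Windows PowerShell 5.1; the URL is a constructed placeholder and the registry lookup order is a simplified view of how policy settings override per-user ones.

```powershell
# Added example: report the security zone a URL maps to and that zone's logon setting.
# Assumptions: Windows PowerShell 5.1; the default URL is a constructed placeholder.
param([string]$Url = 'https://alfresco.example.com/alfresco/aos')

# Zone names as returned by .NET, mapped to the numeric zone ids used in the registry.
$zoneIds = @{ MyComputer = 0; Intranet = 1; Trusted = 2; Internet = 3; Untrusted = 4 }

# Meaning of setting 1A00 ("User Authentication > Logon") in the zone's security settings.
$logonModes = @{
    0x00000 = 'Automatic logon with current user name and password'
    0x10000 = 'Prompt for user name and password'
    0x20000 = 'Automatic logon only in Intranet zone'
    0x30000 = 'Anonymous logon'
}

# Resolve the URL to a zone using the .NET Framework zone mapper.
$zoneName = [System.Security.Policy.Zone]::CreateFromUrl($Url).SecurityZone.ToString()
$zoneId   = $zoneIds[$zoneName]

# Look for 1A00 in policy hives first, then per-user, then machine defaults (simplified order).
$suffix = "Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zoneId"
$paths  = @(
    "HKLM:\SOFTWARE\Policies\$suffix",
    "HKCU:\SOFTWARE\Policies\$suffix",
    "HKCU:\SOFTWARE\$suffix",
    "HKLM:\SOFTWARE\$suffix"
)
$source = $null
$raw    = $null
foreach ($path in $paths) {
    $item = Get-ItemProperty -Path $path -Name '1A00' -ErrorAction SilentlyContinue
    if ($null -ne $item) { $source = $path; $raw = [int]$item.'1A00'; break }
}

# A value outside the table is reported as-is rather than guessed at.
$logon = if ($null -eq $raw) { 'Not set in any checked location' }
         elseif ($logonModes.ContainsKey($raw)) { $logonModes[$raw] }
         else { 'Unrecognised value 0x{0:X}' -f $raw }

[pscustomobject]@{
    Url          = $Url
    Zone         = "$zoneName ($zoneId)"
    LogonSetting = $logon
    ReadFrom     = $source
}
```

Running it as the affected user on a machine where SSO works and on one where it prompts shows whether the difference is the zone assignment or the zone's logon setting.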