Kerberos SSO - browser do not send krb ticket

cancel
Showing results for 
Search instead for 
Did you mean: 
mcraj
Member II

Kerberos SSO - browser do not send krb ticket

Hi,

I have configured Kerberos authentication on Alfresco 5.1 according to this manual Configuring Kerberos against Active Directory | Alfresco Documentation and authentication works fine againt Windows AD. But I have to write the credentials manually. When I open any browser as a domain user the browser will not send any kerberos communication (in wireshark) and always return header 

WWW-Authenticate: Basic realm="Alfresco"

instead of 

WWW-Authenticate:Negotiate

which I would expect.

Same behaviour is for URLs http://server.mydomain.local:8080/alfresco/s/enterprise/admin and http://server.mydomain.local:8080/share

only in first case it is browser dialog and in second case HTML dialog. Both are manully working but neither automatically.

I am trying it from different Windows server than where Tomcat application server is (on Windows in domain) and I have site in IE in Intranet zone, checked automatically login, tried described configuration in FF but still no communication with kerberos at all. There are no errors about problems with authentication, there is nothing. Could you please advise what else I can check? I believe that keytabs and kerberos setting is correct when I can authenticate user manually.

This is what I have in alfresco-global.properties
authentication.chain=kerberos1:kerberos,alfrescoNtlm1:alfrescoNtlm

### Kerberos properties ###
ntlm.authentication.sso.enabled=false
kerberos.authentication.sso.enabled=true
kerberos.authentication.defaultAdministratorUserNames=admin
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.cifs.password=mypass
kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.http.password=mypass
kerberos.authentication.authenticateCIFS=true
kerberos.authentication.realm=MYDOMAIN.LOCAL
kerberos.authentication.stripUsernameSuffix=true
kerberos.authentication.browser.ticketLogons=true
kerberos.authentication.sso.fallback.enabled=false

1 Reply
mcraj
Member II

Re: Kerberos SSO - browser do not send krb ticket

I found out some news about this issue.

When I open first http://server.mydomain.local:8080/alfresco/api then I am logged in with SSO and within the same session in browser I can log in to http://server.mydomain.local:8080/alfresco/s/enterprise/admin without password. 

When I open first http://server.mydomain.local:8080/alfresco/webdav then i am logged in with SSO and within the same session in browser I cannot log in to http://server.mydomain.local:8080/alfresco/s/enterprise/admin without password with error.

So in second scenario even when I am logged in the same way the ticket is somehow different. In first scenario it is almost as expected but the first opening of api page is step I do not want.

Please, can anybody explain this?