AnsweredAssumed Answered

Manual prompted logon fails after enabling kerberos sso and kerberos sso failing for share.

Question asked by joopmartens on Jul 29, 2015
Hi,

I'm currently setting up Alfresco Community 5.0.d and followed the guide at http://docs.alfresco.com/community/concepts/auth-kerberos-intro.html to configure Kerberos authentication towards a windows server 2012 r2 AD.

I have everything including sso working except the following 2 issues:

1. With kerberos.authentication.sso.enabled=true an (external) user without a client that is able to do sso is unable to authenticate to the sharepoint services. The user receives an (basic) authentication window to enter credentials but after submitting the username and password the same authentication window appears again.

Every time the username/password is submitted the following message is logged:
DEBUG [org.alfresco.module.vti.web.VtiFilter] No authentication details found, requesting they authenticate

Mind that kerberos sso works perfectly towards Sharepoint with an sso enabled client (Windows domain member)
I did find hints regarding basic authentication registry settings for the windows webclient service and office but these won't fix my problem.

As soon as I set kerberos.authentication.sso.enabled=false the issue is solved.
Users receive a (basic) authentication window and submitting the username/password simply works.

Remarkable is that with sso enabled the authentication windows only shows: Connecting to sharepoint.xxx.com and with sso disabled it shows: The server sharepoint.xxx.com is asking for your username and password. The server reports that it is from Alfresco Server.

Is there any way that Kerberos SSO can work together with non sso clients who need to manually logon?
What is causing this difference in manual authentication and how can this be resolved?



2. With Kerberos SSO enabled everything is working just fine with the exception of issue 1 and that SSO for Share is not working.

I have carefully followed the guide http://docs.alfresco.com/4.0/tasks/auth-kerberos-shareSSO.html.
SSO for CIFS and Sharepoint works like a charm but Share just always prompts for a username and password.
Browsing to sharepoint.xxx.com shows the "This is the Alfresco SharePoint Module" page without the need to logon. This proves that SSO is working and that the client/browser settings are fine.

I have enabled debugging for Kerberos but this does not provide any output when I logon to Share.

Any idea how I can fix this?

PS. Manual logon to share using the logon page works perfectly with both kerberos.authentication.sso.enabled enabled and disabled.

Thanks in advance for any help.














Outcomes