
Kerberos SSO - browser does not send krb ticket

Question asked by mcraj on Feb 28, 2017
Latest reply on Mar 1, 2017 by mcraj

Hi,

I have configured Kerberos authentication on Alfresco 5.1 according to the manual "Configuring Kerberos against Active Directory | Alfresco Documentation", and authentication works fine against Windows AD. But I have to write the credentials manually. When I open any browser as a domain user, the browser does not send any Kerberos communication (in Wireshark), and the header returned is always

WWW-Authenticate: Basic realm="Alfresco"

instead of 

WWW-Authenticate:Negotiate

which I would expect.

The behaviour is the same for the URLs http://server.mydomain.local:8080/alfresco/s/enterprise/admin and http://server.mydomain.local:8080/share; only in the first case it is a browser dialog and in the second case an HTML dialog. Both work manually, but neither works automatically.

I am trying it from a different Windows server than the one where the Tomcat application server is (on Windows, in the domain). I have the site in the Intranet zone in IE with automatic login checked, and I tried the described configuration in FF, but there is still no communication with Kerberos at all. There are no errors about problems with authentication; there is nothing. Could you please advise what else I can check? I believe that the keytabs and Kerberos settings are correct, since I can authenticate the user manually.

This is what I have in alfresco-global.properties:
authentication.chain=kerberos1:kerberos,alfrescoNtlm1:alfrescoNtlm

### Kerberos properties ###
ntlm.authentication.sso.enabled=false
kerberos.authentication.sso.enabled=true
kerberos.authentication.defaultAdministratorUserNames=admin
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.cifs.password=mypass
kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.http.password=mypass
kerberos.authentication.authenticateCIFS=true
kerberos.authentication.realm=MYDOMAIN.LOCAL
kerberos.authentication.stripUsernameSuffix=true
kerberos.authentication.browser.ticketLogons=true
kerberos.authentication.sso.fallback.enabled=false
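
An added example (not part of the original post, and not Alfresco code) for reading a capture like the one described: under HTTP Negotiate (RFC 4559) a browser sends a ticket only in reply to a 401 that carries `WWW-Authenticate: Negotiate`, so the code first checks which schemes the server offered and then classifies any token the browser did send as GSS-API framed (SPNEGO/Kerberos) or raw NTLM. The function names and sample tokens are constructed for illustration, and one challenge per header line is assumed.

```python
import base64

NTLMSSP = b"NTLMSSP\x00"  # signature that opens every NTLM message

def offered_schemes(www_authenticate_values):
    """Lower-cased scheme of each WWW-Authenticate header line.
    Simplification (assumption): one challenge per header line."""
    return [v.split(None, 1)[0].lower() for v in www_authenticate_values if v.strip()]

def diagnose(status, www_authenticate_values):
    """Say whether a response invites SPNEGO at all."""
    if status != 401:
        return "no-challenge"
    if "negotiate" in offered_schemes(www_authenticate_values):
        return "negotiate-offered"
    # Without a Negotiate challenge the browser has nothing to answer with a ticket.
    return "negotiate-not-offered"

def classify_token(authorization_value):
    """Classify what the browser put in its Authorization header."""
    scheme, _, blob = authorization_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return scheme.lower() or "none"
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except ValueError:
        return "negotiate-malformed"
    if raw.startswith(NTLMSSP):
        return "negotiate-ntlm"
    if raw[:1] == b"\x60":  # ASN.1 [APPLICATION 0]: GSS-API initial token
        return "negotiate-gssapi"
    return "negotiate-unknown"

# Constructed samples (token bodies are dummy bytes, not real tickets).
SAMPLE_GSSAPI = "Negotiate " + base64.b64encode(b"\x60\x82\x01\x00dummy").decode()
SAMPLE_NTLM = "Negotiate " + base64.b64encode(NTLMSSP + b"\x01\x00\x00\x00").decode()

if __name__ == "__main__":
    # Header values as quoted in the post, then the expected Negotiate case.
    print(diagnose(401, ['Basic realm="Alfresco"']))
    print(diagnose(401, ["Negotiate", 'Basic realm="Alfresco"']))
    print(classify_token(SAMPLE_GSSAPI), classify_token(SAMPLE_NTLM))
```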
