Authentication for edit-from-my-PC

    #1 aclassen (GoFAST Enterprise user) wrote:

    I am wondering about the connection between SSO, LDAP, passwords and GoFAST or edit-from-my-PC.
    We have an LDAP from which user information is fetched, and an SSO (potentially with 2fa). We authenticate against the SSO.

    Now we may have a specific situation in that the LDAP is not the main source for the SSO user directory. (Synchronisation setup is a different topic which is on our side, let us just say we use the LDAP as a list of valid users and source of userlists, and all authentication is done against SSO). The main point is that passwords may differ between LDAP and SSO, if the SSO account has a changed password and the LDAP not.

    SSO and user information are fine and work together. We log in to GoFAST and do all kinds of things. But for edit-from-my-PC, I need to provide a different username/password, and I found I sometimes need to use an old password, and sometimes I cannot make it work at all.
    My questions:

    • Am I right that the edit-from-my-PC ignores the SSO?
    • If yes, does it try to connect to LDAP on the fly at the moment of the start of the service? Or is there some other mechanism?
    • What may make the service block (bearing in mind that this has worked for a long time and now stopped working?)
      #2 cpotter (ADMIN) wrote:

      Dear @aclassen,

      Am I right that the edit-from-my-PC ignores the SSO?

      To our knowledge, yes, SSO is ignored by MS-Office, unless perhaps your SSO also creates a Kerberos ticket (Windows' own SSO); see: https://www.keycloak.org/docs/6.0/server_admin/#_kerberos

      If yes, does it try to connect to LDAP on the fly at the moment of the start of the service? Or is there some other mechanism?

      The usual behavior is that MS-Office requests a webdav authorization to Alfresco with the GoFAST login and password. This password can be the GoFAST password or the LDAP/AD password if authentication/delegation is in place (SASL). Keep in mind that in MS-Office 2016 and newer versions, Office "remembers" the login/password and the authentication popup is not displayed at each document open.

      What may make the service block (bearing in mind that this has worked for a long time and now stopped working?)

      Can you explain what you mean by "service blocks"?

      Thank you,

      Christopher Potter
      Fondateur & Président / Founder & President,
      CEO-Vision S.A.S

        #3 aclassen (GoFAST Enterprise user) wrote:

        @cpotter
        Thank you! Indeed, that is helpful already; so the webdav authentication would be against whatever is the valid auth provider in GoFAST, which would be the LDAP.

        "What makes the service block"... What I mean: On my laptop with Office 2016 I got the webdav auth request displayed, and after some trial and error I managed to log in using the former password (not valid anymore in any instance but in the special LDAP instance used by GoFAST). OK.
        On the VM at the office that still has Office 2010, no password, neither old nor new, works on the same webdav auth form; that is what I meant by blocking.

        I had used the same many, many times during the last few weeks without being asked for the username/password, and without problem (one of the reasons why I was so puzzled when it stopped working). I now think that somehow until last week, the webdav auth might have been still valid without special check, and the system did not ask. With the latest restart and updates last week, that may have been the point when it stopped, as somehow something does not fit anymore.

        I have no idea why it now works with the old password on the laptop but not on the VM. Ideas are welcome, but not very important; I need to have the configurations between LDAP and keycloak synched.

          #4 jlemangarin (ADMIN SUPPORT-PROD DEV) wrote:

          Hello @aclassen,

          We made a security fix recently (3.8.0 Hotfix 6) that may be the cause of your issue.

          Could you try to open a document with another computer running Office 2010 if you are able?

          Also, could you send me the error message(s) you get?

          Thanks in advance for your help!

          Best,

          LEMAN-GARIN Jérôme - CEO-Vision IT
          jerome.leman@ceo-vision.com
          Alliance - Porte A, 178 rue des Frères Lumière 74160 Archamps Technopole, FRANCE
          +33 (0) 811 693 111 and from abroad +33 (0) 972 236 057
          https://www.ceo-vision.com

            #5 aclassen (GoFAST Enterprise user) wrote:

            I tested now with a different user (who kept the same password as weeks ago), on the same machine with Office 2010 and on a second machine with Office 2010. It is indeed the same problem, so it is not anything about a changed password.
            Error message: Well, there is no obvious error message. Word is being opened, with the Alfresco ticket being downloaded 0%, and the Windows security dialogue opens again and again and asks for the password.

            [Attached screenshot: 20200908login2a.jpg]

            There is no explicit error message that I can find. In the event viewer, the information is just
            "Microsoft Word
            Could not open 'https://servername/TICKET_925c048779dcc2c50f70df835ac8853e09a9b70d/alfresco/webdav/Sites/_Path-to-doc/doc.docx'.
            700468
            14.0.7015.1000
            wdhx
            0x80070002 "

              #6 jlemangarin (ADMIN SUPPORT-PROD DEV) wrote:

              Hello @aclassen,

              Thank you for your help! Yes, it seems to be related to the deactivation of these unsecured cyphers:

              • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 128
              • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 128
              • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 256
              • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 256

              Do you know when the Office 2010 workstations will be updated? I think it should be soon because the EOL of Office 2010 is next month.

              Thanks in advance!

              Best,

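An added example, not part of the original thread or of GoFAST's code: a Python check that expands an OpenSSL-style cipher string with the local OpenSSL build and reports which of the four CBC suites listed in the post above it enables, so an exception like the one discussed here can be confirmed as active or removed. The cipher strings are constructed samples, and it is an assumption that the server's TLS front end takes OpenSSL cipher-string syntax.

```python
import ssl

# IANA code points of the four CBC suites listed in the post above,
# mapped to the names used there.
CBC_SUITES = {
    0xC027: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
}


def enabled_cbc_suites(cipher_string):
    """Return the listed CBC suites that an OpenSSL cipher string enables.

    The string is expanded by the local OpenSSL build, so aliases and
    exclusions are resolved the same way a server linked to it would.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # OpenSSL reports ids as 0x0300XXXX; the low 16 bits are the IANA value.
    codes = {c["id"] & 0xFFFF for c in ctx.get_ciphers()}
    return sorted(name for code, name in CBC_SUITES.items() if code in codes)


# Constructed cipher strings (assumptions), not taken from any GoFAST
# configuration.
HARDENED = "ECDHE+AESGCM:ECDHE+CHACHA20"
LEGACY_EXCEPTION = HARDENED + (
    ":ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA"
    ":ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA"
)

if __name__ == "__main__":
    for label, value in (("hardened", HARDENED),
                         ("legacy exception", LEGACY_EXCEPTION)):
        found = enabled_cbc_suites(value)
        print(f"{label}: {len(found)} CBC suite(s) enabled")
        for name in found:
            print(f"  {name}")
```
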
                #7 aclassen (GoFAST Enterprise user) wrote:

                Well, we won't manage before the end of the year, it seems.
                Thanks for the clarification!

                  #8 cpotter (ADMIN) wrote:

                  Dear @aclassen, please have this in mind when you take the decision: https://community.ceo-vision.com/topic/406/end-of-life-ms-office-2010-and-opportunities

                    #9 aclassen (GoFAST Enterprise user) wrote:

                    @cpotter Yes, I've seen that post already. Not for me to decide...

                      #10 jlemangarin (ADMIN SUPPORT-PROD DEV) wrote:

                      Hello @aclassen,

                      Could you give me the permission to temporarily enable these cyphers again to check if this is the cause of the issue?

                      Even if we don't recommend that, we may be able to re-enable these cyphers, keeping your support licensing active with a signed agreement, while waiting for the Office 2010 update.

                      Best regards,

                        #11 aclassen (GoFAST Enterprise user) wrote:

                        Yes please

                          #12 jlemangarin (ADMIN SUPPORT-PROD DEV) wrote:

                          That's done! 🙂

                            #13 aclassen (GoFAST Enterprise user) wrote:

                            And the edit-from-my-PC works again with Office 2010.
                            I'm asking my colleagues about the exception

                              #14 jlemangarin (ADMIN SUPPORT-PROD DEV) wrote:

                              Thanks for the update!

                              Please tell me if you want to make this configuration permanent so I'll prepare an agreement for us.

                              Best!

                                #15 aclassen (GoFAST Enterprise user) wrote:

                                Yes, we'd like to have this permanent... for the time being, so as not to stop users from experimenting with it.
