Alfresco, Kerberos and Office 2016 credential pop-ups

How to make Alfresco SSO through Apache cooperate with Microsoft Office 2016: Turn off modern authentication.

I recently had some difficulty getting Microsoft Word 2016 to cooperate with Alfresco (5.2 Community Edition) using Single Sign On through an Apache reverse proxy (external authentication, Kerberos, mod_auth_kerb version 5.4-2.3 on Debian). The setup works quite well (once you configure the client side using GPO).

However, we now wanted to activate Alfresco Office Services. This lets you edit an Office document without downloading it first and is quite a handy feature. Our support partner had this working using MS Office 2013. With Office 2016, single sign-on did not work; we were always asked for credentials. Apart from that, we could edit documents online. A search brought up KB 2019105 and KB 943280. We had already correctly configured AuthForwardServerList.

I noticed that the problem was not really Alfresco related, since in Word 2016 I could open the front page of our intranet (running on IIS) with working SSO (just paste the URL in the browse dialog). On Apache I could open info.php with SSO using IE, Firefox and Chrome. But Word 2016 would ask for credentials. I used mod_dumpio to see what Word was doing (until then I had only seen the 401 Authorization Required in the logs). This is what Word was doing:

dumpio_in [getline-blocking] 0 readbytes
dumpio_in (data-TRANSIENT): 29 bytes
dumpio_in (data-TRANSIENT): OPTIONS /info.php/ HTTP/1.1\r\n
dumpio_in [getline-blocking] 0 readbytes
dumpio_in (data-TRANSIENT): 24 bytes
dumpio_in (data-TRANSIENT): Connection: Keep-Alive\r\n 
dumpio_in [getline-blocking] 0 readbytes
dumpio_in (data-TRANSIENT): 23 bytes
dumpio_in (data-TRANSIENT): Authorization: Bearer\r\n
dumpio_in [getline-blocking] 0 readbytes
dumpio_in (data-TRANSIENT): 68 bytes
dumpio_in (data-TRANSIENT): User-Agent: Microsoft Office Word 2014 (16.0.4639) Windows NT 10.0\r\n
dumpio_in [getline-blocking] 0 readbytes
dumpio_in (data-TRANSIENT): 28 bytes
dumpio_in (data-TRANSIENT): X-Office-Major-Version: 16\r\n
dumpio_in [getline-blocking] 0 readbytes
dumpio_in (data-TRANSIENT): 29 bytes
dumpio_in (data-TRANSIENT): X-MS-CookieUri-Requested: t\r\n
dumpio_in [getline-blocking] 0 readbytes
dumpio_in (data-TRANSIENT): 21 bytes
dumpio_in (data-TRANSIENT): X-FeatureVersion: 1\r\n
dumpio_in [getline-blocking] 0 readbytes
dumpio_in (data-TRANSIENT): 18 bytes
dumpio_in (data-TRANSIENT): X-MSGETWEBURL: t\r\n
dumpio_in [getline-blocking] 0 readbytes
dumpio_in (data-TRANSIENT): 21 bytes
dumpio_in (data-TRANSIENT): X-IDCRL_ACCEPTED: t\r\n
dumpio_in [getline-blocking] 0 readbytes
dumpio_in (data-TRANSIENT): 35 bytes
dumpio_in (data-TRANSIENT): Host: my-alfresco.examplehost.com\r\n
dumpio_in [getline-blocking] 0 readbytes
dumpio_in (data-TRANSIENT): 2 bytes
dumpio_in (data-TRANSIENT): \r\n

Notice the Authorization: Bearer. This is part of what MS calls modern authentication. In Office 2013 it was still optional. In Office 2016 it became the default. This could be the problem. You can turn it off by setting the registry entry EnableADAL to 0.

reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Identity /v EnableADAL /t REG_DWORD /d 0

Et voilà, Word 2016 can open info.php with SSO:

dumpio_in - 70007
dumpio_in [init-blocking] 0 readbytes
dumpio_in [getline-blocking] 0 readbytes
dumpio_in (data-TRANSIENT): 29 bytes
dumpio_in (data-TRANSIENT): OPTIONS /info.php/ HTTP/1.1\r\n
dumpio_in [getline-blocking] 0 readbytes
dumpio_in (data-TRANSIENT): 24 bytes
dumpio_in (data-TRANSIENT): Connection: Keep-Alive\r\n 
dumpio_in [getline-blocking] 0 readbytes
dumpio_in (data-TRANSIENT): 68 bytes
dumpio_in (data-TRANSIENT): User-Agent: Microsoft Office Word 2014 (16.0.4639) Windows NT 10.0\r\n
dumpio_in [getline-blocking] 0 readbytes
dumpio_in (data-TRANSIENT): 28 bytes
dumpio_in (data-TRANSIENT): X-Office-Major-Version: 16\r\n
dumpio_in [getline-blocking] 0 readbytes
dumpio_in (data-TRANSIENT): 18 bytes
dumpio_in (data-TRANSIENT): X-MSGETWEBURL: t\r\n
dumpio_in [getline-blocking] 0 readbytes
dumpio_in (data-TRANSIENT): 21 bytes
dumpio_in (data-TRANSIENT): X-IDCRL_ACCEPTED: t\r\n
dumpio_in [getline-blocking] 0 readbytes
dumpio_in (data-TRANSIENT): 35 bytes
dumpio_in (data-TRANSIENT): Host: my-alfresco.examplehost.com\r\n
dumpio_in [getline-blocking] 0 readbytes
dumpio_in (data-TRANSIENT): 2 bytes
dumpio_in (data-TRANSIENT): \r\n
dumpio_in [speculative-nonblocking] 1 readbytes
dumpio_in - 11
dumpio_in [getline-blocking] 0 readbytes
dumpio_in (data-TRANSIENT): 29 bytes
dumpio_in (data-TRANSIENT): OPTIONS /info.php/ HTTP/1.1\r\n
dumpio_in [getline-blocking] 0 readbytes
dumpio_in (data-TRANSIENT): 24 bytes
dumpio_in (data-TRANSIENT): Connection: Keep-Alive\r\n 
dumpio_in [getline-blocking] 0 readbytes
dumpio_in (data-TRANSIENT): 68 bytes
dumpio_in (data-TRANSIENT): User-Agent: Microsoft Office Word 2014 (16.0.4639) Windows NT 10.0\r\n
dumpio_in [getline-blocking] 0 readbytes
dumpio_in (data-TRANSIENT): 28 bytes
dumpio_in (data-TRANSIENT): X-Office-Major-Version: 16\r\n
dumpio_in [getline-blocking] 0 readbytes
dumpio_in (data-TRANSIENT): 18 bytes
dumpio_in (data-TRANSIENT): X-MSGETWEBURL: t\r\n
dumpio_in [getline-blocking] 0 readbytes
dumpio_in (data-TRANSIENT): 21 bytes
dumpio_in (data-TRANSIENT): X-IDCRL_ACCEPTED: t\r\n
dumpio_in [getline-blocking] 0 readbytes
dumpio_in (data-TRANSIENT): 35 bytes
dumpio_in (data-TRANSIENT): Host: my-alfresco.examplehost.com\r\n
dumpio_in [getline-blocking] 0 readbytes
dumpio_in (data-TRANSIENT): 5947 bytes
dumpio_in (data-TRANSIENT): Authorization: Negotiate YIIRVA.....

Note the Kerberos header Authorization: Negotiate YIIRVA….. at the end.
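
Added example, not from the original post: a small Python parser that rebuilds the requests from mod_dumpio input lines like the two traces above and labels what each one carries in its Authorization header. The function names and the `TlRMTVNTUA` prefix check for NTLM inside Negotiate are this example's own, and the sample log is constructed by abridging the traces above.

```python
import re

DATA = re.compile(r"dumpio_in \(data-[A-Z]+\): (.*)$")
REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/\d\.\d$")

def parse_requests(log_text):
    """Rebuild requests (request line + headers) from mod_dumpio input lines."""
    requests, current = [], None
    for raw in log_text.splitlines():
        m = DATA.search(raw.rstrip())
        if not m or re.fullmatch(r"\d+ bytes", m.group(1)):
            continue  # read-mode and byte-count lines carry no payload
        text = re.sub(r"\\r\\n$", "", m.group(1))  # CRLF is logged escaped
        if REQUEST_LINE.match(text):
            current = {"line": text, "headers": {}}
            requests.append(current)
        elif not text:
            current = None  # blank line ends the header block
        elif current is not None:
            name, _, value = text.partition(":")
            current["headers"][name.strip().lower()] = value.strip()
    return requests

def classify(request):
    """Label the Authorization header the client sent, if any."""
    value = request["headers"].get("authorization")
    if value is None:
        return "anonymous"
    scheme, _, token = value.partition(" ")
    if scheme.lower() == "bearer" and not token:
        return "bearer-probe"  # empty Bearer, as in the first trace
    if scheme.lower() == "negotiate":
        # Assumption of this example: NTLM wrapped in Negotiate starts with
        # base64("NTLMSSP"); anything else is treated as a GSS-API/SPNEGO token.
        return "negotiate-ntlm" if token.startswith("TlRMTVNTUA") else "negotiate-gssapi"
    return scheme.lower()

def summarize(log_text):
    return [(r["line"], classify(r)) for r in parse_requests(log_text)]

# Constructed sample, abridged from the traces above (token truncated as on the page).
SAMPLE = r"""
dumpio_in (data-TRANSIENT): 29 bytes
dumpio_in (data-TRANSIENT): OPTIONS /info.php/ HTTP/1.1\r\n
dumpio_in (data-TRANSIENT): Authorization: Bearer\r\n
dumpio_in (data-TRANSIENT): \r\n
dumpio_in (data-TRANSIENT): OPTIONS /info.php/ HTTP/1.1\r\n
dumpio_in (data-TRANSIENT): \r\n
dumpio_in (data-TRANSIENT): OPTIONS /info.php/ HTTP/1.1\r\n
dumpio_in (data-TRANSIENT): Authorization: Negotiate YIIRVA....."""
```

Running `summarize()` over a real error log shows at a glance whether a client is still sending the empty Bearer header or has moved on to the anonymous request followed by the Negotiate retry.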

After that, Alfresco online-edit worked like a charm with Office 2016.
