[Occurrence condition]
It occurs when using Kerberos authentication.
[Cause]
Internet Explorer (IE) fails Kerberos authentication.
[Workaround]
First, configure Internet Information Services (IIS) to return static content.
This setting is required when using integrated Windows authentication. Refer to the following URL to configure it.
・ When HTTP 401 occurs only for specific URLs, such as the IM-Workflow application screen or workflowOpenPage
Identify the request (URL) that returns HTTP 401 using the request log, the browser developer tools, or similar.
For example, if the URL where the 401 occurs is "/im_workflow/common/session_timeout_check/session_timeout_check", create the file WEB-INF/conf/im-sso-windows-path-config/{any file name}.xml and add <path regex="false">/im_workflow/common/session_timeout_check/session_timeout_check</path> under the <no-authentication> tag.
Likewise, if the URL "/im(5f)workflow(2f)common(2f)session(5f)timeout(5f)check(2f)session(5f)timeout(5f)check.jssps" returns 401, also add <path regex="false">/im(5f)workflow(2f)common(2f)session(5f)timeout(5f)check(2f)session(5f)timeout(5f)check.jssps</path> under the <no-authentication> tag. For a configuration example, refer to the attached im-sso-windows-path-config_disable_auth.xml. If other requests also return 401, add a <path> tag for each of those URLs as well. URLs added to this file are no longer subject to integrated Windows authentication and are handled by normal Accel Platform authentication instead.
For information about im-sso-windows-path-config, see integrated Windows authentication path settings.
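The following added example (not part of the original FAQ or the product) shows one way to pick candidate URLs out of a request log and render the <path> entries described above. A 401 that is later followed by a success on the same URL is the normal integrated Windows authentication challenge, so only URLs that never return anything but 401 are reported. The log layout and all function names are assumptions.

```python
from collections import defaultdict
from xml.sax.saxutils import escape

# Constructed sample request log. The "client method url status" layout is an
# assumption; adapt parse_line() to the format of the real request log.
SAMPLE_LOG = """\
10.0.0.5 GET /home 401
10.0.0.5 GET /home 401
10.0.0.5 GET /home 200
10.0.0.5 POST /im_workflow/common/session_timeout_check/session_timeout_check 401
10.0.0.5 POST /im_workflow/common/session_timeout_check/session_timeout_check 401
10.0.0.7 GET /home 401
10.0.0.7 GET /home 200
10.0.0.7 POST /im_workflow/common/session_timeout_check/session_timeout_check 401
"""


def parse_line(line):
    """Split one log line into (client, url without query string, status)."""
    client, _method, url, status = line.split()
    return client, url.split("?", 1)[0], int(status)


def persistent_401_urls(log_text):
    """Return URLs whose only observed status is 401.

    URLs that answer 401 and then succeed are completing the usual
    challenge/response round trip and are left out.
    """
    statuses = defaultdict(set)
    for line in log_text.splitlines():
        if line.strip():
            _client, url, status = parse_line(line)
            statuses[url].add(status)
    return sorted(url for url, seen in statuses.items() if seen == {401})


def path_entries(urls):
    """Render <path> elements to place under the <no-authentication> tag."""
    return [f'<path regex="false">{escape(url)}</path>' for url in urls]


if __name__ == "__main__":
    for entry in path_entries(persistent_401_urls(SAMPLE_LOG)):
        print(entry)
```

Review each reported URL before adding it, because every listed path stops using integrated Windows authentication and falls back to normal Accel Platform authentication.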
Next, place the attached ConstantConfigBasedWindowsTenantIdResolver.java directly under WEB-INF/classes/jp/co/intra_mart/foundation/admin/tenant/context.
Finally, rewrite the contents of WEB-INF/plugin/jp.co.intra_mart.foundation.admin.tenant.context.tenant.resolver.windows_8.0.1/plugin.xml as follows:
Before the change
<?xml version="1.0" encoding="UTF-8"?>
<plugin>
<extension point="jp.co.intra_mart.foundation.admin.tenant.context.tenant.resolvers">
<tenant-id-resolvers
id="jp.co.intra_mart.foundation.admin.tenant.context.tenant.resolver.windows"
name="Windows Tenant Id Resolver"
version="8.0.1"
rank="90">
<!-- Resolver with a domain as a tenant ID
Resolve the participating domain as a tenant ID. -->
<!--tenant-id-resolver class="jp.co.intra_mart.foundation.admin.tenant.context.DomainBasedWindowsTenantIdResolver"/-->
<!-- Resolver with the fixed value set as a tenant ID
Resolve the value set in the tenant_id parameter as a tenant ID. -->
<!--tenant-id-resolver class="jp.co.intra_mart.foundation.admin.tenant.context.FixedConfigBasedWindowsTenantIdResolver">
<init-param>
<param-name>tenant_id</param-name>
<param-value>default</param-value>
</init-param>
</tenant-id-resolver-->
</tenant-id-resolvers>
</extension>
</plugin>
After the change
<?xml version="1.0" encoding="UTF-8"?>
<plugin>
<extension point="jp.co.intra_mart.foundation.admin.tenant.context.tenant.resolvers">
<tenant-id-resolvers
id="jp.co.intra_mart.foundation.admin.tenant.context.tenant.resolver.windows"
name="Windows Tenant Id Resolver"
version="8.0.1"
rank="90">
<!-- Resolver with a domain as a tenant ID
Resolve the participating domain as a tenant ID. -->
<!--tenant-id-resolver class="jp.co.intra_mart.foundation.admin.tenant.context.DomainBasedWindowsTenantIdResolver"/-->
<!-- Resolver with the fixed value set as a tenant ID
Resolve the value set in the tenant_id parameter as a tenant ID. -->
<tenant-id-resolver class="jp.co.intra_mart.foundation.admin.tenant.context.ConstantConfigBasedWindowsTenantIdResolver">
<init-param>
<param-name>tenant_id</param-name>
<param-value>default</param-value>
</init-param>
</tenant-id-resolver>
</tenant-id-resolvers>
</extension>
</plugin>
Change the tenant ID value "default" in the file to match your environment.
・ When HTTP 401 occurs on unspecified URLs
There might be a problem with Kerberos authentication.
In Internet Explorer (IE), open "Tools" > "Internet options", select the "Advanced" tab, and uncheck "Enable Integrated Windows Authentication" in the "Security" section.
This causes NTLM authentication to be performed instead of Kerberos authentication.
We have confirmed that Firefox ESR 31.7 performs NTLM authentication by default, so you can use it to check whether the problem is specific to Kerberos authentication.
We have also confirmed that Chrome 43.0.2357.81 m and later, like Internet Explorer (IE), use Kerberos authentication by default instead of NTLM authentication, so you can use it to check whether the problem is caused by the browser.
Alternatively, if you are using the integrated Windows authentication module version 8.0.1_PATCH-001 or later, 8.0.2_PATCH-001 or later, or 8.0.3_PATCH-001 or later, you can force NTLM authentication without changing the Internet Explorer (IE) settings above by adding the following setting to conf\im-sso-windows-config.xml:
<parameter>
<param-name>waffle.servlet.spi.NegotiateSecurityFilterProvider/protocols</param-name>
<param-value>NTLM</param-value>
</parameter>
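To confirm which mechanism a browser actually sent, the Authorization request header copied from the browser developer tools can be classified by the leading bytes of its token. This is an added example, not part of the original FAQ or the product; the function name is hypothetical, the check is a heuristic, and the sample tokens are constructed and truncated.

```python
import base64

NTLMSSP = b"NTLMSSP\x00"  # signature at the start of every NTLM message
# DER encoding of the Kerberos V5 mechanism OID 1.2.840.113554.1.2.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")


def classify_authorization(header_value):
    """Return 'kerberos', 'ntlm' or 'unknown' for an Authorization header value."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "unknown"
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "unknown"
    # NTLM sent bare or wrapped inside a GSS-API/SPNEGO token.
    if NTLMSSP in raw:
        return "ntlm"
    # GSS-API tokens start with tag 0x60; a Kerberos token carries the KRB5 OID.
    if raw[:1] == b"\x60" and KRB5_OID in raw:
        return "kerberos"
    return "unknown"


def _sample(raw):
    """Build a header value from constructed token bytes."""
    return "Negotiate " + base64.b64encode(raw).decode("ascii")


# Constructed, truncated tokens: only the leading bytes are realistic.
SAMPLE_NTLM = _sample(NTLMSSP + b"\x01\x00\x00\x00" + b"\x00" * 8)
SAMPLE_KERBEROS = _sample(b"\x60\x82\x01\x00" + KRB5_OID + b"\x01\x00" + b"\x00" * 16)

if __name__ == "__main__":
    for name, value in (("ntlm sample", SAMPLE_NTLM), ("kerberos sample", SAMPLE_KERBEROS)):
        print(name, "->", classify_authorization(value))
```

In practice, a token beginning with "TlRMTVNTUAA" is NTLM and one beginning with "YII" is a GSS-API token, which is what the byte checks above detect after decoding.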
-- Target ----------------------------------------------------------------------
iAP/Accel Platform/2014 Spring(Granada) or later
--------------------------------------------------------------------------------
FAQID:532