Project

General

Profile

Actions

Support #4631

closed

Accès à redmine via oupiou difficile pour utilisateurs CTA

Added by Hoffmann Dirk over 8 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
Low
Assigned To:
Start date:
06/09/2013
Due date:
% Done:

100%

Estimated time:

Description

Nous avons plusieurs cas rapportés, où l'accès par Mac/Safari est problématique.
(Cf. cta-svn mailing list)

Complément d'informations (cf. rapport référencé ci-dessus):

Utilisateur n°1 obtient :
Problem Schlenstedt
qui l'emmenè sur une piste "sans issue" : Peu importe, si il clique sur "Cancel" ou "Continue", l'accès est refusé.

Utilisateur n°2 (David A Williams <>, 8 juin 2013 06:31:23 HAEC) :
When I click on the CAS Sign In  I am asked to provide a client certificate and none of the three choices listed work for me.  None of the three choices that I am presented work.  All are declined by the website.  So this seems to be locked down a bit too well.

Résumé de Jürgen (Fri, 7 Jun 2013 23:07:43 +0200) :
Pour le moment je sais que ça ne marche pas avec Safari 5.1.9 (Mac OS X 10.6), mais également pas avec Safari 6.0.5 (voir en bas). Ce qui est bizzare: ça marchait avant, quand j'ai eu mon problème avec le téléchargement de l'image, sinon je n'aurais jamais pu connecter avec Safari. Donc quelque chose a du changer les dernier 1-2 semaines.


Files

attachment-0001.png (48.6 KB) attachment-0001.png Problem Schlenstedt Hoffmann Dirk, 06/09/2013 11:07 AM
PastedGraphic-1.png (48.6 KB) PastedGraphic-1.png Problem Williams Hoffmann Dirk, 06/09/2013 11:29 AM
PastedGraphic-1.png (114 KB) PastedGraphic-1.png Hoffmann Dirk, 06/09/2013 11:31 AM
certificat.jpg (67.4 KB) certificat.jpg Knödlseder Jürgen, 06/09/2013 03:15 PM
Actions #2

Updated by Hoffmann Dirk over 8 years ago

Remarque à côté : On peut voir que redmine a un petit problème avec le traitement de deux attachments à nom identique.

Actions #3

Updated by Knödlseder Jürgen over 8 years ago

Here also another problem report for me. Safari 5.1.9 on Mac OS X 10.6. It even does not ask for anything, I just get an error.

Actions #4

Updated by Hoffmann Dirk over 8 years ago

  • Assigned To set to ROUET Jean-René

Juste pour essayer de dessiner une esquisser claire de la situation : Tous ces utilisateurs réussissent-ils à utiliser redmine avec Firefox sur leur Mac ?

Actions #5

Updated by Knödlseder Jürgen over 8 years ago

Dirk Hoffmann wrote:

Juste pour essayer de dessiner une esquisser claire de la situation : Tous ces utilisateurs réussissent-ils à utiliser redmine avec Firefox sur leur Mac ?

Je pense que oui, car après avoir dit que Safari pose problème, tous (sauf un) on réussi de se connecter avec un autre navigateur). D'ailleurs: ça marche aussi avec l'iPhone.

Actions #6

Updated by Hoffmann Dirk over 8 years ago

This looks very similar to the problem as reported by David:
http://xml.pcpc.org/workspace/files/fixingclientcertificateonsafarimac.pdf

Actions #7

Updated by Hoffmann Dirk over 8 years ago

Dirk Hoffmann wrote:

This looks very similar to the problem as reported by David:
http://xml.pcpc.org/workspace/files/fixingclientcertificateonsafarimac.pdf

And here is another report that states Safari unexpectedly pops up the client certificat dialog, although it has not been requested from the server:
https://discussions.apple.com/thread/3871083?start=0&tstart=0

However, Jürgen's symptoms (comment on #4631#note-3) are different. (And they have not appeard two weeks ago to him.) Maybe we have two different problems here.

Actions #8

Updated by ROUET Jean-René over 8 years ago

I confirm the following comportment :
you can use safari 6.0.5 with oupiou.in2p3.fr without a certificate : you have to click cancel on the window proposing the certificates.
before, it may be necessary to remove the "identity preference" set in keychain application for oupiou.in2p3.fr (safari remember the tuple website/certificate to present). quit safari and restart it, if you click cancel (keychain don't save any identity preference).
for safari 5.1.9 on snow leopard (10.6.8), i can't test it to confirm or not.

regards

Actions #9

Updated by Knödlseder Jürgen over 8 years ago

I have a report from a user which seems to contradict this:

I am trying to log in to the Redmine system, following the procedure in the PDF attached. However I am not getting past step 2. I am using safari 6.0.5 on mac os x 10.8.4

When I hit 'CAS Sign in' I get s popup which says

WebProcess wants to sign using key "Apple ID Authentication 2012-08-20 15:30:26 GMT +01:00" in your keychain

If I deny this then I do not get access to the web page. If I allow it I am presented with a popup which says

The website "oupiou.in2p3.fr" did not accept the certificate "unknown"

I am offered 2 certificates to choose from, but selecting either results in the first popup listed above again.

Advice welcome

Actions #10

Updated by Hoffmann Dirk over 8 years ago

Jürgen Knödlseder wrote:

I have a report from a user which seems to contradict this:

I am not sure about this (not a Mac user and no way to reproduce Mac behaviour).

But:

WebProcess wants to sign using key "Apple ID Authentication 2012-08-20 15:30:26 GMT +01:00" in your keychain

This seems to indicate that the user still has interfering certificates in his keychain, doesn't he?

Actions #11

Updated by Knödlseder Jürgen over 8 years ago

Dirk Hoffmann wrote:

Jürgen Knödlseder wrote:

I have a report from a user which seems to contradict this:

I am not sure about this (not a Mac user and no way to reproduce Mac behaviour).

But:

WebProcess wants to sign using key "Apple ID Authentication 2012-08-20 15:30:26 GMT +01:00" in your keychain

This seems to indicate that the user still has interfering certificates in his keychain, doesn't he?

Probably. But I think most user will not manage to remove properly interfering keychains anyways, so if it goes to this level of system management required, it'll hard to be used by anyone having Safari.

And on my system I even have no clue which certificates to remove ...

Actions #12

Updated by Hoffmann Dirk over 8 years ago

  • % Done changed from 0 to 80

My conclusion would be: "Safari is not suitable for use of modern tools like Redmine or SharePoint."

Suggest to close this ticket.

Actions #13

Updated by ROUET Jean-René over 8 years ago

Dirk Hoffmann wrote:

My conclusion would be: "Safari is not suitable for use of modern tools like Redmine or SharePoint."

Suggest to close this ticket.

I use safari on MacOS X 10.8 without any problem, but i admit that modify keychain preferences is not easy even if it's more powerful than firefox. I understand that the solution to migrate to 10.8 is not a really good solution. May be Chrome is the good alternative.

Actions #14

Updated by Hoffmann Dirk almost 8 years ago

I add S. Schlenstedt as observer to this ticket, as he reported the same problem again to the ACTL list. I am afraid, it is void, but in case you can give him a hint how to solve his problems on Safari / Mac.

Otherwise, the ticket may be closed, I think.

Actions #15

Updated by Barbier Cecile over 7 years ago

  • Assigned To changed from ROUET Jean-René to Barbier Cecile
Actions #16

Updated by Barbier Cecile over 7 years ago

  • Status changed from New to Closed
  • % Done changed from 80 to 100

Updated user documentation (https://portal.cta-observatory.org/WG/DM/DM_wiki/SW_DEV/Software%20tools%20library/CTA_SWTOOLS.pdf currently under modification) with "use Firefox or Chrome or Mac OS X 10.8+"

Actions #17

Updated by Okumura Akira over 7 years ago

Does the workaround written in the following thread help this issue?
https://discussions.apple.com/message/23846596#23846596
Please try changing an Apache setting "SSLVerifyClient optional".

Actions #18

Updated by Okumura Akira over 6 years ago

Hello Cecile,

I would like to inform you that this login issue also appears when the user is using OS X 10.8+ and Safari 6+. I use OS X 10.9.5 (Mavericks) and Safari 7.1.2, and still encounter this issue occasionally. Because "com.apple.idms..." suddenly appears in my Keychain repeatedly. But I do not know what system change triggers this.

I would appreciate it if you could add a short explanation about the workaround (i.e. removing "com.apple.idms..." from Apple Keychain) in a future version of the documentation. In addition, it would be also appreciated if the server manager could try the proposal I posted 8 months ago.

Akira

Actions

Also available in: Atom PDF