Support #4631
closed
Accès à redmine via oupiou difficile pour utilisateurs CTA
100%
Description
Nous avons plusieurs cas rapportés, où l'accès par Mac/Safari est problématique.
(Cf. cta-svn mailing list)
Complément d'informations (cf. rapport référencé ci-dessus):
Utilisateur n°1 obtient :
qui l'emmenè sur une piste "sans issue" : Peu importe, si il clique sur "Cancel" ou "Continue", l'accès est refusé.
Utilisateur n°2 (David A Williams <daw@ucsc.edu>, 8 juin 2013 06:31:23 HAEC) :
When I click on the CAS Sign In I am asked to provide a client certificate and none of the three choices listed work for me. None of the three choices that I am presented work. All are declined by the website. So this seems to be locked down a bit too well.
Résumé de Jürgen (Fri, 7 Jun 2013 23:07:43 +0200) :
Pour le moment je sais que ça ne marche pas avec Safari 5.1.9 (Mac OS X 10.6), mais également pas avec Safari 6.0.5 (voir en bas). Ce qui est bizzare: ça marchait avant, quand j'ai eu mon problème avec le téléchargement de l'image, sinon je n'aurais jamais pu connecter avec Safari. Donc quelque chose a du changer les dernier 1-2 semaines.
Files
Updated by Hoffmann Dirk almost 12 years ago
- File PastedGraphic-1.png PastedGraphic-1.png added
Updated by Hoffmann Dirk almost 12 years ago
Remarque à côté : On peut voir que redmine a un petit problème avec le traitement de deux attachments à nom identique.
Updated by Knödlseder Jürgen almost 12 years ago
- File certificat.jpg certificat.jpg added
Here also another problem report for me. Safari 5.1.9 on Mac OS X 10.6. It even does not ask for anything, I just get an error.
Updated by Hoffmann Dirk almost 12 years ago
- Assigned To set to ROUET Jean-René
Juste pour essayer de dessiner une esquisser claire de la situation : Tous ces utilisateurs réussissent-ils à utiliser redmine avec Firefox sur leur Mac ?
Updated by Knödlseder Jürgen almost 12 years ago
Dirk Hoffmann wrote:
Juste pour essayer de dessiner une esquisser claire de la situation : Tous ces utilisateurs réussissent-ils à utiliser redmine avec Firefox sur leur Mac ?
Je pense que oui, car après avoir dit que Safari pose problème, tous (sauf un) on réussi de se connecter avec un autre navigateur). D'ailleurs: ça marche aussi avec l'iPhone.
Updated by Hoffmann Dirk almost 12 years ago
This looks very similar to the problem as reported by David:
http://xml.pcpc.org/workspace/files/fixingclientcertificateonsafarimac.pdf
Updated by Hoffmann Dirk almost 12 years ago
Dirk Hoffmann wrote:
This looks very similar to the problem as reported by David:
http://xml.pcpc.org/workspace/files/fixingclientcertificateonsafarimac.pdf
And here is another report that states Safari unexpectedly pops up the client certificat dialog, although it has not been requested from the server:
https://discussions.apple.com/thread/3871083?start=0&tstart=0
However, Jürgen's symptoms (comment on #4631#note-3) are different. (And they have not appeard two weeks ago to him.) Maybe we have two different problems here.
Updated by ROUET Jean-René almost 12 years ago
I confirm the following comportment :
you can use safari 6.0.5 with oupiou.in2p3.fr without a certificate : you have to click cancel on the window proposing the certificates.
before, it may be necessary to remove the "identity preference" set in keychain application for oupiou.in2p3.fr (safari remember the tuple website/certificate to present). quit safari and restart it, if you click cancel (keychain don't save any identity preference).
for safari 5.1.9 on snow leopard (10.6.8), i can't test it to confirm or not.
regards
Updated by Knödlseder Jürgen almost 12 years ago
I have a report from a user which seems to contradict this:
I am trying to log in to the Redmine system, following the procedure in the PDF attached. However I am not getting past step 2. I am using safari 6.0.5 on mac os x 10.8.4
When I hit 'CAS Sign in' I get s popup which says
WebProcess wants to sign using key "Apple ID Authentication 2012-08-20 15:30:26 GMT +01:00" in your keychain
If I deny this then I do not get access to the web page. If I allow it I am presented with a popup which says
The website "oupiou.in2p3.fr" did not accept the certificate "unknown"
I am offered 2 certificates to choose from, but selecting either results in the first popup listed above again.
Advice welcome
Updated by Hoffmann Dirk almost 12 years ago
Jürgen Knödlseder wrote:
I have a report from a user which seems to contradict this:
I am not sure about this (not a Mac user and no way to reproduce Mac behaviour).
But:
WebProcess wants to sign using key "Apple ID Authentication 2012-08-20 15:30:26 GMT +01:00" in your keychain
This seems to indicate that the user still has interfering certificates in his keychain, doesn't he?
Updated by Knödlseder Jürgen almost 12 years ago
Dirk Hoffmann wrote:
Jürgen Knödlseder wrote:
I have a report from a user which seems to contradict this:
I am not sure about this (not a Mac user and no way to reproduce Mac behaviour).
But:
WebProcess wants to sign using key "Apple ID Authentication 2012-08-20 15:30:26 GMT +01:00" in your keychain
This seems to indicate that the user still has interfering certificates in his keychain, doesn't he?
Probably. But I think most user will not manage to remove properly interfering keychains anyways, so if it goes to this level of system management required, it'll hard to be used by anyone having Safari.
And on my system I even have no clue which certificates to remove ...
Updated by Hoffmann Dirk almost 12 years ago
- % Done changed from 0 to 80
My conclusion would be: "Safari is not suitable for use of modern tools like Redmine or SharePoint."
Suggest to close this ticket.
Updated by ROUET Jean-René almost 12 years ago
Dirk Hoffmann wrote:
My conclusion would be: "Safari is not suitable for use of modern tools like Redmine or SharePoint."
Suggest to close this ticket.
I use safari on MacOS X 10.8 without any problem, but i admit that modify keychain preferences is not easy even if it's more powerful than firefox. I understand that the solution to migrate to 10.8 is not a really good solution. May be Chrome is the good alternative.
Updated by Hoffmann Dirk over 11 years ago
I add S. Schlenstedt as observer to this ticket, as he reported the same problem again to the ACTL list. I am afraid, it is void, but in case you can give him a hint how to solve his problems on Safari / Mac.
Otherwise, the ticket may be closed, I think.
Updated by Barbier Cecile about 11 years ago
- Assigned To changed from ROUET Jean-René to Barbier Cecile
Updated by Barbier Cecile about 11 years ago
- Status changed from New to Closed
- % Done changed from 80 to 100
Updated user documentation (https://portal.cta-observatory.org/WG/DM/DM_wiki/SW_DEV/Software%20tools%20library/CTA_SWTOOLS.pdf currently under modification) with "use Firefox or Chrome or Mac OS X 10.8+"
Updated by Okumura Akira almost 11 years ago
Does the workaround written in the following thread help this issue?
https://discussions.apple.com/message/23846596#23846596
Please try changing an Apache setting "SSLVerifyClient optional".
Updated by Okumura Akira about 10 years ago
Hello Cecile,
I would like to inform you that this login issue also appears when the user is using OS X 10.8+ and Safari 6+. I use OS X 10.9.5 (Mavericks) and Safari 7.1.2, and still encounter this issue occasionally. Because "com.apple.idms..." suddenly appears in my Keychain repeatedly. But I do not know what system change triggers this.
I would appreciate it if you could add a short explanation about the workaround (i.e. removing "com.apple.idms..." from Apple Keychain) in a future version of the documentation. In addition, it would be also appreciated if the server manager could try the proposal I posted 8 months ago.
Akira