The Alfresco authentication chain processes requests by trying each configured subsystem in a defined sequence. When an authentication request (including one for SSO) is received, the chain is traversed until one subsystem successfully authenticates the user. At that point, the process stops. An SSO authentication event is handled by a single, specific subsystem (e.g., Kerberos, External) within the chain; it is not "targeted at multiple subsystem instances" for a single authentication attempt. This sequential, first-success-wins model is fundamental to the chain's operation.

A. CIFS file system authentication is a core function provided by authentication subsystems such as NTLM and Kerberos, which are designed to integrate with Windows-based network environments.

C. This is a primary function. Subsystems like alfrescoNtlm and ldap-ad are explicitly designed to handle username/password authentication for Alfresco's various protocols and endpoints.

D. This describes user/group synchronization. Subsystems that connect to external directories (e.g., LDAP, Active Directory) are responsible for both authentication and synchronizing user data into the Alfresco database.

1. Alfresco Content Services 7.4 Documentation, "Authentication subsystems": This section provides an overview of authentication subsystems, stating their purpose is to provide authentication and user registry export (synchronization). It lists various protocols they support, including CIFS, FTP, WebDAV, and the SharePoint Protocol.

Reference: Alfresco Content Services 7.4 > Administering > Managing authentication and security > Authentication subsystems.

2. Alfresco Content Services 7.4 Documentation, "Chained authentication": This document explicitly describes the sequential nature of the authentication chain. It states, "Alfresco supports a chain of authentication subsystems... Alfresco will try to authenticate a user against each of the subsystems in the chain, in order, until it finds one that can successfully authenticate the user." This directly contradicts the concept in option B.

Reference: Alfresco Content Services 7.4 > Administering > Managing authentication and security > Chained authentication.

3. Alfresco Content Services 7.4 Documentation, "Configuring authentication subsystems": This page details the properties for configuring the authentication chain (authentication.chain). The examples for SSO (like Kerberos) show the SSO-specific subsystem placed at a single point in the chain, reinforcing that it is one step in a sequence, not a parallel target.

Reference: Alfresco Content Services 7.4 > Administering > Managing authentication and security > Configuring authentication subsystems.