topic Re: Kerberos difficulties in Alfresco Archive

Kerberos difficulties

doiheartwentyon — Wed, 05 Aug 2009 17:00:30 GMT

Hi,I have been trying to get Kerberos and LDAP chaining to work using the instructions athttp://wiki.alfresco.com/wiki/Alfresco_Authentication_SubsystemsIn Share, I can log in through the login screen and authenticate against Kerberos users; LDAP synchronization is also working.However, I can't log

Re: Kerberos difficulties

dward — Thu, 06 Aug 2009 10:04:58 GMT

1. I think you have exposed a problem with the Kerberos authentication subsystem. The http.password indeed should only be relevant when kerberos.authentication.sso.enabled=true but it is trying to validate everything at startup. For now, you will have to work around this by creating the HTTP principal anyway (as you have done). I have logged

https://issues.alfresco.com/jira/browse/ETHREEOH-2617

2. Does any of this help:

http://forums.sun.com/thread.jspa?threadID=5250326
http://jhelvoort.wordpress.com/2009/01/02/integrity-check-on-decrypted-field-failed-31/
http://mailman.mit.edu/pipermail/kerberos/2006-November/010849.html

?

3. Good question. It shouldn't and soon won't.

Re: Kerberos difficulties

doiheartwentyon — Thu, 06 Aug 2009 10:41:31 GMT

1. I think you have exposed a problem with the Kerberos authentication subsystem. The http.password indeed should only be relevant when kerberos.authentication.sso.enabled=true but it is trying to validate everything at startup. For now, you will have to work around this by creating the HTTP principal anyway (as you have done)

OK, good - FYI the same is true of the CIFS principal - I needed to create it even with kerberos.authentication.authenicateCIFS set to false.

2. Does any of this help:

http://forums.sun.com/thread.jspa?threadID=5250326
http://jhelvoort.wordpress.com/2009/01/02/integrity-check-on-decrypted-field-failed-31/
http://mailman.mit.edu/pipermail/kerberos/2006-November/010849.html

1. No, realm is already in uppercase.
2. This poster gets the message from kinit, but I have no problems logging in with kinit (including java kinit)
3. I think this poster had problems with the enctype - I suppose this may be possible, but I haven't found out how I can force JAAS to use a particular one, and surely that would also impact kinit.java ?

I tried switching from keytab to password and providing this password in the properties file (and the principal in java.login.config). kinit and kinit.java were fine, but no luck with Alfresco.
Finally, I get the 'integrity check' message from kinit.java if I supply the wrong password, so I'm now wondering if the keytab file is being misread somehow

Re: Kerberos difficulties

doiheartwentyon — Tue, 11 Aug 2009 12:40:55 GMT

To followup…

I changed the java.login.config to use my own principal instead of HTTP/server.x.y.z , supplying my password in the properties file, and this worked[1], so I guess it's something on the kerberos side. The only thing I can think of is that for some reason Alfresco needs a user principal not a host principal, but I'm not clear on the difference.

[1] Well, it allowed me to access the Alfresco web client with SSO disabled, at least.

Re: Kerberos difficulties

dward — Thu, 13 Aug 2009 11:53:22 GMT

FYI a fix has been checked in to HEAD, revision 15729. Here's the change comment:

ETHREEOH-2617: When SSO is disabled in a subsystem, disable initialization of its filters 
- Do not validate filter configuration parameters in NTLM and Kerberos authentication filters when the filter is disabled‍‍

FYI there did not appear to be a problem with the CIFS authenticators, which already suppress their initialization when disabled.

Re: Kerberos difficulties

dannyboy — Wed, 19 Aug 2009 18:58:05 GMT

I am able to login with accounts in my Active Directory in the Share webapp, but I can not access the Alfresco webapp:

[img]http://imgur.com/U4Jn7l.png[/img]

11:40:57,528 ERROR [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] HTTP Kerberos web filter error

javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)‍‍‍

Re: Kerberos difficulties

dannyboy — Fri, 21 Aug 2009 21:33:05 GMT

Please let me know if I am not clear. I am not an expert 😕

Also, though I have Cifs.enabled = false everywhere I can find, I still get the following error when I login via kerberos on the Share app:

14:59:41,586 ERROR [org.alfresco.web.scripts.AbstractRuntime] Exception from executeScript - redirecting to status template error: Error creating bean with name 'cifsAuthenticator' defined in file [C:\Alfresco\tomcat\webapps\alfresco\WEB-INF\classes\alfresco\subsystems\Authentication\kerberos\kerberos-authentication-context.xml]: Invocation of init method failed; nested exception is org.alfresco.jlan.server.config.InvalidConfigurationException: Failed to login CIFS server service
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'cifsAuthenticator' defined in file [C:\Alfresco\tomcat\webapps\alfresco\WEB-INF\classes\alfresco\subsystems\Authentication\kerberos\kerberos-authentication-context.xml]: Invocation of init method failed; nested exception is org.alfresco.jlan.server.config.InvalidConfigurationException: Failed to login CIFS server service
Caused by: org.alfresco.jlan.server.config.InvalidConfigurationException: Failed to login CIFS server service‍‍‍

I thought it wasn't supposed to try Cifs authentication if it is disabled in kerberos-authentication.xml. I have file server disabled as well.

Re: Kerberos difficulties

dward — Mon, 24 Aug 2009 09:31:14 GMT

Did you include this in alfresco-global.properties ?

kerberos.authentication.authenticateCIFS=false

Re: Kerberos difficulties

dannyboy — Mon, 24 Aug 2009 15:44:42 GMT

Did you include this in alfresco-global.properties ?

kerberos.authentication.authenticateCIFS=false

Thanks for the reply!

I already had 'kerberos.authentication.authenticateCIFS=false' in my kerberos authentication properties file, but to humor the point I added it to alfresco global properties as well.

I still get the same error:

10:39:32,347 ERROR [org.alfresco.web.scripts.AbstractRuntime] Exception from executeScript - redirecting to status template error: Error creating bean with name 'cifsAuthenticator' defined in file [C:\Alfresco\tomcat\webapps\alfresco\WEB-INF\classes\alfresco\subsystems\Authentication\kerberos\kerberos-authentication-context.xml]: Invocation of init method failed; nested exception is org.alfresco.jlan.server.config.InvalidConfigurationException: Failed to login CIFS server service‍

Regardless, I am more concerened about not being able to login into the alfresco webapp when kerberos authentication is enabled, as you can see from my screenshot 3 posts up.

Re: Kerberos difficulties

dward — Tue, 25 Aug 2009 10:54:42 GMT

You need to understand how to control subsystem properties rather than randomly editing different files.

I've just double-checked the configuration and think I have found the problem. I will re-open the bug and ensure that it is fixed in HEAD.

It's this line in network-protocol-context.xml


<!– CIFS authentication –>
<bean id="cifsAuthenticatorBase" abstract="true" init-method="initialize">
…
‍‍‍‍‍

Even though CifsAuthenticatorBase implements InitializingBean, initialize() has been declared as the init-method. This means that the logic that only calls initialize() when the active flag is set will be bypassed.

A workaround is to put the following in $TOMCAT_HOME/shared/classes/alfresco/extension/temp-context.xml

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>
 
<beans>

    <!– Fix initialization of CIFS authenticators –>
    <bean id="cifsAuthenticatorBase" abstract="true">
        <property name="config">
            <ref bean="fileServerConfiguration" />
        </property>
        <property name="authenticationService">
            <ref bean="authenticationService" />
        </property>
        <property name="authenticationComponent">
            <ref bean="authenticationComponent" />
        </property>
        <property name="nodeService">
            <ref bean="NodeService" />
        </property>
        <property name="personService">
            <ref bean="personService" />
        </property>
        <property name="transactionService">
            <ref bean="transactionService" />
        </property>
        <property name="authorityService">
            <ref bean="authorityService" />
        </property>
        <property name="diskInterface">
            <ref bean="contentDiskDriver" />
        </property>
    </bean>
      
</beans>‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Re: Kerberos difficulties

dward — Tue, 25 Aug 2009 12:14:39 GMT

This is now fixed in HEAD.

Re: Kerberos difficulties

dannyboy — Tue, 25 Aug 2009 16:19:29 GMT

Thank you for your time and patience. I will confess that after changing kerberos authentication properties and the error persisted I declared war on all things cifs in /alfresco.

I followed your instructions but there was a "The processing instruction target matching "[xX][mM][lL]" error when importing the file. It had to do with whitespace in the file, I think it was a formatting problem when copying it over. Anyways, deleted the whitespace and it imported and ran fine.

I no longer get the "Failed to login CIFS server service" error when each time I login with an AD account. Good catch!

I still receive the following error when trying to access the Alfresco webapp. The problem in the screenshot I posted a while back still happens.

11:40:57,528 ERROR [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] HTTP Kerberos web filter error

javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)"‍‍‍

Does this mean that I am doing something wrong? Did I setup my keytab incorrectly or something? However, I am able to login with AD accounts just fine…

Re: Kerberos difficulties

dward — Tue, 25 Aug 2009 16:34:11 GMT

I don't understand. The screenshot is of the HTTP service login problem, which was fixed by

https://issues.alfresco.com/jira/browse/ETHREEOH-2617

Aren't you running with a recent 3.3 build?

As for the other error, what do you mean by "I am able to login with AD accounts just fine". What are you trying to log in with then?

If you are trying to log in as an internal Alfresco user, such as admin, you will need alfrescoNtlm in your authentication chain.

If this explains the problem, but you are still getting a nast exception on your screen when you enter an invalid password, there is still a bug somewhere.

I'm hoping to set up a Kerberos system soon so that I can investigate properly.

Re: Kerberos difficulties

dannyboy — Tue, 25 Aug 2009 16:53:16 GMT

Sorry for being unclear.

I am running Alfresco 3.2 but will download the latest build now.

I am able to login to the Share webapp with Active Directory user-names. The user is then auto-created inside of Alfresco.

Now, when I try to access the Alfresco webapp, the screenshot error occurs. I never see the login screen… nothing except for that screenshot.

So it probably is this SSO bug, I will try it out on the new build.

Edit: Tried it in 3.3 and the same error occurs. I really think it might be I misconfigured kerberos, though I can use the Share webapp just fine.

Re: Kerberos difficulties

dward — Wed, 26 Aug 2009 12:45:30 GMT

Did you build from HEAD? It does work, I promise!

I've managed to set up Kerberos on a VM and I think I've resolved the problem with the CIFS and HTTP service principals.

See this bug comment https://issues.alfresco.com/jira/browse/ETHREEOH-425?focusedCommentId=29595&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#action_29595

It seems that if you did change the accounts to use DES encryption, you would have to reset the passwords, as otherwise they are not cached with DES encryption.

And for Java 6, you can use RC4-HMAC-NT encryption instead. So the new ktpass commands are the following (after deselecting the use DES encryption option and resetting the password on both accounts). I've updated the wiki.

ktpass -princ cifs/<cifs-server-name>.<domain>@<realm> -pass <password> -mapuser <domainnetbios>\alfrescocifs -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out c:\temp\alfrescocifs.keytab
ktpass -princ HTTP/<web-server-name>.<domain>@<realm> -pass <password> -mapuser <domainnetbios>\alfrescohttp -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out c:\temp\alfrescohttp.keytab