topic Re: Kerberos Share SSO - trying out whats new in HEAD in Alfresco Archive

Kerberos Share SSO - trying out whats new in HEAD

loftux — Tue, 15 Jun 2010 10:43:53 GMT

I'm trying to set up the new SSO mechanism found in HEAD that will support Kerberos SSO for Share.And of course there is a lot of guesswork when playing with the latest stuff I'm getting this error12:11:11,580 WARN [org.alfresco.web.site.servlet.KerberosSessionSetupPrivilegedAction] credentials

Re: Kerberos Share SSO - trying out whats new in HEAD

jbarros — Sun, 21 Nov 2010 21:07:38 GMT

Hi,
have you found solution for kerberos share SSO?

Re: Kerberos Share SSO - trying out whats new in HEAD

loftux — Mon, 22 Nov 2010 07:19:15 GMT

Yes, you can get SSO with Kerberos for Share using 3.4.b (and possibly 3.4.a, I haven't tested)
You have the config example in share-config-custom.xml.sample.
If you have Share and Alfresco on the same server, you can use the same account/keytab. If Share is on a separate server, you need to create a separate account for the Share server, and this server needs to access AD directly; My understanding is that Share validates your ticket directly with AD server.

There is however one issue, and that is that you do not get fallback to form based login if the browser doesn't support Kerberos, or you are not logged in to you AD domain.
I've reported the issue http://issues.alfresco.com/jira/browse/ALF-5159
There you also can find config files attached to the issue that you can use as a sample.

Re: Kerberos Share SSO - trying out whats new in HEAD

mody25egy — Mon, 01 Aug 2011 23:30:17 GMT

I have the same issue :s how did you fixed it ?

Re: Kerberos Share SSO - trying out whats new in HEAD

dward — Sun, 10 Jun 2012 13:49:27 GMT

I just tried this out on Alfresco 3.4.10 and hit the same issue. I eventually found that the documented configuration does work, but it's VERY important to access the alfresco server in your browser through its fully qualified domain name used in the Kerberos configuration (not localhost) and to make sure this name is added to your local intranet security zone in Internet Explorer. Without it in my local intranet zone I was getting the "credentials can not be delegated" message - it seems that the browser indicates that the credentials supplied are not delegatable (delagable?) when authenticating outside the intranet. Hope this saves someone else a few hours!

I also discovered a bug with the handling of NegoEx requests in https://issues.alfresco.com/jira/browse/ALF-14462 . Expect a fix for this in HEAD very soon!

Re: Kerberos Share SSO - trying out whats new in HEAD

jean-rémyrevy — Tue, 29 Oct 2013 10:29:37 GMT

A (really) long time after, for someone like me in this kind of trouble, I suggest you to read this : http://serverfault.com/questions/399384/credentials-can-not-be-delegated-alfresco-share
In a few words you may comment / remove those lines from /etc/krb5.conf :

<blockcode>
forwardable = true
proxiable = true
</blockcode>