https://connect.hyland.com/t5/alfresco-archive/sso-with-kerberos-client-sent-an-ntlmssp-security-blob/m-p/257898#M211028 <HTML><HEAD></HEAD><BODY><SPAN>Hello,</SPAN><BR /><BR /><SPAN>I'm trying to configure Alfresco to run SSO using Kerberos.</SPAN><BR /><BR /><BR /><SPAN>Here's the environment I'm working on: </SPAN><BR /><SPAN>- My PC is part of domaine.fr. That's the client in my test. It runs on Windows 7 Pro and tests are made with IE8. </SPAN><BR /><SPAN>- The Alfresco server is a CentOS 5 VM. Alfresco 3.3g is running on Tomcat 6. </SPAN><BR /><SPAN>- Finally, I've created an Active Directory on a Windows Server 2008 R2 VM. This VM is the domain controller for domaine.local (domain netbios name = DOMAINE0) that I've created specially for this test. </SPAN><BR /><BR /><SPAN>I do not have DNS, so I work with IP: </SPAN><BR /><SPAN>- Client: xx.xx.xx.35 </SPAN><BR /><SPAN>- Server Alf xx.xx.xx.60 </SPAN><BR /><SPAN>- Server AD: xx.xx.xx.28</SPAN><BR /><BR /><SPAN>First of all, I've tested my environment by setting up passthru =&gt; No problem. </SPAN><BR /><SPAN>When I access to the webapp, I have a Windows login window that appears. I enter the login / password of an account of my AD indicating DOMAINE0 and I automatically connect to Alfresco (bypassing the login page). </SPAN><BR /><BR /><SPAN>After this first test (to control that SSO with passthru is OK), I've followed the instructions in the Kerberos Alfresco wiki page. In my case, CIFS will not be activated, so I've only considered instructions concerning HTTP configuration. </SPAN><BR /><SPAN>- Create Account alfrescohttp in AD (enable options "Password never expires", "Use DES encryption types for Kerberos" and "Pre-authentication Kerberos is not necessary"). </SPAN><BR /><SPAN>- Generate the keytab on the AD server with the following parameters: </SPAN><BR /><SPAN>=&gt; @ HTTP/xx.xx.xx.60 DOMAINE.LOCAL </SPAN><BR /><SPAN>=&gt; DOMAINE0 \ alfrescohttp </SPAN><BR /><SPAN>&nbsp; That made me an SPN: </SPAN><BR /><SPAN>setspn-l alfrescohttp </SPAN><BR /><SPAN>ServicePrincipalName names registered for CN = HTTP Alfresco, OU = users, OU = ged, OR = esi, </SPAN><BR /><SPAN>DC = domain, DC = local: </SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; HTTP/xx.xx.xx.60 </SPAN><BR /><SPAN>- On my Alfresco server, I added a directory kerberos in the Tomcat directory where I placed the following files: </SPAN><BR /><SPAN>=&gt; The keytab generated previously; </SPAN><BR /><SPAN>=&gt; Krb5.conf </SPAN><BR /><PRE class="language-none line-numbers"><CODE> <BR />[Libdefaults] <BR /> default_realm = DOMAINE.LOCAL <BR /> default_tkt_enctypes = rc4-hmac <BR /> default_tgs_enctypes = rc4-hmac <BR /><BR />[Realms] <BR /> EUROGICIEL.LOCAL = { <BR />&nbsp; kdc = xx.xx.xx.28 <BR />&nbsp; admin_server = xx.xx.xx.28 <BR /> } <BR /><BR />[Domain_realm] <BR /> . Domaine.local = DOMAINE.LOCAL <BR /><SPAN class="line-numbers-rows"><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN></SPAN></CODE></PRE><SPAN> </SPAN><BR /><SPAN>=&gt; java.login.config </SPAN><BR /><PRE class="language-none line-numbers"><CODE> <BR />Alfresco { <BR />&nbsp;&nbsp; Sufficient com.sun.security.auth.module.Krb5LoginModule; <BR />}; <BR /><BR />AlfrescoHTTP { <BR />&nbsp;&nbsp; com.sun.security.auth.module.Krb5LoginModule required <BR />&nbsp;&nbsp; debug = true <BR />&nbsp;&nbsp; storeKey = true <BR />&nbsp;&nbsp; useKeyTab = true <BR />&nbsp;&nbsp; keytab = "/ usr/share/tomcat6/kerberos/alfrescohttp.keytab" <BR />&nbsp;&nbsp; main = "HTTP/xx.xx.xx.60"; <BR />}; <BR /><BR />com.sun.net.ssl.client { <BR />&nbsp;&nbsp; Sufficient com.sun.security.auth.module.Krb5LoginModule; <BR />}; <BR /><BR />Other { <BR />&nbsp;&nbsp; Sufficient com.sun.security.auth.module.Krb5LoginModule; <BR />}; <BR /><BR /><SPAN class="line-numbers-rows"><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN></SPAN></CODE></PRE><SPAN> </SPAN><BR /><BR /><SPAN>- Always on the Alfresco server, I changed the setting JAVA_OPTS to obtain: </SPAN><BR /><PRE class="language-none line-numbers"><CODE> <BR />JAVA_OPTS = "-Xmx2048m-XX: MaxPermSize = 256m-Djava.security.auth.login.config =/usr/share/tomcat6/kerberos/java.login.config-Djava.security.krb5.conf=/usr/share/tomcat6/kerberos/krb5.conf " <BR /><SPAN class="line-numbers-rows"><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN></SPAN></CODE></PRE><SPAN> </SPAN><BR /><BR /><SPAN>- I modified the file alfresco-global.properties for: </SPAN><BR /><PRE class="language-none line-numbers"><CODE> <BR />… <BR />authentication.chain = kerberos1: kerberos <BR />kerberos.authentication.realm = DOMAINE.LOCAL <BR />kerberos.authentication.sso.enabled = true <BR />kerberos.authentication.authenticateCIFS = false <BR />Alfresco kerberos.authentication.user.configEntryName = <BR />kerberos.authentication.http.configEntryName = AlfrescoHTTP <BR />kerberos.authentication.http.password = secret <BR />kerberos.authentication.defaultAdministratorUserNames = mlagneaux <BR />kerberos.authentication.http.kerberosDebug = true <BR />… <BR /><SPAN class="line-numbers-rows"><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN></SPAN></CODE></PRE><SPAN> </SPAN><BR /><SPAN>- I also enabled logs about kerberos in log4j.properties. </SPAN><BR /><BR /><BR /><SPAN>When starting Tomcat, I get the following logs indicating that all goes well: </SPAN><BR /><PRE class="language-none line-numbers"><CODE> <BR />17:15:12,932 User: System DEBUG [webdav.auth.KerberosAuthenticationFilter] HTTP Kerberos login successful <BR />17:15:12,933 User: System DEBUG [webdav.auth.KerberosAuthenticationFilter] Logged on using main HTTP/xx.xx.xx.60 @ DOMAINE.LOCAL <BR /><SPAN class="line-numbers-rows"><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN></SPAN></CODE></PRE><SPAN> </SPAN><BR /><BR /><SPAN>But, when I try to access to the webapp with my AD user, I get the Windows login window where I enter the login and password indicating DOMAINE0 but the connection is KO. After a few tries, I get a blank page. </SPAN><BR /><SPAN>In the log file, I get the following messages: </SPAN><BR /><PRE class="language-none line-numbers"><CODE> <BR />17:24:02,121 DEBUG [app.servlet.KerberosAuthenticationFilter] Kerberos auth request from New xx.xx.xx.35 (xx.xx.xx.35: 62,790) <BR />17:24:02,130 DEBUG [app.servlet.KerberosAuthenticationFilter] Client feels NTLMSSP year security blob <BR /><SPAN class="line-numbers-rows"><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN></SPAN></CODE></PRE><BR /><SPAN>Is there a conf to do on the client? (In IE, the site is within the intranet zone and automatic authentication is enabled for intranet sites).</SPAN><BR /><SPAN>The use of IP can be a problem?</SPAN><BR /><BR /><SPAN>Are there other logs that might help me to see where is the problem?</SPAN><BR /><SPAN>Are there any other info (especially on the AD server) that could be useful?</SPAN><BR /><BR /><SPAN>Thank you in advance for your help.</SPAN></BODY></HTML> Wed, 27 Apr 2011 07:41:27 GMT mlagneaux 2011-04-27T07:41:27Z https://connect.hyland.com/t5/alfresco-archive/sso-with-kerberos-client-sent-an-ntlmssp-security-blob/m-p/257898#M211028 Hello,I'm trying to configure Alfresco to run SSO using Kerberos.Here's the environment I'm working on: - My PC is part of domaine.fr. That's the client in my test. It runs on Windows 7 Pro and tests are made with IE8. - The Alfresco server is a CentOS 5 VM. Alfresco 3.3g is running on Tomcat 6. - F Wed, 27 Apr 2011 07:41:27 GMT https://connect.hyland.com/t5/alfresco-archive/sso-with-kerberos-client-sent-an-ntlmssp-security-blob/m-p/257898#M211028 mlagneaux 2011-04-27T07:41:27Z https://connect.hyland.com/t5/alfresco-archive/sso-with-kerberos-client-sent-an-ntlmssp-security-blob/m-p/257899#M211029 <HTML><HEAD></HEAD><BODY><SPAN>As described in the following post, I've installed Java JCE on my server but doesn't work either.</SPAN><BR /><A href="http://forums1.man.alfresco.com/en/viewtopic.php?f=3&amp;t=20891" rel="nofollow noopener noreferrer">http://forums1.man.alfresco.com/en/viewtopic.php?f=3&amp;t=20891</A></BODY></HTML> Mon, 16 May 2011 14:30:32 GMT https://connect.hyland.com/t5/alfresco-archive/sso-with-kerberos-client-sent-an-ntlmssp-security-blob/m-p/257899#M211029 mlagneaux 2011-05-16T14:30:32Z https://connect.hyland.com/t5/alfresco-archive/sso-with-kerberos-client-sent-an-ntlmssp-security-blob/m-p/257900#M211030 <HTML><HEAD></HEAD><BODY><SPAN>Hello mlagneaux,</SPAN><BR /><BR /><SPAN>SSO with Alfresco Explorer only worked for me in combination with a DNS server.</SPAN><BR /><SPAN>This is also stated in the documentation. </SPAN><BR /><BR /><SPAN>Add your alfresco machines to your DNS on your Windows server and choose the</SPAN><BR /><SPAN>appropiate Service Principal names.</SPAN><BR /><BR /><SPAN>Kind regards,</SPAN><BR /><SPAN>Georg</SPAN></BODY></HTML> Mon, 30 May 2011 11:41:44 GMT https://connect.hyland.com/t5/alfresco-archive/sso-with-kerberos-client-sent-an-ntlmssp-security-blob/m-p/257900#M211030 kronzucker 2011-05-30T11:41:44Z