https://connect.hyland.com/t5/alfresco-archive/kerberos-setup-with-cluster-and-load-balancer/m-p/284077#M237207 <HTML><HEAD></HEAD><BODY><SPAN>I'm setting up a 4.2.4 cluster with two nodes (node1.example.comn, node2.example.com). Each have alfresco and share running.</SPAN><BR /><SPAN>Users access an apache front-end that acts as a load balancer (alfresco.example.com) using Apache.</SPAN><BR /><BR /><SPAN>The goal is to have users SSO when accessing the loadbalancer.</SPAN><BR /><BR /><SPAN>I've been able to create the ticket and get SSO working when accessing the nodes directly, both for http and cifs. What I still struggle with is to getting SSO working from load balancer.</SPAN><BR /><BR /><SPAN>What I have tried is in java.login.config</SPAN><BR /><PRE class="language-none line-numbers"><CODE><BR />Alfresco {<BR />&nbsp;&nbsp; com.sun.security.auth.module.Krb5LoginModule sufficient;<BR />};<BR /><BR />AlfrescoCIFS {<BR />&nbsp;&nbsp; com.sun.security.auth.module.Krb5LoginModule required<BR />&nbsp;&nbsp; storeKey=true<BR />&nbsp;&nbsp; useKeyTab=true<BR />&nbsp;&nbsp; doNotPrompt=true<BR />&nbsp;&nbsp; keyTab="/etc/cifsnode1.keytab"<BR />&nbsp;&nbsp; principal="cifs/node1.example.com";<BR />};<BR /><BR />AlfrescoHTTP<BR />{<BR />&nbsp;&nbsp; com.sun.security.auth.module.Krb5LoginModule required<BR />&nbsp;&nbsp; storeKey=true<BR />&nbsp;&nbsp; useKeyTab=true<BR />&nbsp;&nbsp; doNotPrompt=true<BR />&nbsp;&nbsp; keyTab="/etc/httpnode1.keytab"<BR />&nbsp;&nbsp; principal="HTTP/node1.example.com";<BR />};<BR /><BR />ShareHTTP<BR />{<BR />&nbsp;&nbsp; com.sun.security.auth.module.Krb5LoginModule required<BR />&nbsp;&nbsp; storeKey=true<BR />&nbsp;&nbsp; useKeyTab=true<BR />&nbsp;&nbsp; doNotPrompt=true<BR />&nbsp;&nbsp; keyTab="/etc/sharehttp.keytab"<BR />&nbsp;&nbsp; principal="HTTP/alfresco.example.com";<BR />};<BR /><BR />com.sun.net.ssl.client {<BR />&nbsp;&nbsp; com.sun.security.auth.module.Krb5LoginModule sufficient;<BR />};<BR /><BR />other {<BR />&nbsp;&nbsp; com.sun.security.auth.module.Krb5LoginModule sufficient;<BR />};<BR /><SPAN class="line-numbers-rows"><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN></SPAN></CODE></PRE><BR /><SPAN>When I got Share SSO working I hade the same keytab for Share as for repo HTTP. When involving the load balancer I tested if it would work if I use a third account fro ShareHTTP (HTTP/alfresco.example.com) as this matches the url users access.</SPAN><BR /><BR /><SPAN><SPAN>In share-config-custom.xml, there is in the Kerberos config section the setting endpoint-spn, this should be the principal for node1/node2, i.e. </SPAN><A class="jive-link-email-small" href="mailto:HTTP/node1.example.com@EXAMPLE.COM" rel="nofollow noopener noreferrer">HTTP/node1.example.com@EXAMPLE.COM</A><SPAN> if I am correct?</SPAN></SPAN><BR /><BR /><SPAN>Is there any specific setting that needs to be in apache configuration for it to forward kerberos tickets? The load balancer uses ajp.</SPAN></BODY></HTML> Wed, 10 Jun 2015 08:45:51 GMT loftux 2015-06-10T08:45:51Z https://connect.hyland.com/t5/alfresco-archive/kerberos-setup-with-cluster-and-load-balancer/m-p/284077#M237207 I'm setting up a 4.2.4 cluster with two nodes (node1.example.comn, node2.example.com). Each have alfresco and share running.Users access an apache front-end that acts as a load balancer (alfresco.example.com) using Apache.The goal is to have users SSO when accessing the loadbalancer.I've been able t Wed, 10 Jun 2015 08:45:51 GMT https://connect.hyland.com/t5/alfresco-archive/kerberos-setup-with-cluster-and-load-balancer/m-p/284077#M237207 loftux 2015-06-10T08:45:51Z https://connect.hyland.com/t5/alfresco-archive/kerberos-setup-with-cluster-and-load-balancer/m-p/284078#M237208 <HTML><HEAD></HEAD><BODY><SPAN>Hi Loftux, </SPAN><BR /><BR /><SPAN>Have you seen anything to make you think that Apache is not forwarding on the Kerberos ticket?&nbsp; Generally the Kerberos ticket is included in the request from a client in the "Authentication" header, as part of a GSSAPI token, so I don't know if there's anything in Apache that strips this - I assume you're not using auth_mod_kerb since you want Alfresco to do the authentication?</SPAN><BR /><BR /><SPAN>Do you know if you can authenticate with the Alfresco Explorer app using SSO through Apache?&nbsp; I just ask because Share delegates back to Alfresco for Kerrberos authentication and that extra layer of complexity can often have its own issues.</SPAN><BR /><BR /><SPAN>I'd be very interested in if you find a solution for this as I'm in a similar situation currently as well (using hardware load balancer instead of Apache), looking into how we can get&nbsp; SSO to work properly through the load balancer.&nbsp; Similarly we had successfully tested in single server environments and in clustered environments going directly to the server, but we're still having issues with SSO through the balancer.&nbsp; </SPAN><BR /><BR /><SPAN>I have a hunch that our problem at least is to do with aligning the SPNs &amp; associated keytabs on both hosts with the name of the load balanced service rather than the host names, but I'm not sure.&nbsp; </SPAN><BR /><BR /><SPAN>Regards</SPAN><BR /><BR /><SPAN>Steven</SPAN></BODY></HTML> Tue, 01 Sep 2015 15:36:03 GMT https://connect.hyland.com/t5/alfresco-archive/kerberos-setup-with-cluster-and-load-balancer/m-p/284078#M237208 steven_okennedy 2015-09-01T15:36:03Z