topic Kerberos: Share fails to renew/refresh ticket in Alfresco Archive https://connect.hyland.com/t5/alfresco-archive/kerberos-share-fails-to-renew-refresh-ticket/m-p/286858#M239988 <HTML><HEAD></HEAD><BODY><SPAN>We're currently having trouble with Share, we need to restart it every 10 hours.</SPAN><BR /><BR /><SPAN>Our setup:</SPAN><BR /><SPAN>Alfresco 4.0.d (community) running on Ubuntu 12.04</SPAN><BR /><SPAN>Windows 2008R2 AD</SPAN><BR /><SPAN>Kerberos SSO</SPAN><BR /><SPAN>Windows 7 client, IE9</SPAN><BR /><BR /><SPAN>Everything works fine on the Alfresco side. Alfresco Explorer and CIFS is just fine, but as soon as Share has been running for 10 hours (default ticket life time in AD) we're unable to log in. First we'll be prompted with a browser login, then windows login and after that the Share login form. If I reload the page and enter my password a couple of times it will eventually let me in and we can run for another 10 hours.</SPAN><BR /><BR /><SPAN>If I restart Share I get straight in after it comes up. </SPAN><BR /><BR /><SPAN>Is this a common issue? For me it seems Share should be able to renew the TGT?</SPAN><BR /><BR /><SPAN>I get this exception in the logs:</SPAN><BR /><PRE class="language-none line-numbers"><CODE><BR /><BR />13:55:18,443&nbsp; DEBUG [site.servlet.SSOAuthenticationFilter] Kerberos logon error<BR />java.lang.IllegalStateException: This ticket is no longer valid<BR />&nbsp;&nbsp;&nbsp;at javax.security.auth.kerberos.KerberosTicket.toString(KerberosTicket.java:638)<BR />&nbsp;&nbsp;&nbsp;at java.lang.String.valueOf(String.java:2854)<BR />&nbsp;&nbsp;&nbsp;at java.lang.StringBuilder.append(StringBuilder.java:128)<BR />&nbsp;&nbsp;&nbsp;at sun.security.jgss.krb5.SubjectComber.findAux(SubjectComber.java:150)<BR />&nbsp;&nbsp;&nbsp;at sun.security.jgss.krb5.SubjectComber.find(SubjectComber.java:59)<BR />&nbsp;&nbsp;&nbsp;at sun.security.jgss.krb5.Krb5Util.getTicket(Krb5Util.java:155)<BR />&nbsp;&nbsp;&nbsp;at sun.security.jgss.krb5.Krb5Context$1.run(Krb5Context.java:606)<BR />&nbsp;&nbsp;&nbsp;at sun.security.jgss.krb5.Krb5Context$1.run(Krb5Context.java:599)<BR />&nbsp;&nbsp;&nbsp;at java.security.AccessController.doPrivileged(Native Method)<BR />&nbsp;&nbsp;&nbsp;at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:598)<BR />&nbsp;&nbsp;&nbsp;at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)<BR />&nbsp;&nbsp;&nbsp;at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)<BR />&nbsp;&nbsp;&nbsp;at org.alfresco.web.site.servlet.KerberosSessionSetupPrivilegedAction.run(KerberosSessionSetupPrivilegedAction.java:127)<BR />&nbsp;&nbsp;&nbsp;at org.alfresco.web.site.servlet.KerberosSessionSetupPrivilegedAction.run(KerberosSessionSetupPrivilegedAction.java:44)<BR />&nbsp;&nbsp;&nbsp;at java.security.AccessController.doPrivileged(Native Method)<BR />&nbsp;&nbsp;&nbsp;at javax.security.auth.Subject.doAs(Subject.java:356)<BR />&nbsp;&nbsp;&nbsp;at org.alfresco.web.site.servlet.SSOAuthenticationFilter.doKerberosLogon(SSOAuthenticationFilter.java:1009)<BR />&nbsp;&nbsp;&nbsp;at org.alfresco.web.site.servlet.SSOAuthenticationFilter.doFilter(SSOAuthenticationFilter.java:441)<BR />&nbsp;&nbsp;&nbsp;at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1326)<BR />&nbsp;&nbsp;&nbsp;at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:479)<BR />&nbsp;&nbsp;&nbsp;at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:119)<BR />&nbsp;&nbsp;&nbsp;at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:520)<BR />&nbsp;&nbsp;&nbsp;at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:227)<BR />&nbsp;&nbsp;&nbsp;at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:940)<BR />&nbsp;&nbsp;&nbsp;at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:409)<BR />&nbsp;&nbsp;&nbsp;at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:186)<BR />&nbsp;&nbsp;&nbsp;at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:874)<BR />&nbsp;&nbsp;&nbsp;at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)<BR />&nbsp;&nbsp;&nbsp;at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:250)<BR />&nbsp;&nbsp;&nbsp;at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:149)<BR />&nbsp;&nbsp;&nbsp;at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:110)<BR />&nbsp;&nbsp;&nbsp;at org.eclipse.jetty.server.Server.handle(Server.java:349)<BR />&nbsp;&nbsp;&nbsp;at org.eclipse.jetty.server.HttpConnection.handleRequest(HttpConnection.java:441)<BR />&nbsp;&nbsp;&nbsp;at org.eclipse.jetty.server.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:904)<BR />&nbsp;&nbsp;&nbsp;at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:565)<BR />&nbsp;&nbsp;&nbsp;at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:217)<BR />&nbsp;&nbsp;&nbsp;at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:46)<BR />&nbsp;&nbsp;&nbsp;at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:545)<BR />&nbsp;&nbsp;&nbsp;at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:43)<BR />&nbsp;&nbsp;&nbsp;at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:598)<BR />&nbsp;&nbsp;&nbsp;at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:533)<BR />&nbsp;&nbsp;&nbsp;at java.lang.Thread.run(Thread.java:722)<BR /><SPAN class="line-numbers-rows"><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN></SPAN></CODE></PRE><BR /><BR /><SPAN>Any info or pointers will be very welcome!</SPAN><BR /><BR /><BR /><SPAN>Some setup info:</SPAN><BR /><BR /><SPAN>share-config-custom.xml:</SPAN><BR /><PRE class="language-none line-numbers"><CODE><BR />&nbsp;&nbsp; &lt;config evaluator="string-compare" condition="Kerberos" replace="true"&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;kerberos&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;password&gt;password&lt;/password&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;realm&gt;DOMAIN.LOCAL&lt;/realm&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;endpoint-spn&gt;HTTP/alfresco.domain.local@DOMAIN.LOCAL&lt;/endpoint-spn&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;config-entry&gt;ShareHTTP&lt;/config-entry&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;/kerberos&gt;<BR />&nbsp;&nbsp; &lt;/config&gt;<BR /><SPAN class="line-numbers-rows"><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN></SPAN></CODE></PRE><BR /></BODY></HTML> Wed, 05 Jun 2013 12:16:23 GMT oleh 2013-06-05T12:16:23Z Kerberos: Share fails to renew/refresh ticket https://connect.hyland.com/t5/alfresco-archive/kerberos-share-fails-to-renew-refresh-ticket/m-p/286858#M239988 We're currently having trouble with Share, we need to restart it every 10 hours.Our setup:Alfresco 4.0.d (community) running on Ubuntu 12.04Windows 2008R2 ADKerberos SSOWindows 7 client, IE9Everything works fine on the Alfresco side. Alfresco Explorer and CIFS is just fine, but as soon as Share has Wed, 05 Jun 2013 12:16:23 GMT https://connect.hyland.com/t5/alfresco-archive/kerberos-share-fails-to-renew-refresh-ticket/m-p/286858#M239988 oleh 2013-06-05T12:16:23Z Re: Kerberos: Share fails to renew/refresh ticket https://connect.hyland.com/t5/alfresco-archive/kerberos-share-fails-to-renew-refresh-ticket/m-p/286859#M239989 <HTML><HEAD></HEAD><BODY><SPAN>Hi</SPAN><BR /><BR /><SPAN>Any update here? Same is happening to us.</SPAN><BR /><BR /><SPAN>Regards,</SPAN></BODY></HTML> Thu, 23 Oct 2014 06:25:58 GMT https://connect.hyland.com/t5/alfresco-archive/kerberos-share-fails-to-renew-refresh-ticket/m-p/286859#M239989 jspuchau 2014-10-23T06:25:58Z Re: Kerberos: Share fails to renew/refresh ticket https://connect.hyland.com/t5/alfresco-archive/kerberos-share-fails-to-renew-refresh-ticket/m-p/286860#M239990 <HTML><HEAD></HEAD><BODY><P>This post came up again (see&nbsp;<A href="https://issues.alfresco.com/jira/browse/ALF-21938" rel="nofollow noopener noreferrer">ALF-21938</A>). Talking to the team, we are confident it is a misconfiguration on the Active Directory side, rather than with the Alfresco product.</P><P></P><P>From&nbsp;Ole Hejlskov: If memory serves me correct . . .&nbsp;it was the issue with time sync. We had an issue back in the day where the AD was syncing with a different ntp server than the repo did. We ended up syncing everything with the AD server.</P></BODY></HTML> Wed, 30 Aug 2017 13:20:24 GMT https://connect.hyland.com/t5/alfresco-archive/kerberos-share-fails-to-renew-refresh-ticket/m-p/286860#M239990 resplin 2017-08-30T13:20:24Z