SSO Kerberos

tkim — Mon, 28 Nov 2016 07:29:53 GMT

I want to make SSO environment with ActiveDirectory but I can't...I worked in accordance with below; http://docs.alfresco.com/5.0/tasks/auth-kerberos-ADconfig.html http://docs.alfresco.com/5.0/tasks/auth-kerberos-shareSSO.htmlPlease teach me right way to configure SSO.<Environment>ActiveDirect

Re: SSO Kerberos

angelborroy — Mon, 28 Nov 2016 09:50:39 GMT

Can you include your krb5.ini content?

Re: SSO Kerberos

tkim — Mon, 28 Nov 2016 10:40:34 GMT

This is my krb5.ini.

---

[logging]
default = FILE:C:\work\krb5libs.log
kdc = FILE:C:\work\krb5kdc.log
admin_server = FILE:C:\work\kadmind.log

[libdefaults]
default_realm = OURDOMAIN.LOCAL
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac

[realms]
OURDOMAIN.LOCAL = {
kdc = dcsvr.ourdomain.local
admin_server = dcsvr.ourdomain.local
}

[domain_realm]
dcsvr.ourdomain.local = OURDOMAIN.LOCAL
.dcsvr.ourdomain.local = OURDOMAIN.LOCAL

---

Re: SSO Kerberos

angelborroy — Mon, 28 Nov 2016 11:33:05 GMT

Try removing encryption lines:

default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac

Re: SSO Kerberos

tkim — Tue, 29 Nov 2016 05:09:04 GMT

thx for reply!

I modified java.login.config; adding "@OURDOMAIN.LOCAL", and also removed encryption lines from krb5.ini.
Now, when I started Alfresco service, no error was happened and the logs appeared like below;

2016-11-29 13:54:25,483 INFO [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Starting 'Authentication' subsystem, ID: [Authentication, managed, kerberos1]
2016-11-29 13:54:25,593 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [localhost-startStop-1] HTTP Kerberos login successful
2016-11-29 13:54:25,593 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [localhost-startStop-1] Logged on using principal HTTP/xxxx
2016-11-29 13:54:25,624 DEBUG [org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter] [localhost-startStop-1] HTTP Kerberos login successful
2016-11-29 13:54:25,624 DEBUG [org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter] [localhost-startStop-1] Logged on using principal HTTP/xxxx
2016-11-29 13:54:25,686 INFO [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Startup of 'Authentication' subsystem, ID: [Authentication, managed, kerberos1] complete

But I can not do SSO.
When I access alfresco from IE, the basic authentication dialog appears; maybe come from Alfrescontlm.
IE settings is OK like http://docs.alfresco.com/4.0/tasks/auth-kerberos-clientconfig.html.

1:Kerberos SSO means that no authentication dialog appears, right?
2:my configuration is wrong or not enogh?

This is my config.

<krb5.ini>
---
[logging]
default = FILE:C:\work\krb5libs.log
kdc = FILE:C:\work\krb5kdc.log
admin_server = FILE:C:\work\kadmind.log

[libdefaults]
default_realm = OURDOMAIN.LOCAL
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac

[realms]
OURDOMAIN.LOCAL = {
kdc = dcsvr.ourdomain.local
admin_server = dcsvr.ourdomain.local
}

[domain_realm]
dcsvr.ourdomain.local = OURDOMAIN.LOCAL
.dcsvr.ourdomain.local = OURDOMAIN.LOCAL
---

<java.login.config>
---
Alfresco {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};

AlfrescoCIFS {
com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="C:/etc/cifs.keytab"
   principal="cifs/alfrescoserver.ourdomain.local@OURDOMAIN.LOCAL";
};

AlfrescoHTTP {
com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="C:/etc/http7.keytab"
   principal="HTTP/alfrescoserver.ourdomain.local@OURDOMAIN.LOCAL";
};

ShareHTTP
{
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="C:/etc/http.keytab"
   principal="HTTP/alfrescoserver.ourdomain.local@OURDOMAIN.LOCAL";
};
com.sun.net.ssl.client {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};
other {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};
---

<share-config-custom.xml(a part of)>
---
<config evaluator="string-compare" condition="Kerberos" replace="true">
   <kerberos>
      <password>mypassword</password>
      <realm>OURDOMAIN.LOCAL</realm>
      <endpoint-spn>HTTP/alfrescoserver.ourdomain.local@OURDOMAIN.LOCAL</endpoint-spn>
      <config-entry>AlfrescoHTTP</config-entry>
     <stripUserNameSuffix>true</stripUserNameSuffix>
   </kerberos>
</config>

and uncomment <config evaluator="string-compare" condition="Remote"> sections.
---

<kerberos-filter.properties>
---
kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.http.password=mypassword
kerberos.authentication.sso.enabled=true
kerberos.authentication.browser.ticketLogons=true
kerberos.authentication.sso.fallback.enabled=true
---

<alfresco-global.properties>
---

authentication.chain=kerberos1:kerberos,ldap1:ldap-ad,alfrescoNtlm1:alfrescoNtlm

#NTLM
ntlm.authentication.sso.enabled=false

#LDAP

#LADAP Sync
ldap.authentication.userNameFormat=%s@ourdomain.local

ldap.authentication.java.naming.provider.url=ldap://IPAddress for domain controller:389

ldap.synchronization.java.naming.security.principal=username@ourdomain.local
ldap.synchronization.java.naming.security.credentials=mypassword

#user

ldap.synchronization.userSearchBase=DC\=ourdomain,DC\=local
ldap.synchronization.personType=person

ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn

#group
ldap.synchronization.groupSearchBase=DC\=ourdomain,DC\=local
ldap.synchronization.groupType=organizationalUnit

# Sync
synchronization.synchronizeChangesOnly=false
synchronization.allowDeletions=true
synchronization.syncWhenMissingPeopleLogIn=true
synchronization.syncOnStartup=true

ldap.synchronization.enableProgressEstimation=true

ldap.synchronization.active=true
ldap.authentication.allowGuestLogin=true

synchronization.synchronizeChangesOnly=false

---

Re: SSO Kerberos

tkim — Tue, 29 Nov 2016 06:01:19 GMT

adding information.

When I accessed Alfresco from IE and appears basic authentication dialog, these logs were put out.

2016-11-29 14:50:52,728 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-5] Authentication not required (filter), chaining ...
2016-11-29 14:50:52,806 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-6] Authentication not required (filter), chaining ...
2016-11-29 14:50:52,822 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-7] New Kerberos auth request from 127.0.0.1 (127.0.0.1:58954)
2016-11-29 14:50:52,822 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-7] Issuing login challenge to browser.

topic SSO Kerberos in Alfresco Archive

SSO Kerberos

Re: SSO Kerberos

Re: SSO Kerberos

Re: SSO Kerberos

Re: SSO Kerberos

Re: SSO Kerberos