https://connect.hyland.com/t5/alfresco-archive/sso-kerberos/m-p/291039#M244169 <HTML><HEAD></HEAD><BODY><P>Can you include your&nbsp;<STRONG>krb5.ini</STRONG> content?</P></BODY></HTML> Mon, 28 Nov 2016 09:50:39 GMT angelborroy 2016-11-28T09:50:39Z https://connect.hyland.com/t5/alfresco-archive/sso-kerberos/m-p/291038#M244168 I want to make SSO environment with ActiveDirectory but I can't...I worked in accordance with below;&nbsp;http://docs.alfresco.com/5.0/tasks/auth-kerberos-ADconfig.html&nbsp;http://docs.alfresco.com/5.0/tasks/auth-kerberos-shareSSO.htmlPlease teach me right way to configure SSO.&lt;Environment&gt;ActiveDirect Mon, 28 Nov 2016 07:29:53 GMT https://connect.hyland.com/t5/alfresco-archive/sso-kerberos/m-p/291038#M244168 tkim 2016-11-28T07:29:53Z https://connect.hyland.com/t5/alfresco-archive/sso-kerberos/m-p/291039#M244169 <HTML><HEAD></HEAD><BODY><P>Can you include your&nbsp;<STRONG>krb5.ini</STRONG> content?</P></BODY></HTML> Mon, 28 Nov 2016 09:50:39 GMT https://connect.hyland.com/t5/alfresco-archive/sso-kerberos/m-p/291039#M244169 angelborroy 2016-11-28T09:50:39Z https://connect.hyland.com/t5/alfresco-archive/sso-kerberos/m-p/291040#M244170 <HTML><HEAD></HEAD><BODY><P>This is my krb5.ini.</P><P>---</P><P>[logging]<BR />&nbsp;default = FILE:C:\work\krb5libs.log<BR />&nbsp;kdc = FILE:C:\work\krb5kdc.log<BR />&nbsp;admin_server = FILE:C:\work\kadmind.log<BR />&nbsp;<BR />[libdefaults]<BR />default_realm = OURDOMAIN.LOCAL<BR />default_tkt_enctypes = rc4-hmac<BR />default_tgs_enctypes = rc4-hmac</P><P></P><P>[realms]<BR />OURDOMAIN.LOCAL = {<BR />&nbsp;&nbsp; kdc = dcsvr.ourdomain.local<BR />&nbsp;&nbsp; admin_server = dcsvr.ourdomain.local<BR />}</P><P></P><P>[domain_realm]<BR />dcsvr.ourdomain.local = OURDOMAIN.LOCAL<BR />.dcsvr.ourdomain.local = OURDOMAIN.LOCAL</P><P>---</P></BODY></HTML> Mon, 28 Nov 2016 10:40:34 GMT https://connect.hyland.com/t5/alfresco-archive/sso-kerberos/m-p/291040#M244170 tkim 2016-11-28T10:40:34Z https://connect.hyland.com/t5/alfresco-archive/sso-kerberos/m-p/291041#M244171 <HTML><HEAD></HEAD><BODY><P>Try removing encryption lines:</P><P></P><P><SPAN style="color: #727174; background-color: #ffffff;">default_tkt_enctypes = rc4-hmac</SPAN><BR style="color: #727174;" /><SPAN style="color: #727174; background-color: #ffffff;">default_tgs_enctypes = rc4-hmac</SPAN></P></BODY></HTML> Mon, 28 Nov 2016 11:33:05 GMT https://connect.hyland.com/t5/alfresco-archive/sso-kerberos/m-p/291041#M244171 angelborroy 2016-11-28T11:33:05Z https://connect.hyland.com/t5/alfresco-archive/sso-kerberos/m-p/291042#M244172 <HTML><HEAD></HEAD><BODY><P>thx for reply!</P><P><BR />I&nbsp; modified java.login.config; adding "@OURDOMAIN.LOCAL", and also removed encryption lines from krb5.ini.<BR />Now, when I started Alfresco service, no error was happened and the logs appeared like below;</P><P></P><P>2016-11-29 13:54:25,483 INFO&nbsp; [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Starting 'Authentication' subsystem, ID: [Authentication, managed, kerberos1]<BR />2016-11-29 13:54:25,593 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [localhost-startStop-1] HTTP Kerberos login successful<BR />2016-11-29 13:54:25,593 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [localhost-startStop-1] Logged on using principal HTTP/xxxx<BR />2016-11-29 13:54:25,624 DEBUG [org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter] [localhost-startStop-1] HTTP Kerberos login successful<BR />2016-11-29 13:54:25,624 DEBUG [org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter] [localhost-startStop-1] Logged on using principal HTTP/xxxx<BR />2016-11-29 13:54:25,686 INFO&nbsp; [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Startup of 'Authentication' subsystem, ID: [Authentication, managed, kerberos1] complete</P><P></P><P>But I can not do SSO.<BR />When I access alfresco from IE, the basic authentication dialog appears; maybe come from Alfrescontlm.<BR /><SPAN>IE settings is OK like </SPAN><A class="jive-link-external-small" href="http://docs.alfresco.com/4.0/tasks/auth-kerberos-clientconfig.html" rel="nofollow noopener noreferrer" target="_blank">http://docs.alfresco.com/4.0/tasks/auth-kerberos-clientconfig.html</A><SPAN>.</SPAN></P><P></P><P>1:Kerberos SSO means that no authentication dialog appears, right?<BR />2:my configuration is wrong or not enogh?</P><P></P><P>This is my config.</P><P></P><P>&lt;krb5.ini&gt;<BR />---<BR />[logging]<BR />&nbsp;default = FILE:C:\work\krb5libs.log<BR />&nbsp;kdc = FILE:C:\work\krb5kdc.log<BR />&nbsp;admin_server = FILE:C:\work\kadmind.log<BR />&nbsp;<BR />[libdefaults]<BR />default_realm = OURDOMAIN.LOCAL<BR />default_tkt_enctypes = rc4-hmac<BR />default_tgs_enctypes = rc4-hmac</P><P></P><P>[realms]<BR />OURDOMAIN.LOCAL = {<BR />&nbsp;&nbsp; kdc = dcsvr.ourdomain.local<BR />&nbsp;&nbsp; admin_server = dcsvr.ourdomain.local<BR />}</P><P></P><P>[domain_realm]<BR />dcsvr.ourdomain.local = OURDOMAIN.LOCAL<BR />.dcsvr.ourdomain.local = OURDOMAIN.LOCAL<BR />---</P><P></P><P>&lt;java.login.config&gt;<BR />---<BR />Alfresco {<BR />com.sun.security.auth.module.Krb5LoginModule sufficient;<BR />};</P><P></P><P>AlfrescoCIFS {<BR />com.sun.security.auth.module.Krb5LoginModule required<BR />&nbsp;&nbsp; storeKey=true<BR />&nbsp;&nbsp; useKeyTab=true<BR />&nbsp;&nbsp; keyTab="C:/etc/cifs.keytab"<BR />&nbsp;&nbsp; principal="cifs/alfrescoserver.ourdomain.local@OURDOMAIN.LOCAL";<BR />};</P><P></P><P>AlfrescoHTTP {<BR />com.sun.security.auth.module.Krb5LoginModule required<BR />&nbsp;&nbsp; storeKey=true<BR />&nbsp;&nbsp; useKeyTab=true<BR />&nbsp;&nbsp; keyTab="C:/etc/http7.keytab"<BR />&nbsp;&nbsp; principal="HTTP/alfrescoserver.ourdomain.local@OURDOMAIN.LOCAL";<BR />};</P><P></P><P>ShareHTTP<BR />{<BR />&nbsp;&nbsp; com.sun.security.auth.module.Krb5LoginModule required<BR />&nbsp;&nbsp; storeKey=true<BR />&nbsp;&nbsp; useKeyTab=true<BR />&nbsp;&nbsp; keyTab="C:/etc/http.keytab"<BR />&nbsp;&nbsp; principal="HTTP/alfrescoserver.ourdomain.local@OURDOMAIN.LOCAL";<BR />};<BR />com.sun.net.ssl.client {<BR />com.sun.security.auth.module.Krb5LoginModule sufficient;<BR />};<BR />other {<BR />com.sun.security.auth.module.Krb5LoginModule sufficient;<BR />};<BR />---</P><P></P><P>&lt;share-config-custom.xml(a part of)&gt;<BR />---<BR />&lt;config evaluator="string-compare" condition="Kerberos" replace="true"&gt;<BR />&nbsp;&nbsp; &lt;kerberos&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;password&gt;mypassword&lt;/password&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;realm&gt;OURDOMAIN.LOCAL&lt;/realm&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;endpoint-spn&gt;HTTP/alfrescoserver.ourdomain.local@OURDOMAIN.LOCAL&lt;/endpoint-spn&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;config-entry&gt;AlfrescoHTTP&lt;/config-entry&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp; &lt;stripUserNameSuffix&gt;true&lt;/stripUserNameSuffix&gt;<BR />&nbsp;&nbsp; &lt;/kerberos&gt;<BR />&lt;/config&gt;</P><P></P><P>and uncomment &lt;config evaluator="string-compare" condition="Remote"&gt; sections.<BR />---</P><P></P><P>&lt;kerberos-filter.properties&gt;<BR />---<BR />kerberos.authentication.http.configEntryName=AlfrescoHTTP<BR />kerberos.authentication.http.password=mypassword<BR />kerberos.authentication.sso.enabled=true<BR />kerberos.authentication.browser.ticketLogons=true<BR />kerberos.authentication.sso.fallback.enabled=true<BR />---</P><P></P><P>&lt;alfresco-global.properties&gt;<BR />---</P><P></P><P>authentication.chain=kerberos1:kerberos,ldap1:ldap-ad,alfrescoNtlm1:alfrescoNtlm</P><P></P><P><BR />#NTLM<BR />ntlm.authentication.sso.enabled=false</P><P></P><P><BR />#LDAP</P><P></P><P>#LADAP Sync<BR />ldap.authentication.userNameFormat=%s@ourdomain.local</P><P></P><P>ldap.authentication.java.naming.provider.url=ldap://IPAddress for domain controller:389</P><P></P><P>ldap.synchronization.java.naming.security.principal=username@ourdomain.local<BR />ldap.synchronization.java.naming.security.credentials=mypassword</P><P></P><P>#user</P><P></P><P>ldap.synchronization.userSearchBase=DC\=ourdomain,DC\=local<BR />ldap.synchronization.personType=person</P><P></P><P>ldap.synchronization.userIdAttributeName=sAMAccountName<BR />ldap.synchronization.userFirstNameAttributeName=givenName<BR />ldap.synchronization.userLastNameAttributeName=sn</P><P></P><P>#group<BR />ldap.synchronization.groupSearchBase=DC\=ourdomain,DC\=local<BR />ldap.synchronization.groupType=organizationalUnit</P><P></P><P># Sync<BR />synchronization.synchronizeChangesOnly=false<BR />synchronization.allowDeletions=true<BR />synchronization.syncWhenMissingPeopleLogIn=true<BR />synchronization.syncOnStartup=true</P><P></P><P>ldap.synchronization.enableProgressEstimation=true</P><P></P><P>ldap.synchronization.active=true<BR />ldap.authentication.allowGuestLogin=true</P><P></P><P>synchronization.synchronizeChangesOnly=false</P><P>---</P></BODY></HTML> Tue, 29 Nov 2016 05:09:04 GMT https://connect.hyland.com/t5/alfresco-archive/sso-kerberos/m-p/291042#M244172 tkim 2016-11-29T05:09:04Z https://connect.hyland.com/t5/alfresco-archive/sso-kerberos/m-p/291043#M244173 <HTML><HEAD></HEAD><BODY><P>adding information.</P><P></P><P>When I accessed Alfresco from IE and appears basic authentication dialog, these logs were put out.</P><P></P><P>2016-11-29 14:50:52,728 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-5] Authentication not required (filter), chaining ...<BR />2016-11-29 14:50:52,806 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-6] Authentication not required (filter), chaining ...<BR />2016-11-29 14:50:52,822 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-7] New Kerberos auth request from 127.0.0.1 (127.0.0.1:58954)<BR />2016-11-29 14:50:52,822 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-7] Issuing login challenge to browser.</P></BODY></HTML> Tue, 29 Nov 2016 06:01:19 GMT https://connect.hyland.com/t5/alfresco-archive/sso-kerberos/m-p/291043#M244173 tkim 2016-11-29T06:01:19Z