https://connect.hyland.com/t5/alfresco-archive/kerberos-issue-client-sent-an-ntlmssp-security-blob-not-able-to/m-p/292490#M245620 <HTML><HEAD></HEAD><BODY><SPAN>Hi Forum ,</SPAN><BR /><SPAN>i am setting kerberos authentication .</SPAN><BR /><SPAN>In my logs i am able to see</SPAN><BR /><PRE class="language-none line-numbers"><CODE> INFO&nbsp; [management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Starting 'Authentication' subsystem, ID: [Authentication, managed, kerberos1]<BR /> 2015-02-09 10:52:19,943&nbsp; DEBUG [app.servlet.KerberosAuthenticationFilter] [localhost-startStop-1] HTTP Kerberos login successful<BR /><BR /> <SPAN class="line-numbers-rows"><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN></SPAN></CODE></PRE><BR /><SPAN>But when I login from client it prompts for Windows pop up for login.</SPAN><BR /><SPAN>I want to achieve SSO with kerberos to both Explorer and Share.</SPAN><BR /><SPAN>Below is my configuration</SPAN><BR /><BR /><SPAN>I have refereed below link for kerberos configuration</SPAN><BR /><A href="http://www.anotherstrangerme.com/afresco-integration-with-active-directory-using-kerberos/" rel="nofollow noopener noreferrer">http://www.anotherstrangerme.com/afresco-integration-with-active-directory-using-kerberos/</A><BR /><BR /><SPAN>Step 1: Created two accounts in AD AlfresoHTTP and AlfrescoCIFS with settings given in link above.</SPAN><BR /><SPAN>Step 2: used ktpass command</SPAN><BR /><SPAN>&lt;blockcode&gt;</SPAN><BR /><SPAN>ktpass -princ cifs/&lt;cifs-server-name&gt;.&lt;domain&gt;@&lt;realm&gt; -pass &lt;password&gt; -mapuser &lt;domainnetbios&gt;\alfrescocifs -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -out c:\temp\alfrescocifs.keytab</SPAN><BR /><BR /><SPAN>ktpass -princ HTTP/&lt;web-server-name&gt;.&lt;domain&gt;@&lt;realm&gt; -pass &lt;password&gt; -mapuser &lt;domainnetbios&gt;\alfrescohttp -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -out c:\temp\alfrescohttp.keytab</SPAN><BR /><BR /><SPAN>&lt;/blockcode&gt;</SPAN><BR /><BR /><SPAN>Please note I have used -crypto DES-CBC-MD5&nbsp; will this really matters??am i right here?can i use this??Please suggest right approach.</SPAN><BR /><BR /><SPAN>Step 3: krb5.ini&nbsp; (ini file as i am doing it on windows server 2008 R2 )</SPAN><BR /><PRE class="language-none line-numbers"><CODE><BR />[libdefaults]<BR />default_realm = ALFRESCO.ORG<BR />[realms]<BR />ALFRESCO.ORG = {<BR />kdc = adsrv.alfresco.org<BR />admin_server = adsrv.alfresco.org<BR />}<BR />[domain_realm]<BR />adsrv.alfresco.org = ALFRESCO.ORG<BR />.adsrv.alfresco.org = ALFRESCO.ORG<BR /><BR /><SPAN class="line-numbers-rows"><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN></SPAN></CODE></PRE><SPAN> with my appropriate settings</SPAN><BR /><SPAN>But here i have not mentioned </SPAN><BR /><SPAN>default_tkt_enctypes =&nbsp; and</SPAN><BR /><SPAN>default_tgs_enctypes =&nbsp;&nbsp;&nbsp; </SPAN><BR /><BR /><SPAN>i tried with using DES-CBC-MD5 but it did not work</SPAN><BR /><BR /><SPAN>step 4 :</SPAN><BR /><PRE class="language-none line-numbers"><CODE><BR />Alfresco {<BR />com.sun.security.auth.module.Krb5LoginModule sufficient;<BR />};<BR />AlfrescoCIFS {<BR />com.sun.security.auth.module.Krb5LoginModule required<BR />storeKey=true<BR />useKeyTab=true<BR />keyTab=”C:/temp/alfrescocifs.keytab”<BR />principal=”cifs/&lt;cifs-server-name&gt;.&lt;domain&gt;”;<BR />};<BR />AlfrescoHTTP {<BR />com.sun.security.auth.module.Krb5LoginModule required<BR />storeKey=true<BR />useKeyTab=true<BR />keyTab=”C:/temp/alfrescohttp.keytab”<BR />principal=”HTTP/&lt;web-server-name&gt;.&lt;domain&gt;”;<BR />};<BR />com.sun.net.ssl.client {<BR />com.sun.security.auth.module.Krb5LoginModule sufficient;<BR />};<BR />other {<BR />com.sun.security.auth.module.Krb5LoginModule sufficient;<BR />}<BR /><SPAN class="line-numbers-rows"><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN></SPAN></CODE></PRE><BR /><BR /><SPAN>step 5: in JRE\lib\security\java.security.</SPAN><BR /><PRE class="language-none line-numbers"><CODE>login.config.url.1=file:C:/Alfresco/java/jre/lib/security/java.login.config <SPAN class="line-numbers-rows"><SPAN>‍</SPAN></SPAN></CODE></PRE><SPAN> </SPAN><BR /><SPAN>and chain as below:</SPAN><BR /><SPAN>authentication.chain=kerberos1:kerberos,ldap1:ldap-ad</SPAN><BR /><BR /><SPAN>My Qproblem :</SPAN><BR /><SPAN>1) not able to SSO on Alfresco ( Share not yet configured )</SPAN><BR /><SPAN>2) On attempt to login with link</SPAN><BR /><A href="http://server-name:8080/alfresco/" rel="nofollow noopener noreferrer">http://server-name:8080/alfresco/</A><BR /><SPAN>It prompt me windows login screen and then alfresco login screen if my password is correct.</SPAN><BR /><BR /><SPAN>My Log says as bwlow :</SPAN><BR /><PRE class="language-none line-numbers"><CODE><BR /> 2015-02-09 10:54:36,959&nbsp; INFO&nbsp; [site.servlet.SSOAuthenticationFilter] [localhost-startStop-1] SSOAuthenticationFilter initialised.<BR /> 2015-02-09 10:55:39,407&nbsp; DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-3] New Kerberos auth request from 10.0.2.22 (10.0.2.22:60268)<BR /> 2015-02-09 10:55:39,407&nbsp; DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-3] Issuing login challenge to browser.<BR /> 2015-02-09 10:55:39,438&nbsp; DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-4] Client sent an NTLMSSP security blob<BR /> 2015-02-09 10:55:39,438&nbsp; DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-4] Clearing session.<BR /> 2015-02-09 10:55:39,438&nbsp; DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-4] Issuing login challenge to browser.<BR /> 2015-02-09 10:56:06,785&nbsp; DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-6] Login page requested, chaining …<BR /> 2015-02-09 10:56:07,503&nbsp; DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-8] Authentication not required (filter), chaining …<BR /><SPAN class="line-numbers-rows"><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN></SPAN></CODE></PRE><BR /><BR /><BR /><SPAN>version using 4.2e</SPAN><BR /><BR /><SPAN>Please help me to understand and to solve where i am going wrong</SPAN><BR /><SPAN>Please let me know if any other information is required.</SPAN><BR /><BR /></BODY></HTML> Mon, 09 Feb 2015 05:52:54 GMT aditya_chaudhar 2015-02-09T05:52:54Z https://connect.hyland.com/t5/alfresco-archive/kerberos-issue-client-sent-an-ntlmssp-security-blob-not-able-to/m-p/292490#M245620 Hi Forum ,i am setting kerberos authentication .In my logs i am able to see INFO&nbsp; [management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Starting 'Authentication' subsystem, ID: [Authentication, managed, kerberos1] 2015-02-09 10:52:19,943&nbsp; DEBUG [app.servlet.KerberosAuthentic Mon, 09 Feb 2015 05:52:54 GMT https://connect.hyland.com/t5/alfresco-archive/kerberos-issue-client-sent-an-ntlmssp-security-blob-not-able-to/m-p/292490#M245620 aditya_chaudhar 2015-02-09T05:52:54Z https://connect.hyland.com/t5/alfresco-archive/kerberos-issue-client-sent-an-ntlmssp-security-blob-not-able-to/m-p/292491#M245621 <HTML><HEAD></HEAD><BODY><SPAN>Hi Forum,</SPAN><BR /><BR /><SPAN>I have configured Kerberos Authentication with SSO on explorer and share.</SPAN><BR /><BR /><SPAN>I was stuck at above mentioned error.</SPAN><BR /><SPAN>i.e&nbsp; Client sent an NTLMSSP security blob</SPAN><BR /><BR /><SPAN>I change one property in AD .</SPAN><BR /><SPAN>the Use DES encryption types for this account&nbsp; is unchecked. And few related settings and all works great.</SPAN><BR /><BR /><SPAN>After a week of struggle i able to configure this , i feel like happiest person on the earth when i achieve this.</SPAN><BR /><BR /><SPAN>Thanks to forum all comments here helps a lot.</SPAN><BR /><BR /><SPAN>Feel free to ask me if you want all my configuration . I would be happy to help you.</SPAN><BR /><BR /><SPAN>Thanks and Regards</SPAN><BR /><SPAN>Aditya C Chaudhari</SPAN></BODY></HTML> Thu, 12 Feb 2015 11:42:45 GMT https://connect.hyland.com/t5/alfresco-archive/kerberos-issue-client-sent-an-ntlmssp-security-blob-not-able-to/m-p/292491#M245621 aditya_chaudhar 2015-02-12T11:42:45Z https://connect.hyland.com/t5/alfresco-archive/kerberos-issue-client-sent-an-ntlmssp-security-blob-not-able-to/m-p/292492#M245622 <HTML><HEAD></HEAD><BODY><P>Hello Aditya,</P><P></P><P>Could you please let us know what configuration changes are required on AD side and how can we achieve that.</P><P>Thanks and Regards,</P><P>Supriya</P></BODY></HTML> Wed, 17 Apr 2019 09:49:32 GMT https://connect.hyland.com/t5/alfresco-archive/kerberos-issue-client-sent-an-ntlmssp-security-blob-not-able-to/m-p/292492#M245622 supriya_verma 2019-04-17T09:49:32Z