topic Kerberos cross domain auth fails with KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN in Alfresco Archive

Kerberos cross domain auth fails with KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN

betawayoflife — Thu, 22 Dec 2016 11:55:48 GMT

Hi guys,i've a problem authenticating kerberos with multiple domains.I'm using Alfresco 4.2f on Windows Server 2012 R2 and i've a forest trust (function level 2008 r2) between two domains.My kerberos cross domain setup is like in the word document from here:[MNT-10368] support for cross-domain kerbe

Re: Kerberos cross domain auth fails with KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN

afaust — Sun, 25 Dec 2016 17:41:01 GMT

Can you provide more details, e.g. the principal set to authenticate on the Share tier (which is typically different from the Repository tier, which you have provided). I know you said you have configured it "like in the word document" but that word document is lacking some details I would have expected and all too often I have also seen slight errors / oversight tha turned out to be the cause of problems.

Also you can activate Java debug output for Kerberos authentication (system property sun.security.krb5.debug set to true) and provide the details here so that people have more to go on.

Re: Kerberos cross domain auth fails with KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN

betawayoflife — Mon, 02 Jan 2017 07:47:22 GMT

Hi Axel,

i edit my first post and add more details.

I've already activatet the krb5.debug but i get no message / error in the alfrescout-stdout.

I only get following messages:

 2017-01-02 08:43:40,386 DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-2] New Kerberos auth request from 1.2.3.4 (1.2.3.4:65030)
 2017-01-02 08:43:40,386 DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-2] Issuing login challenge to browser.
 2017-01-02 08:43:40,464 DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-3] Login page requested, chaining ...‍‍‍

In the webinterface i only get following error:

Unable to login - unknown username/password.

Thx,
Beta

Re: Kerberos cross domain auth fails with KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN

afaust — Mon, 02 Jan 2017 10:12:22 GMT

If krb5.debug is activated correctly the catalina.out / alfrescout-stdout log file should contain significant technical details about all Kerberos interactions. If that is not the case I would advise to check the krb5.debug activation. The property cannot be set via alfresco-global.properties and must be provided as a JVM parameter. When using the Windows Service for Tomcat this requires a reconfiguration of the service itself.

Re: Kerberos cross domain auth fails with KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN

betawayoflife — Mon, 02 Jan 2017 11:29:45 GMT

Thx, i forget the "D" for the tomcat config...

The right entry for the tomcat config:

-Dsun.security.krb5.debug=true‍‍

Now i see following error in the log:

2017-01-02 12:25:31,912 DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-2] Login page requested, chaining ...
 default etypes for default_tkt_enctypes: 23.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=dc01.domain1.loc UDP:88, timeout=30000, number of retries =3, #bytes=145
>>> KDCCommunication: kdc=dc01.domain1.loc UDP:88, timeout=30000,Attempt =1, #bytes=145
>>> KrbKdcReq send: #bytes read=100
>>> KdcAccessibility: remove dc01.domain1.loc:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
 sTime is Mon Jan 02 12:25:31 CET 2017 1483356331000
 suSec is 895582
 error code is 6
 error Message is Client not found in Kerberos database
 realm is DOMAIN1.LOC
 sname is krbtgt/DOMAIN1.LOC
 msgType is 30‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

The strange thing is that i try to login with a user from domain2.loc.

Thx,

Joe

Re: Kerberos cross domain auth fails with KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN

afaust — Mon, 02 Jan 2017 12:54:47 GMT

But you have configured a specific kerberos.authentication.realm which is used as the default real / domain. Did you provide the domain as an explicit realm when trying to login, e.g. use a prinicipal name like user.name@domain2.loc?

Re: Kerberos cross domain auth fails with KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN

betawayoflife — Mon, 02 Jan 2017 13:07:02 GMT

Yes, in the kerberos subsystem config.

kerberos.authentication.realm=DOMAIN1.LOC‍

If i remove this line alfresco won't come up because of a missing propertie.

I've tried with "DOMAIN2\username", "username@domain2" and "username@domain2.loc".

Same error for all of them.

If i try to login with a user from domain1 the DEBUG log looks like this:
(it works and the log is much longer)

2017-01-02 13:53:10,844 DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-5] Login page requested, chaining ...
 default etypes for default_tkt_enctypes: 23.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=dc01.domain1.loc UDP:88, timeout=30000, number of retries =3, #bytes=141
>>> KDCCommunication: kdc=dc01.domain1.loc UDP:88, timeout=30000,Attempt =1, #bytes=141
>>> KrbKdcReq send: #bytes read=185
>>>Pre-Authentication Data:
 PA-DATA type = 11
 PA-ETYPE-INFO etype = 23, salt = 

>>>Pre-Authentication Data:
 PA-DATA type = 19
 PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
 PA-DATA type = 2
 PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
 PA-DATA type = 16

>>>Pre-Authentication Data:
 PA-DATA type = 15

>>> KdcAccessibility: remove dc01.domain1.loc:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
 sTime is Mon Jan 02 13:53:10 CET 2017 1483361590000
 suSec is 363334
 error code is 25
 error Message is Additional pre-authentication required
 realm is DOMAIN1.LOC
 sname is krbtgt/DOMAIN1.LOC
 eData provided.
 msgType is 30
>>>Pre-Authentication Data:
 PA-DATA type = 11
 PA-ETYPE-INFO etype = 23, salt = 

>>>Pre-Authentication Data:
 PA-DATA type = 19
 PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
 PA-DATA type = 2
 PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
 PA-DATA type = 16

>>>Pre-Authentication Data:
 PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23.
default etypes for default_tkt_enctypes: 23.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=dc01.domain1.loc UDP:88, timeout=30000, number of retries =3, #bytes=219
>>> KDCCommunication: kdc=dc01.domain1.loc UDP:88, timeout=30000,Attempt =1, #bytes=219
>>> KrbKdcReq send: #bytes read=1393
>>> KdcAccessibility: remove dc01.domain1.loc:88
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply informix‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Re: Kerberos cross domain auth fails with KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN

betawayoflife — Wed, 11 Jan 2017 13:15:23 GMT

Any ideas Axel or anyone else?