topic 4.2e kerberos auth error in Alfresco Archive

4.2e kerberos auth error

vincent-kali — Tue, 19 Nov 2013 15:55:36 GMT

[Alfresco CE 4.2e on linux debian, MS2008R2 AD Ctrl]Hi,I'm trying to setup kerberos auth with MSAD / SSO for fileserver and HTTP.I'm always facing the same error when starting alfresco: javax.security.auth.login.LoginException: Client not found in Kerberos database (6)I did the following:1) Cre

Re: 4.2e kerberos auth error

vincent-kali — Wed, 20 Nov 2013 14:02:29 GMT

Some updates:
I'm facing EXACTLY the problem described here: http://social.technet.microsoft.com/Forums/windowsserver/fr-FR/1fcca58d-ea35-423e-9c59-9c1329642e16/client-not-found-in-kerberos-database-while-getting-initial-credentials

Not an Alfresco Issue, but a Kerberos/Keytab issue.
When creating a keytab file for a regular user using KTPASS.EXE on AD Contrl, everything is OK (tested using kinit from alfresco server)
When creating a keytab for the service account HTTP/alfrescoserver.mydomain.local, the following error occurs:
   > kinit -V AlfrescoHTTP -k -t keys/AlfrescoHTTP.keytab
    Using default cache: /tmp/krb5cc_0
    Using principal: AlfrescoHTTP@MYDOMAIN.LOCAL
    Using keytab: keys/AlfrescoHTTP.keytab
    kinit: Key table entry not found while getting initial credentials

The domain controller send back "PRINCIPAL UNKNOWN", but the SPN is correcly set.
It seeam that the syntact "HTTP/myserver…." using "/" is not supported.

Did one of you implement kerberos auth against 2008R2 DC successfully ?
Any idea ?

Thank in advance

Re: 4.2e kerberos auth error

vincent-kali — Fri, 22 Nov 2013 10:09:40 GMT

I finally found the issues:
- Duplicate UPN (I checked for duplicate SPN using setspn -X not for UPN. Finally did it using ldap query, and remove duplicates).
- Issue with ktpass using /mapuser option: this reset user password on 2008R2 DC (at least in my context); Then I had to map user manually, and run ktpass without this option.

Vincent