topic Kerberos SSO for Share (and Alfresco) struggles in Alfresco Archive

Kerberos SSO for Share (and Alfresco) struggles

john_pen — Mon, 10 Nov 2014 18:57:30 GMT

Hi folks,I'm looking for some help on this subject really, and any assistance is greatly appreciated.I basically followed the instructions in the below guides to get to the position I am currently in now:http://docs.alfresco.com/4.0/tasks/auth-kerberos-ADconfig.htmlhttp://docs.alfresco.com/4.0/tasks

Re: Kerberos SSO for Share (and Alfresco) struggles

sab — Thu, 20 Nov 2014 03:07:23 GMT

I noticed this in your file:
keyTab="/etc/keys/http.keytab"

If you look here:
http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#Kerberos
An example is keyTab="/etc/alfrescohttp.keytab"

So you have a folder in between were the file should be???
Just an idea.

I myself have tried and failed to get Kerberos to work, so i know little about this software also. All i got working was passthru & LDAP-AD.

Regards

Re: Kerberos SSO for Share (and Alfresco) struggles

swatnew1 — Mon, 01 Dec 2014 18:20:00 GMT

I have tried and implemented Kerberos successfully . It works.
John ,
Pricipal can not be just HTTP/

It should be like below
AlfrescoHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/keys/prod_int_merged.keytab"
   principal="HTTP/edms.deltads.ent";
   };

   ShareHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/keys/prod_int_merged.keytab"
   principal="HTTP/edms.deltads.ent";
   };
Http/servername

Re: Kerberos SSO for Share (and Alfresco) struggles

john_pen — Wed, 03 Dec 2014 10:48:52 GMT

Hi Sab,

Firstly thanks for taking the time to reply, I appreciate it. Secondly, apologies for the delayed response.

Yes, the keytab files are stored in '/etc/keys/', but as long as the keytabs can be found in the path specified in the java.login.config file I don't think this is the issue. Kerberos SSO was working with this config but for the life of me I can't find what has changed to break it. That said, I'm completely out of ideas at this point so I'm willing to try anything.

Regards,
John

Re: Kerberos SSO for Share (and Alfresco) struggles

john_pen — Wed, 03 Dec 2014 11:00:22 GMT

Hi Swatnew1,

Thanks for your response, again it's greatly appreciated.

Sorry - I've removed a number of references to our domain/network from the config files but overlooked the fact I hadn't padded out the principal with some dummy info. The principals are actually more like 'principal="HTTP/servername.domain.local"' and "cifs/servername.domain.local". These point at the users/SPN's created in Active Directory and keytab authentication against these principals (using kinit command in Ubuntu) is successful.

I also did have kerberos SSO working for a brief period of time and as far as I can tell nothing has changed in terms of config, but now I get a basic authentication prompt from the browser (IE or Chrome) when accessing alfresco and share sites.

Re: Kerberos SSO for Share (and Alfresco) struggles

a_varvitsiotis — Tue, 24 Mar 2015 05:18:32 GMT

Did you have any luck in resolving this? We have hit the exact same problem (or if not,
something very similar anyway). I would be interested to hear if you have found a solution.

Regards,

Angelos

Re: Kerberos SSO for Share (and Alfresco) struggles

a_varvitsiotis — Fri, 27 Mar 2015 04:20:00 GMT

…and it may help you, too, so I am giving out some hints here.
Your logs state that Kerberos is not attempted at all by your browser:


 15:27:48,110 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] New Kerberos auth request from x.x.x.x  (x.x.x.x:38935)
 15:27:48,115 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Client sent an NTLMSSP security blob
‍‍‍‍

"Client sent an NTLMSSP security blob" means that the Authorize: HTTP header that your browser is sending
does not contain a Kerberos ticket, but instead an NTLMSSP protocol blob, containing negotiation data. The
next question is, why?

In order to debug this, you should use a sniffer like Wireshark to capture the conversation between your
client and your KDC/AS (your domain controller). Look for a possible failure when the client sends a
TGS-REQ request to the KDC/AS, asking for the service ticket to Alfresco.

In our case, we found that the culprit was a misconfiguration in the encrytpion types. I noticed that in
your krb5.conf, you allow only arcfour-hmac-md5, and it may be the case that one of your service accts
is using DES or some other encryption type.

In our case, DES was set for the service account (and that was dropped by the default security policies
of Windows 7). In your case it may be something similar, having to do with encryption types, but it can
equally well be a misspelling in the service name.

Alas, these misconfigurations seem to be common and it I could not find many good replies in forums
(this one, stackoverflow or others). I hope this one will help you.

Regards,

Angelos

Re: Kerberos SSO for Share (and Alfresco) struggles

john_pen — Thu, 02 Apr 2015 09:59:41 GMT

Hi Angelos,

Apologies for the delayed response. I'd given up checking on this post due to lack of replies, but I did manage to get kerberos SSO working in the end. However, it was not using Alfresco Community Edition 4.0.d mentioned in this post, as our development team made the decision to make use of Alfresco Community Edition 4.2.f instead. If you're not using the same version of Alfresco as ourselves, I'm not sure whether my config will work in your environment, but I did make some notes detailing the steps I took to configure SSO if you're interested. I'd have to clean them up a little, but I'd gladly send them to yourself if you want them. I'll check back on the post every now and again to see if you have replied.

Regards,
John

Re: Kerberos SSO for Share (and Alfresco) struggles

borisstankov — Tue, 07 Apr 2015 07:57:37 GMT

Hello,

Would you mind send me your settings for the Kerberos so I can check it? I'm having issues with it too, so I want to check the configurations.

Re: Kerberos SSO for Share (and Alfresco) struggles

john_pen — Wed, 13 May 2015 11:53:57 GMT

Hi Boris,

Apologies for the delay, I don't really check this post any longer. However attached is the contents of our /etc/krb5.conf. I had to rename the file ".txt" in order to upload it, if you need to open the file in a text editor use something like Notepad++, as Windows Notepad loses the formatting.

I've replaced any reference to our domain/server names, obviously you'll need to replace "DOMAIN.NAME" with your own domain information and reference your own domain controller, and note that some values are UPPER CASE. If you were looking for any other information please post a reply and I'll see if I can help.

Re: Kerberos SSO for Share (and Alfresco) struggles

tanmaysalve — Wed, 14 Jun 2017 08:37:14 GMT

Question: NOT ABLE TO ESTABLISH SSO using Kerberos.

Environment Details:

alfresco-community-installer-201611-EA-win-x64

Windows server 2008 R2 Standard.

***** Find all the files in the attachments

Steps Performed:

1) created two LDAP users - name: AlfrescoHTTP, password: ***, name: AlfrescoCIFS, password: ***

2) a) Enable Password never expires.
    b) Disable User must change password at next logon.
    c) Select the Account tab and enable the Do not require Kerberos preauthentication option in the Account         Options section.
    d) In the user Delegation tab, select the Trust this user for delegation to any service (Kerberos only) check box.

3) Created Keytab files for both users, kept at location C:\alf\ on server (aaa),

4) Created "krb5.ini" file on server (aaa) at location, C:\Windows\

5) Created "java.login.config" file at location <install-path>:\Alfresco\instance\java\lib\security\

6) Edited "java.security" file at <install-path>:\Alfresco\instance\java\lib\security\ path and appended following,

7) Edited alfresco-global.properties file.

😎 Edited share-config-custom.xml file.

9) Restarted the alfresco services.

Log Files:

alfrescotomcat-stdout.2017-06-12.log

2017-06-12 12:34:36,168 INFO [alfresco.repo.admin] [localhost-startStop-1] Using database URL 'jdbcostgresql://localhost:5432/alfresco' with user 'alfresco'.
2017-06-12 12:34:36,168 INFO [alfresco.repo.admin] [localhost-startStop-1] Connected to database PostgreSQL version 9.4.4
2017-06-12 12:34:45,980 INFO [domain.schema.SchemaBootstrap] [localhost-startStop-1] Ignoring script patch (post-Hibernate): patch.db-V4.2-metadata-query-indexes
2017-06-12 12:34:45,980 INFO [domain.schema.SchemaBootstrap] [localhost-startStop-1] Ignoring script patch (post-Hibernate): patch.db-V5.1-metadata-query-indexes
2017-06-12 12:34:45,980 INFO [domain.schema.SchemaBootstrap] [localhost-startStop-1] Ignoring script patch (post-Hibernate): patch.db-V5.2-remove-jbpm-tables-from-db
2017-06-12 12:34:57,667 INFO [management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Starting 'Authentication' subsystem, ID: [Authentication, managed, kerberos1]
2017-06-12 12:34:57,902 DEBUG [app.servlet.KerberosAuthenticationFilter] [localhost-startStop-1] HTTP Kerberos login successful
2017-06-12 12:34:57,902 DEBUG [app.servlet.KerberosAuthenticationFilter] [localhost-startStop-1] Logged on using principal HTTP/HOST.comp.com@COMP.COM
2017-06-12 12:34:57,933 DEBUG [webdav.auth.KerberosAuthenticationFilter] [localhost-startStop-1] HTTP Kerberos login successful
2017-06-12 12:34:57,933 DEBUG [webdav.auth.KerberosAuthenticationFilter] [localhost-startStop-1] Logged on using principal HTTP/HOST.comp.com@COMP.COM
2017-06-12 12:34:58,042 INFO [management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Startup of 'Authentication' subsystem, ID: [Authentication, managed, kerberos1] complete
2017-06-12 12:34:58,042 INFO [management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Starting 'Authentication' subsystem, ID: [Authentication, managed, ldap1]
2017-06-12 12:34:58,324 INFO [management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Startup of 'Authentication' subsystem, ID: [Authentication, managed, ldap1] complete

Alfresco.log file

2017-06-12 17:05:21,669 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-3] New Kerberos auth request from 127.0.0.1 (127.0.0.1:57333)
2017-06-12 17:05:21,669 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-3] Issuing login challenge to browser.
2017-06-12 17:05:27,888 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-7] New Kerberos auth request from 127.0.0.1 (127.0.0.1:57341)
2017-06-12 17:05:27,888 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-7] Issuing login challenge to browser.
2017-06-12 17:05:28,044 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-12] New Kerberos auth request from 127.0.0.1 (127.0.0.1:57341)
2017-06-12 17:05:28,044 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-12] Issuing login challenge to browser.
2017-06-12 17:05:28,982 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-15] New Kerberos auth request from 127.0.0.1 (127.0.0.1:57339)
2017-06-12 17:05:28,982 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-15] Issuing login challenge to browser.@#

Question: Want to know whether the steps which are performed for Kerberso sso are correct or some more config need to be done. Not able to figure out from the logs files what is the exact error. How do I proceed further in investigating and establishing SSO.