topic Re: Alfresco authenticate against domain or servername? (AD2003) in Alfresco Archive

Alfresco authenticate against domain or servername? (AD2003)

tpeelen — Thu, 27 Sep 2007 14:10:16 GMT

Hi All,Sometimes I get Alfresco up and running to authenticate & sync against AD2003 (Web Client). However, I get a question from the IT department:"Does Alfresco authenticate against the domain (and find the AD itself) or against a configured named server." We use JAAS/Kerberos on RedHat5, Java

Re: Alfresco authenticate against domain or servername? (AD2003)

tpeelen — Tue, 02 Oct 2007 09:49:04 GMT

The background is the following. I understand from the IT guys over here, Microsoft Active Directory is designed for (un/expected) reboot. Therefore they have at least two instances of AD. Because you can never guarantee that one named server is up and available, they expect an application to ask the domain where the AD(s) can be found.

It appears to me in the Alfresco config there is a reference to named (KDC) servers instead: (http://wiki.alfresco.com/wiki/Configuring_the_CIFS_and_web_servers_for_Kerberos/AD_integration)

file-servers-custom.xml:


<config evaluator="string-compare" condition="Filesystem Security">
  <authenticator type="enterprise">
    <KDC>adsrv.alfresco.org</KDC>
    <Realm>ALFRESCO.ORG</Realm>
    <Password>…</Password>
  </authenticator>
</config>
‍‍‍‍‍‍‍‍‍

and in /etc/krb5.conf


[libdefaults]
 default_realm = ALFRESCO.ORG


[realms]
 ALFRESCO.ORG = {
  kdc = adsrv.alfresco.org
  admin_server = adsrv.alfresco.org
 }


[domain_realm]
 adsrv.alfresco.org = ALFRESCO.ORG
 .adsrv.alfresco.org = ALFRESCO.ORG
‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

The local IT guys need to know if the named-server option can be configured in such a manner it can handle the AD-uncertainty of which of the AD servers is up…

PS: there is something similar in the ldap auth en sync xml configs, although the auth can look for multiple named AD servers…

Re: Alfresco authenticate against domain or servername? (AD2003)

gary_spencer — Mon, 15 Oct 2007 13:57:24 GMT

Hi,

The Kerberos setup details are not under our control. All of the samples I've seen or used have named servers in them, but it may be possible to name multiple servers.

In the Alfresco config the KDC value is used to do the initial service logon using the key table that is generated during the setup. I'm not sure if having a list of servers there would work unless there is some replication between the AD servers so that the key table is still valid. The key has a version number in it which is bumped each time the key table is generated with the ktpass command, the version numbers must match.

If you follow the Kerberos setup then list the SPNs on the backup AD server for the account are the mappings there ?.

If the values are being replicated then it could be possible to make the KDC property a list of servers, but it might require the krb5.ini setup to match as some of the Java API code references those settings.

Cheers

Gary