topic Re: Apache Reverse Proxy with Kerberos SSO in Alfresco Forum

Apache Reverse Proxy with Kerberos SSO

phivuu-2 — Fri, 06 Dec 2019 12:03:29 GMT

I have succesfully configured Kerberos and generated SPN + Keytabs to work when the Reverse Proxy is disabled. However I want it to work with the reverse proxy. From what I understand, I need to generate generate new SPN + Keytabs for the proxy DNS. Alfresco server runs on the same server as Apache reverse server.

Do I need to reconfigure krb5.ini, java.login.config and share-config-custom.xml anything?

krb5.ini: Points to the AD server
java.login.config: Currently points to the alfresco server which runs apache reverse proxy(not using the proxy DNS).
share-config-custom.xml: Kerberos endpoint-spn points to the alfresco server which runs apache reverse proxy(not using the proxy DNS). Remote section uses localhost.

The proxy DNS is alfrescotest.jonkoping.se. Are the commands correct or did I add one .jonkoping.se too many?

setspn -a cifs/alfrescotest.jonkoping.se alfrescocifs
setspn -a cifs/alfrescotest.jonkoping.se.jonkoping.se alfrescocifs
setspn -a HTTP/alfrescotest.jonkoping.se alfrescohttp
setspn -a HTTP/alfrescotest.jonkoping.se.jonkoping.se alfrescohttp

ktpass -princ cifs/alfrescotest.jonkoping.se.jonkoping.se@jonkoping.se -pass Password -mapuser jonkoping\alfrescocifs -crypto ALL -ptype KRB5_NT_PRINCIPAL -out d:\temp\alfrescocifs.keytab -kvno 0

ktpass -princ HTTP/alfrescotest.jonkoping.se.jonkoping.se@jonkoping.se -pass Password -mapuser jonkoping\alfrescohttp -crypto ALL -ptype KRB5_NT_PRINCIPAL -out d:\temp\alfrescohttp.keytab -kvno 0

Lastly, do I need to configure Apache httpd.conf anything to forward the headers to alfresco repository?

Re: Apache Reverse Proxy with Kerberos SSO

c-0815 — Thu, 14 May 2020 15:18:14 GMT

I have the same problem. Have you found a solution in the meantime?

regards

Ralph

Re: Apache Reverse Proxy with Kerberos SSO

phivuu-2 — Thu, 14 May 2020 15:29:59 GMT

Yes, this link was also somewhat helpful https://docs.alfresco.com/sso/topics/kerberos.html
Here's my notes:

1. If there is a reverse proxy, make sure it's used to create SPN and kerberos keytabs.
Example: Proxy DNS alfresco.example.com Realm: EXAMPLE.COM
setspn -a HTTP/alfresco.example.com alfrescohttp
ktpass -princ HTTP/alfresco.example.com@EXAMPLE.COM -pass Password -mapuser example\alfrescohttp -crypto ALL -ptype KRB5_NT_PRINCIPAL -out d:\temp\alfrescohttp.keytab -kvno 0
2. Make sure AlfrescoHTTP AlfrescoCIFS AD users can be found in alfresco after a sync.
3. krb5.ini - Point at the AD server here.
4. share-config-custom.xml - Make sure endpoint-spn is pointed to the reverse proxy DNS if there is one.
5. No Kerberos module should be needed for Reverse Proxy. It should forward the Kerberos headers to alfresco repository for authentication if the SPN and keytabs are created with proxy DNS.
6. java/lib/security/java.login.config - Make sure principal is pointed to reverse proxy DNS.

Re: Apache Reverse Proxy with Kerberos SSO

c-0815 — Tue, 26 May 2020 13:39:37 GMT

Thank you. Now it works.

kind regards

Ralph