Kerberos SSO configuration

statira — Thu, 14 Jan 2021 06:28:22 GMT

Hi guys. I'm trying to set up Kerberos + SSO on alfresco 5.2 server based on this tutorial https://hub.alfresco.com/t5/alfresco-content-services-hub/configuring-the-cifs-and-web-servers-for-kerberos-ad-integration/ba-p/289479.
But I'm getting
ERROR [org.alfresco.web.site.servlet.SSOAuthenticationFilter] [localhost-startStop-1] HTTP Kerberos web filter error
javax.security.auth.login.LoginException: Unable to obtain password from user

Any

I've created AD users myalfcifs and myalfhttp and enabled Do not require Kerberos preauthentication options in the Account Options. Created key tables with
ktpass -princ cifs/alfresco.mycomp.com@MYCOMP.COM -pass D password1 -mapuser mycomp\myalfcifs -crypto all -ptype KRB5_NT_PRINCIPAL -out c:\temp\myalfcifs .keytab -kvno 0
and
ktpass -princ HTTP/alfresco.mycomp.com@MYCOMP.COM -pass D password2 -mapuser mycomp\myalfhttp -crypto all -ptype KRB5_NT_PRINCIPAL -out c:\temp\myalfhttp .keytab -kvno 0
Created SPN
setspn -a cifs/alfresco myalfcifs
setspn -a cifs/alfresco myalfhttp

I'm not sure whether I should my username myalfcifs/http instead of AlfrescoCIFS/HTTP to in java.login.config (tried both ways with no difference)

AlfrescoCIFS {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
keyTab="/etc/keys/myalfcifs.keytab"
principal="cifs/alfresco.mycomp.com";
};

related alfresco-global.properties configuration:

authentication.chain=ldap1:ldap-ad,kerberos1:kerberos

ntlm.authentication.sso.enabled=false
ntlm.authentication.browser.ticketLogons=true
ldap.authentication.active=false
ldap.authentication.userNameFormat=%s
ldap.authentication.allowGuestLogin=false
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://dc.mycomp.com:389

synchronization.synchronizeChangesOnly=false
synchronization.import.cron=0 2 * * * ?
synchronization.syncWhenMissingPeopleLogIn=true
synchronization.autoCreatePeopleOnLogin=true

ldap.synchronization.active=true
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.java.naming.security.authenticaton=simple
ldap.synchronization.java.naming.security.principal=user_alfresco@mycomp.com
ldap.synchronization.java.naming.security.credentials=Password
ldap.synchronization.groupSearchBase=dc\=mycomp,dc\=com
ldap.synchronization.userSearchBase=dc\=mycomp,dc\=com

### Kerberos properties ###
kerberos.authentication.sso.enabled=true
kerberos.authentication.defaultAdministratorUserNames=admin
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.cifs.configEntryName=myalfcifs
kerberos.authentication.cifs.password=password1
kerberos.authentication.http.configEntryName=myalfhttp
kerberos.authentication.http.password=password2
kerberos.authentication.authenticateCIFS=true
kerberos.authentication.realm=MYCOMP.COM
kerberos.authentication.stripUsernameSuffix=true
kerberos.authentication.browser.ticketLogons=true
kerberos.authentication.sso.fallback.enabled=true

share-config-custom.xml Kerberos settings:

<config evaluator="string-compare" condition="Kerberos" replace="true">
<kerberos>
<password>password2</password>
<realm>MYCOMP.COM</realm>
<endpoint-spn>HTTP/alfresco.mycomp.com@MYCOMP.COM</endpoint-spn>
<config-entry>ShareHTTP</config-entry>
<stripUserNameSuffix>true</stripUserNameSuffix>
</kerberos>
</config>

+ uncommented <config evaluator="string-compare" condition="Remote"> sections

topic Kerberos SSO configuration in Alfresco Forum

Kerberos SSO configuration