https://connect.hyland.com/t5/alfresco-forum/could-we-make-the-kerberos-users-alfrescocifs-and-alfrescohttp/m-p/13121#M5774 <HTML><HEAD></HEAD><BODY><P>Two Instances:</P><P>UAT (ip1), PROD(ip2)</P><P>Steps Performed:</P><P></P><P>First kerberos configuration on UAT - successful</P><P>Second&nbsp;<SPAN>kerberos configuration on PROD - successful</SPAN></P><P></P><P>then,</P><P>On UAT,</P><P>when, 1.1.1.1:8080/share, it gives cannot found.</P><P>alfresco and share application throws exception.</P><P></P><P></P><P>Reason:</P><P></P><P>****-**-**&nbsp;**:**:**,925 ERROR [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [localhost-startStop-1<STRONG>] HTTP Kerberos web filter error</STRONG><BR />javax.security.auth.login.LoginException: Client not found in Kerberos database (6)<BR /> at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)<BR /> at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)<BR /> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)<BR /> at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)<BR /> at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)<BR /> at java.lang.reflect.Method.invoke(Unknown Source)<BR /> at javax.security.auth.login.LoginContext.invoke(Unknown Source)<BR /> at javax.security.auth.login.LoginContext.access$000(Unknown Source)<BR /> at javax.security.auth.login.LoginContext$4.run(Unknown Source)<BR /> at javax.security.auth.login.LoginContext$4.run(Unknown Source)<BR /> at java.security.AccessController.doPrivileged(Native Method)<BR /> at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)<BR /> at javax.security.auth.login.LoginContext.login(Unknown Source)<BR /> at org.alfresco.repo.webdav.auth.BaseKerberosAuthenticationFilter.init(BaseKerberosAuthenticationFilter.java:189)<BR /> at org.alfresco.web.app.servlet.KerberosAuthenticationFilter.init(KerberosAuthenticationFilter.java:63)<BR /> at org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter.afterPropertiesSet(BaseSSOAuthenticationFilter.java:153)<BR /> at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1573)<BR /> at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1511)<BR /> at .</P><P>.</P><P>.</P><P>.</P><P>.</P><P>.</P><P>.</P><P>.</P><P>.</P><P>.org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:938)<BR /> at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:479)<BR /> at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:410)<BR /> at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:306)<BR /> at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:112)<BR /> at org.alfresco.web.app.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:70)<BR /> at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:5016)<BR /> at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5524)<BR /> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)<BR /> at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)<BR /> at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)<BR /> at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:649)<BR /> at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)<BR /> at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1859)<BR /> at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)<BR /> at java.util.concurrent.FutureTask.run(Unknown Source)<BR /> at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)<BR /> at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)<BR /> at java.lang.Thread.run(Unknown Source)<BR />Caused by: KrbException: <STRONG>Client not found in Kerberos database (6)</STRONG><BR /> at sun.security.krb5.KrbAsRep.&lt;init&gt;(Unknown Source)<BR /> at sun.security.krb5.KrbAsReqBuilder.send(Unknown Source)<BR /> at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)<BR /> ... 65 more<BR />Caused by: KrbException: <STRONG>Identifier doesn't match expected value (906)</STRONG><BR /> at sun.security.krb5.internal.KDCRep.init(Unknown Source)<BR /> at sun.security.krb5.internal.ASRep.init(Unknown Source)<BR /> at sun.security.krb5.internal.ASRep.&lt;init&gt;(Unknown Source)<BR /> ... 68 more</P></BODY></HTML> Wed, 16 Aug 2017 11:33:44 GMT tanmaysalve 2017-08-16T11:33:44Z https://connect.hyland.com/t5/alfresco-forum/could-we-make-the-kerberos-users-alfrescocifs-and-alfrescohttp/m-p/13121#M5774 Two Instances:UAT (ip1), PROD(ip2)Steps Performed:First kerberos configuration on UAT - successfulSecond&nbsp;kerberos configuration on PROD - successfulthen,On UAT,when, 1.1.1.1:8080/share, it gives cannot found.alfresco and share application throws exception.Reason:****-**-**&nbsp;**:**:**,925 ERROR [org.al Wed, 16 Aug 2017 11:33:44 GMT https://connect.hyland.com/t5/alfresco-forum/could-we-make-the-kerberos-users-alfrescocifs-and-alfrescohttp/m-p/13121#M5774 tanmaysalve 2017-08-16T11:33:44Z https://connect.hyland.com/t5/alfresco-forum/could-we-make-the-kerberos-users-alfrescocifs-and-alfrescohttp/m-p/13122#M5775 <HTML><HEAD></HEAD><BODY><P>You cannot use Kerberos on an IP-based host. Give UAT a proper domain name and use that to address it, and it should work with Kerberos (provided you set up the SPN in AD as well).</P><P>Also, make sure that the user has the SPNs for all the relevant systems, and use the most up-to-date keytab for all systems. Ideally, you would create separate system users in AD for each environment and only have them&nbsp;associated with the SPNs of their environment.</P></BODY></HTML> Wed, 16 Aug 2017 13:32:53 GMT https://connect.hyland.com/t5/alfresco-forum/could-we-make-the-kerberos-users-alfrescocifs-and-alfrescohttp/m-p/13122#M5775 afaust 2017-08-16T13:32:53Z https://connect.hyland.com/t5/alfresco-forum/could-we-make-the-kerberos-users-alfrescocifs-and-alfrescohttp/m-p/13123#M5776 <HTML><HEAD></HEAD><BODY><P>Hi Axel,</P><P></P><P>Thanks for your reply</P><P>We only have two <SPAN>kerberos&nbsp;</SPAN>users alfrescohttp and alfrescocifs currently which worked for one host server (UAT),&nbsp;then we ran the ktpass command which change the principal name&nbsp;with a different host(prod) for the same mentioned kerberos users. It worked for prod but stopped working for UAT (which is obvious)</P><P>We are supposed to run several instances of alfresco in our organisation and it would be difficult to manage creation of these users again and again.</P><P>Hence I need to know if there is a way out where we can use the same users for several alfresco&nbsp;instances to authenticate against the same AD server though not recommended</P></BODY></HTML> Wed, 16 Aug 2017 14:01:30 GMT https://connect.hyland.com/t5/alfresco-forum/could-we-make-the-kerberos-users-alfrescocifs-and-alfrescohttp/m-p/13123#M5776 tanmaysalve 2017-08-16T14:01:30Z