topic Re: Could we make the kerberos users alfrescocifs and alfrescohttp to allow customers to have several alfresco instances (e.g: test, validation and production environments) authenticate against the same AD server in Alfresco Forum https://connect.hyland.com/t5/alfresco-forum/could-we-make-the-kerberos-users-alfrescocifs-and-alfrescohttp/m-p/13122#M5775 <HTML><HEAD></HEAD><BODY><P>You cannot use Kerberos on an IP-based host. Give UAT a proper domain name and use that to address it, and it should work with Kerberos (provided you set up the SPN in AD as well).</P><P>Also, make sure that the user has the SPNs for all the relevant systems, and use the most up-to-date keytab for all systems. Ideally, you would create separate system users in AD for each environment and only have them&nbsp;associated with the SPNs of their environment.</P></BODY></HTML> Wed, 16 Aug 2017 13:32:53 GMT afaust 2017-08-16T13:32:53Z Could we make the kerberos users alfrescocifs and alfrescohttp to allow customers to have several alfresco instances (e.g: test, validation and production environments) authenticate against the same AD server https://connect.hyland.com/t5/alfresco-forum/could-we-make-the-kerberos-users-alfrescocifs-and-alfrescohttp/m-p/13121#M5774 Two Instances:UAT (ip1), PROD(ip2)Steps Performed:First kerberos configuration on UAT - successfulSecond&nbsp;kerberos configuration on PROD - successfulthen,On UAT,when, 1.1.1.1:8080/share, it gives cannot found.alfresco and share application throws exception.Reason:****-**-**&nbsp;**:**:**,925 ERROR [org.al Wed, 16 Aug 2017 11:33:44 GMT https://connect.hyland.com/t5/alfresco-forum/could-we-make-the-kerberos-users-alfrescocifs-and-alfrescohttp/m-p/13121#M5774 tanmaysalve 2017-08-16T11:33:44Z Re: Could we make the kerberos users alfrescocifs and alfrescohttp to allow customers to have several alfresco instances (e.g: test, validation and production environments) authenticate against the same AD server https://connect.hyland.com/t5/alfresco-forum/could-we-make-the-kerberos-users-alfrescocifs-and-alfrescohttp/m-p/13122#M5775 <HTML><HEAD></HEAD><BODY><P>You cannot use Kerberos on an IP-based host. Give UAT a proper domain name and use that to address it, and it should work with Kerberos (provided you set up the SPN in AD as well).</P><P>Also, make sure that the user has the SPNs for all the relevant systems, and use the most up-to-date keytab for all systems. Ideally, you would create separate system users in AD for each environment and only have them&nbsp;associated with the SPNs of their environment.</P></BODY></HTML> Wed, 16 Aug 2017 13:32:53 GMT https://connect.hyland.com/t5/alfresco-forum/could-we-make-the-kerberos-users-alfrescocifs-and-alfrescohttp/m-p/13122#M5775 afaust 2017-08-16T13:32:53Z Re: Could we make the kerberos users alfrescocifs and alfrescohttp to allow customers to have several alfresco instances (e.g: test, validation and production environments) authenticate against the same AD server https://connect.hyland.com/t5/alfresco-forum/could-we-make-the-kerberos-users-alfrescocifs-and-alfrescohttp/m-p/13123#M5776 <HTML><HEAD></HEAD><BODY><P>Hi Axel,</P><P></P><P>Thanks for your reply</P><P>We only have two <SPAN>kerberos&nbsp;</SPAN>users alfrescohttp and alfrescocifs currently which worked for one host server (UAT),&nbsp;then we ran the ktpass command which change the principal name&nbsp;with a different host(prod) for the same mentioned kerberos users. It worked for prod but stopped working for UAT (which is obvious)</P><P>We are supposed to run several instances of alfresco in our organisation and it would be difficult to manage creation of these users again and again.</P><P>Hence I need to know if there is a way out where we can use the same users for several alfresco&nbsp;instances to authenticate against the same AD server though not recommended</P></BODY></HTML> Wed, 16 Aug 2017 14:01:30 GMT https://connect.hyland.com/t5/alfresco-forum/could-we-make-the-kerberos-users-alfrescocifs-and-alfrescohttp/m-p/13123#M5776 tanmaysalve 2017-08-16T14:01:30Z