Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Hyland Connect
- Enterprise Platforms
- Alfresco
- Alfresco Archive
- Alfresco 4 Community + Kerberos
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Alfresco 4 Community + Kerberos
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-15-2011 02:03 PM
Situation:
I am an IT developer for a department at a university and users want a fileshare that they can access from anywhere with any computer, including a "mapped drive" and I figured Alfresco Share with webdav and/or CIFS would be a great way. Note, most computers are not on the same domain or even the same network as the Alfresco server, so SSO is not an option, but I wanted a secure way of authentication that would allow CIFS so that left alfrescoNtlm or Kerberos. I set up the Alfresco Community Edition 4.0 server using the wizard (except changed tomcat ports to 80 and 443) on a Windows Server 2008 64-bit and got it working fairly well with built in permissions. However, I would prefer not having to manage a separate list of users/passwords so I thought Kerberos authentication is the best option and am trying to configure it according to documentation at http://docs.alfresco.com/4.0/topic/com.alfresco.enterprise.doc/concepts/auth-kerberos-intro.html but as I am a newbie am having trouble getting it to work and (but I will have to change it back to alfrescoNtlm if I can't get it to work. Any help is appreciated.
We have a very unique set-up for Kerberos, so let me give you that info first. I have replaced the name of our university with [university] in all documentation below.
NetBIOS domain name: ADS
servers: ADS.UNIVERSITY.EDU
ADS realm/domain name is ADS.UNIVERSITY.EDU
MIT Kerberos Realm name: INS.UNIV.EDU (note this is a different domain name then the AD server)
So when we log onto computers on the domain we use ADS as our domain but I must run these ksetup commands on a PC before it joins:
ksetup /addkdc INS.UNIV.EDU KERBEROS.UNIV.EDU
ksetup /addkdc INS.UNIV.EDU KERBEROS2.UNIV.EDU
ksetup /addkdc INS.UNIV.EDU KERBEROS3.UNIV.EDU
I followed the instructions on the DOC page for configuring Kerberos authentication to the best of my ability but have an error on alfresco explorer and cannot get CIFS or WebDAV to map. Hers is some stripped-down relevant files:
alfresco-global.properties
When I open the address for alfresco explorer, I get this error:
Anything I did wrong or still need to do to get Kerberos to work?
I am an IT developer for a department at a university and users want a fileshare that they can access from anywhere with any computer, including a "mapped drive" and I figured Alfresco Share with webdav and/or CIFS would be a great way. Note, most computers are not on the same domain or even the same network as the Alfresco server, so SSO is not an option, but I wanted a secure way of authentication that would allow CIFS so that left alfrescoNtlm or Kerberos. I set up the Alfresco Community Edition 4.0 server using the wizard (except changed tomcat ports to 80 and 443) on a Windows Server 2008 64-bit and got it working fairly well with built in permissions. However, I would prefer not having to manage a separate list of users/passwords so I thought Kerberos authentication is the best option and am trying to configure it according to documentation at http://docs.alfresco.com/4.0/topic/com.alfresco.enterprise.doc/concepts/auth-kerberos-intro.html but as I am a newbie am having trouble getting it to work and (but I will have to change it back to alfrescoNtlm if I can't get it to work. Any help is appreciated.
We have a very unique set-up for Kerberos, so let me give you that info first. I have replaced the name of our university with [university] in all documentation below.
NetBIOS domain name: ADS
servers: ADS.UNIVERSITY.EDU
ADS realm/domain name is ADS.UNIVERSITY.EDU
MIT Kerberos Realm name: INS.UNIV.EDU (note this is a different domain name then the AD server)
So when we log onto computers on the domain we use ADS as our domain but I must run these ksetup commands on a PC before it joins:
ksetup /addkdc INS.UNIV.EDU KERBEROS.UNIV.EDU
ksetup /addkdc INS.UNIV.EDU KERBEROS2.UNIV.EDU
ksetup /addkdc INS.UNIV.EDU KERBEROS3.UNIV.EDU
I followed the instructions on the DOC page for configuring Kerberos authentication to the best of my ability but have an error on alfresco explorer and cannot get CIFS or WebDAV to map. Hers is some stripped-down relevant files:
alfresco-global.properties
dir.root=E:/Alfresco/alf_data
alfresco.context=alfresco
alfresco.host=127.0.0.1
alfresco.port=80
alfresco.protocol=http
share.context=share
share.host=127.0.0.1
share.port=80
share.protocol=http
### authentication ###
# alfrescoNtlm1:alfrescoNtlm,passthru1:passthru,ldap1:ldap
# alfrescoNtlm1:alfrescoNtlm
alfrescoNtlm1:alfrescoNtlm,kerberos1:kerberos
### CIFS settings ###
cifs.enabled=true
cifs.serverName=alfresco
cifs.domain=
cifs.hostannounce=true
cifs.sessionTimeout=900authentication.chain=alfrescoNtlm1:alfrescoNtlm,kerberos1:kerberosntlm.authentication.sso.enabled=false
alfresco.authentication.allowGuestLogin=true
alfresco.authentication.authenticateCIFS=truekerberos.authentication.realm=INS.UNIV.EDU
kerberos.authentication.sso.enabled=false
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.cifs.password=password1 ### I put text of real AD user password here
kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.http.password=password1 ### I put text of real AD user password here
kerberos.authentication.defaultAdministratorUserNames=admin,auser ### auser1 is a username that is both in AD as well as alfresco - I don't know what this refers to
kerberos.authentication.authenticateCIFS=truektpass -princ cifs/alfresco.university.edu@INS.UNIV.EDU -pass password1 -mapuser ADS\AlfrescoCIFS -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out E:\Alfresco\AlfrescoCIFS.keytab -kvno 0
ktpass -princ HTTP/alfresco.university.edu@INS.UNIV.EDU -pass password1 -mapuser ADS\AlfrescoHTTP -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out E:\Alfresco\AlfrescoHTTP.keytab -kvno 0
setspn -a cifs/alfresco AlfrescoCIFS
setspn -a cifs/alfresco.university.edu AlfrescoCIFS
setspn -a HTTP/alfresco AlfrescoHTTP
setspn -a HTTP/alfresco.university.edu AlfrescoHTTP
setspn -l AlfrescoCIFS
setspn -l AlfrescoHTTP
Alfresco {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};
AlfrescoCIFS {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
keyTab="E:/Alfresco/AlfrescoCIFS.keytab"
principal="cifs/alfresco.university.edu";
};
AlfrescoHTTP {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
keyTab="E:/Alfresco/AlfrescoCIFS.keytab"
principal="HTTP/alfresco.university.edu";
};
com.sun.net.ssl.client {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};
other {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};When I open the address for alfresco explorer, I get this error:
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'globalAuthenticationFilter' defined in file [E:\Alfresco\tomcat\webapps\alfresco\WEB-INF\classes\alfresco\subsystems\Authentication\kerberos\kerberos-filter-context.xml]: Invocation of init method failed; nested exception is javax.servlet.ServletException: Failed to login HTTP server service
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1420)
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:519)
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456)
org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:291)
org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:288)
org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:190)
org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:1075)
org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:96)
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
$Proxy244.doFilter(Unknown Source)
org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:82)
org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:58)
root cause
javax.servlet.ServletException: Failed to login HTTP server service
org.alfresco.repo.webdav.auth.BaseKerberosAuthenticationFilter.init(BaseKerberosAuthenticationFilter.java:179)
org.alfresco.web.app.servlet.KerberosAuthenticationFilter.init(KerberosAuthenticationFilter.java:72)
org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter.afterPropertiesSet(BaseSSOAuthenticationFilter.java:115)
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1477)
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1417)
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:519)
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456)
org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:291)
org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:288)
org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:190)
org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:1075)
org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:96)
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
$Proxy244.doFilter(Unknown Source)
org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:82)
org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:58) 2011-11-11 17:30:07,292 ERROR [app.servlet.KerberosAuthenticationFilter] [http-80-1] HTTP Kerberos web filter error
javax.security.auth.login.LoginException: null (68)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at org.alfresco.repo.webdav.auth.BaseKerberosAuthenticationFilter.init(BaseKerberosAuthenticationFilter.java:165)
at org.alfresco.web.app.servlet.KerberosAuthenticationFilter.init(KerberosAuthenticationFilter.java:72)
at org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter.afterPropertiesSet(BaseSSOAuthenticationFilter.java:115)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1477)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1417)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:519)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456)
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:291)
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:288)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:190)
at org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:1075)
at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:96)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
at $Proxy244.doFilter(Unknown Source)
at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:82)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:58)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:465)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:859)
at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:579)
at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1555)
at java.lang.Thread.run(Thread.java:619)
Caused by: KrbException: null (68)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:66)
at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:449)
at sun.security.krb5.Credentials.sendASRequest(Credentials.java:406)
at sun.security.krb5.Credentials.acquireTGT(Credentials.java:355)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:662)
… 44 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
at sun.security.krb5.internal.ASRep.init(ASRep.java:58)
at sun.security.krb5.internal.ASRep.<init>(ASRep.java:53)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:50)
… 48 more
Anything I did wrong or still need to do to get Kerberos to work?
Labels:
- Labels:
-
Archive
1 REPLY 1
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
01-30-2012 12:13 PM
Could you post your krb5.conf? When I got this error I had omitted the krb5.conf.
Related Content
- How to call Alfresco REST APIs using OAuth instead of Basic Auth? in Alfresco Forum
- Alfresco Customer Newsletter — November 2024 in Alfresco Blog
- Alfresco Customer Newsletter — October 2024 in Alfresco Blog
- Alfresco Customer Newsletter — September 2024 in Alfresco Blog
- Requirement for Document Upload, Data Export, and RFID/Barcode Integration in Alfresco Forum
Getting started
Tags
Find what you came for
We want to make your experience in Hyland Connect as valuable as possible, so we put together some helpful links.
