alfresco 5.0c and kerberos

vincent-kali
Star Contributor
Hi,
I'm facing issues setting up Kerberos authentication against a 2008R2 AD
domain controller on an Alfresco Community 5c platform (on Linux Debian 7).
I followed the procedure that we applied on Alfresco 4.2, which was working fine.

I did the following:
- create service accounts on AD (alfrescoCIFS & alfrescoHTTP), with correct settings (SPN, UPN, disable Kerberos preauth)
- create keytab files and put them on the Alfresco server
- create krb5.conf on the Alfresco server with correct settings
- test Kerberos auth from the Alfresco server (using the krb5-user MIT tools)
   >  kinit cifs/myhostname.mydomain.loc@MYDOMAIN.LOC -k -t /etc/keys/keytab
-> success. This should confirm that the AD, keytab and krb5.conf configurations are correct. Am I correct?

Configure the auth chain, CIFS and Kerberos auth in alfresco-global.properties:

   ### auth chain
   authentication.chain=kerberos1:kerberos,myDomain:ldap-ad,alfrescoNtlm1:alfrescoNtlm

   ### ldap auth
   ldap.authentication.active=true
   ldap.authentication.allowGuestLogin=false
   ldap.authentication.userNameFormat=%s@mydomain.loc
   ldap.authentication.java.naming.provider.url=ldap://x.x.x.x
   ldap.authentication.java.naming.security.authentication=simple
   ldap.authentication.defaultAdministratorUserNames=admin

   ### KERBEROS auth
   kerberos.authentication.realm=MYDOMAIN.LOC
   kerberos.authentication.authenticateCIFS=true
   kerberos.authentication.sso.enabled=false
   kerberos.authentication.user.configEntryName=Alfresco
   kerberos.authentication.defaultAdministratorUserNames=admin
   kerberos.authentication.cifs.configEntryName=alfrescoCIFS
   kerberos.authentication.cifs.password=****************
   kerberos.authentication.http.configEntryName=alfrescoHTTP
   kerberos.authentication.http.password=****************
   kerberos.authentication.browser.ticketLogons=true
   kerberos.authentication.stripUsernameSuffix=true

   ### ldap sync
   ldap.synchronization.active=true
   ldap.synchronization.java.naming.security.authentication=simple
   ldap.synchronization.java.naming.security.principal=svc-ldapsync@mydomain.loc
   ldap.synchronization.java.naming.security.credentials=****************
   ldap.synchronization.groupSearchBase=ou\=Groups,dc\=MYDOMAIN,dc=loc
   ldap.synchronization.userSearchBase=ou\=Users,dc\=MYDOMAIN,dc=loc
   ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(whenChanged<\={0})))

   ### CIFS-NFS-FTP
   filesystem.name=WCM
   cifs.enabled=true
   cifs.serverName=myhostname
   cifs.domain=mydomain.loc
   cifs.hostannounce=false
   cifs.pseudoFiles.enabled=false
   cifs.pseudoFiles.explorerURL.enabled=false
   cifs.pseudoFiles.explorerURL.fileName=__Alfresco.url
   cifs.pseudoFiles.shareURL.enabled=false
   cifs.pseudoFiles.shareURL.fileName=__Share.url
   ftp.enabled=false
   nfs.enabled=false

Now the JAAS config:
- update the /opt/alfresco-5.0.c/java/lib/security/java.security file and add the following line:
   login.config.url.1=file:${java.home}/lib/security/java.login.config
- create the java.login.config file:

   Alfresco {
      com.sun.security.auth.module.Krb5LoginModule sufficient;
   };

   alfrescoCIFS {
      com.sun.security.auth.module.Krb5LoginModule required
      storeKey=true
      useKeyTab=true
      doNotPrompt=true
      keyTab="/etc/keys/keytab"
      principal="cifs/myhostname.mydomain.loc";
   };

   alfrescoHTTP {
      com.sun.security.auth.module.Krb5LoginModule required
      storeKey=true
      useKeyTab=true
      doNotPrompt=true
      keyTab="/etc/keys/keytab"
      principal="HTTP/myhostname.mydomain.loc";
   };

   com.sun.net.ssl.client {
      com.sun.security.auth.module.Krb5LoginModule sufficient;
   };

   other {
      com.sun.security.auth.module.Krb5LoginModule sufficient;
   };

Restart Alfresco
-> seems to be OK:  INFO  [management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Starting 'Authentication' subsystem, ID: [Authentication, managed, kerberos1]

The problem:
When trying to access Alfresco using CIFS, I get a 'logon failure' on my Windows client, and the following output in catalina.out:

      2015-02-06 15:14:48,630  ERROR [org.alfresco.fileserver] [AlfJLANWorker18] Error from JLAN
    GSSException: Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))
         at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
         at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
         at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
         at org.alfresco.jlan.server.auth.kerberos.SessionSetupPrivilegedAction.run(SessionSetupPrivilegedAction.java:102)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.Subject.doAs(Unknown Source)
         at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.doKerberosLogon(EnterpriseCifsAuthenticator.java:1536)
         at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.doSpnegoSessionSetup(EnterpriseCifsAuthenticator.java:1420)
         at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.access$200(EnterpriseCifsAuthenticator.java:87)
         at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator$2.execute(EnterpriseCifsAuthenticator.java:897)
         at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator$2.execute(EnterpriseCifsAuthenticator.java:881)
         at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:454)
         at org.alfresco.filesys.auth.cifs.CifsAuthenticatorBase.doInTransaction(CifsAuthenticatorBase.java:641)
         at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.processAlfrescoSessionSetup(EnterpriseCifsAuthenticator.java:880)
         at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.processSessionSetup(EnterpriseCifsAuthenticator.java:682)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
         at java.lang.reflect.Method.invoke(Unknown Source)
         at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:112)
         at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
         at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
         at com.sun.proxy.$Proxy188.processSessionSetup(Unknown Source)
         at org.alfresco.jlan.smb.server.NTProtocolHandler.procSessionSetup(NTProtocolHandler.java:417)
         at org.alfresco.jlan.smb.server.NTProtocolHandler.runProtocol(NTProtocolHandler.java:223)
         at org.alfresco.jlan.smb.server.SMBSrvSession.processPacket(SMBSrvSession.java:1480)
         at org.alfresco.jlan.smb.server.nio.NIOCIFSThreadRequest.runRequest(NIOCIFSThreadRequest.java:150)
         at org.alfresco.jlan.server.thread.ThreadRequestPool$ThreadWorker.run(ThreadRequestPool.java:153)
         at java.lang.Thread.run(Unknown Source)
   Caused by: KrbException: Specified version of key is not available (44)
         at sun.security.krb5.EncryptionKey.findKey(Unknown Source)
         at sun.security.krb5.KrbApReq.authenticate(Unknown Source)
         at sun.security.krb5.KrbApReq.<init>(Unknown Source)
         at sun.security.jgss.krb5.InitSecContextToken.<init>(Unknown Source)
         … 29 more
   2015-02-06 15:14:48,633  ERROR [auth.cifs.EnterpriseCifsAuthenticator] [AlfJLANWorker18] No SPNEGO response, Kerberos logon failed

I don't understand the cause of this error "Specified version of key is not available", as the kvno between AD and the keytab are matching, and Kerberos
auth has been tested successfully using kinit. Could somebody help me?


Thanks,
Vincent





vincent-kali
Star Contributor
After further analysis, I see that:
- Alfresco is getting the initial TGT correctly for CIFS at startup
- the user fails to get a TGS for Alfresco with error KRB5KDC_ERR_BADOPTION 'STATUS_NOT_SUPPORTED'

Any suggestion?
Really, nobody can help?
Thanks

The issue has been identified on the AD side.
Tricky problem: mixed upper/lowercase in the domain name, and consequently in the Kerberos TGS (refused by the Alfresco JAAS).
No easy solution at this time.

Vincent.

vincent-kali
Star Contributor
After digging into Kerberos and AD, I finally found that the problem was (again) a kvno issue.
Conclusions:
- kinit does NOT validate the keytab file, even if you pass it as a parameter when requesting a TGT. The kvno is not checked at this step (it validates the Kerberos config only, i.e. krb5.conf)
- you need to check the kvno directly in AD Users & Computers, in the (constructed) attributes: msDS-KeyVersionNumber

Vincent

Would you please send me the settings for your installation?

Could you please give me some details about the settings you want me to send?
As explained above, the issue is solved (kvno issue), but I'm of course ready to
share everything you need if it can help….

borisstankov
Champ in-the-making
Well, I can see these error messages in the catalina.out:
2015-04-07 11:22:18,591  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-5] Authentication not required (filter), chaining …
2015-04-07 11:22:18,658  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-10] Authentication not required (filter), chaining …
2015-04-07 11:22:18,674  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-1] Authentication not required (filter), chaining …
2015-04-07 11:22:18,691  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-3] Authentication not required (filter), chaining …
2015-04-07 11:22:18,697  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-6] Authentication not required (filter), chaining …
2015-04-07 11:22:18,720  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-2] Authentication not required (filter), chaining …
2015-04-07 11:22:19,264  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-7] Authentication not required (filter), chaining …
2015-04-07 11:22:19,272  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-9] Authentication not required (filter), chaining …
2015-04-07 11:22:20,093  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-5] New Kerberos auth request from 192.168.192.240 (192.168.192.240:50747)
2015-04-07 11:22:20,093  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-5] Issuing login challenge to browser.
2015-04-07 11:22:20,660  DEBUG [webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-1] Performing fallback authentication…
2015-04-07 11:22:20,697  DEBUG [webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-1] Issuing login challenge to browser.
2015-04-07 11:22:20,698  DEBUG [webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-1] Fallback authentication failed. Restarting login…
11:22:20,699 WARN  [org.alfresco.wcm.client.util.impl.GuestSessionFactoryImpl] WQS unable to connect to repository: Unauthorized

At this time my browser asks me for my password in a loop and never gets out of it.

I edited the global.properties file with:
authentication.chain=kerberos1:kerberos

kerberos.authentication.realm=CORP.INT
kerberos.authentication.sso.enabled=true
kerberos.authentication.authenticateCIFS=false
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.cifs.password=Password123!
kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.stripUsernameSuffix=true
kerberos.authentication.http.password=Password123!
kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.browser.ticketLogons=true

Also I edited the /opt/alfresco-5.0/tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml as explained here: http://docs.alfresco.com/community/tasks/auth-kerberos-shareSSO.html

I have these configs in my JAVA_OPTS, which are located in this file:

JAVA_HOME=/opt/alfresco-5.0/java
JRE_HOME=$JAVA_HOME
JAVA_OPTS="-XX:+DisableExplicitGC -Djava.awt.headless=true -Dalfresco.home=/opt/alfresco-5.0 -Dcom.sun.management.jmxremote -Dsun.security.krb5.msinterop.kstring=true -XX:ReservedCodeCacheSize=128m $JAVA_OPTS "
JAVA_OPTS="-XX:MaxPermSize=5120M -Xms4096M -Xmx5120M $JAVA_OPTS " # java-memory-settings
export JAVA_HOME
export JRE_HOME
export JAVA_OPTS


These are the configs for my /etc/krb5.conf file (the DOMAIN is my domain and it's the correct one in the real file):
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = DOMAIN
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
forwardable = true
proxiable = true

[realms]
DOMAIN= {
  kdc = dc1.domain
  admin_server = dc1.domain
}

[domain_realm]
.corp.int = DOMAIN
corp.int = DOMAIN

Both key files are located in the /etc dir.

I created a file java.login.config under /opt/alfresco-5.0/java/lib/security with the following code (system.domain = my Alfresco FQDN):

Alfresco {
    com.sun.security.auth.module.Krb5LoginModule sufficient;
};

AlfrescoCIFS {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    useKeyTab=true
    keyTab="/etc/cifsportal2.keytab"
    principal="cifs/system.domain";
};

AlfrescoHTTP {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    useKeyTab=true
    keyTab="/etc/httpportal2.keytab"
    principal="HTTP/system.domain";
};

ShareHTTP {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    useKeyTab=true
    keyTab="/etc/httpportal2.keytab"
    principal="HTTP/system.domain";
};

com.sun.net.ssl.client {
    com.sun.security.auth.module.Krb5LoginModule sufficient;
};

other {
    com.sun.security.auth.module.Krb5LoginModule sufficient;
};


I also edited the java.security file in the same dir by adding this line:
login.config.url.1=file:${java.home}/lib/security/java.login.config




Do you have any idea if I'm missing something I should add, or if I set up some of the settings in the wrong way?


Regards!

Hi,
Could you first validate your Kerberos SSO config using CIFS (you'll bypass all possible misconfiguration on the client browser)?
Are you running Alfresco on Linux?
Here are the main steps to follow (assuming your KDC is an MS AD DC):
- Service account creation with correct UPN/SPN
- Linux Kerberos client config (krb5.conf)
- Test kinit (krb5-user package on Debian) to check that authentication is correct
   -> kinit -V cifs/alfrescoserver.mydomain.loc@MYDOMAIN.LOC
- Generate keytab (with correct kvno !!)
   -> I'm using ktpass on linux. Check the service account's kvno on AD (attribute msDS-KeyVersionNumber; don't forget to show 'constructed' user attributes in AD Users & Computers)
- Test kinit using the keytab
   -> kinit -V cifs/alfrescoserver.mydomain.loc@MYDOMAIN.LOC -k -t myKeytabFile
Could you confirm you did this successfully? (I'll post my Alfresco config soon if you need it.)

Vincent
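Both Vincent's earlier conclusion (kinit does not validate the keytab's kvno; the reference value is the service account's msDS-KeyVersionNumber) and the checklist in this post come down to comparing the kvno stored in each keytab entry with the one AD reports. The following Python keytab parser and kvno check is an added example, not code from the thread or from Alfresco; the sample keytab, the principal names and the AD kvno of 4 are constructed to mirror the "generated with 0 instead of 4" case discussed later in the thread.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Enctype numbers commonly seen in AD-generated keytabs (RFC 3961 / RFC 4757).
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


@dataclass
class KeytabEntry:
    principal: str   # e.g. "cifs/host.mydomain.loc@MYDOMAIN.LOC"
    kvno: int        # key version number recorded for this key
    enctype: int
    key_len: int


def _counted_octets(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Read a keytab counted_octet_string: uint16 big-endian length, then bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse an MIT/Heimdal keytab (file format version 0x0502).
    Per entry: int32 size | uint16 num_components | realm | components...
    | uint32 name_type | uint32 timestamp | uint8 vno8 | uint16 enctype
    | uint16 key_len | key | [uint32 vno32 if room remains in the entry]
    """
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version: %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size == 0:
            break                 # zero padding at end of file
        if size < 0:
            off += -size          # a negative size marks a deleted slot
            continue
        end, p = off + size, off
        (ncomp,) = struct.unpack_from(">H", data, p)
        p += 2
        realm, p = _counted_octets(data, p)
        comps = []
        for _ in range(ncomp):
            c, p = _counted_octets(data, p)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, p)
        p += 9
        enctype, key_len = struct.unpack_from(">HH", data, p)
        p += 4 + key_len          # skip the key material itself
        kvno = vno8
        if end - p >= 4:          # a non-zero 32-bit kvno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, p)
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype, key_len))
        off = end
    return entries


def check_kvno(entries: List[KeytabEntry], principal: str, ad_kvno: int) -> Tuple[bool, List[str]]:
    """Compare every keytab key for `principal` against the kvno AD reports.
    `ad_kvno` is the service account's msDS-KeyVersionNumber (a constructed
    attribute: enable constructed attributes in AD Users & Computers, or read
    it over LDAP). Returns (ok, list of human-readable problems).
    """
    matching = [e for e in entries if e.principal == principal]
    if not matching:
        return False, ["keytab has no key for %s" % principal]
    problems = []
    for e in matching:
        if e.kvno != ad_kvno:
            problems.append("%s (%s): keytab kvno %d != AD kvno %d" % (
                e.principal, ENCTYPE_NAMES.get(e.enctype, str(e.enctype)), e.kvno, ad_kvno))
    return not problems, problems


def build_keytab(keys) -> bytes:
    """Write a 0x0502 keytab; used only to construct the sample below."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in keys:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 1423234488, kvno & 0xFF)   # name_type 1 = KRB5_NT_PRINCIPAL
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample, not a real keytab: the CIFS key was generated with kvno 0
# while AD reports kvno 4 for the account; the HTTP key carries the right kvno.
SAMPLE_KEYTAB = build_keytab([
    ("cifs/myhostname.mydomain.loc@MYDOMAIN.LOC", 0, 23, b"\x00" * 16),
    ("HTTP/myhostname.mydomain.loc@MYDOMAIN.LOC", 4, 23, b"\x11" * 16),
])
AD_KVNO = 4   # constructed: what msDS-KeyVersionNumber shows for both service accounts
```

Run against a real file with `parse_keytab(open(path, "rb").read())`; the same fields are what `klist -kte` prints, so a mismatch found here is exactly what the KDC-side "Specified version of key is not available (44)" complains about.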


Hi,

You assumed correctly.
My Alfresco version 5.0.c is on CentOS 6.5 and our MS AD is on Windows Server 2012.

Thanks for the notes you sent, we checked them closely with our team here. At this point:
kinit -V cifs/alfrescoserver.mydomain.loc@MYDOMAIN.LOC ->>> this one was Authorized, but
kinit -V cifs/alfrescoserver.mydomain.loc@MYDOMAIN.LOC -k -t myKeytabFile ->>> this one failed

Then we generated the keytabs with the correct kvno. It was version 4, but we generated it with 0 at first.
Now both commands are returning Authorized:
kinit -V cifs/alfrescoserver.mydomain.loc@MYDOMAIN.LOC
kinit -V cifs/alfrescoserver.mydomain.loc@MYDOMAIN.LOC -k -t myKeytabFile

However I'm still not able to use the single sign-on authentication and I can't log in to Alfresco using this type of authentication. Here is what I can see now in the "catalina.out":

Apr 08, 2015 11:50:21 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 139796 ms
2015-04-08 11:50:21,763  WARN  [scripts.solr.AlfrescoModelsDiff] [http-bio-8443-exec-2] Unable to fetch model changes from /alfresco/service/api/solr/modelsdiff
2015-04-08 11:50:21,768  WARN  [scripts.solr.AlfrescoModelsDiff] [http-bio-8443-exec-1] Unable to fetch model changes from /alfresco/service/api/solr/modelsdiff
2015-04-08 11:50:22,233  DEBUG [webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-2] Performing fallback authentication…
Apr 08, 2015 11:50:22 AM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [cmisatom10] in context with path [/alfresco] threw exception
org.alfresco.service.namespace.InvalidQNameException: A QName must consist of a local name
   at org.alfresco.service.namespace.QName.createQName(QName.java:87)
   at org.alfresco.repo.security.person.PersonServiceImpl.getChildNameLower(PersonServiceImpl.java:1768)
   at org.alfresco.repo.security.person.PersonServiceImpl.getPersonOrNullImpl(PersonServiceImpl.java:537)
   at org.alfresco.repo.security.person.PersonServiceImpl.getUserIdentifier(PersonServiceImpl.java:1880)
   at org.alfresco.repo.security.authentication.AuthenticationComponentImpl$1$1.doWork(AuthenticationComponentImpl.java:93)
   at org.alfresco.repo.security.authentication.AuthenticationComponentImpl$1$1.doWork(AuthenticationComponentImpl.java:90)
   at org.alfresco.repo.tenant.TenantUtil.runAsWork(TenantUtil.java:119)
   at org.alfresco.repo.tenant.TenantUtil.runAsTenant(TenantUtil.java:88)
   at org.alfresco.repo.tenant.TenantUtil$1.doWork(TenantUtil.java:62)
   at org.alfresco.repo.security.authentication.AuthenticationUtil.runAs(AuthenticationUtil.java:548)
   at org.alfresco.repo.tenant.TenantUtil.runAsUserTenant(TenantUtil.java:58)
   at org.alfresco.repo.tenant.TenantUtil.runAsSystemTenant(TenantUtil.java:112)
   at org.alfresco.repo.security.authentication.AuthenticationComponentImpl$1.execute(AuthenticationComponentImpl.java:89)
   at org.alfresco.repo.security.authentication.AuthenticationComponentImpl$1.execute(AuthenticationComponentImpl.java:86)
   at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:454)
   at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:342)
   at org.alfresco.repo.security.authentication.AuthenticationComponentImpl.authenticateImpl(AuthenticationComponentImpl.java:84)
   at org.alfresco.repo.security.authentication.AbstractAuthenticationComponent.authenticate(AbstractAuthenticationComponent.java:162)
   at org.alfresco.repo.security.authentication.AuthenticationServiceImpl.authenticate(AuthenticationServiceImpl.java:68)
   at org.alfresco.repo.security.authentication.AbstractChainingAuthenticationService.authenticate(AbstractChainingAuthenticationService.java:195)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
   at java.lang.reflect.Method.invoke(Unknown Source)
   at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
   at net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:80)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:46)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.alfresco.repo.audit.AuditMethodInterceptor.invoke(AuditMethodInterceptor.java:159)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:96)
   at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:260)
   at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:94)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
   at com.sun.proxy.$Proxy64.authenticate(Unknown Source)
   at org.alfresco.repo.webdav.auth.SSOFallbackBasicAuthenticationDriver.authenticateRequest(SSOFallbackBasicAuthenticationDriver.java:120)
   at org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter.performFallbackAuthentication(BaseSSOAuthenticationFilter.java:604)
   at org.alfresco.repo.webdav.auth.BaseKerberosAuthenticationFilter.authenticateRequest(BaseKerberosAuthenticationFilter.java:279)
   at org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter.doFilter(BaseSSOAuthenticationFilter.java:155)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
   at java.lang.reflect.Method.invoke(Unknown Source)
   at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:112)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
   at com.sun.proxy.$Proxy274.doFilter(Unknown Source)
   at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:82)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
   at org.alfresco.web.app.servlet.CmisSecurityContextCleanerFilter.doFilter(CmisSecurityContextCleanerFilter.java:49)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
   at org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:61)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
   at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
   at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
   at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
   at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
   at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
   at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
   at org.apache.tomcat.util.net.AprEndpoint$SocketWithOptionsProcessor.run(AprEndpoint.java:2378)
   at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
   at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
   at java.lang.Thread.run(Unknown Source)

11:50:22,377 WARN  [org.alfresco.wcm.client.util.impl.GuestSessionFactoryImpl] WQS unable to connect to repository: Internal Server Error
2015-04-08 11:50:24,388  DEBUG [webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-3] Performing fallback authentication…

All the BEST!

vincent-kali
Star Contributor
Hi,
Sorry for the delay, I was on vacation…
To be honest I never tried Kerberos SSO for HTTP with Share (it does not make sense for us as users need to log on from the Internet).
I know that you need to configure extra things for HTTP SSO, like delegation on AD.
Do you have the opportunity to test Kerberos SSO using the CIFS connector? (This may help to identify the source of the issue.)

Vincent