alfresco 5.0c and kerberos

vincent-kali
Star Contributor
Hi,
I'm facing issues setting up Kerberos authentication against a 2008R2 AD
domain controller on an Alfresco Community 5c platform (on Linux Debian 7).
I followed the procedure we applied on Alfresco 4.2, which was working fine.

I did the following:
- created service accounts on AD (alfrescoCIFS & alfrescoHTTP), with correct settings (SPN, UPN, Kerberos preauth disabled)
- created keytab files and put them on the Alfresco server
- created krb5.conf on the Alfresco server with correct settings
- tested Kerberos auth from the Alfresco server (using the krb5-user MIT tools)
   >  kinit cifs/myhostname.mydomain.loc@MYDOMAIN.LOC -k -t /etc/keys/keytab
-> success. This should confirm that the AD, keytab and krb5.conf configurations are correct. Am I correct?

Configured the auth chain, CIFS and Kerberos auth in alfresco-global.properties:
   
   ### auth chain
   authentication.chain=kerberos1:kerberos,myDomain:ldap-ad,alfrescoNtlm1:alfrescoNtlm
   
   ### ldap auth
   ldap.authentication.active=true
   ldap.authentication.allowGuestLogin=false
   ldap.authentication.userNameFormat=%s@mydomain.loc
   ldap.authentication.java.naming.provider.url=ldap://x.x.x.x
   ldap.authentication.java.naming.security.authentication=simple
   ldap.authentication.defaultAdministratorUserNames=admin
   
   ### KERBEROS auth
   kerberos.authentication.realm=MYDOMAIN.LOC
   kerberos.authentication.authenticateCIFS=true
   kerberos.authentication.sso.enabled=false
   kerberos.authentication.user.configEntryName=Alfresco
   kerberos.authentication.defaultAdministratorUserNames=admin
   kerberos.authentication.cifs.configEntryName=alfrescoCIFS
   kerberos.authentication.cifs.password=****************
   kerberos.authentication.http.configEntryName=alfrescoHTTP
   kerberos.authentication.http.password=****************
   kerberos.authentication.browser.ticketLogons=true
   kerberos.authentication.stripUsernameSuffix=true
   
   ### ldap sync
   ldap.synchronization.active=true
   ldap.synchronization.java.naming.security.authentication=simple
   ldap.synchronization.java.naming.security.principal=svc-ldapsync@mydomain.loc
   ldap.synchronization.java.naming.security.credentials=****************
   ldap.synchronization.groupSearchBase=ou\=Groups,dc\=MYDOMAIN,dc=loc
   ldap.synchronization.userSearchBase=ou\=Users,dc\=MYDOMAIN,dc=loc
   ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(whenChanged<\={0})))
   
   ### CIFS-NFS-FTP
   filesystem.name=WCM
   cifs.enabled=true
   cifs.serverName=myhostname
   cifs.domain=mydomain.loc
   cifs.hostannounce=false
   cifs.pseudoFiles.enabled=false
   cifs.pseudoFiles.explorerURL.enabled=false
   cifs.pseudoFiles.explorerURL.fileName=__Alfresco.url
   cifs.pseudoFiles.shareURL.enabled=false
   cifs.pseudoFiles.shareURL.fileName=__Share.url
   ftp.enabled=false
   nfs.enabled=false

   
Now the JAAS config:
- update the /opt/alfresco-5.0.c/java/lib/security/java.security file and add the following line:
   login.config.url.1=file:${java.home}/lib/security/java.login.config
- create the java.login.config file:
      
   Alfresco {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
   };
   
   alfrescoCIFS {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   doNotPrompt=true
   keyTab="/etc/keys/keytab"
   principal="cifs/myhostname.mydomain.loc";
   };

   alfrescoHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   doNotPrompt=true
   keyTab="/etc/keys/keytab"
   principal="HTTP/myhostname.mydomain.loc";
   };

   com.sun.net.ssl.client {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
   };
   
   other {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
   };
   
Restart Alfresco
-> seems to be OK: INFO  [management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Starting 'Authentication' subsystem, ID: [Authentication, managed, kerberos1]

The problem:
When trying to access Alfresco using CIFS, I get a 'logon failure' on my Windows client, and the following output in catalina.out:

      2015-02-06 15:14:48,630  ERROR [org.alfresco.fileserver] [AlfJLANWorker18] Error from JLAN
    GSSException: Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))
         at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
         at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
         at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
         at org.alfresco.jlan.server.auth.kerberos.SessionSetupPrivilegedAction.run(SessionSetupPrivilegedAction.java:102)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.Subject.doAs(Unknown Source)
         at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.doKerberosLogon(EnterpriseCifsAuthenticator.java:1536)
         at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.doSpnegoSessionSetup(EnterpriseCifsAuthenticator.java:1420)
         at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.access$200(EnterpriseCifsAuthenticator.java:87)
         at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator$2.execute(EnterpriseCifsAuthenticator.java:897)
         at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator$2.execute(EnterpriseCifsAuthenticator.java:881)
         at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:454)
         at org.alfresco.filesys.auth.cifs.CifsAuthenticatorBase.doInTransaction(CifsAuthenticatorBase.java:641)
         at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.processAlfrescoSessionSetup(EnterpriseCifsAuthenticator.java:880)
         at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.processSessionSetup(EnterpriseCifsAuthenticator.java:682)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
         at java.lang.reflect.Method.invoke(Unknown Source)
         at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:112)
         at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
         at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
         at com.sun.proxy.$Proxy188.processSessionSetup(Unknown Source)
         at org.alfresco.jlan.smb.server.NTProtocolHandler.procSessionSetup(NTProtocolHandler.java:417)
         at org.alfresco.jlan.smb.server.NTProtocolHandler.runProtocol(NTProtocolHandler.java:223)
         at org.alfresco.jlan.smb.server.SMBSrvSession.processPacket(SMBSrvSession.java:1480)
         at org.alfresco.jlan.smb.server.nio.NIOCIFSThreadRequest.runRequest(NIOCIFSThreadRequest.java:150)
         at org.alfresco.jlan.server.thread.ThreadRequestPool$ThreadWorker.run(ThreadRequestPool.java:153)
         at java.lang.Thread.run(Unknown Source)
   Caused by: KrbException: Specified version of key is not available (44)
         at sun.security.krb5.EncryptionKey.findKey(Unknown Source)
         at sun.security.krb5.KrbApReq.authenticate(Unknown Source)
         at sun.security.krb5.KrbApReq.<init>(Unknown Source)
         at sun.security.jgss.krb5.InitSecContextToken.<init>(Unknown Source)
         … 29 more
   2015-02-06 15:14:48,633  ERROR [auth.cifs.EnterpriseCifsAuthenticator] [AlfJLANWorker18] No SPNEGO response, Kerberos logon failed
    2015-02-06 15:14:48,834  ERROR [org.alfresco.fileserver] [AlfJLANWorker19] Error from JLAN
    GSSException: Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))
         at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
         at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
         at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
         at org.alfresco.jlan.server.auth.kerberos.SessionSetupPrivilegedAction.run(SessionSetupPrivilegedAction.java:102)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.Subject.doAs(Unknown Source)
         at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.doKerberosLogon(EnterpriseCifsAuthenticator.java:1536)
         at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.doSpnegoSessionSetup(EnterpriseCifsAuthenticator.java:1420)
         at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.access$200(EnterpriseCifsAuthenticator.java:87)
         at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator$2.execute(EnterpriseCifsAuthenticator.java:897)
         at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator$2.execute(EnterpriseCifsAuthenticator.java:881)
         at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:454)
         at org.alfresco.filesys.auth.cifs.CifsAuthenticatorBase.doInTransaction(CifsAuthenticatorBase.java:641)
         at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.processAlfrescoSessionSetup(EnterpriseCifsAuthenticator.java:880)
         at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.processSessionSetup(EnterpriseCifsAuthenticator.java:682)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
         at java.lang.reflect.Method.invoke(Unknown Source)
         at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:112)
         at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
         at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
         at com.sun.proxy.$Proxy188.processSessionSetup(Unknown Source)
         at org.alfresco.jlan.smb.server.NTProtocolHandler.procSessionSetup(NTProtocolHandler.java:417)
         at org.alfresco.jlan.smb.server.NTProtocolHandler.runProtocol(NTProtocolHandler.java:223)
         at org.alfresco.jlan.smb.server.SMBSrvSession.processPacket(SMBSrvSession.java:1480)
         at org.alfresco.jlan.smb.server.nio.NIOCIFSThreadRequest.runRequest(NIOCIFSThreadRequest.java:150)
         at org.alfresco.jlan.server.thread.ThreadRequestPool$ThreadWorker.run(ThreadRequestPool.java:153)
         at java.lang.Thread.run(Unknown Source)
   Caused by: KrbException: Specified version of key is not available (44)
         at sun.security.krb5.EncryptionKey.findKey(Unknown Source)
         at sun.security.krb5.KrbApReq.authenticate(Unknown Source)
         at sun.security.krb5.KrbApReq.<init>(Unknown Source)
         at sun.security.jgss.krb5.InitSecContextToken.<init>(Unknown Source)
         … 29 more
   2015-02-06 15:14:48,837  ERROR [auth.cifs.EnterpriseCifsAuthenticator] [AlfJLANWorker19] No SPNEGO response, Kerberos logon failed
    2015-02-06 15:14:48,854  ERROR [org.alfresco.fileserver] [AlfJLANWorker20] Error from JLAN
    GSSException: Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))
         at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
         at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
         at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
         at org.alfresco.jlan.server.auth.kerberos.SessionSetupPrivilegedAction.run(SessionSetupPrivilegedAction.java:102)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.Subject.doAs(Unknown Source)
         at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.doKerberosLogon(EnterpriseCifsAuthenticator.java:1536)
         at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.doSpnegoSessionSetup(EnterpriseCifsAuthenticator.java:1420)
         at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.access$200(EnterpriseCifsAuthenticator.java:87)
         at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator$2.execute(EnterpriseCifsAuthenticator.java:897)
         at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator$2.execute(EnterpriseCifsAuthenticator.java:881)
         at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:454)
         at org.alfresco.filesys.auth.cifs.CifsAuthenticatorBase.doInTransaction(CifsAuthenticatorBase.java:641)
         at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.processAlfrescoSessionSetup(EnterpriseCifsAuthenticator.java:880)
         at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.processSessionSetup(EnterpriseCifsAuthenticator.java:682)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
         at java.lang.reflect.Method.invoke(Unknown Source)
         at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:112)
         at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
         at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
         at com.sun.proxy.$Proxy188.processSessionSetup(Unknown Source)
         at org.alfresco.jlan.smb.server.NTProtocolHandler.procSessionSetup(NTProtocolHandler.java:417)
         at org.alfresco.jlan.smb.server.NTProtocolHandler.runProtocol(NTProtocolHandler.java:223)
         at org.alfresco.jlan.smb.server.SMBSrvSession.processPacket(SMBSrvSession.java:1480)
         at org.alfresco.jlan.smb.server.nio.NIOCIFSThreadRequest.runRequest(NIOCIFSThreadRequest.java:150)
         at org.alfresco.jlan.server.thread.ThreadRequestPool$ThreadWorker.run(ThreadRequestPool.java:153)
         at java.lang.Thread.run(Unknown Source)
   Caused by: KrbException: Specified version of key is not available (44)
         at sun.security.krb5.EncryptionKey.findKey(Unknown Source)
         at sun.security.krb5.KrbApReq.authenticate(Unknown Source)
         at sun.security.krb5.KrbApReq.<init>(Unknown Source)
         at sun.security.jgss.krb5.InitSecContextToken.<init>(Unknown Source)
         … 29 more
   2015-02-06 15:14:48,857  ERROR [auth.cifs.EnterpriseCifsAuthenticator] [AlfJLANWorker20] No SPNEGO response, Kerberos logon failed

I don't understand the cause of this error "Specified version of key is not available", as the kvno in AD and in the keytab match, and Kerberos
auth has been tested successfully using kinit. Could somebody help me?


Thanks,
Vincent





Hi Vincent,

Nice to hear from you again, and there is no problem with the delay.

OK, let's try from a different point of view.
Here is what I want to achieve:
Our Alfresco is only for internal use by all employees of our company. Every employee has an LDAP AD account and we want to configure those accounts to use single sign-on, meaning they do not have to enter a user name and password when they open the URL link for Alfresco.

I never used kerberos before and maybe I'm doing it wrong.

Please let me know if you think that I need to do some changes or I should do something else entirely.

Boris

Hi Boris,
I understand your needs.
My point is that I have never experienced Kerberos SSO on Share (what you want to do).
But I have configured Kerberos SSO on the CIFS connector very often. My suggestion is to first try
to get this working (Kerberos SSO on CIFS), which is less complicated, and which would validate the whole config (Alfresco, AD, Kerberos client).
Did you enable the CIFS connector?
Vincent

Hi Vincent,

Thanks for helping me with this problem - it's much appreciated!

Sorry, but I'm not sure how I can do the thing you described above. Would you please give me some pointers, steps, advice, etc.? :)

Cheers,
Bobi

Hi Boris,
here's a config example to get CIFS with Kerberos SSO working (alfresco-share.properties).
Could you get this working: accessing the CIFS share from a workstation in your domain?


###LDAP###
ldap.authentication.active=true
ldap.synchronization.active=true

#ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@MYDOMAIN.LOC
ldap.authentication.java.naming.provider.url=ldap://1.2.3.4:389
ldap.authentication.defaultAdministratorUserNames=administrator
ldap.synchronization.java.naming.security.principal=userThatCanReadADUsersProperties@MYDOMAIN.LOC
ldap.synchronization.java.naming.security.credentials=userPassword

###ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(whenChanged<\={0})))
###ldap.synchronization.groupDifferentialQuery=(objectclass\=group)
###ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(whenChanged<\={0})))
###ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.groupSearchBase=ou\=GROUPS,dc\=MYDOMAIN,dc=LOC
ldap.synchronization.userSearchBase=ou\=USERS,dc\=MYDOMAIN,dc=LOC

## fileserver subsystem
filesystem.name=NAME_OF_CIFS_SHARE
cifs.enabled=true
cifs.serverName=myServerName
cifs.domain=MYDOMAIN.LOC
cifs.hostannounce=false
##cifs.pseudoFiles.enabled=true
## turn off Desktop actions
cifs.pseudoFiles.enabled=false
cifs.pseudoFiles.explorerURL.enabled=false
cifs.pseudoFiles.explorerURL.fileName=__Alfresco.url
cifs.pseudoFiles.shareURL.enabled=false
cifs.pseudoFiles.shareURL.fileName=__Share.url
ftp.enabled=false
nfs.enabled=false

### AUTH & SYNC ###
authentication.chain=kerberos1:kerberos,my-domain:ldap-ad,alfrescoNtlm1:alfrescoNtlm
### LDAP SYNC SUBSYSTEM ###
# startup and authent sync process always is differential mode sync mode (if false, sync is in full mode):
synchronization.synchronizeChangesOnly=true

# The cron expression defining when imports should take place
## Sync every 30 minutes
synchronization.import.cron=0 0/15 * * * ?

synchronization.syncWhenMissingPeopleLogIn=true
# Should we trigger a differential sync on startup?
synchronization.syncOnStartup=true

synchronization.allowDeletions=true
## disable home folders creation
ldap.synchronization.defaultHomeFolderProvider=companyHomeFolderProvider

## KERBEROS
kerberos.authentication.realm=MYDOMAIN.LOC
kerberos.authentication.authenticateCIFS=true
kerberos.authentication.sso.enabled=false

kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.defaultAdministratorUserNames=administrator

# should match the JAAS config entry and the AD account
kerberos.authentication.cifs.configEntryName=Alfresco5-CIFS
kerberos.authentication.cifs.password=userPassword

# should match the JAAS config entry and the AD account
kerberos.authentication.http.configEntryName=Alfresco5-HTTP
kerberos.authentication.http.password=userPassword
kerberos.authentication.browser.ticketLogons=true
kerberos.authentication.stripUsernameSuffix=true

borisstankov
Champ in-the-making
Hi Vincent,

Sorry for the late reply, but I was out of office.

I'm not sure how to use those:

## fileserver subsystem
filesystem.name=NAME_OF_CIFS_SHARE
cifs.enabled=true
cifs.serverName=myServerName
cifs.domain=MYDOMAIN.LOC
cifs.hostannounce=false
##cifs.pseudoFiles.enabled=true
## turn off Desktop actions
cifs.pseudoFiles.enabled=false
cifs.pseudoFiles.explorerURL.enabled=false
cifs.pseudoFiles.explorerURL.fileName=__Alfresco.url
cifs.pseudoFiles.shareURL.enabled=false
cifs.pseudoFiles.shareURL.fileName=__Share.url
ftp.enabled=false
nfs.enabled=false


Would you please give me more details about them and how to use them correctly? :)

(I already tested with the configs, but nothing much happens, because I'm not sure what the correct values of those properties are.)

Thanks a lot, man!

vincent-kali
Star Contributor
Hi,

the most important ones are:

filesystem.name=NAME_OF_CIFS_SHARE -> name of your CIFS share

cifs.enabled=true -> enable CIFS for Alfresco

cifs.serverName=myServerName -> the NetBIOS name of the CIFS server

cifs.domain=MYDOMAIN.LOC -> the domain name, must match your AD domain and kerberos realm

-> could you check your log when starting Alfresco, and look for
'Startup of 'Authentication' subsystem…' and
'Starting 'fileServers' subsystem…'

Try to access your Alfresco using \\alfrescoServerName\NAME_OF_CIFS_SHARE

and check here for options: http://docs.alfresco.com/community/concepts/fileserv-subsystem-CIFS.html

Regards,
Vincent

sudheer424
Champ in-the-making
I have followed the documentation to set up Kerberos for AD authentication. Your config files match mine. There are no errors in the log file during startup of the Alfresco services. The web application is working fine. However, when I access the CIFS shared folders from a Windows 7 machine connected to AD (Microsoft 2008 R2 server), I get an error as shown in the image. I have implemented Alfresco on an Ubuntu server.

Any suggestions on this issue? Also, please post your config files.

Thank You,
Sudheer

Hi,
When you say "Windows 7 machine connected to AD", do you mean integrated in a 2008 R2 AD domain?
Could you please post the catalina.out trace when the error occurs?
Could you please confirm that you have Kerberos enabled for CIFS?
Did you check that the KVNO set in your keytab file matches the service account in AD?

Vincent
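The "Specified version of key is not available (44)" error in Vincent's original post, and the KVNO check he asks Sudheer about in this last reply, both come down to the same thing: the key version number (kvno) carried in the client's service ticket must match an entry in the keytab the Java acceptor reads, or the JGSS acceptor fails with KRB_AP_ERR_BADKEYVER (44). The following is an added example, not code from the thread or from Alfresco: a small parser for the MIT version-2 keytab format that lists each entry's principal, kvno and enctype, and compares the kvno against the account's `msDS-KeyVersionNumber` value taken from AD. The keytab it parses is constructed in the block itself (zero-filled placeholder keys, principals borrowed from the thread's JAAS entries); the `build_keytab` helper exists only to produce that sample, real keytabs come from ktpass or ktutil. The AD-side numbers are hard-coded as an assumption standing in for an LDAP lookup.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Enctype numbers from RFC 3961 / the MIT enctype table (common ones only).
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}


@dataclass
class KeytabEntry:
    principal: str   # "service/host@REALM"
    kvno: int
    enctype: int
    timestamp: int


def _counted(buf: bytes, pos: int) -> Tuple[bytes, int]:
    """Read a counted octet string: uint16 big-endian length, then the bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n], pos + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse an MIT version-2 (0x0502) keytab. Key bytes are skipped, never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                  # negative size marks a deleted slot: skip its bytes
            pos += -size
            continue
        if size == 0:                 # zero-length padding: nothing more to read
            break
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen               # skip the key material itself
        kvno = vno8
        if end - pos >= 4:            # optional 32-bit kvno; a non-zero value takes precedence
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype, timestamp))
    return entries


def build_keytab(entries: List[Tuple[str, int, int, bytes]]) -> bytes:
    """Write a version-2 keytab from (principal, kvno, enctype, key) tuples.
    Only used to construct the sample below; real keytabs come from ktpass/ktutil."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm, *comps]:
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name_type=1 (NT-PRINCIPAL), timestamp=0
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                  # 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_kvno(keytab: bytes, ad_kvno: Dict[str, int]) -> Dict[Tuple[str, str], str]:
    """Compare each keytab entry's kvno with the account's msDS-KeyVersionNumber
    from AD (supplied in ad_kvno). A mismatch is what Java reports as
    KrbException 'Specified version of key is not available (44)'."""
    report = {}
    for e in parse_keytab(keytab):
        enc = ENCTYPE_NAMES.get(e.enctype, f"enctype-{e.enctype}")
        expected = ad_kvno.get(e.principal)
        status = "unknown" if expected is None else ("ok" if expected == e.kvno else "mismatch")
        report[(e.principal, enc)] = status
    return report


# Constructed sample: the two service principals from the thread's JAAS entries, with
# placeholder all-zero keys. Assumed scenario: the HTTP account's password was reset
# after the keytab was generated, so AD is now at kvno 5 while the keytab still says 2.
SAMPLE_KEYTAB = build_keytab([
    ("cifs/myhostname.mydomain.loc@MYDOMAIN.LOC", 3, 18, bytes(32)),
    ("HTTP/myhostname.mydomain.loc@MYDOMAIN.LOC", 2, 23, bytes(16)),
])
AD_KVNO = {  # assumed values; a real run reads each account's msDS-KeyVersionNumber from AD
    "cifs/myhostname.mydomain.loc@MYDOMAIN.LOC": 3,
    "HTTP/myhostname.mydomain.loc@MYDOMAIN.LOC": 5,
}

if __name__ == "__main__":
    for (principal, enc), status in check_kvno(SAMPLE_KEYTAB, AD_KVNO).items():
        print(f"{status:8} {principal} [{enc}]")
```

On a real server the same columns come from `klist -k -t -e /etc/keys/keytab` (MIT tools, as used for the kinit test in the thread), and the AD side from the `msDS-KeyVersionNumber` attribute of each service account. Two points the thread's symptom illustrates: a successful `kinit -k` only proves the keytab's current key matches the KDC for the initiator (AS) exchange, whereas the CIFS logon runs the acceptor path, which looks up the kvno named in the client's ticket; and every password reset on the service account (including re-running ktpass) bumps the kvno, so a keytab generated before the reset, or a client still holding a ticket issued under the old kvno, produces exactly error 44 with no other visible misconfiguration.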