Alfresco authenticate against domain or servername? (AD2003)

tpeelen
Champ in-the-making
Hi All,

Sometimes I get Alfresco up and running to authenticate & sync against AD2003 (Web Client). However, I get a question from the IT department:

"Does Alfresco authenticate against the domain (and find the AD itself) or against a configured named server."

We use JAAS/Kerberos on RedHat5, Java1.5, Alfresco 2.1.0 EE against AD2003

I can see KDC and admin_server mentioned in krb5.conf, pointing to a single servername. Is this the clue I need? I am not that much into (Windows) security…

Thanks in advance!

Tjarda

tpeelen
Champ in-the-making
The background is the following. I understand from the IT guys over here, Microsoft Active Directory is designed for (un/expected) reboot. Therefore they have at least two instances of AD. Because you can never guarantee that one named server is up and available, they expect an application to ask the domain where the AD(s) can be found.

It appears to me that in the Alfresco config there is a reference to named (KDC) servers instead: (http://wiki.alfresco.com/wiki/Configuring_the_CIFS_and_web_servers_for_Kerberos/AD_integration)

file-servers-custom.xml:

<config evaluator="string-compare" condition="Filesystem Security">
  <authenticator type="enterprise">
    <KDC>adsrv.alfresco.org</KDC>
    <Realm>ALFRESCO.ORG</Realm>
    <Password>…</Password>
  </authenticator>
</config>

and in /etc/krb5.conf

[libdefaults]
default_realm = ALFRESCO.ORG


[realms]
ALFRESCO.ORG = {
  kdc = adsrv.alfresco.org
  admin_server = adsrv.alfresco.org
}


[domain_realm]
adsrv.alfresco.org = ALFRESCO.ORG
.adsrv.alfresco.org = ALFRESCO.ORG

The local IT guys need to know if the named-server option can be configured in such a manner it can handle the AD-uncertainty of which of the AD servers is up…

PS: there is something similar in the LDAP auth and sync XML configs, although the auth can look for multiple named AD servers…
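Both fragments above name exactly one host, so the Kerberos client never asks the domain at all: if adsrv.alfresco.org is down, every ticket request fails. The MIT client that reads /etc/krb5.conf (and the Java Kerberos code that Alfresco's JAAS login goes through, which reads the same file) accepts more than one kdc line per realm, tried in order, and with dns_lookup_kdc = true it locates KDCs from the _kerberos._tcp SRV records that Active Directory publishes for a realm that has no kdc lines of its own. The following is an added example written for this page, not code from the thread or from Alfresco: the posted single-server krb5.conf beside a "let the domain answer" form, and a small parser that reports which of the two behaviours a given krb5.conf actually gives the client. The realm and hostnames are taken from the post; the probe at the end needs DNS and a reachable domain and is not part of the offline check. Whether Alfresco's own <KDC> element accepts a list is the open question in the thread and is not settled here.

```shell
#!/bin/sh
# Added example (not from the original thread or from Alfresco). Shows the
# single-KDC krb5.conf posted above beside one that lets the client discover
# KDCs from AD's DNS SRV records, and a parser that reports which way a
# given krb5.conf resolves KDCs for a realm.

# Constructed: the single-server form from the post (one named KDC).
KRB5_SINGLE='[libdefaults]
default_realm = ALFRESCO.ORG

[realms]
ALFRESCO.ORG = {
  kdc = adsrv.alfresco.org
  admin_server = adsrv.alfresco.org
}

[domain_realm]
adsrv.alfresco.org = ALFRESCO.ORG
.adsrv.alfresco.org = ALFRESCO.ORG
'

# Constructed: no kdc lines for the realm, so with dns_lookup_kdc = true the
# client queries _kerberos._tcp.ALFRESCO.ORG (published by every DC) and
# tries the hosts it gets back. Listing several "kdc = host" lines instead
# gives static redundancy but still depends on the names you typed.
KRB5_DOMAIN='[libdefaults]
 default_realm = ALFRESCO.ORG
 dns_lookup_kdc = true
 dns_lookup_realm = false

[realms]
 ALFRESCO.ORG = {
  # no kdc lines on purpose: the domain answers via SRV records
 }

[domain_realm]
 .alfresco.org = ALFRESCO.ORG
 alfresco.org = ALFRESCO.ORG
'

# realm_kdcs REALM: print the kdc hosts configured for REALM, one per line,
# in the order the client will try them. Reads krb5.conf text on stdin.
realm_kdcs() {
  awk -v realm="$1" '
    /^[ \t]*\[/ { section = $1; inrealm = 0 }
    section == "[realms]" && $1 == realm && $NF == "{" { inrealm = 1; next }
    inrealm && $1 == "}"   { inrealm = 0 }
    inrealm && $1 == "kdc" { print $3 }
  '
}

# dns_lookup_kdc_enabled: exit 0 if [libdefaults] turns on SRV lookup.
dns_lookup_kdc_enabled() {
  awk '
    /^[ \t]*\[/ { section = $1 }
    section == "[libdefaults]" && $1 == "dns_lookup_kdc" { val = tolower($3) }
    END { if (val == "true" || val == "yes" || val == "1") exit 0; exit 1 }
  '
}

# kdc_source REALM: one word for how the client finds KDCs for REALM:
#   static - only the kdc hosts named in the file (a down host is not replaced)
#   dns    - no kdc hosts, the realm's SRV records are queried instead
#   none   - neither, so every ticket request fails
kdc_source() {
  conf=$(cat)
  n=$(printf '%s\n' "$conf" | realm_kdcs "$1" | wc -l | tr -d ' ')
  if [ "$n" -gt 0 ]; then
    echo static
  elif printf '%s\n' "$conf" | dns_lookup_kdc_enabled; then
    echo dns
  else
    echo none
  fi
}

# probe_kdcs REALM: live check, needs DNS and network (not run offline).
# Lists the KDCs the domain publishes and whether each answers on its port.
# Assumes dig and a netcat that understands -z (port scan) and -w (timeout).
probe_kdcs() {
  dig +short SRV "_kerberos._tcp.$1" | while read -r prio weight port host; do
    host=${host%.}
    if nc -z -w 3 "$host" "$port" 2>/dev/null; then
      echo "up   $host:$port"
    else
      echo "down $host:$port"
    fi
  done
}

printf 'posted config : %s\n' "$(printf '%s\n' "$KRB5_SINGLE" | kdc_source ALFRESCO.ORG)"
printf 'domain config : %s\n' "$(printf '%s\n' "$KRB5_DOMAIN" | kdc_source ALFRESCO.ORG)"
```

Run it against the real file with `kdc_source ALFRESCO.ORG < /etc/krb5.conf`; "static" with a single host is the situation the IT department is asking about. `probe_kdcs ALFRESCO.ORG` then shows what the domain would hand out, which is also a quick way to confirm the DCs register their SRV records before switching the client over to DNS lookup.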

gary_spencer
Champ in-the-making
Hi,

The Kerberos setup details are not under our control. All of the samples I've seen or used have named servers in them, but it may be possible to name multiple servers.

In the Alfresco config the KDC value is used to do the initial service logon using the key table that is generated during the setup. I'm not sure if having a list of servers there would work unless there is some replication between the AD servers so that the key table is still valid. The key has a version number in it which is bumped each time the key table is generated with the ktpass command, the version numbers must match.

If you follow the Kerberos setup and then list the SPNs on the backup AD server for the account, are the mappings there?

If the values are being replicated then it could be possible to make the KDC property a list of servers, but it might require the krb5.ini setup to match as some of the Java API code references those settings.

Cheers

Gary
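Gary's two checks (does the key version number in the keytab match what AD holds, and are the SPNs present on the other DC) can be done from the Alfresco host. The kvno written into the keytab by ktpass has to equal the account's msDS-KeyVersionNumber in AD, which goes up every time the account password is set, including on every ktpass run; a keytab with a stale kvno fails the service logon on every DC, and a DC whose copy of the account has not yet replicated fails it on that DC only. The following is an added example written for this page, not code from the thread or from Alfresco: the `klist -k` output and the ldapsearch results are constructed samples, and the service account name alfresco-cifs and the principals are assumed; the functions compare the two and flag any entry whose kvno or SPN does not match. Running the same ldapsearch against each DC in turn is what shows whether replication has caught up.

```shell
#!/bin/sh
# Added example (not from the thread or from Alfresco): check that every
# entry in the service keytab carries the kvno Active Directory currently
# holds for the account, and that its SPN is registered on the account.
# Sample outputs are constructed; principal and account names are assumed.

# Constructed: `klist -k -t /etc/alfresco.keytab` output (MIT format).
KLIST_OUT='Keytab name: FILE:/etc/alfresco.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------------
   3 01/01/08 10:00:00 HTTP/alfresco.alfresco.org@ALFRESCO.ORG
   3 01/01/08 10:00:00 cifs/alfresco.alfresco.org@ALFRESCO.ORG
'

# Constructed: result of querying one DC for the service account, e.g.
#   ldapsearch -LLL -H ldap://adsrv.alfresco.org -D "user@ALFRESCO.ORG" -W \
#     -b DC=alfresco,DC=org "(sAMAccountName=alfresco-cifs)" \
#     servicePrincipalName msDS-KeyVersionNumber
# Point -H at the second DC to see whether its copy has replicated.
LDAP_OUT='dn: CN=alfresco-cifs,CN=Users,DC=alfresco,DC=org
servicePrincipalName: HTTP/alfresco.alfresco.org
servicePrincipalName: cifs/alfresco.alfresco.org
msDS-KeyVersionNumber: 3
'

# Constructed: the same query after ktpass was run once more, so the
# password and kvno moved on and the keytab above is now stale.
LDAP_OUT_STALE='dn: CN=alfresco-cifs,CN=Users,DC=alfresco,DC=org
servicePrincipalName: HTTP/alfresco.alfresco.org
servicePrincipalName: cifs/alfresco.alfresco.org
msDS-KeyVersionNumber: 4
'

# keytab_kvnos: read klist -k output on stdin, print "kvno principal" lines.
keytab_kvnos() {
  awk '$1 ~ /^[0-9]+$/ { print $1, $NF }'
}

# ad_kvno: read ldapsearch output on stdin, print msDS-KeyVersionNumber.
ad_kvno() {
  awk -F': ' '$1 == "msDS-KeyVersionNumber" { print $2 }'
}

# ad_spns: read ldapsearch output on stdin, print each servicePrincipalName.
ad_spns() {
  awk -F': ' '$1 == "servicePrincipalName" { print $2 }'
}

# kvno_check KLIST_TEXT LDAP_TEXT: one line per keytab entry; exit 0 only
# when every entry has AD's kvno and its SPN (principal minus @REALM) is
# registered on the account.
kvno_check() {
  expected=$(printf '%s\n' "$2" | ad_kvno)
  spns=$(printf '%s\n' "$2" | ad_spns)
  status=0
  # here-document keeps the loop in the current shell so status survives
  while read -r kvno princ; do
    spn=${princ%@*}
    if [ "$kvno" != "$expected" ]; then
      echo "MISMATCH $princ: keytab kvno $kvno, AD kvno ${expected:-unknown}"
      status=1
    elif ! printf '%s\n' "$spns" | grep -qx "$spn"; then
      echo "MISSING  $spn is not registered on the account"
      status=1
    else
      echo "OK       $princ kvno $kvno"
    fi
  done <<EOF
$(printf '%s\n' "$1" | keytab_kvnos)
EOF
  return $status
}

echo "== against DC with current data"
kvno_check "$KLIST_OUT" "$LDAP_OUT"
echo "== against DC after another ktpass run"
kvno_check "$KLIST_OUT" "$LDAP_OUT_STALE" || echo "keytab is stale; regenerate with ktpass"
```

In practice the inputs come from `klist -k -t /etc/alfresco.keytab` and one ldapsearch per DC; an entry that is OK on the primary and MISSING or MISMATCH on the backup is the replication case Gary describes, while MISMATCH on every DC means the keytab predates the last ktpass run and must be regenerated (and the old copy replaced on the Alfresco host, since it holds a key derived from the previous password).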