CIFS conf problem (KrbException: Identifier doesn't match...

09-21-2008 07:18 PM
I have a little but very annoying problem with configuring CIFS on Alfresco Labs.
About the environment:
I have one computer to test this function with Windows XP on it (Computer name: va; Domain: mydom). I've decided to create a virtual PC and to install a Windows 2003 Server on it. This server (Computer name: va-virtserver; Domain: test2003.nyugi) is the AD server that I would like to configure to do the Kerberos authentication for Alfresco CIFS. Unfortunately my PC and my new virtual server are in different domains, but if I understood right this should not be a problem. (But maybe this is the cause of my problems. … I hope not.)
About my installation and configuration process:
I have installed Alfresco Labs version 3.0.0 (b 1164) schema 131 (Alfresco-Labs-3b-OOo-Setup.exe) on my WinXP (d:\Alfresco). After that I followed the instructions of the Configuring the CIFS and web servers for Kerberos/AD integration wiki page. Since I believe I did everything by the 'manual' I will tell my every move step by step:
- On my virtual server (va-virtserver.test2003.nyugi) I've created the two user accounts (alfrescocifs, alfrescohttp) with passwords the same as the account names, and with the desired settings: 'Password never expires' enabled, 'User must change password at next logon' disabled, 'Use DES encryption types for this account' and 'Do not require Kerberos preauthentication' options enabled.
- I used the ktpass utility on va-virtserver to generate key tables for the CIFS and web servers. I used these lines:

  ```
  ktpass -princ cifs/va.mydom@ALFTEST.NYUGI -pass alfcifs -mapuser TEST2003\alfrescocifs -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -out c:\temp\alfrescocifs.keytab
  ktpass -princ HTTP/va.mydom@ALFTEST.NYUGI -pass alfhttp -mapuser TEST2003\alfrescohttp -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -out c:\temp\alfrescohttp.keytab
  ```

  I am not really familiar with the Kerberos protocol, so I first tried different passwords from the ones set for the accounts, just to find out if it should be the same or not.
- I've created the Service Principal Names (SPN) for the Alfresco CIFS and web server using the setspn utility:

  ```
  setspn -a cifs/va alfrescocifs
  setspn -a cifs/va.mydom alfrescocifs
  setspn -a http/va alfrescohttp
  setspn -a http/va.mydom alfrescohttp
  ```

- I've copied the key table files to the installed Alfresco's etc subdir:

  ```
  \\va-virtserver\c$\temp\alfrescocifs.keytab -> d$\Alfresco\etc\alfrescocifs.keytab
  \\va-virtserver\c$\temp\alfrescohttp.keytab -> d$\Alfresco\etc\alfrescohttp.keytab
  ```

- I've created the Kerberos ini file in c:\WINDOWS\krb5.ini (later I've made a copy of it in a newly created C:\WINNT folder because an exception somewhere missed it from that path):

  ```
  [libdefaults]
    default_realm = ALFTEST.NYUGI

  [realms]
    ALFTEST.NYUGI = {
      kdc = va-virtserver
      admin_server = va-virtserver
    }

  [domain_realm]
    va-virtserver = ALFTEST.NYUGI
    .va-virtserver = ALFTEST.NYUGI
  ```

- I've created a Java login configuration file (c:\java\jdk1.5.0_07\jre\lib\security\java.login.config):

  ```
  AlfrescoCIFS {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    useKeyTab=true
    keyTab="d:/Alfresco/etc/alfrescocifs.keytab"
    principal="cifs/va.mydom";
  };

  AlfrescoHTTP {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    useKeyTab=true
    keyTab="d:/Alfresco/etc/alfrescohttp.keytab"
    principal="HTTP/va.mydom";
  };
  ```

- I've put this line into the Java security configuration file (c:\java\jdk1.5.0_07\jre\lib\security\java.security):

  ```
  …
  login.config.url.1=file:${java.home}/lib/security/java.login.config
  …
  ```

- I've added this to d:\Alfresco\tomcat\webapps\alfresco\WEB-INF\classes\alfresco\file-servers.xml file:

  ```
  <config evaluator="string-compare" condition="Filesystem Security">
    <authenticator type="enterprise">
      <KDC>va-virtserver</KDC>
      <Realm>ALFTEST.NYUGI</Realm>
      <Password>alfrescocifs</Password>
      <Principal>cifs/va.mydom@ALFTEST.NYUGI</Principal>
    </authenticator>
  </config>
  ```

- I've changed the default values to these in d:\Alfresco\tomcat\webapps\alfresco\WEB-INF\web.xml file:

  ```
  <filter>
    <filter-name>Authentication Filter</filter-name>
    <filter-class>org.alfresco.web.app.servlet.KerberosAuthenticationFilter</filter-class>
    <init-param>
      <param-name>KDC</param-name>
      <param-value>va-virtserver</param-value>
    </init-param>
    <init-param>
      <param-name>Realm</param-name>
      <param-value>ALFTEST.NYUGI</param-value>
    </init-param>
    <init-param>
      <param-name>Password</param-name>
      <param-value>alfrescocifs</param-value>
    </init-param>
    <init-param>
      <param-name>Principal</param-name>
      <param-value>cifs/va.mydom@ALFTEST.NYUGI</param-value>
    </init-param>
  </filter>
  …
  <filter>
    <filter-name>WebDAV Authentication Filter</filter-name>
    <filter-class>org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter</filter-class>
    <init-param>
      <param-name>KDC</param-name>
      <param-value>va-virtserver</param-value>
    </init-param>
    <init-param>
      <param-name>Realm</param-name>
      <param-value>ALFTEST.NYUGI</param-value>
    </init-param>
    <init-param>
      <param-name>Password</param-name>
      <param-value>alfrescohttp</param-value>
    </init-param>
    <init-param>
      <param-name>Principal</param-name>
      <param-value>HTTP/va.mydom@ALFTEST.NYUGI</param-value>
    </init-param>
  </filter>
  ```
```
09:01:07,139 ERROR [webdav.auth.KerberosAuthenticationFilter] HTTP Kerberos web filter error
javax.security.auth.login.LoginException: null (68)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:652)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:512)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
    at org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter.init(KerberosAuthenticationFilter.java:340)
    at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:221)
    at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:302)
    at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:78)
    at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:3635)
    at org.apache.catalina.core.StandardContext.start(StandardContext.java:4222)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:760)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:740)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:544)
    at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:825)
    at org.apache.catalina.startup.HostConfig.deployWARs(HostConfig.java:714)
    at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:490)
    at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1138)
    at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:311)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:120)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1022)
    at org.apache.catalina.core.StandardHost.start(StandardHost.java:736)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1014)
    at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
    at org.apache.catalina.core.StandardService.start(StandardService.java:448)
    at org.apache.catalina.core.StandardServer.start(StandardServer.java:700)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:552)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:295)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:433)
Caused by: KrbException: null (68)
    at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:64)
    at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:345)
    at sun.security.krb5.Credentials.acquireTGT(Credentials.java:370)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:642)
    … 39 more
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
    at sun.security.krb5.internal.ASRep.init(ASRep.java:58)
    at sun.security.krb5.internal.ASRep.<init>(ASRep.java:53)
    at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:50)
    … 42 more
09:01:07,686 ERROR [[Catalina].[localhost].[/alfresco]] Exception starting filter WebDAV Authentication Filter
javax.servlet.ServletException: Failed to login HTTP server service
    at org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter.init(KerberosAuthenticationFilter.java:354)
    at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:221)
    at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:302)
    at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:78)
    at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:3635)
    at org.apache.catalina.core.StandardContext.start(StandardContext.java:4222)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:760)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:740)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:544)
    at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:825)
    at org.apache.catalina.startup.HostConfig.deployWARs(HostConfig.java:714)
    at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:490)
    at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1138)
    at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:311)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:120)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1022)
    at org.apache.catalina.core.StandardHost.start(StandardHost.java:736)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1014)
    at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
    at org.apache.catalina.core.StandardService.start(StandardService.java:448)
    at org.apache.catalina.core.StandardServer.start(StandardServer.java:700)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:552)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:295)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:433)
09:01:07,748 ERROR [app.servlet.KerberosAuthenticationFilter] HTTP Kerberos web filter error
javax.security.auth.login.LoginException: null (68)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:652)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:512)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
    at org.alfresco.web.app.servlet.KerberosAuthenticationFilter.init(KerberosAuthenticationFilter.java:366)
    at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:221)
    at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:302)
    at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:78)
    at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:3635)
    at org.apache.catalina.core.StandardContext.start(StandardContext.java:4222)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:760)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:740)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:544)
    at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:825)
    at org.apache.catalina.startup.HostConfig.deployWARs(HostConfig.java:714)
    at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:490)
    at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1138)
    at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:311)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:120)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1022)
    at org.apache.catalina.core.StandardHost.start(StandardHost.java:736)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1014)
    at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
    at org.apache.catalina.core.StandardService.start(StandardService.java:448)
    at org.apache.catalina.core.StandardServer.start(StandardServer.java:700)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:552)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:295)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:433)
Caused by: KrbException: null (68)
    at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:64)
    at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:345)
    at sun.security.krb5.Credentials.acquireTGT(Credentials.java:370)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:642)
    … 39 more
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
    at sun.security.krb5.internal.ASRep.init(ASRep.java:58)
    at sun.security.krb5.internal.ASRep.<init>(ASRep.java:53)
    at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:50)
    … 42 more
09:01:07,748 ERROR [[Catalina].[localhost].[/alfresco]] Exception starting filter Authentication Filter
javax.servlet.ServletException: Failed to login HTTP server service
    at org.alfresco.web.app.servlet.KerberosAuthenticationFilter.init(KerberosAuthenticationFilter.java:380)
    at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:221)
    at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:302)
    at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:78)
    at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:3635)
    at org.apache.catalina.core.StandardContext.start(StandardContext.java:4222)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:760)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:740)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:544)
    at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:825)
    at org.apache.catalina.startup.HostConfig.deployWARs(HostConfig.java:714)
    at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:490)
    at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1138)
    at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:311)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:120)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1022)
    at org.apache.catalina.core.StandardHost.start(StandardHost.java:736)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1014)
    at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
    at org.apache.catalina.core.StandardService.start(StandardService.java:448)
    at org.apache.catalina.core.StandardServer.start(StandardServer.java:700)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:552)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:295)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:433)
2008.09.19. 9:01:07 org.apache.catalina.core.StandardContext start
SEVERE: Error filterStart
2008.09.19. 9:01:07 org.apache.catalina.core.StandardContext start
SEVERE: Context [/alfresco] startup failed due to previous errors
```

Later I tried to change the passwords:
```
ktpass -princ cifs/va.mydom@ALFTEST.NYUGI -pass alfrescocifs -mapuser TEST2003\alfrescocifs -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -out c:\temp\alfrescocifs.keytab
ktpass -princ HTTP/va.mydom@ALFTEST.NYUGI -pass alfrescohttp -mapuser TEST2003\alfrescohttp -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -out c:\temp\alfrescohttp.keytab
```
but it didn't help.
Please, somebody help me find the solution!
09-22-2008 05:58 PM
It's me again. I made a step forward. The writers of the wiki page Configuring the CIFS and web servers for Kerberos/AD integration presumed that every reader is aware of the fact that the <realm> is the uppercase name of the Windows domain for the ktpass utility. (See: Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability) I wasn't.
I replaced all occurrences of ALFTEST.NYUGI (my fictitious realm name) with my server's domain TEST2003.NYUGI. This resulted in a clean, exceptionless Alfresco Server start.
But the Alfresco Web Client is not available. Firefox shows an empty page (even the source is empty), IE shows an Alfresco System Error page:
java.lang.ArrayIndexOutOfBoundsException: End of data buffer
    at org.alfresco.jlan.server.auth.asn.DERBuffer.unpackBytes(DERBuffer.java:195)
    at org.alfresco.jlan.server.auth.asn.DERApplicationSpecific.derDecode(DERApplicationSpecific.java:95)
    at org.alfresco.jlan.server.auth.asn.DERBuffer.unpackObject(DERBuffer.java:369)
    at org.alfresco.jlan.server.auth.asn.DERBuffer.unpackApplicationSpecific(DERBuffer.java:759)
    at org.alfresco.jlan.server.auth.spnego.NegTokenInit.decode(NegTokenInit.java:191)
    at org.alfresco.web.app.servlet.KerberosAuthenticationFilter.doFilter(KerberosAuthenticationFilter.java:581)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:210)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:870)
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
    at java.lang.Thread.run(Thread.java:595)
The strange thing is, no exceptions appeared in the logs (except the java.lang.ArrayIndexOutOfBoundsException).
I hope I'll find something if I search the forums.
09-24-2008 04:14 AM
We experienced the same problem; you have to configure Firefox with the about:config value of [network.negotiate-auth.trusted-uris]. We added the server name of Alfresco here.
Can you show the server log when starting?
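
The trace earlier in this thread ends in `DERBuffer.unpackBytes` underneath `NegTokenInit.decode`, meaning the filter ran out of bytes while DER-decoding the token the browser sent. The following is an added diagnostic example, not Alfresco's code and not part of any post: it classifies the value of an `Authorization: Negotiate` header with bounds-checked DER parsing, so a raw NTLM token or a truncated token is reported as such instead of raising. The function names and the sample tokens are constructed for illustration.

```python
import base64

SPNEGO_OID = bytes.fromhex("2b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2

def read_tlv(buf, pos):
    """Parse one DER tag/length at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form: length in one byte
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):           # the check whose absence ends in an index error
        raise ValueError("declared length exceeds data")
    return tag, pos, pos + length

def classify_negotiate(header_value):
    """Classify the token in an 'Authorization: Negotiate <base64>' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "not-negotiate"
    try:
        token = base64.b64decode(b64, validate=True)
        if token.startswith(b"NTLMSSP\x00"):
            return "raw-ntlm"             # NTLM message, not ASN.1 at all
        tag, start, end = read_tlv(token, 0)
        oid_tag, oid_start, oid_end = read_tlv(token[:end], start)
        if tag != 0x60 or oid_tag != 0x06:  # GSS-API wrapper, then mechanism OID
            return "malformed"
    except ValueError:                    # also covers base64 decoding errors
        return "malformed"
    oid = token[oid_start:oid_end]
    return {SPNEGO_OID: "spnego", KRB5_OID: "raw-kerberos"}.get(oid, "unknown-mechanism")

def _hdr(raw):
    return "Negotiate " + base64.b64encode(raw).decode("ascii")

# Constructed sample tokens (not captured from a real client).
_SPNEGO = bytes.fromhex("600c" "06062b0601050502" "a0023000")
SAMPLES = {"ntlm": _hdr(b"NTLMSSP\x00\x01\x00\x00\x00"),
           "spnego": _hdr(_SPNEGO), "truncated": _hdr(_SPNEGO[:6])}
```
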

09-25-2008 05:53 PM
Thanks for the FF conf tip. I'll try it as soon as I can.
However, I think I realized that without understanding the very basics of several related technologies, I will not succeed in my task. So maybe it would be more effective to ask for help with the exact problem. Thus here it is:
I have Windows clients in a domain. I have domain users in groups. The AD server is a Win 2003 Server. I am looking for a DMS solution which is handy enough to persuade every user to use it instead of a simple file server. For this the file operations copying from local to the server (upload) and vice versa (download) should be accessible in file managers. That's why I thought of using CIFS. I never used it before, but according to the docs it is very promising. (I tried WebDAV with some other DMS's, but WebDAV is too slow for us.)
In addition to the simple file access I would like to be able to control permissions for the AD groups. So users of one AD group could edit stuff, users of another AD group could only read them, etc.
So this is my real task, and for this I need help. Something like an explained step-by-step AD-integrated CIFS configuration guide for Dummies. I know it's too much, but there are too many things to go after.
… Okay, some well targeted links to some related readings would be appreciated also.


10-07-2008 04:08 PM
Anyway, I got to the next level. Now when I want to browse the CIFS server, the login name and password are asked for. But nothing is accepted. The strange thing is that there are no signs of these tries in any of the logs. I searched Alfresco's and Tomcat's logs, and the client's (WinXP) and the server's (Win2003) event logs too, but nothing.
Are there any options to set for getting some debug logs?

10-12-2008 12:18 PM
10-13-2008 02:56 AM
(<kerberosDebug/> It's a new addition at the end of the page of http://wiki.alfresco.com/wiki/Configuring_the_CIFS_and_web_servers_for_Kerberos/AD_integration
I guess it must have something to do with failing kerberos authentication for cifs.
My guess: if you are using SSO the user passwords are stored differently (other hash?). There will not be a match if Alfresco authentication is tried on these accounts. We experienced something similar, and found out that accounts we made in Alfresco before turning on SSO (which can/will auto-create your users) were able to use SSO on the web client and Alfresco authentication (or NTLM) on CIFS.
You can check this by forcing Kerberos-only authentication for CIFS, also a newly added feature, described at the end of the aforementioned wiki page.
Maybe we get SSO/Kerberos with AD as KDC for CIFS working this week; if so I will provide some additional feedback.
We were struggling with the principals for CIFS. It seems Alfresco uses the [cifs/short-host-name] principal, but if you follow the wiki you only ktpass the [cifs/FQDN-hostname] Alfresco host.
It seemed that in our case the [cifs/short-host-name] principal is not chained to the alfrescocifs UPN (user principal), because ktpass not only provides a keytab but also does the linking of SPN to UPN.
Hope that helps
Cheers Jitse
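
Two naming problems are reported in this thread: the realm has to be the uppercase Windows domain name, and the `cifs/short-host-name` principal was not linked to the service account when only `cifs/FQDN-hostname` had been set up. The following is an added example, not code from the wiki or from any poster, that checks both over a pasted `setspn -L` listing and a hand-typed list of keytab principals. The host name, domain, account DN and listing text are constructed placeholders, and the function names are hypothetical.

```python
def parse_setspn(output):
    """Return the SPNs listed in `setspn -L <account>` output."""
    spns, in_list = [], False
    for line in output.splitlines():
        text = line.strip()
        if text.lower().startswith("registered serviceprincipalnames for"):
            in_list = True
        elif in_list and text:
            spns.append(text)
    return spns

def check_principals(setspn_output, keytab_principals, service,
                     short_host, fqdn, ad_domain):
    """Return a list of findings; an empty list means the names line up."""
    findings = []
    realm = ad_domain.upper()           # realm = uppercase Windows domain name
    # SPNs are compared case-insensitively here.
    registered = {s.lower() for s in parse_setspn(setspn_output)}
    # Both host forms should be linked to the service account.
    for host in (short_host, fqdn):
        spn = f"{service}/{host}"
        if spn.lower() not in registered:
            findings.append(f"SPN {spn} is not registered on the account")
    for principal in keytab_principals:
        _name, sep, princ_realm = principal.rpartition("@")
        if not sep:
            findings.append(f"{principal}: no realm part")
        elif princ_realm != realm:      # realm comparison is case-sensitive
            findings.append(f"{principal}: realm should be {realm}")
    return findings

# Constructed sample data (hypothetical host and domain names).
SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=alfrescocifs,CN=Users,DC=example,DC=test:
        cifs/alfhost.example.test
"""
KEYTAB_PRINCIPALS = ["cifs/alfhost.example.test@example.test"]

def demo():
    return check_principals(SETSPN_OUTPUT, KEYTAB_PRINCIPALS, "cifs",
                            "alfhost", "alfhost.example.test", "example.test")

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```
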

10-14-2008 08:50 AM
You can set the debuglevel in the log4j.properties (under /tomcat/webapps/alfresco/WEB-INF/classes, AND you can set the kerberos debugging in the CIFS-authenticator you added in the file-server-custom.xml
Where exactly in log4j.properties shall I set the debug level?
(<kerberosDebug/> It's a new addition at the end of the page of http://wiki.alfresco.com/wiki/Configuring_the_CIFS_and_web_servers_for_Kerberos/AD_integration
I guess it must have something to do with failing kerberos authentication for cifs.
I did this but nothing changed.
My guess: if you are using SSO the user passwords are stored differently (other hash?). There will not be a match if Alfresco authentication is tried on these accounts. We experienced something similar, and found out that accounts we made in Alfresco before turning on SSO (which can/will auto-create your users) were able to use SSO on the web client and Alfresco authentication (or NTLM) on CIFS.
You can check this by forcing Kerberos-only authentication for CIFS, also a newly added feature, described at the end of the aforementioned wiki page.
Maybe we get SSO/Kerberos with AD as KDC for CIFS working this week; if so I will provide some additional feedback.
We were struggling with the principals for CIFS. It seems Alfresco uses the [cifs/short-host-name] principal, but if you follow the wiki you only ktpass the [cifs/FQDN-hostname] Alfresco host.
It seemed that in our case the [cifs/short-host-name] principal is not chained to the alfrescocifs UPN (user principal), because ktpass not only provides a keytab but also does the linking of SPN to UPN.
Hope that helps
Cheers Jitse
Actually, for me it is quite vague what you are suggesting in order to fix the issue. Can you not post an updated manual for setting up CIFS with Kerberos? It is obvious it doesn't work.
I tried with the latest Labs version (from 01.10.2008), followed the wiki to the letter and got the same exception again and again:
15:34:54,453 User:guest ERROR [[localhost].[/alfresco].[Faces Servlet]] Servlet.service() for servlet Faces Servlet threw exception
java.lang.ArrayIndexOutOfBoundsException: End of data buffer
    at org.alfresco.jlan.server.auth.asn.DERBuffer.unpackBytes(DERBuffer.java:195)
    at org.alfresco.jlan.server.auth.asn.DERApplicationSpecific.derDecode(DERApplicationSpecific.java:95)
    at org.alfresco.jlan.server.auth.asn.DERBuffer.unpackObject(DERBuffer.java:369)
    at org.alfresco.jlan.server.auth.asn.DERBuffer.unpackApplicationSpecific(DERBuffer.java:759)
    at org.alfresco.jlan.server.auth.spnego.NegTokenInit.decode(NegTokenInit.java:191)
    at org.alfresco.web.app.servlet.KerberosAuthenticationFilter.doFilter(KerberosAuthenticationFilter.java:581)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:210)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:870)
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
    at java.lang.Thread.run(Thread.java:619)
Please fix this. Thank you.

10-16-2008 05:34 AM

10-16-2008 05:57 AM
