
Config Kerberos SSO, step by step

badim
Champ on-the-rise

I have:

MS LDAP - win2008r2 - mydomen.local

dc01.mydomen.local - domain controller

client - Win7

alfresco server - fs02.mydomen.local

I need a step-by-step Kerberos config!

My steps:

1. install alfresco-community-installer-201605-linux-x64.bin

in directory /opt/alfresco-community

(CentOS 7 - domain member)

2. create two users on the domain controller

     name: AlfrescoHTTP(alfrescohttp@mydomen.local)

     password: 12345678

and

name: AlfrescoCIFS(alfrescocifs@mydomen.local)

password: 12345678

3. on the domain controller execute the commands

setspn -a cifs/fs02 alfrescocifs

setspn -a cifs/fs02.mydomen.local alfrescocifs

setspn -a HTTP/fs02 alfrescohttp

setspn -a HTTP/fs02.mydomen.local alfrescohttp

4. in the Account tab, enable the "Do not require Kerberos preauthentication" option in the Account Options section

for users AlfrescoHTTP and AlfrescoCIFS

5. for user AlfrescoHTTP, in the Delegation tab, click the radio button "Trust this user for delegation to any service (Kerberos only)".

6. Make keytab files: for AlfrescoCIFS

ktpass -princ cifs/fs02.mydomen.local@MYDOMEN.LOCAL -pass 12345678 -mapuser mydomen\alfrescocifs -crypto ALL -ptype KRB5_NT_PRINCIPAL -out c:\temp\alfrescocifs.keytab -kvno 0

and for user AlfrescoHTTP

ktpass -princ HTTP/fs02.mydomen.local@MYDOMEN.LOCAL -pass 12345678 -mapuser mydomen\alfrescohttp -crypto ALL -ptype KRB5_NT_PRINCIPAL -out c:\temp\alfrescohttp.keytab -kvno 0

7. Copy files c:\temp\alfrescohttp.keytab and c:\temp\alfrescocifs.keytab to the Alfresco server (fs02) as /etc/keys/alfrescohttp.keytab and /etc/keys/alfrescocifs.keytab

8. Edit file /etc/krb5.conf

[logging]
 default = FILE:/usr/local/samba/var/log/krb5libs.log
 kdc = FILE:/usr/local/samba/var/log/krb5kdc.log
 admin_server = FILE:/usr/local/samba/var/log/kadmind.log

[libdefaults]
 default_realm = MYDOMEN.LOCAL

[realms]
 MYDOMEN.LOCAL = {
  default_domain = MYDOMEN.LOCAL
  kdc = dc01.mydomen.local
  admin_server = dc01.mydomen.local
 }

[domain_realm]
 mydomen.local = MYDOMEN.LOCAL
 .mydomen.local = MYDOMEN.LOCAL
 dc01.mydomen.local = MYDOMEN.LOCAL
 .dc01.mydomen.local = MYDOMEN.LOCAL

(dc01.mydomen.local - domain controller)

9. create file /opt/alfresco-community/java/lib/security/java.login.config

Alfresco {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

AlfrescoCIFS {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/keys/alfrescocifs.keytab"
   principal="cifs/fs02.mydomen.local";
};

AlfrescoHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/keys/alfrescohttp.keytab"
   principal="HTTP/fs02.mydomen.local";
};

ShareHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   debug=true
   useKeyTab=true
   doNotPrompt=true
   keyTab="/etc/keys/alfrescohttp.keytab"
   principal="HTTP/fs02.mydomen.local";
};

com.sun.net.ssl.client {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

other {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

10. add a line to file /opt/alfresco-community/java/lib/security/java.security

login.config.url.1=file:${java.home}/lib/security/java.login.config

11. edit file /opt/alfresco-community/tomcat/shared/classes/alfresco-global.properties

add lines:

authentication.chain=ldap1:ldap-ad,kerberos1:kerberos

ntlm.authentication.sso.enabled = true
ntlm.authentication.browser.ticketLogons=true

ldap.authentication.active=false
ldap.authentication.userNameFormat=%s@mydomen.local
ldap.authentication.allowGuestLogin=false
ldap.authentication.java.naming.provider.url=ldap://dc01.mydomen.local:389
ldap.authentication.defaultAdministratorUserNames=Administrator,alfresco,admin

ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=user_alfresco@mydomen.local
ldap.synchronization.java.naming.security.credentials=12345678

ldap.synchronization.groupSearchBase=ou=Group,dc=mydomen,dc=local
ldap.synchronization.userSearchBase=ou=user,dc=mydomen,dc=local

filesystem.domainMappings=MYDOMEN
filesystem.domainMappings.value.MYDOMEN.subnet=192.168.0.0
filesystem.domainMappings.value.MYDOMEN.mask=255.255.255.0

### Kerberos properties ###

kerberos.authentication.sso.enabled=true
kerberos.authentication.defaultAdministratorUserNames=admin
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.cifs.password=12345678
kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.http.password=12345678
kerberos.authentication.authenticateCIFS=true
kerberos.authentication.realm=MYDOMEN.LOCAL
kerberos.authentication.stripUsernameSuffix=true

kerberos.authentication.browser.ticketLogons=true
kerberos.authentication.sso.fallback.enabled=true

ou=Group,dc=mydomen,dc=local - contains the groups exported to Alfresco
ou=user,dc=mydomen,dc=local - contains the users exported to Alfresco

12. create a user on the domain controller

login: user_alfresco@mydomen.local

password: 12345678

13. I do:

"open Active Directory Users and Computers, right click on the domain, and select 'Delegate Control...'. Click 'Next', then select the user that you are using for the LDAP bind and click 'Next'. The permission that they will need is on the next screen: 'Read all inetOrgPerson information.'"

14. Edit /opt/alfresco-community/tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml

Change ALFRESCO.ORG -> MYDOMEN.LOCAL

Change the server name to your server name

Uncomment the Kerberos section

reboot the Alfresco server (fs02)

15. edit Internet Explorer (IE11) settings

Check Tools > Internet Options > Security > Local Intranet

add domain http://*.mydomen.local

Check Tools > Internet Options > Security > Custom Level and make sure "Automatic logon with current username and password" is selected

working!!!
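Steps 6 to 9 above hinge on one thing lining up: the keytab copied to /etc/keys must actually contain the principal that the matching Krb5LoginModule entry in java.login.config declares, in the realm krb5.conf names. The following is an added example, not Alfresco's code, that checks exactly that offline: it parses the MIT keytab format (version 0x0502) directly, reads the JAAS entry, and reports a missing principal, weak single-DES/RC4 keys (which "ktpass -crypto ALL" writes alongside AES) and the absence of any AES key. The sample keytab is constructed in memory from dummy key bytes with a fixed timestamp; the SPN, paths and entry name are taken from the post.

```python
"""Cross-check a Kerberos keytab against the principal a JAAS Krb5LoginModule
entry declares.  Added example, not Alfresco's code: parses MIT keytab format
(version 0x0502) directly; the sample keytab is built in memory from dummy keys."""
import re
import struct

# Kerberos enctype numbers (RFC 3961/3962/4757); 'ktpass -crypto ALL' writes several.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "arcfour-hmac",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
WEAK_ENCTYPES = {1, 3, 23}   # single DES and RC4


def _counted(data):
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(blob, pos):
    (n,) = struct.unpack_from(">H", blob, pos)
    return blob[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries, timestamp=1477987200):
    """Serialise (principal, kvno, enctype, key) tuples as a keytab.  Used here
    only to construct sample input (fixed timestamp keeps the bytes stable)."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # NT_PRINCIPAL, time, vno8
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)                          # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(blob):
    """Return [{principal, kvno, enctype, key}, ...] from keytab bytes."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % blob[:2])
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end, p = pos + size, pos
        (ncomp,) = struct.unpack_from(">H", blob, p)
        realm, p = _read_counted(blob, p + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _read_counted(blob, p)
            comps.append(c.decode())
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", blob, p)
        (enctype,) = struct.unpack_from(">H", blob, p + 9)
        key, p = _read_counted(blob, p + 11)
        kvno = vno8
        if end - p >= 4:                   # optional 32-bit kvno overrides vno8 if non-zero
            (vno32,) = struct.unpack_from(">I", blob, p)
            kvno = vno32 or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "key": key})
        pos = end
    return entries


def parse_jaas_config(text):
    """Return {entry_name: {option: value}} for each 'Name { ... };' block."""
    return {name: dict(re.findall(r'(\w+)\s*=\s*"?([^"\s;]+)"?', body))
            for name, body in re.findall(r"([\w.]+)\s*\{(.*?)\};", text, re.S)}


def check_entry(jaas_entry, keytab_entries, default_realm):
    """Findings for one JAAS entry: missing principal, weak keys, no AES key."""
    principal = jaas_entry.get("principal", "")
    if "@" not in principal:              # JAAS lets the realm default from krb5.conf
        principal += "@" + default_realm
    matches = [e for e in keytab_entries if e["principal"] == principal]
    if not matches:
        return ["no keytab entry for %s" % principal]
    findings = ["weak enctype %s (kvno %d) for %s"
                % (ENCTYPE_NAMES.get(e["enctype"], e["enctype"]), e["kvno"], principal)
                for e in matches if e["enctype"] in WEAK_ENCTYPES]
    if not any(e["enctype"] in (17, 18) for e in matches):
        findings.append("no AES key for %s" % principal)
    return findings


# Constructed sample: keys a 'ktpass -crypto ALL' run for HTTP/fs02 might leave (dummy bytes).
SPN = "HTTP/fs02.mydomen.local@MYDOMEN.LOCAL"
SAMPLE_HTTP_KEYTAB = build_keytab([(SPN, 3, 18, bytes(range(32))), (SPN, 3, 17, bytes(range(16))),
                                   (SPN, 3, 23, bytes(range(16, 32))), (SPN, 3, 3, bytes(range(8)))])
SAMPLE_JAAS = '''AlfrescoHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true useKeyTab=true keyTab="/etc/keys/alfrescohttp.keytab"
   principal="HTTP/fs02.mydomen.local";
};'''

if __name__ == "__main__":
    cfg = parse_jaas_config(SAMPLE_JAAS)
    for finding in check_entry(cfg["AlfrescoHTTP"], parse_keytab(SAMPLE_HTTP_KEYTAB), "MYDOMEN.LOCAL"):
        print("FINDING:", finding)
```

To run it against a real server, replace SAMPLE_HTTP_KEYTAB with the bytes of /etc/keys/alfrescohttp.keytab and SAMPLE_JAAS with the contents of java.login.config, and pass the default_realm from krb5.conf. A "no keytab entry" finding means the principal string in the JAAS entry (including the realm it defaults to) does not match what ktpass wrote, which is the usual reason the HTTP login module fails silently; the weak-enctype findings only tell you which key types could be dropped from the ktpass -crypto list once AES is confirmed present.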


2 REPLIES

badim
Champ on-the-rise

After entering login and password? I read in the log file:

2016-11-01 14:05:42,821 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-8] New Kerberos auth request from 127.0.0.1 (127.0.0.1:44520)

2016-11-01 14:05:42,822 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-8] Issuing login challenge to browser.

2016-11-01 14:05:42,900 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-9] New Kerberos auth request from 127.0.0.1 (127.0.0.1:44520)

2016-11-01 14:05:42,901 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-9] Issuing login challenge to browser.

IP of my computer: 192.168.0.32

badim
Champ on-the-rise

Really, nobody understands Kerberos