Credentials can not be delegated - Alfresco Share

leftcase
Champ in-the-making
Hi folks,

I've hit a brick wall configuring Alfresco 4.0.d on Redhat 6.

I'm using Kerberos authentication, it seems to be working normally, and single sign on is working on the main alfresco app itself. I've been through the configuration steps to get the share app working, but try as I may, I keep getting this error in catalina.out each time a browser accesses http://server:8080/share along with a 'Windows Security' password box.

WARN  [site.servlet.KerberosSessionSetupPrivilegedAction] credentials can not be delegated!
Here's what I've done so far:

Using AD users and computers, selected the alfrescohttp account, and selected 'trust this user for delegation to any service (Kerberos only)'.

Copied /opt/alfresco-4.0.d/tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml.sample to share-config-custom.xml and edited like this:

   <config evaluator="string-compare" condition="Kerberos" replace="true">
      <kerberos>
         <password>*****</password>
         <realm>MYDOMAIN.CO.UK</realm>
         <endpoint-spn>HTTP/server.mydomain.co.uk@MYDOMAIN.CO.UK</endpoint-spn>
         <config-entry>ShareHTTP</config-entry>
      </kerberos>
   </config>


   <config evaluator="string-compare" condition="Remote">
      <remote>
         <keystore>
             <path>alfresco/web-extension/alfresco-system.p12</path>
             <type>pkcs12</type>
             <password>alfresco-system</password>
         </keystore>

         <connector>
            <id>alfrescoCookie</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using cookie-based authentication</description>
            <class>org.springframework.extensions.webscripts.connector.AlfrescoConnector</class>
         </connector>

         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfrescoCookie</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
      </remote>
   </config>

Set up the /etc/krb5.conf file like this:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = MYDOMAIN.CO.UK
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
forwardable = true
proxiable = true

[realms]
MYDOMAIN.CO.UK = {
  kdc = mydc.mydomain.co.uk
  admin_server = mydc.mydomain.co.uk
}

[domain_realm]
.mydc.mydomain.co.uk = MYDOMAIN.CO.UK
mydc.mydomain.co.uk = MYDOMAIN.CO.UK

/opt/alfresco-4.0.d/java/jre/lib/security/java.login.config is configured like this:

Alfresco {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

AlfrescoCIFS {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/alfrescocifs.keytab"
   principal="cifs/server.mydomain.co.uk";
};

AlfrescoHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/alfrescohttp.keytab"
   principal="HTTP/server.mydomain.co.uk";
};

com.sun.net.ssl.client {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

other {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

ShareHTTP {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
keyTab="/etc/alfrescohttp.keytab"
principal="HTTP/server.mydomain.co.uk";
};

And finally, the following settings in alfresco-global.conf

authentication.chain=kerberos1:kerberos,alfrescoNtlm1:alfrescoNtlm

kerberos.authentication.realm=MYDOMAIN.CO.UK
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.cifs.password=******
kerberos.authentication.http.password=*****
kerberos.authentication.defaultAdministratorUserNames=administrator

ntlm.authentication.sso.enabled=true

As I say, I've hit a brick wall with this and I'd really appreciate any help you can give me!

afaust
Legendary Innovator
Hello,

have you tried running your server with Java GSS debugging turned on (parameter "-Dsun.security.krb5.debug=true -Dsun.security.jgss.debug=true")? This should help you determine if your server is actually authenticating using the correct principal - the one you set up as being able to delegate.

Regards
Axel

leftcase
Champ in-the-making
I'll give it a go, if there was a problem in the Kerberos setup, wouldn't that stop SSO working via the alfresco app too? Just to confirm, SSO works for /alfresco, just not for /share.

shocko
Champ in-the-making

Not necessarily. Kerberos delegation operates differently.

afaust
Legendary Innovator
Hello,

it would not stop SSO on /alfresco necessarily. /share and /alfresco are technically separate applications which both handle their part in the Kerberos SSO, and a failure in one application (/share) need not occur on the other as well, as the handling is partially different.

Regards
Axel

leftcase
Champ in-the-making
Thanks for the debugging advice, it was really helpful. It revealed a few errors including:

KrbException: Invalid option setting in ticket request. (101)

I'm not any kind of Kerberos expert, but this seemed to point to a problem with the setup of Kerberos on the alfresco server. I revisited /etc/krb5.conf, removed the options for proxying and forwarding, ran kdestroy and restarted alfresco.

Fingers crossed, SSO now seems to be working properly for both the /alfresco and /share apps.

Thank you Axel.
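
As an added check (not from this thread or from Alfresco), the script below cross-checks the three files the original post lists: it confirms that the `<config-entry>` in share-config-custom.xml names an entry in java.login.config whose `principal` matches the `<endpoint-spn>`, that the Share realm equals the krb5.conf `default_realm`, and it flags the `forwardable`/`proxiable` options that were removed to clear the KrbException, plus the rc4-hmac enctype. The three inputs are constructed samples modelled on the post, not the poster's real files.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples mirroring the thread's three files (not the poster's real configs).
SHARE_XML = """<alfresco-config><config evaluator="string-compare" condition="Kerberos">
  <kerberos><realm>MYDOMAIN.CO.UK</realm><config-entry>ShareHTTP</config-entry>
  <endpoint-spn>HTTP/server.mydomain.co.uk@MYDOMAIN.CO.UK</endpoint-spn></kerberos>
</config></alfresco-config>"""
JAAS_CONF = """ShareHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true useKeyTab=true keyTab="/etc/alfrescohttp.keytab"
   principal="HTTP/server.mydomain.co.uk";
};"""
KRB5_CONF = """[libdefaults]
default_realm = MYDOMAIN.CO.UK
default_tkt_enctypes = rc4-hmac
forwardable = true
proxiable = true
[realms]
MYDOMAIN.CO.UK = { kdc = mydc.mydomain.co.uk }"""

def parse_jaas(text):
    # {entry name: {option: value}}; the module/flag line has no '=' and is skipped
    return {name: dict(re.findall(r'(\w+)="?([^"\s;]+)"?', body))
            for name, body in re.findall(r'([\w.]+)\s*\{(.*?)\};', text, re.S)}

def parse_libdefaults(text):
    # key = value pairs between [libdefaults] and the next [section] header
    sect = re.search(r'\[libdefaults\](.*?)(?=\n\s*\[|\Z)', text, re.S)
    return dict(re.findall(r'^\s*(\w+)\s*=\s*(\S+)', sect.group(1) if sect else '', re.M))

def check_share_kerberos(share_xml, jaas_text, krb5_text):
    # Returns a list of findings; an empty list means the three files agree with each other
    k = ET.fromstring(share_xml).find(".//config[@condition='Kerberos']/kerberos")
    realm, spn, entry = (k.findtext(t) for t in ('realm', 'endpoint-spn', 'config-entry'))
    jaas, lib, findings = parse_jaas(jaas_text), parse_libdefaults(krb5_text), []
    if entry not in jaas:
        findings.append(f"config-entry {entry} has no matching entry in java.login.config")
    else:
        principal = jaas[entry].get('principal', '')
        principal += '' if '@' in principal else '@' + realm   # JAAS may omit the realm
        if principal != spn:
            findings.append(f"JAAS principal {principal} != endpoint-spn {spn}")
    if lib.get('default_realm') != realm:
        findings.append(f"share realm {realm} != krb5.conf default_realm")
    for opt in ('forwardable', 'proxiable'):   # options the poster removed to clear KrbException 101
        if lib.get(opt) == 'true':
            findings.append(f"libdefaults sets {opt} = true")
    if any('rc4-hmac' in v for key, v in lib.items() if key.endswith('enctypes')):
        findings.append("rc4-hmac enctypes configured; prefer AES keys for the HTTP account")
    return findings
```

Run it against the real files by reading them into the three arguments; a mismatch between the JAAS principal and the endpoint SPN is the first thing to look at when the GSS debug output shows Share authenticating as the wrong principal.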

Hello,

I am facing the same error, facing issue to enable kerberos SSO in share.

I have added the debug config "-Dsun.security.krb5.debug=true -Dsun.security.jgss.debug=true", whereas I am not able to see any output in catalina.log, alfresco.log or share.log. Could you please let me know the steps to debug kerberos.

shocko
Champ in-the-making

Please post your properties files also.