Credentials can not be delegated - Alfresco Share
06-15-2012 11:54 AM
I've hit a brick wall configuring Alfresco 4.0.d on Redhat 6.
I'm using Kerberos authentication, it seems to be working normally, and single sign on is working on the main alfresco app itself. I've been through the configuration steps to get the share app working, but try as I may, I keep getting this error in catalina.out each time a browser accesses http://server:8080/share along with a 'Windows Security' password box.
WARN [site.servlet.KerberosSessionSetupPrivilegedAction] credentials can not be delegated!
Here's what I've done so far: Using AD Users and Computers, selected the alfrescohttp account, and selected 'trust this user for delegation to any service (Kerberos only)'.
Copied /opt/alfresco-4.0.d/tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml.sample to share-config-custom.xml and edited like this:
```xml
<config evaluator="string-compare" condition="Kerberos" replace="true">
   <kerberos>
      <password>*****</password>
      <realm>MYDOMAIN.CO.UK</realm>
      <endpoint-spn>HTTP/server.mydomain.co.uk@MYDOMAIN.CO.UK</endpoint-spn>
      <config-entry>ShareHTTP</config-entry>
   </kerberos>
</config>

<config evaluator="string-compare" condition="Remote">
   <remote>
      <keystore>
         <path>alfresco/web-extension/alfresco-system.p12</path>
         <type>pkcs12</type>
         <password>alfresco-system</password>
      </keystore>
      <connector>
         <id>alfrescoCookie</id>
         <name>Alfresco Connector</name>
         <description>Connects to an Alfresco instance using cookie-based authentication</description>
         <class>org.springframework.extensions.webscripts.connector.AlfrescoConnector</class>
      </connector>
      <endpoint>
         <id>alfresco</id>
         <name>Alfresco - user access</name>
         <description>Access to Alfresco Repository WebScripts that require user authentication</description>
         <connector-id>alfrescoCookie</connector-id>
         <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
         <identity>user</identity>
         <external-auth>true</external-auth>
      </endpoint>
   </remote>
</config>
```
Setup the /etc/krb5.conf file like this:
```
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MYDOMAIN.CO.UK
 default_tkt_enctypes = rc4-hmac
 default_tgs_enctypes = rc4-hmac
 forwardable = true
 proxiable = true

[realms]
 MYDOMAIN.CO.UK = {
  kdc = mydc.mydomain.co.uk
  admin_server = mydc.mydomain.co.uk
 }

[domain_realm]
 .mydc.mydomain.co.uk = MYDOMAIN.CO.UK
 mydc.mydomain.co.uk = MYDOMAIN.CO.UK
```
/opt/alfresco-4.0.d/java/jre/lib/security/java.login.config is configured like this:
```
Alfresco {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

AlfrescoCIFS {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/alfrescocifs.keytab"
   principal="cifs/server.mydomain.co.uk";
};

AlfrescoHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/alfrescohttp.keytab"
   principal="HTTP/server.mydomain.co.uk";
};

com.sun.net.ssl.client {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

other {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

ShareHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/alfrescohttp.keytab"
   principal="HTTP/server.mydomain.co.uk";
};
```
And finally, the following settings in alfresco-global.conf
```
authentication.chain=kerberos1:kerberos,alfrescoNtlm1:alfrescoNtlm
kerberos.authentication.real=MYDOMAIN.CO.UK
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.cifs.password=******
kerberos.authentication.http.password=*****
kerberos.authentication.defaultAdministratorUserNames=administrator
ntlm.authentication.sso.enabled=true
```
As I say, I've hit a brick wall with this and I'd really appreciate any help you can give me!
06-16-2012 07:46 AM
Have you tried running your server with Java GSS debugging turned on (parameter "-Dsun.security.krb5.debug=true -Dsun.security.jgss.debug=true")? This should help you determine if your server is actually authenticating using the correct principal - the one you set up as being able to delegate.
Regards
Axel
06-16-2012 07:51 AM
05-31-2019 04:36 PM
Not necessarily. Kerberos delegation operates differently.
06-16-2012 09:08 AM
It would not stop SSO on /alfresco necessarily. /share and /alfresco are technically separate applications which both handle their part in the Kerberos SSO, and a failure in one application (/share) need not occur on the other as well, as the handling is partially different.
Regards
Axel
06-16-2012 09:15 AM
KrbException: Invalid option setting in ticket request. (101)
I'm not any kind of Kerberos expert, but this seemed to point to a problem with the setup of Kerberos on the alfresco server. I revisited /etc/krb5.conf, removed the options for proxying and forwarding, ran kdestroy and restarted alfresco.
Fingers crossed, SSO now seems to be working properly for both the /alfresco and /share apps.
Thank you Axel.
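An added example, not part of the original posts: a small Python check over the [libdefaults] section of krb5.conf that flags the forwardable and proxiable options the poster removed, and also reports enctype lists restricted to RC4, as in the posted file (RC4 enctypes are deprecated by RFC 8429). The sample file is constructed from the configuration at the top of the thread; the function names and the set of boolean spellings treated as "enabled" are assumptions of this example.

```python
# Constructed sample: the krb5.conf posted at the top of this thread (trimmed).
SAMPLE = """\
[libdefaults]
 default_realm = MYDOMAIN.CO.UK
 default_tkt_enctypes = rc4-hmac
 default_tgs_enctypes = rc4-hmac
 forwardable = true
 proxiable = true
[realms]
 MYDOMAIN.CO.UK = {
  kdc = mydc.mydomain.co.uk
 }
"""

TRUTHY = {"y", "yes", "t", "true", "1", "on"}   # spellings this example treats as enabled
TICKET_FLAGS = ("forwardable", "proxiable")      # the options the poster removed
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes")
RC4_NAMES = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5"}

def parse_section(text, wanted):
    """Return {key: value} for the top-level relations of one [section]."""
    section, depth, found = None, 0, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("#", ";")):
            continue                              # comment line
        if line.startswith("[") and line.endswith("]") and depth == 0:
            section = line[1:-1]
        elif line.endswith("{"):
            depth += 1                            # entering a nested block such as a realm
        elif line == "}":
            depth = max(depth - 1, 0)
        elif section == wanted and depth == 0 and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            found[key] = value
    return found

def audit_libdefaults(text):
    """List (option, reason) pairs worth reviewing in [libdefaults]."""
    opts, findings = parse_section(text, "libdefaults"), []
    for flag in TICKET_FLAGS:
        if opts.get(flag, "").lower() in TRUTHY:
            findings.append((flag, "initial tickets request this option by default"))
    for key in ENCTYPE_KEYS:
        names = opts.get(key, "").replace(",", " ").split()
        if names and all(n.lower() in RC4_NAMES for n in names):
            findings.append((key, "only RC4 enctypes offered"))
    return findings
```

Calling `audit_libdefaults(open("/etc/krb5.conf").read())` on the server returns an empty list when none of these settings are present.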

04-29-2019 02:07 AM
Hello,
I am facing the same error while trying to enable Kerberos SSO in Share.
I have added the debug config "-Dsun.security.krb5.debug=true -Dsun.security.jgss.debug=true", whereas I am not able to see any o/p in catalina.log, alfresco.log or share.log. Could you please let me know the steps to debug Kerberos?
05-16-2019 02:30 PM
Please post your properties files also.
