Hi folks,I've hit a brick wall configuring Alfresco 4.0.d on Redhat 6. I'm using Kerberos authentication, it seems to be working normally, and single sign on is working on the main alfresco app itself. I've been through the configuration steps to get the share app working, but try as I may, I keep getting this error in catalina.out each time a browser accesses http://server:8080/share along with a 'Windows Security' password box.WARN [site.servlet.KerberosSessionSetupPrivilegedAction] credentials can not be delegated!
Here's what I've done so far:Using AD users and computers, selected the alfrescohttp account, and selected 'trust this user for delegation to any service (Kerberos only).Copied /opt/alfresco-4.0.d/tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml.sample to share-config-custom.xml and edited like this: <config evaluator="string-compare" condition="Kerberos" replace="true"> <kerberos> <password>*****</password> <realm>MYDOMAIN.CO.UK</realm> <endpoint-spn>HTTP/server.mydomain.co.uk@MYDOMAIN.CO.UK</endpoint-spn> <config-entry>ShareHTTP</config-entry> </kerberos> </config> <config evaluator="string-compare" condition="Remote"> <remote> <keystore> <path>alfresco/web-extension/alfresco-system.p12</path> <type>pkcs12</type> <password>alfresco-system</password> </keystore> <connector> <id>alfrescoCookie</id> <name>Alfresco Connector</name> <description>Connects to an Alfresco instance using cookie-based authentication</description> <class>org.springframework.extensions.webscripts.connector.AlfrescoConnector</class> </connector> <endpoint> <id>alfresco</id> <name>Alfresco - user access</name> <description>Access to Alfresco Repository WebScripts that require user authentication</description> <connector-id>alfrescoCookie</connector-id> <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url> <identity>user</identity> <external-auth>true</external-auth> </endpoint> </remote> </config>
Setup the /etc/krb5.conf file like this:[logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log[libdefaults] default_realm = MYDOMAIN.CO.UK default_tkt_enctypes = rc4-hmac default_tgs_enctypes = rc4-hmac forwardable = true proxiable = true[realms] MYDOMAIN.CO.UK = { kdc = mydc.mydomain.co.uk admin_server = mydc.mydomain.co.uk }[domain_realm] .mydc.mydomain.co.uk = MYDOMAIN.CO.UKmydc.mydomain.co.uk = MYDOMAIN.CO.UK
/opt/alfresco-4.0.d/java/jre/lib/security/java.login.config is configured like this:Alfresco { com.sun.security.auth.module.Krb5LoginModule sufficient;};AlfrescoCIFS { com.sun.security.auth.module.Krb5LoginModule required storeKey=true useKeyTab=true keyTab="/etc/alfrescocifs.keytab" principal="cifs/server.mydomain.co.uk";};AlfrescoHTTP { com.sun.security.auth.module.Krb5LoginModule required storeKey=true useKeyTab=true keyTab="/etc/alfrescohttp.keytab" principal="HTTP/server.mydomain.co.uk";};com.sun.net.ssl.client { com.sun.security.auth.module.Krb5LoginModule sufficient;};other { com.sun.security.auth.module.Krb5LoginModule sufficient;};ShareHTTP {com.sun.security.auth.module.Krb5LoginModule requiredstoreKey=trueuseKeyTab=truekeyTab="/etc/alfrescohttp.keytab"principal="HTTP/server.mydomain.co.uk";};
And finally, the following settings in alfresco-global.confauthentication.chain=kerberos1:kerberos,alfrescoNtlm1:alfrescoNtlmkerberos.authentication.real=MYDOMAIN.CO.UKkerberos.authentication.user.configEntryName=Alfrescokerberos.authentication.cifs.configEntryName=AlfrescoCIFSkerberos.authentication.http.configEntryName=AlfrescoHTTPkerberos.authentication.cifs.password=******kerberos.authentication.http.password=*****kerberos.authentication.defaultAdministratorUserNames=administratorntlm.authentication.sso.enabled=true
As I say, I've hit a brick wall with this and I'd really appreciate any help you can give me!
