
GSSException: Failure unspecified at GSS-API level (Mechanis

xkahn
Champ in-the-making
I have a development machine I just upgraded to 3.4.c. (from 3.2r2) Everything appears to be working, so I wanted to try out the SSO patches that have been put into Alfresco since 3.2r2. (I had SSO working before, but couldn't use it because of some chaining bugs and problems with WebDAV.) I switched to Kerberos auth and set SSO to true. And I get this error:

17:19:14,849 ERROR [org.alfresco.fileserver] GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)

the full error is:

During startup:
17:17:32,151 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] HTTP Kerberos login successful
17:17:32,152 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Logged on using principal HTTP/alfresco-xkahn.example.com@EXAMPLE.COM
17:17:32,409 DEBUG [org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter] HTTP Kerberos login successful
17:17:32,409 DEBUG [org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter] Logged on using principal HTTP/alfresco-xkahn.example.com@EXAMPLE.COM

At auth time:
17:19:11,954 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] New Kerberos auth request from 10.3.112.6 (10.3.112.6:0)
17:19:14,849 ERROR [org.alfresco.fileserver] GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
   at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
   at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
   at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
   at org.alfresco.jlan.server.auth.kerberos.SessionSetupPrivilegedAction.run(SessionSetupPrivilegedAction.java:102)
   at java.security.AccessController.doPrivileged(Native Method)
   at javax.security.auth.Subject.doAs(Subject.java:337)
   at org.alfresco.repo.webdav.auth.BaseKerberosAuthenticationFilter.doKerberosLogon(BaseKerberosAuthenticationFilter.java:494)
   at org.alfresco.repo.webdav.auth.BaseKerberosAuthenticationFilter.authenticateRequest(BaseKerberosAuthenticationFilter.java:384)
   at org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter.doFilter(BaseSSOAuthenticationFilter.java:132)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:597)
   at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:103)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
   at $Proxy218.doFilter(Unknown Source)
   at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:82)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
   at org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:58)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
   at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:210)
   at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
   at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:200)
   at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291)
   at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:775)
   at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:704)
   at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:897)
   at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
   at java.lang.Thread.run(Thread.java:662)
Caused by: KrbException: Checksum failed
   at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:85)
   at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:77)
   at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
   at sun.security.krb5.KrbCred.<init>(KrbCred.java:137)
   at sun.security.jgss.krb5.InitialToken$OverloadedChecksum.<init>(InitialToken.java:262)
   at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:102)
   at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
   ... 35 more
Caused by: java.security.GeneralSecurityException: Checksum failed
   at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:431)
   at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(AesDkCrypto.java:254)
   at sun.security.krb5.internal.crypto.Aes256.decrypt(Aes256.java:59)
   at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:83)
   ... 41 more
17:19:14,851 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] No SPNEGO response, Kerberos logon failed

I've installed the jce-policy-unlimited file to support "AES-256 CTS mode with 96-bit SHA-1 HMAC" tickets. My keytab appears to be in order:

# klist -ket /etc/krb5.keytab 
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 12/09/09 11:56:54 HTTP/alfresco-xkahn.example.com@EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   3 12/09/09 11:56:54 HTTP/alfresco-xkahn.example.com@EXAMPLE.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   3 12/09/09 11:56:54 HTTP/alfresco-xkahn.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   3 12/09/09 11:56:54 HTTP/alfresco-xkahn.example.com@EXAMPLE.COM (Triple DES cbc mode raw)
   3 12/09/09 11:56:55 HTTP/alfresco-xkahn.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)

I am able to use tickets to authenticate on the same machine through Apache using an identical keytab.  Advice?

joopmartens
Champ in-the-making
Hi xkahn,

I'm running into exactly the same issue as you did, only I'm running Alfresco 5.0.d and I'm using jce-policy-unlimited 8 because initially I ran into the aes256 encryption issue.

My keytab also appears to be fine, and the Windows event log on the DC is only showing success events for the Kerberos service ticket and authentication for the user I'm trying to log on.

Have you been able to solve this issue, and if yes, could you provide some information regarding your solution?

Many thanks in advance.

joopmartens
Champ in-the-making
Hi,

I have already found and solved the issue.
Hopefully it can be of some help to others running into this issue.

Solution:
My Alfresco Linux server's FQDN hostname did not match the Active Directory computer account and AD domain name.
Changing the FQDN to hostname.ADDOMAIN.TLD (in case your AD domain is ADDOMAIN.TLD) solved this issue for me.
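
A check for the mismatch described in the last reply, as an added example that is not part of the original thread or of Alfresco: it compares the HTTP service principals in a `klist -ket` listing with the FQDN the server reports. The function name `check_keytab_fqdn`, the sample listing (constructed in the format of the klist output in the question) and the convention that the realm is the upper-cased DNS domain of the FQDN are assumptions.

```shell
#!/bin/sh
# Added example: compare the HTTP service principals in a keytab listing
# with the FQDN the server reports. Not code from the thread or from Alfresco.

# check_keytab_fqdn FQDN   (reads `klist -ket` style output on stdin)
# Prints one verdict per distinct HTTP principal; returns 0 only if some
# principal matches both the host name and the realm implied by the FQDN.
check_keytab_fqdn() {
    fqdn=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    awk -v fqdn="$fqdn" '
        BEGIN {
            # Assumption: the AD realm is the upper-cased DNS domain of the FQDN.
            domain = fqdn; sub(/^[^.]*\./, "", domain)
            want_realm = toupper(domain); ok = 0
        }
        {
            # The principal column looks like HTTP/host.domain@REALM
            for (i = 1; i <= NF; i++) {
                if ($i !~ /^HTTP\/[^@]+@[^@]+$/ || seen[$i]++) continue
                split(substr($i, 6), p, "@")
                host = tolower(p[1]); realm = p[2]
                if (host != fqdn)
                    printf "MISMATCH host:  %s (server FQDN is %s)\n", $i, fqdn
                else if (realm != want_realm)
                    printf "MISMATCH realm: %s (expected %s)\n", $i, want_realm
                else { printf "OK:             %s\n", $i; ok = 1 }
            }
        }
        END { exit (ok ? 0 : 1) }
    '
}

# Constructed sample in the format of the klist output quoted in the thread.
SAMPLE_KEYTAB='KVNO Timestamp         Principal
   3 12/09/09 11:56:54 HTTP/alfresco-xkahn.example.com@EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   3 12/09/09 11:56:55 HTTP/alfresco-xkahn.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)'

# On a real server: klist -ket /etc/krb5.keytab | check_keytab_fqdn "$(hostname -f)"
printf '%s\n' "$SAMPLE_KEYTAB" | check_keytab_fqdn "alfresco-xkahn.example.com"
```

A short host name or a non-AD domain suffix in the FQDN both show up as `MISMATCH host`, which is the condition the reply above reports fixing.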