Kerberos + Active Directory
04-25-2014 01:06 PM
First… sorry for my English!!!
Hi community,
I want to access Share automatically using Kerberos SSO with my domain users. I can access Alfresco with SSO, but not Share.
Servers: all the machines are in my domain MIDOMINIO.NET
* w2008alfresco - (Alfresco) Windows Server 2008 R2
* AD01 - (Active Directory) Windows Server 2008 R2
* clientexp - (client machine) - Windows XP SP3 / Internet Explorer 6 / Firefox 28
* cliente01 - (client machine) - Windows 7 / Internet Explorer 11 / Firefox 28
1) In my Active Directory AD01 I create the user 'alfrescohttp'
- Does not require Kerberos preauthentication
- Password never expires
2) In Active Directory AD01 I execute
ktpass -princ HTTP/w2008alfresco.midominio.net@MIDOMINIO.NET -pass MIPASSWORD -mapuser midominio\alfrescohttp -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out c:\temp\alfrescohttp.keytab -kvno 0
3) I copy the keytab to the Alfresco server (w2008alfresco)
4) I execute in AD01
setspn -a HTTP/W2008ALFRESCO alfrescohttp
setspn -a HTTP/W2008ALFRESCO.midominio.net alfrescohttp
5) Configuration C:\Windows\krb5.ini (Server w2008alfresco)
[libdefaults]
default_realm = MIDOMINIO.NET
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac

[realms]
MIDOMINIO.NET = {
   kdc = ad01.midominio.net
   admin_server = ad01.midominio.net
}

[domain_realm]
ad01.midominio.net = MIDOMINIO.NET
.ad01.midominio.net = MIDOMINIO.NET
6) I create java.login.config in C:/Alfresco/java/jre/lib/security (w2008alfresco machine)
Alfresco {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

AlfrescoHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="C:/Alfresco/keytab/alfrescohttp.keytab"
   principal="HTTP/W2008ALFRESCO.midominio.net";
};

ShareHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="C:/Alfresco/keytab/alfrescohttp.keytab"
   principal="HTTP/W2008ALFRESCO.midominio.net";
};

com.sun.net.ssl.client {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

other {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};
7) I change the line in file C:/Alfresco/java/jre/lib/security/java.security (w2008alfresco machine)
login.config.url.1=file:C:/Alfresco/java/jre/lib/security/java.login.config
Add the sites http://w2008alfresco and http://w2008alfresco.midominio.net to the Internet Explorer Intranet zone on the client machines, with automatic login with name and password checked.
8) Rename the file share-config-custom.xml.sample to share-config-custom.xml
9) Uncomment the "Remote" sections
10) Replace KerberosDisabled with Kerberos, using the following data
<config evaluator="string-compare" condition="Kerberos" replace="true">
   <kerberos>
      <password>MIPASSWORD</password>
      <realm>MIDOMINIO.NET</realm>
      <endpoint-spn>HTTP/w2008ALFRESCO.midominio.net@MIDOMINIO.NET</endpoint-spn>
      <config-entry>ShareHTTP</config-entry>
   </kerberos>
</config>
11) In Active Directory, in the properties of the user alfrescohttp, I checked "Trust this user for delegation to any service (Kerberos only)"
12) Firefox configuration
network.negotiate-auth.delegation-uris
network.negotiate-auth.trusted-uris
network.negotiate-auth.using-native-gsslib
13) alfresco.properties
authentication.chain=kerberos1:kerberos,alfrescoNtlm1:alfrescoNtlm
kerberos.authentication.realm=MIDOMINIO.NET
kerberos.authentication.sso.enabled=true
kerberos.authentication.authenticateCIFS=false
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.http.password=MIPASSWORD
kerberos.authentication.defaultAdministratorUserNames=admin
kerberos.authentication.stripUsernameSuffix=true
When I try to access it, a dialog appears and the log is:
Search Subject for Kerberos V5 ACCEPT cred (HTTP/W2008ALFRESCO.midominio.net@MIDOMINIO.NET, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab
Found KerberosKey for HTTP/W2008ALFRESCO.midominio.net@MIDOMINIO.NET
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 17 16 23 1 3.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
System time adjusted
object 0: 1398444344146/146721
replay cache found.
>>> KrbApReq: authenticate succeed.
Krb5Context setting peerSeqNumber to: 1290115219
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Krb5Context setting mySeqNumber to: 75067258
2014-04-25 13:45:44,053 WARN [site.servlet.KerberosSessionSetupPrivilegedAction] [http-apr-8080-exec-9] credentials can not be delegated!
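Steps 2 to 4 above produce the keytab and SPNs that the log later matches ("Added key: 23version: 0", i.e. enctype 23 = RC4-HMAC, kvno 0). The following is an added example, not code from the original post: a small Python checker that parses an MIT-format keytab and reports what is worth confirming before pointing Krb5LoginModule at it, namely that the expected SPN is present, that the key is not RC4 or DES, and that the kvno is not 0. The sample keytab bytes, the 16-byte key and the build_entry helper are constructed for the example.

```python
import struct

# Constructed sample: what "ktpass -crypto RC4-HMAC-NT -kvno 0" writes for the thread's
# SPN, with a made-up 16-byte key. Assumed values, not a keytab from the original post.
SPN = "HTTP/w2008alfresco.midominio.net@MIDOMINIO.NET"
WEAK_ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "rc4-hmac"}

def build_entry(principal, enctype, kvno, key):
    """Encode one MIT keytab (version 0x0502) entry; used here only to build the sample."""
    name, realm = principal.split("@")
    strings = [realm] + name.split("/")            # realm first, then the name components
    body = struct.pack(">H", len(strings) - 1)
    body += b"".join(struct.pack(">H", len(s)) + s.encode() for s in strings)
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key))  # name_type, time, vno8
    body += key + struct.pack(">I", kvno)          # optional 32-bit kvno trailer
    return struct.pack(">i", len(body)) + body

SAMPLE_KEYTAB = b"\x05\x02" + build_entry(SPN, 23, 0, bytes(range(16)))

def parse_keytab(data):
    """Return (principal, enctype, kvno) for every entry of a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size <= 0:                              # negative size marks a deleted slot
            pos += -size if size else len(data)    # size 0 is corrupt: stop scanning
            continue
        end, p = pos + size, pos
        (ncomp,) = struct.unpack_from(">H", data, p); p += 2
        parts = []
        for _ in range(ncomp + 1):                 # realm, then the name components
            (n,) = struct.unpack_from(">H", data, p)
            parts.append(data[p + 2:p + 2 + n].decode()); p += 2 + n
        _, _, kvno, enctype, klen = struct.unpack_from(">IIBHH", data, p); p += 13 + klen
        if end - p >= 4:                           # 32-bit kvno, if present, overrides vno8
            (kvno,) = struct.unpack_from(">I", data, p)
        entries.append(("/".join(parts[1:]) + "@" + parts[0], enctype, kvno))
        pos = end
    return entries

def check_keytab(data, expected_spn):
    """Findings to clear before handing this keytab to Krb5LoginModule."""
    entries, findings = parse_keytab(data), []
    # Compared case-insensitively: the log above finds the key although ktpass and the
    # login config spell the SPN with different case.
    if expected_spn.lower() not in {p.lower() for p, _, _ in entries}:
        findings.append("missing principal " + expected_spn)
    for principal, enctype, kvno in entries:
        if enctype in WEAK_ENCTYPES:
            findings.append("%s: weak enctype %d (%s); prefer AES" % (principal, enctype, WEAK_ENCTYPES[enctype]))
        if kvno == 0:
            findings.append("%s: kvno 0; confirm it matches the account's msDS-KeyVersionNumber" % principal)
    return findings
```

Run check_keytab(open("alfrescohttp.keytab", "rb").read(), SPN) against a real keytab; an empty list means the SPN is present with an AES key and a non-zero kvno.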
05-05-2014 11:48 AM
I think you are missing share-config-custom.xml configuration on Share. Take a look at http://docs.alfresco.com/4.2/index.jsp?topic=%2Fcom.alfresco.enterprise.doc%2Ftasks%2Fauth-kerberos-...
Hyland Developer Evangelist
05-05-2014 01:47 PM
I did….
I didn't write the remote sections here. They are the same as on the http://docs.alfresco.com/4.2/index.jsp?topic=%2Fcom.alfresco.enterprise.doc%2Ftasks%2Fauth-kerberos-... page.
In my first post
Quote:
8) Rename the file share-config-custom.xml.sample to share-config-custom.xml
9) Uncomment the "Remote" sections
10) Replace KerberosDisabled with Kerberos, using the following data
<config evaluator="string-compare" condition="Kerberos" replace="true">
   <kerberos>
      <password>MIPASSWORD</password>
      <realm>MIDOMINIO.NET</realm>
      <endpoint-spn>HTTP/w2008ALFRESCO.midominio.net@MIDOMINIO.NET</endpoint-spn>
      <config-entry>ShareHTTP</config-entry>
   </kerberos>
</config>
05-16-2019 12:46 PM
I have the same issue on Alfresco 4.1.4. Did you ever get this sorted?!
