
Kerberos+ AD+ Alfresco Problem! help

subemontes
Champ in-the-making
Hi all!
First and foremost, a description.
Machine A -> Alfresco
Machine B -> SQL
Machine C -> Alf_data
Machine D -> Domain Controller

Info:
http://wiki.alfresco.com/wiki/Configuring_the_CIFS_and_web_servers_for_Kerberos/AD_integration
http://wiki.alfresco.com/wiki/Enterprise_Security_and_Authentication_Configuration
http://java.sun.com/javase/6/docs/technotes/guides/security/jaas/tutorials/GeneralAcnOnly.html
And many posts in the forums, including this one, many from belmeki…

No luck.

Taking the easy point first.
In http://wiki.alfresco.com/wiki/Enterprise_Security_and_Authentication_Configuration
we are told that allowing Kerberos is as easy as modifying 2 files:
jaas-authentication-context.xml
java.security
java.security.config

Well… it didn't work.
Here's jaas:
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>

<beans>
    <!-- The authentication component.                                      -->

    <!-- JAAS authentication - most of the config goes somewhere else       -->
      
    <bean id="authenticationComponent"
                 class="org.alfresco.repo.security.authentication.jaas.JAASAuthenticationComponent">
        <property name="realm">
            <value>REALM</value>
        </property>
        <property name="jaasConfigEntryName">
            <value>Alfresco</value>
        </property>
    </bean>

    <!-- DAO that rejects changes - JAAS is read only at the moment.      -->
    <!-- It does allow users to be deleted without warnings from the UI. -->
    <!-- The user is still present in JAAS, only the personal information is removed from Alfresco. -->
   
    <bean name="authenticationDao" class="org.alfresco.repo.security.authentication.DefaultMutableAuthenticationDao" >
        <property name="allowDeleteUser">
            <value>true</value>
        </property>
    </bean>   

</beans>
Here's the line of java.security
login.config.url.1=file:C:/Program Files/Java/jdk1.6.0_07/jre/lib/security/java.login.config
and java.security.config
Alfresco {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};
com.sun.net.ssl.client {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};
other {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

And here's the horrible error (that I don't fully understand):
17:43:07,014 INFO  [org.alfresco.repo.domain.schema.SchemaBootstrap] Schema managed by database dialect org.alfresco.repo.domain.hibernate.dialect.AlfrescoSQLServerDialect.
17:43:10,810 INFO  [org.alfresco.repo.domain.schema.SchemaBootstrap] No changes were made to the schema.
17:43:14,482 INFO  [org.alfresco.repo.admin.ConfigurationChecker] The Alfresco root data directory ('dir.root') is: \\172.16.1.103\alfresco$\alf_data
17:43:14,529 INFO  [org.alfresco.repo.admin.patch.PatchExecuter] Comprobando si hay parches para aplicar …
17:43:15,092 INFO  [org.alfresco.repo.module.ModuleServiceImpl] Found 0 module(s).
17:43:15,295 ERROR [org.alfresco.smb.protocol.auth] No valid CIFS authentication combination available
17:43:15,295 ERROR [org.alfresco.smb.protocol.auth] Either enable Kerberos support or use an authentication component that supports MD4 hashed passwords
17:43:15,310 ERROR [org.alfresco.smb.protocol] CIFS server configuration error, Invalid CIFS authenticator configuration
org.alfresco.error.AlfrescoRuntimeException: Invalid CIFS authenticator configuration
   at org.alfresco.filesys.server.auth.EnterpriseCifsAuthenticator.initialize(EnterpriseCifsAuthenticator.java:378)
Can anyone give a hand?
Really angry about this one…
6 REPLIES 6

subemontes
Champ in-the-making
Next try:
http://wiki.alfresco.com/wiki/Configuring_the_CIFS_and_web_servers_for_Kerberos/AD_integration
Really hard way… tokens… cifs… passwords…
Starting… following that web and
http://forums.alfresco.com/en/viewtopic.php?f=9&t=14741&p=48528&hilit=No+valid+CIFS+authentication+c...
And mainly
http://forums.alfresco.com/en/viewtopic.php?f=9&t=14773&p=48590&hilit=kerberos#p48590

So I have a real example… I have configured it like in the manual… it didn't work.

But, before asking, I need someone to answer one thing…
If all my network is Microsoft… is it useful trying to use tokens? Or will the first one from my post (just another wiki) work?
Any help?

subemontes
Champ in-the-making
And after following
http://wiki.alfresco.com/wiki/Configuring_the_CIFS_and_web_servers_for_Kerberos/AD_integration
Here's the error:
18:32:34,929 INFO  [org.alfresco.repo.domain.schema.SchemaBootstrap] No changes were made to the schema.
18:32:38,679 INFO  [org.alfresco.repo.admin.ConfigurationChecker] The Alfresco root data directory ('dir.root') is: \\X.X.X.X\alfresco$\alf_data
18:32:38,741 INFO  [org.alfresco.repo.admin.patch.PatchExecuter] Comprobando si hay parches para aplicar …
18:32:39,288 INFO  [org.alfresco.repo.module.ModuleServiceImpl] Found 0 module(s).
18:32:40,257 INFO  [org.alfresco.service.descriptor.DescriptorService] Alfresco JVM - v1.6.0_07-b06; maximum heap size 960,000MB
18:32:40,257 INFO  [org.alfresco.service.descriptor.DescriptorService] Alfresco started (Community Network): Current version 2.9.0 (B 683) schema 116 - Installed version 2.9.0 (B 683) schema 116
18:32:44,366 ERROR [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] HTTP Kerberos web filter error
javax.security.auth.login.LoginException: Integrity check on decrypted field failed (31)
   at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)
   at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:597)
   at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
   at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
   at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
   at java.security.AccessController.doPrivileged(Native Method)
   at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
   at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
   at org.alfresco.web.app.servlet.KerberosAuthenticationFilter.init(KerberosAuthenticationFilter.java:366)
   at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:221)
   at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:302)
   at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:78)
   at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:3635)
   at org.apache.catalina.core.StandardContext.start(StandardContext.java:4222)
   at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:760)
   at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:740)
   at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:544)
   at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:825)
   at org.apache.catalina.startup.HostConfig.deployWARs(HostConfig.java:714)
   at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:490)
   at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1138)
   at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:311)
   at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:120)
   at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1022)
   at org.apache.catalina.core.StandardHost.start(StandardHost.java:736)
   at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1014)
   at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
   at org.apache.catalina.core.StandardService.start(StandardService.java:448)
   at org.apache.catalina.core.StandardServer.start(StandardServer.java:700)
   at org.apache.catalina.startup.Catalina.start(Catalina.java:552)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:597)
   at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:295)
   at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:433)
Caused by: KrbException: Integrity check on decrypted field failed (31)
   at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:154)
   at sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(DesCbcMd5EType.java:33)
   at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:125)
   at sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(DesCbcMd5EType.java:33)
   at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
   at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:87)
   at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:449)
   at sun.security.krb5.Credentials.sendASRequest(Credentials.java:406)
   at sun.security.krb5.Credentials.acquireTGT(Credentials.java:355)
   at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:662)
   … 39 more
18:32:45,210 ERROR [org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/alfresco]] Excepción arrancando filtro Authentication Filter
javax.servlet.ServletException: Failed to login HTTP server service
   at org.alfresco.web.app.servlet.KerberosAuthenticationFilter.init(KerberosAuthenticationFilter.java:380)
   at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:221)
   at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:302)
   at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:78)
   at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:3635)
   at org.apache.catalina.core.StandardContext.start(StandardContext.java:4222)
   at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:760)
   at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:740)
   at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:544)
   at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:825)
   at org.apache.catalina.startup.HostConfig.deployWARs(HostConfig.java:714)
   at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:490)
   at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1138)
   at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:311)
   at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:120)
   at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1022)
   at org.apache.catalina.core.StandardHost.start(StandardHost.java:736)
   at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1014)
   at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
   at org.apache.catalina.core.StandardService.start(StandardService.java:448)
   at org.apache.catalina.core.StandardServer.start(StandardServer.java:700)
   at org.apache.catalina.startup.Catalina.start(Catalina.java:552)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:597)
   at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:295)
   at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:433)

:?  :?  :? HELP :?  :?

subemontes
Champ in-the-making
Ok. Update:
We return to the first and "simple" configuration:
http://wiki.alfresco.com/wiki/Enterprise_Security_and_Authentication_Configuration

I installed "filemon" from Sysinternals, to find out whether Java was really using java.login.config…
I modified java.security in this way:
login.config.url.1=file:${user.home}/.java.login.config
login.config.url.2=file:${java.home}/jre/lib/security/java.login.config
login.config.url.3=file:${java.home}/lib/security/java.login.config
login.config.url.4=file:${java.home}/java.login.config
login.config.url.5=file:C:/Program Files/Java/jdk1.6.0_07/jre/lib/security/java.login.config

Using preference, and in http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/spec/com/sun/security/auth/login/ConfigFile....

it explains that it must go checking all folders… but filemon didn't show any accesses to that file (it shows java.security only).
The error when running Alfresco is this:
13:21:59,571 INFO  [org.alfresco.repo.module.ModuleServiceImpl] Found 0 module(s).
13:21:59,852 ERROR [org.alfresco.smb.protocol.auth] No valid CIFS authentication combination available
13:21:59,852 ERROR [org.alfresco.smb.protocol.auth] Either enable Kerberos support or use an authentication component that supports MD4 hashed passwords
13:21:59,852 ERROR [org.alfresco.smb.protocol] CIFS server configuration error, Invalid CIFS authenticator configuration
org.alfresco.error.AlfrescoRuntimeException: Invalid CIFS authenticator configuration
   at org.alfresco.filesys.server.auth.EnterpriseCifsAuthenticator.initialize(EnterpriseCifsAuthenticator.java:378)

Does anyone have a solution, plz!
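
Added example (not part of the original post, and not Alfresco code): a small stand-alone Java check for the question raised above, namely which JAAS login configuration the JVM actually resolves. The class name `JaasConfigCheck` is hypothetical; the entry name `Alfresco` is the `jaasConfigEntryName` from the bean shown earlier in the thread.

```java
import java.security.Security;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

/** Added diagnostic, not Alfresco code: shows which JAAS login config the JVM resolves. */
public class JaasConfigCheck {
    public static void main(String[] args) {
        // Entry to look up; "Alfresco" is the jaasConfigEntryName from the post.
        String entryName = args.length > 0 ? args[0] : "Alfresco";

        // 1. Sources consulted by the default file-based Configuration.
        System.out.println("java.security.auth.login.config = "
                + System.getProperty("java.security.auth.login.config"));
        for (int i = 1; ; i++) {
            String url = Security.getProperty("login.config.url." + i);
            if (url == null) {
                break; // the default loader stops at the first missing number
            }
            System.out.println("login.config.url." + i + " = " + url);
        }

        // 2. Load the configuration the same way a LoginContext would.
        Configuration cfg;
        try {
            cfg = Configuration.getConfiguration();
        } catch (SecurityException e) {
            System.out.println("No JAAS configuration could be loaded: " + e.getMessage());
            return;
        }

        // 3. Show what the named entry contains.
        AppConfigurationEntry[] entries = cfg.getAppConfigurationEntry(entryName);
        if (entries == null) {
            System.out.println("No entry named '" + entryName
                    + "' (a LoginContext would fall back to 'other')");
            return;
        }
        for (AppConfigurationEntry entry : entries) {
            System.out.println(entry.getLoginModuleName() + " " + entry.getControlFlag());
            for (Map.Entry<String, ?> opt : entry.getOptions().entrySet()) {
                System.out.println("    " + opt.getKey() + " = " + opt.getValue());
            }
        }
    }
}
```

Compile and run it with the same JRE that Tomcat uses, so that it reads the same `java.security` file.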

subemontes
Champ in-the-making
Update:
I have modified file-servers.xml to try to configure CIFS with passthru.
Error.
<config evaluator="string-compare" condition="Filesystem Security">
    <!-- <authenticator type="enterprise"> -->
    <authenticator type="passthru">
        <server>192.168.1.100</server>
    </authenticator>
</config>

Error:
14:55:23,506 INFO  [org.alfresco.repo.admin.patch.PatchExecuter] Comprobando si hay parches para aplicar …
14:55:24,147 INFO  [org.alfresco.repo.module.ModuleServiceImpl] Found 0 module(s).
14:55:24,397 ERROR [org.alfresco.smb.protocol] CIFS server configuration error, No valid authentication servers found for passthru
org.alfresco.error.AlfrescoRuntimeException: No valid authentication servers found for passthru
   at org.alfresco.filesys.server.auth.passthru.PassthruAuthenticator.initialize(PassthruAuthenticator.java:1208)

Any ideas?

subemontes
Champ in-the-making
WOW! I have found a way to work with Kerberos tokens and AD.
It gets credentials and enters…

But it fails against CIFS… damn

subemontes
Champ in-the-making
Updated:
Bad luck… the tokens were working but no authentication was possible.

Because we are short on time, I checked the way to configure NTLM v2, without the CIFS server (does anyone know if it is useful?), and we are working without Kerberos but with NTLM.

Will try again in a few days!…