Hyland Community
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Kerberos authentication

luishuang
Champ in-the-making
Champ in-the-making

‎12-30-2011 04:56 AM

I can logon with alfresco explorer but not alfresco share. When I try and logon to alfresco share, it actually brings up a windows popup box. If I use an AD account it won't let me on but the builtin alfresco admin would work. I can't see any errors in catalina.out and if I run kinit on the alfresco server, it is using authenticating correctly using kerberos.

My java.login.config file
Alfresco {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

svc-alfrescocifs {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/svc-alfrescocifs.keytab"
   principal="cifs/srv11-0015.inst.camlab";
};

svc-alfrescohttp {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/svc-alfrescohttp.keytab"
   principal="HTTP/srv11-0015.inst.camlab";
};

com.sun.net.ssl.client {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

other {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};


ShareHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/svc-alfrescohttp.keytab"
   principal="HTTP/srv11-0015.inst.camlab";

and krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = INST.CAMLAB
 default_tkt_enctypes = rc4-hmac
 default_tgs_enctypes = rc4-hmac 

 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 INST.CAMLAB = {
  kdc = instlab01.inst.camlab:88
  admin_server = instlab01.inst.camlab:749
  default_domain = inst.camlab
 }

[domain_realm]
instlab01.inst.camlab = INST.CAMLAB
.instlab01.inst.camlab = INST.CAMLAB

share-config-custom.xml
 <!– Kerberos settings –>
   <!– To enaable kerberos rename this condition to "Kerberos" –>
   <config evaluator="string-compare" condition="Kerberos" replace="true">
      <kerberos>
         <!–
            Password for HTTP service account.
            The account name *must* be built from the HTTP server name, in the format :
               HTTP/<server_name>@<realm>
            (NB this is because the web browser requests an ST for the
            HTTP/<server_name> principal in the current realm, so if we're to decode
            that ST, it has to match.)
         –>
         <password>xxxxx</password>
         <!–
            Kerberos realm and KDC address.
         –>
         <realm>INST.CAMLAB</realm>
         <!–
            Service Principal Name to use on the repository tier.
            This must be like: HTTP/host.name@REALM
         –>
         <endpoint-spn>HTTP/SRV11-0015@INST.CAMLAB</endpoint-spn>
         <!–
            JAAS login configuration entry name.
         –>
         <config-entry>ShareHTTP</config-entry>
      </kerberos>
   </config>


and my alfresco-global.properties
authentication.chain=alfrescoNtlm1:alfrescoNtlm,kerberos1:kerberos
ntlm.authentication.sso.enabled=true
alfresco.authentication.authenticateCIFS=true
Labels:
0 Kudos
1 REPLY 1

gronfelt
Champ in-the-making
Champ in-the-making

‎01-03-2012 05:51 AM

ntlm.authentication.sso.enabled should not be set to true when using kerberos. Instead you should set kerberos.authentication.sso.enabled to true.
0 Kudos
Getting started

Tags

Find what you came for

We want to make your experience in Hyland Connect as valuable as possible, so we put together some helpful links.

Copyright © 2025 Khoros, LLC