
Kerberos difficulties

doiheartwentyon
Champ in-the-making
Hi,
I have been trying to get Kerberos and LDAP chaining to work using the instructions at
http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems

In Share, I can log in through the login screen and authenticate against Kerberos users; LDAP synchronization is also working.
However, I can't log in to the Alfresco backend web application. I get (on screen)

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authenticationFilter' defined in file [/opt/alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/kerberos/kerberos-filter-context.xml]: Invocation of init method failed; nested exception is javax.servlet.ServletException: Failed to login HTTP server service
caused by:
javax.servlet.ServletException: Failed to login HTTP server service

I don't see why this happens as I thought the HTTP server service was only used when SSO was enabled, and I have set kerberos.authentication.sso.enabled to false.

Investigating, I created a HTTP principal for the service, but this also failed with the same message and the logs:

17:29:36,557  ERROR [app.servlet.KerberosAuthenticationFilter] HTTP Kerberos web filter error
javax.security.auth.login.LoginException: Integrity check on decrypted field failed (31)
   at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:659)
[snip]
Caused by: KrbException: Integrity check on decrypted field failed (31)
   at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:154)
   at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:125)
   at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:167)
   at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:87)
   at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:486)
   at sun.security.krb5.Credentials.sendASRequest(Credentials.java:406)
   at sun.security.krb5.Credentials.acquireTGT(Credentials.java:356)
   at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:629)
   … 64 more


I didn't initially supply a kerberos.authentication.http.password because I'm using a keytab file in java.login.config and am not responsible for the password.
When I switched to using an explicit password (kinit.java working fine for the principal) I still got this error.
Our Kerberos server (not AD) supports the DES3-CBC-SHA1-KD key type only, and I haven't knowingly told JAAS to use a particular one (maybe I should?).

My questions then:
1. Should I worry about kerberos.authentication.http.password?
2. Anyone have any hints about why the encryption is failing? Is it the key type?
3. Why is the Alfresco web client trying to authenticate this way at all, given that I have supposedly disabled the HTTP SSO service?

dward
Champ on-the-rise
1. I think you have exposed a problem with the Kerberos authentication subsystem. The http.password indeed should only be relevant when kerberos.authentication.sso.enabled=true but it is trying to validate everything at startup. For now, you will have to work around this by creating the HTTP principal anyway (as you have done). I have logged

https://issues.alfresco.com/jira/browse/ETHREEOH-2617

2. Does any of this help:

http://forums.sun.com/thread.jspa?threadID=5250326
http://jhelvoort.wordpress.com/2009/01/02/integrity-check-on-decrypted-field-failed-31/
http://mailman.mit.edu/pipermail/kerberos/2006-November/010849.html

?

3. Good question. It shouldn't and soon won't.

doiheartwentyon
Champ in-the-making
1. I think you have exposed a problem with the Kerberos authentication subsystem. The http.password indeed should only be relevant when kerberos.authentication.sso.enabled=true but it is trying to validate everything at startup. For now, you will have to work around this by creating the HTTP principal anyway (as you have done)

OK, good - FYI the same is true of the CIFS principal - I needed to create it even with kerberos.authentication.authenticateCIFS set to false.

2. Does any of this help:

http://forums.sun.com/thread.jspa?threadID=5250326
http://jhelvoort.wordpress.com/2009/01/02/integrity-check-on-decrypted-field-failed-31/
http://mailman.mit.edu/pipermail/kerberos/2006-November/010849.html

1. No, realm is already in uppercase.
2. This poster gets the message from kinit, but I have no problems logging in with kinit (including java kinit)
3. I think this poster had problems with the enctype - I suppose this may be possible, but I haven't found out how I can force JAAS to use a particular one, and surely that would also impact kinit.java?

I tried switching from keytab to password and providing this password in the properties file (and the principal in java.login.config). kinit and kinit.java were fine, but no luck with Alfresco.
Finally, I get the 'integrity check' message from kinit.java if I supply the wrong password, so I'm now wondering if the keytab file is being misread somehow.
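A way to check the "is the keytab being misread" suspicion from above, added here as an example and not code from the thread or from Alfresco: a small parser for the MIT keytab format (version 0x0502) that lists every entry's principal, kvno and encryption type, and reports which of the KDC's enctypes a given principal has no key for. A keytab whose keys do not match the KDC's (stale kvno, different enctype) is one common cause of the Krb5LoginModule "Integrity check on decrypted field failed (31)" failure at AS-REQ time. The sample keytab bytes are constructed in memory with dummy key material, so nothing here touches a real keytab; `inspect_keytab()` takes a path for real use. The principal and realm names are made up.

```python
"""Inspect an MIT-format keytab and compare its enctypes with what the KDC offers.

Added example (not Alfresco or MIT code). The keytab built by build_keytab()
is a constructed sample with dummy keys; parse_keytab() works on real files.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Encryption type numbers from RFC 3961 / RFC 3962 / RFC 4757.
ENCTYPE_NAMES: Dict[int, str] = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1-kd",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}


@dataclass
class KeytabEntry:
    principal: str
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key_len: int

    @property
    def enctype_name(self) -> str:
        return ENCTYPE_NAMES.get(self.enctype, f"enctype-{self.enctype}")


def _counted_octets(data: bytes, off: int) -> Tuple[bytes, int]:
    """Read a uint16 length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    return data[off:off + n], off + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse keytab version 0x0502 (what kadmin, ktutil and ktpass write)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries: List[KeytabEntry] = []
    off = 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted_octets(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted_octets(data, off)
            comps.append(c.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _counted_octets(data, off)
        kvno = vno8
        if end - off >= 4:                # optional 32-bit kvno supersedes the 8-bit one
            (kvno32,) = struct.unpack_from(">I", data, off)
            if kvno32:
                kvno = kvno32
        off = end
        principal = "/".join(comps) + "@" + realm.decode()
        entries.append(KeytabEntry(principal, name_type, ts, kvno, enctype, len(key)))
    return entries


def missing_enctypes(entries: Iterable[KeytabEntry], principal: str,
                     kdc_enctypes: Iterable[int]) -> List[int]:
    """KDC enctypes for which `principal` has no key in the keytab (sorted)."""
    have = {e.enctype for e in entries if e.principal == principal}
    return sorted(set(kdc_enctypes) - have)


def build_keytab(keys: Iterable[Tuple[str, int, int, bytes]]) -> bytes:
    """Serialise (principal, kvno, enctype, key) tuples into a v0x502 keytab.
    Only used to construct sample input here; real keytabs come from kadmin/ktutil."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in keys:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # NT-PRINCIPAL, timestamp 0
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample: HTTP/ service principal with des3 and rc4 keys, cifs/ with des3 only.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/server.example.com@EXAMPLE.COM", 3, 16, b"\x11" * 24),
    ("HTTP/server.example.com@EXAMPLE.COM", 3, 23, b"\x22" * 16),
    ("cifs/server.example.com@EXAMPLE.COM", 2, 16, b"\x33" * 24),
])


def inspect_keytab(path: str) -> List[KeytabEntry]:
    with open(path, "rb") as fh:
        return parse_keytab(fh.read())


if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f"{e.principal:40} kvno={e.kvno} {e.enctype_name} ({e.key_len} bytes)")
    print("missing for HTTP/ vs KDC {16,18}:",
          missing_enctypes(parse_keytab(SAMPLE_KEYTAB),
                           "HTTP/server.example.com@EXAMPLE.COM", {16, 18}))
```

Run it against the service keytab named in java.login.config and compare the listed enctypes and kvno with what the KDC reports for the principal (kadmin's getprinc shows both); an empty `missing_enctypes` result and a matching kvno rule out the keytab as the cause.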

doiheartwentyon
Champ in-the-making
To follow up…

I changed the java.login.config to use my own principal instead of HTTP/server.x.y.z , supplying my password in the properties file, and this worked[1], so I guess it's something on the kerberos side. The only thing I can think of is that for some reason Alfresco needs a user principal not a host principal, but I'm not clear on the difference.

[1] Well, it allowed me to access the Alfresco web client with SSO disabled, at least.

dward
Champ on-the-rise
FYI a fix has been checked in to HEAD, revision 15729. Here's the change comment:

ETHREEOH-2617: When SSO is disabled in a subsystem, disable initialization of its filters 
- Do not validate filter configuration parameters in NTLM and Kerberos authentication filters when the filter is disabled

FYI there did not appear to be a problem with the CIFS authenticators, which already suppress their initialization when disabled.

dannyboy
Champ in-the-making
I am able to log in with accounts in my Active Directory in the Share webapp, but I can not access the Alfresco webapp:

[img]http://imgur.com/U4Jn7l.png[/img]


11:40:57,528 ERROR [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] HTTP Kerberos web filter error

javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)

dannyboy
Champ in-the-making
Please let me know if I am not clear. I am not an expert 😕

Also, though I have Cifs.enabled = false everywhere I can find, I still get the following error when I log in via kerberos on the Share app:

14:59:41,586 ERROR [org.alfresco.web.scripts.AbstractRuntime] Exception from executeScript - redirecting to status template error: Error creating bean with name 'cifsAuthenticator' defined in file [C:\Alfresco\tomcat\webapps\alfresco\WEB-INF\classes\alfresco\subsystems\Authentication\kerberos\kerberos-authentication-context.xml]: Invocation of init method failed; nested exception is org.alfresco.jlan.server.config.InvalidConfigurationException: Failed to login CIFS server service
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'cifsAuthenticator' defined in file [C:\Alfresco\tomcat\webapps\alfresco\WEB-INF\classes\alfresco\subsystems\Authentication\kerberos\kerberos-authentication-context.xml]: Invocation of init method failed; nested exception is org.alfresco.jlan.server.config.InvalidConfigurationException: Failed to login CIFS server service
Caused by: org.alfresco.jlan.server.config.InvalidConfigurationException: Failed to login CIFS server service

I thought it wasn't supposed to try Cifs authentication if it is disabled in kerberos-authentication.xml. I have file server disabled as well.

dward
Champ on-the-rise
Did you include this in alfresco-global.properties?

kerberos.authentication.authenticateCIFS=false

dannyboy
Champ in-the-making
Did you include this in alfresco-global.properties?

kerberos.authentication.authenticateCIFS=false

Thanks for the reply!

I already had 'kerberos.authentication.authenticateCIFS=false' in my kerberos authentication properties file, but to humor the point I added it to alfresco global properties as well.

I still get the same error:

10:39:32,347 ERROR [org.alfresco.web.scripts.AbstractRuntime] Exception from executeScript - redirecting to status template error: Error creating bean with name 'cifsAuthenticator' defined in file [C:\Alfresco\tomcat\webapps\alfresco\WEB-INF\classes\alfresco\subsystems\Authentication\kerberos\kerberos-authentication-context.xml]: Invocation of init method failed; nested exception is org.alfresco.jlan.server.config.InvalidConfigurationException: Failed to login CIFS server service

Regardless, I am more concerned about not being able to log in to the alfresco webapp when kerberos authentication is enabled, as you can see from my screenshot 3 posts up.

dward
Champ on-the-rise
You need to understand how to control subsystem properties rather than randomly editing different files.

I've just double-checked the configuration and think I have found the problem. I will re-open the bug and ensure that it is fixed in HEAD.

It's this line in network-protocol-context.xml:

<!-- CIFS authentication -->
<bean id="cifsAuthenticatorBase" abstract="true" init-method="initialize">

Even though CifsAuthenticatorBase implements InitializingBean, initialize() has been declared as the init-method. This means that the logic that only calls initialize() when the active flag is set will be bypassed.

A workaround is to put the following in $TOMCAT_HOME/shared/classes/alfresco/extension/temp-context.xml:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>

<beans>

    <!-- Fix initialization of CIFS authenticators -->
    <bean id="cifsAuthenticatorBase" abstract="true">
        <property name="config">
            <ref bean="fileServerConfiguration" />
        </property>
        <property name="authenticationService">
            <ref bean="authenticationService" />
        </property>
        <property name="authenticationComponent">
            <ref bean="authenticationComponent" />
        </property>
        <property name="nodeService">
            <ref bean="NodeService" />
        </property>
        <property name="personService">
            <ref bean="personService" />
        </property>
        <property name="transactionService">
            <ref bean="transactionService" />
        </property>
        <property name="authorityService">
            <ref bean="authorityService" />
        </property>
        <property name="diskInterface">
            <ref bean="contentDiskDriver" />
        </property>
    </bean>

</beans>