
Kerberos difficulties

doiheartwentyon
Champ in-the-making
Hi,
I have been trying to get Kerberos and LDAP chaining to work using the instructions at
http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems

In Share, I can log in through the login screen and authenticate against Kerberos users; LDAP synchronization is also working.
However, I can't log in to the Alfresco backend web application. I get (on screen)

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authenticationFilter' defined in file [/opt/alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/kerberos/kerberos-filter-context.xml]: Invocation of init method failed; nested exception is javax.servlet.ServletException: Failed to login HTTP server service
caused by:
javax.servlet.ServletException: Failed to login HTTP server service

I don't see why this happens as I thought the HTTP server service was only used when SSO was enabled, and I have set kerberos.authentication.sso.enabled to false.

Investigating, I created an HTTP principal for the service, but this also failed with the same message and the logs:

17:29:36,557  ERROR [app.servlet.KerberosAuthenticationFilter] HTTP Kerberos web filter error
javax.security.auth.login.LoginException: Integrity check on decrypted field failed (31)
   at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:659)
[snip]
Caused by: KrbException: Integrity check on decrypted field failed (31)
   at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:154)
   at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:125)
   at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:167)
   at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:87)
   at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:486)
   at sun.security.krb5.Credentials.sendASRequest(Credentials.java:406)
   at sun.security.krb5.Credentials.acquireTGT(Credentials.java:356)
   at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:629)
   … 64 more


I didn't initially supply a kerberos.authentication.http.password because I'm using a keytab file in java.login.config and am not responsible for the password.
When I switched to using an explicit password (kinit.java working fine for the principal) I still got this error.
Our Kerberos server (not AD) supports the DES3-CBC-SHA1-KD key type only, and I haven't knowingly told JAAS to use a particular one (maybe I should?).

My questions then:
1. Should I worry about kerberos.authentication.http.password?
2. Anyone have any hints about why the encryption is failing? Is it the key type?
3. Why is the Alfresco web client trying to authenticate this way at all, given that I have supposedly disabled the HTTP SSO service?

dward
Champ on-the-rise
This is now fixed in HEAD.

dannyboy
Champ in-the-making
Thank you for your time and patience. I will confess that after changing the Kerberos authentication properties and the error persisted, I declared war on all things cifs in /alfresco.

I followed your instructions but there was a 'The processing instruction target matching "[xX][mM][lL]"' error when importing the file. It had to do with whitespace in the file; I think it was a formatting problem when copying it over. Anyways, I deleted the whitespace and it imported and ran fine.

I no longer get the "Failed to login CIFS server service" error each time I log in with an AD account. Good catch!

I still receive the following error when trying to access the Alfresco webapp. The problem in the screenshot I posted a while back still happens.

11:40:57,528 ERROR [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] HTTP Kerberos web filter error

javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)

Does this mean that I am doing something wrong? Did I set up my keytab incorrectly or something? However, I am able to log in with AD accounts just fine…

dward
Champ on-the-rise
I don't understand. The screenshot is of the HTTP service login problem, which was fixed by

https://issues.alfresco.com/jira/browse/ETHREEOH-2617

Aren't you running with a recent 3.3 build?

As for the other error, what do you mean by "I am able to log in with AD accounts just fine"? What are you trying to log in with then?

If you are trying to log in as an internal Alfresco user, such as admin, you will need alfrescoNtlm in your authentication chain.

If this explains the problem, but you are still getting a nasty exception on your screen when you enter an invalid password, there is still a bug somewhere.

I'm hoping to set up a Kerberos system soon so that I can investigate properly.

dannyboy
Champ in-the-making
Sorry for being unclear.

I am running Alfresco 3.2 but will download the latest build now.

I am able to log in to the Share webapp with Active Directory usernames. The user is then auto-created inside of Alfresco.

Now, when I try to access the Alfresco webapp, the screenshot error occurs. I never see the login screen… nothing except for that screenshot.

So it probably is this SSO bug, I will try it out on the new build.

Edit: Tried it in 3.3 and the same error occurs. I really think it might be that I misconfigured Kerberos, though I can use the Share webapp just fine.

dward
Champ on-the-rise
Did you build from HEAD? It does work, I promise!

I've managed to set up Kerberos on a VM and I think I've resolved the problem with the CIFS and HTTP service principals.

See this bug comment https://issues.alfresco.com/jira/browse/ETHREEOH-425?focusedCommentId=29595&page=com.atlassian.jira....

It seems that if you did change the accounts to use DES encryption, you would have to reset the passwords, as otherwise they are not cached with DES encryption.

And for Java 6, you can use RC4-HMAC-NT encryption instead. So the new ktpass commands are the following (after deselecting the use DES encryption option and resetting the password on both accounts). I've updated the wiki.

ktpass -princ cifs/<cifs-server-name>.<domain>@<realm> -pass <password> -mapuser <domainnetbios>\alfrescocifs -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out c:\temp\alfrescocifs.keytab
ktpass -princ HTTP/<web-server-name>.<domain>@<realm> -pass <password> -mapuser <domainnetbios>\alfrescohttp -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out c:\temp\alfrescohttp.keytab
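The errors in this thread come down to the key in the keytab not matching what the KDC issues: a service account still flagged for DES, or a keytab cut with an enctype the KDC does not offer. The following added example (not from this thread or from Alfresco) parses the MIT keytab format that ktpass writes and reports entries a given KDC could not use; the principal names, realm and the KDC enctype set are constructed for the sample.

```python
import struct
# Kerberos enctype numbers (IANA registry) seen in this thread: 23 is what "ktpass -crypto
# RC4-HMAC-NT" writes, 16 is DES3-CBC-SHA1-KD, 1 and 3 are the single-DES types.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1-kd", 23: "rc4-hmac"}
SINGLE_DES = {1, 3}
def _cs(b):  # counted octet string: uint16 big-endian length, then the bytes
    return struct.pack(">H", len(b)) + b
def _read_cs(data, pos):
    n = struct.unpack_from(">H", data, pos)[0]
    return data[pos + 2:pos + 2 + n], pos + 2 + n
def parse_keytab(data):  # MIT keytab format 0x0502 -> [(principal, kvno, enctype)]
    if data[:2] != b"\x05\x02": raise ValueError("unsupported keytab version")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size < 0:          # a negative size marks a deleted slot of |size| bytes
            pos -= size
            continue
        end = pos + size
        ncomp = struct.unpack_from(">H", data, pos)[0]
        realm, pos = _read_cs(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_cs(data, pos)
            comps.append(c.decode())
        # fixed fields: uint32 name_type, uint32 timestamp, uint8 kvno, uint16 enctype, uint16 keylen
        _nt, _ts, kvno, etype, klen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13 + klen      # step over the fixed fields and the key bytes themselves
        if end - pos >= 4:    # optional 32-bit kvno supersedes the 8-bit field
            kvno = struct.unpack_from(">I", data, pos)[0] or kvno
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, etype))
        pos = end
    return entries
def check_keytab(data, kdc_enctypes):  # entries a KDC like the one in this thread cannot use
    out = []
    for princ, kvno, etype in parse_keytab(data):
        why = ("single-DES key" if etype in SINGLE_DES
               else "not offered by the KDC" if etype not in kdc_enctypes else None)
        if why:
            out.append(f"{princ} kvno {kvno}: {ENCTYPES.get(etype, etype)} {why}")
    return out
def make_entry(princ, kvno, etype, key):  # one constructed keytab record (test data only)
    name, realm = princ.split("@")
    body = struct.pack(">H", name.count("/") + 1) + _cs(realm.encode())
    body += b"".join(_cs(c.encode()) for c in name.split("/"))
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, etype) + _cs(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body
# Constructed sample: an RC4-HMAC HTTP key as the ktpass line above produces, plus a cifs key
# still cut with single DES because that account's password was never reset (keys are zeros).
SAMPLE_KEYTAB = (b"\x05\x02" + make_entry("HTTP/web.example.com@EXAMPLE.COM", 3, 23, bytes(16))
                 + make_entry("cifs/web.example.com@EXAMPLE.COM", 2, 3, bytes(8)))
```

Run check_keytab on a real keytab with the enctype set your KDC actually supports; against the DES3-only KDC described in the first post every entry of this sample is reported.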