Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Hyland Connect
- Enterprise Platforms
- Alfresco
- Alfresco Archive
- Kerberos issue Client sent an NTLMSSP security blo...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Kerberos issue Client sent an NTLMSSP security blob not able to SSO
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-09-2015 12:52 AM
Hi Forum ,
i am setting kerberos authentication .
In my logs i am able to see
But when I login from client it prompts for Windows pop up for login.
I want to achieve SSO with kerberos to both Explorer and Share.
Below is my configuration
I have refereed below link for kerberos configuration
http://www.anotherstrangerme.com/afresco-integration-with-active-directory-using-kerberos/
Step 1: Created two accounts in AD AlfresoHTTP and AlfrescoCIFS with settings given in link above.
Step 2: used ktpass command
<blockcode>
ktpass -princ cifs/<cifs-server-name>.<domain>@<realm> -pass <password> -mapuser <domainnetbios>\alfrescocifs -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -out c:\temp\alfrescocifs.keytab
ktpass -princ HTTP/<web-server-name>.<domain>@<realm> -pass <password> -mapuser <domainnetbios>\alfrescohttp -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -out c:\temp\alfrescohttp.keytab
</blockcode>
Please note I have used -crypto DES-CBC-MD5 will this really matters??am i right here?can i use this??Please suggest right approach.
Step 3: krb5.ini (ini file as i am doing it on windows server 2008 R2 )
But here i have not mentioned
default_tkt_enctypes = and
default_tgs_enctypes =
i tried with using DES-CBC-MD5 but it did not work
step 4 :
step 5: in JRE\lib\security\java.security.
and chain as below:
authentication.chain=kerberos1:kerberos,ldap1:ldap-ad
My Qproblem :
1) not able to SSO on Alfresco ( Share not yet configured )
2) On attempt to login with link
http://server-name:8080/alfresco/
It prompt me windows login screen and then alfresco login screen if my password is correct.
My Log says as bwlow :
version using 4.2e
Please help me to understand and to solve where i am going wrong
Please let me know if any other information is required.
i am setting kerberos authentication .
In my logs i am able to see
INFO [management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Starting 'Authentication' subsystem, ID: [Authentication, managed, kerberos1]
2015-02-09 10:52:19,943 DEBUG [app.servlet.KerberosAuthenticationFilter] [localhost-startStop-1] HTTP Kerberos login successful
But when I login from client it prompts for Windows pop up for login.
I want to achieve SSO with kerberos to both Explorer and Share.
Below is my configuration
I have refereed below link for kerberos configuration
http://www.anotherstrangerme.com/afresco-integration-with-active-directory-using-kerberos/
Step 1: Created two accounts in AD AlfresoHTTP and AlfrescoCIFS with settings given in link above.
Step 2: used ktpass command
<blockcode>
ktpass -princ cifs/<cifs-server-name>.<domain>@<realm> -pass <password> -mapuser <domainnetbios>\alfrescocifs -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -out c:\temp\alfrescocifs.keytab
ktpass -princ HTTP/<web-server-name>.<domain>@<realm> -pass <password> -mapuser <domainnetbios>\alfrescohttp -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -out c:\temp\alfrescohttp.keytab
</blockcode>
Please note I have used -crypto DES-CBC-MD5 will this really matters??am i right here?can i use this??Please suggest right approach.
Step 3: krb5.ini (ini file as i am doing it on windows server 2008 R2 )
[libdefaults]
default_realm = ALFRESCO.ORG
[realms]
ALFRESCO.ORG = {
kdc = adsrv.alfresco.org
admin_server = adsrv.alfresco.org
}
[domain_realm]
adsrv.alfresco.org = ALFRESCO.ORG
.adsrv.alfresco.org = ALFRESCO.ORG
But here i have not mentioned
default_tkt_enctypes = and
default_tgs_enctypes =
i tried with using DES-CBC-MD5 but it did not work
step 4 :
Alfresco {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};
AlfrescoCIFS {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
keyTab=”C:/temp/alfrescocifs.keytab”
principal=”cifs/<cifs-server-name>.<domain>”;
};
AlfrescoHTTP {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
keyTab=”C:/temp/alfrescohttp.keytab”
principal=”HTTP/<web-server-name>.<domain>”;
};
com.sun.net.ssl.client {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};
other {
com.sun.security.auth.module.Krb5LoginModule sufficient;
}
step 5: in JRE\lib\security\java.security.
login.config.url.1=file:C:/Alfresco/java/jre/lib/security/java.login.config and chain as below:
authentication.chain=kerberos1:kerberos,ldap1:ldap-ad
My Qproblem :
1) not able to SSO on Alfresco ( Share not yet configured )
2) On attempt to login with link
http://server-name:8080/alfresco/
It prompt me windows login screen and then alfresco login screen if my password is correct.
My Log says as bwlow :
2015-02-09 10:54:36,959 INFO [site.servlet.SSOAuthenticationFilter] [localhost-startStop-1] SSOAuthenticationFilter initialised.
2015-02-09 10:55:39,407 DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-3] New Kerberos auth request from 10.0.2.22 (10.0.2.22:60268)
2015-02-09 10:55:39,407 DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-3] Issuing login challenge to browser.
2015-02-09 10:55:39,438 DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-4] Client sent an NTLMSSP security blob
2015-02-09 10:55:39,438 DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-4] Clearing session.
2015-02-09 10:55:39,438 DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-4] Issuing login challenge to browser.
2015-02-09 10:56:06,785 DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-6] Login page requested, chaining …
2015-02-09 10:56:07,503 DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-8] Authentication not required (filter), chaining …
version using 4.2e
Please help me to understand and to solve where i am going wrong
Please let me know if any other information is required.
Labels:
- Labels:
-
Archive
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-12-2015 06:42 AM
Hi Forum,
I have configured Kerberos Authentication with SSO on explorer and share.
I was stuck at above mentioned error.
i.e Client sent an NTLMSSP security blob
I change one property in AD .
the Use DES encryption types for this account is unchecked. And few related settings and all works great.
After a week of struggle i able to configure this , i feel like happiest person on the earth when i achieve this.
Thanks to forum all comments here helps a lot.
Feel free to ask me if you want all my configuration . I would be happy to help you.
Thanks and Regards
Aditya C Chaudhari
I have configured Kerberos Authentication with SSO on explorer and share.
I was stuck at above mentioned error.
i.e Client sent an NTLMSSP security blob
I change one property in AD .
the Use DES encryption types for this account is unchecked. And few related settings and all works great.
After a week of struggle i able to configure this , i feel like happiest person on the earth when i achieve this.
Thanks to forum all comments here helps a lot.
Feel free to ask me if you want all my configuration . I would be happy to help you.
Thanks and Regards
Aditya C Chaudhari
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-17-2019 05:49 AM
Hello Aditya,
Could you please let us know what configuration changes are required on AD side and how can we achieve that.
Thanks and Regards,
Supriya
Related Content
- unconstrained delegation with Kerberos in Alfresco Forum
- ACS 7.3 + Kerberos. SSO Authentication for Share stops working every night in Alfresco Forum
- Setup ACS-7.x, ASS-2.x, Local Transformation Service using distribution package step by step Part 2 in Alfresco Blog
- Alfresco configuration for SSO: are my alfresco files correct? in Alfresco Forum
- Kerberos SSO for alfresco docker installation in Alfresco Forum
Getting started
Tags
Find what you came for
We want to make your experience in Hyland Connect as valuable as possible, so we put together some helpful links.
