Kerberos problem

borisstankov
Champ in-the-making
Hello,

I need some help with configuring Kerberos Single Sign-On with my Alfresco. Here are more details about the environment:
Alfresco Community 5.0.c on CentOS 6.6 (Final).
My AD is on Windows Server 2012.
I'm configuring Kerberos to go against this AD and to authenticate my users with tickets directly from there, so they wouldn't have to log in to it every time.

I have those configs:

1. in /etc/krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_keytab_name = FILE:/etc/httpportal2.keytab
default_realm = CORP.INT
ticket_lifetime = 24h
renew_lifetime = 7d
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
forwardable = true
# proxiable = true

[realms]
CORP.INT = {
  kdc = dc1.corp.int
  admin_server = dc1.corp.int
}

[domain_realm]
.corp.int = CORP.INT
corp.int = CORP.INT


2. global properties:

authentication.chain=kerberos1:kerberos,alfinst:alfrescoNtlm

kerberos.authentication.realm=DOMAIN
kerberos.authentication.sso.enabled=true
kerberos.authentication.authenticateCIFS=false
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.cifs.password=Password
kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.stripUsernameSuffix=true
kerberos.authentication.http.password=Password
kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.browser.ticketLogons=true


3. In /opt/alfresco-5.0/tomcat/bin/setenv.sh

JAVA_HOME=/opt/alfresco-5.0/java
JRE_HOME=$JAVA_HOME
JAVA_OPTS="-XX:+DisableExplicitGC -Djava.awt.headless=true -Dalfresco.home=/opt/alfresco-5.0 -Dcom.sun.management.jmxremote -Dsun.security.krb5.msinterop.kstring=true -XX:ReservedCodeCacheSize=128m $JAVA_OPTS "
JAVA_OPTS="-XX:MaxPermSize=5120M -Xms4096M -Xmx5120M $JAVA_OPTS " # java-memory-settings
export JAVA_HOME
export JRE_HOME
export JAVA_OPTS


4. I have configured the share-config-custom.xml as explained in the alfresco wiki.

5. In /opt/alfresco-5.0/java/lib/security/java.security I've added this line:
login.config.url.1=file:${java.home}/lib/security/java.login.config

6. In /opt/alfresco-5.0/java/lib/security/java.login.config I have this:

Alfresco {
    com.sun.security.auth.module.Krb5LoginModule sufficient;
};

AlfrescoCIFS {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    useKeyTab=true
    keyTab="/etc/cifsportal2.keytab"
    principal="cifs/portal2.domain";
};

AlfrescoHTTP {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    useKeyTab=true
    keyTab="/etc/httpportal2.keytab"
    principal="HTTP/portal2.domain";
};

ShareHTTP {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    useKeyTab=true
    keyTab="/etc/httpportal2.keytab"
    principal="HTTP/portal2.domain";
};

com.sun.net.ssl.client {
    com.sun.security.auth.module.Krb5LoginModule sufficient;
};

other {
    com.sun.security.auth.module.Krb5LoginModule sufficient;
};


7. Also the keytabs are in the specified directory (/etc) with the same names and 777 permissions, and they are generated with the correct kvno.

This is the error message from the catalina.out log file (it keeps looping through these messages):

2015-04-14 15:51:49,435  DEBUG [webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-9] Performing fallback authentication…
Apr 14, 2015 3:51:49 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [cmisatom10] in context with path [/alfresco] threw exception
org.alfresco.service.namespace.InvalidQNameException: A QName must consist of a local name
   at org.alfresco.service.namespace.QName.createQName(QName.java:87)
   at org.alfresco.repo.security.person.PersonServiceImpl.getChildNameLower(PersonServiceImpl.java:1768)
   at org.alfresco.repo.security.person.PersonServiceImpl.getPersonOrNullImpl(PersonServiceImpl.java:537)
   at org.alfresco.repo.security.person.PersonServiceImpl.getUserIdentifier(PersonServiceImpl.java:1880)
   at org.alfresco.repo.security.authentication.AuthenticationComponentImpl$1$1.doWork(AuthenticationComponentImpl.java:93)
   at org.alfresco.repo.security.authentication.AuthenticationComponentImpl$1$1.doWork(AuthenticationComponentImpl.java:90)
   at org.alfresco.repo.tenant.TenantUtil.runAsWork(TenantUtil.java:119)
   at org.alfresco.repo.tenant.TenantUtil.runAsTenant(TenantUtil.java:88)
   at org.alfresco.repo.tenant.TenantUtil$1.doWork(TenantUtil.java:62)
   at org.alfresco.repo.security.authentication.AuthenticationUtil.runAs(AuthenticationUtil.java:548)
   at org.alfresco.repo.tenant.TenantUtil.runAsUserTenant(TenantUtil.java:58)
   at org.alfresco.repo.tenant.TenantUtil.runAsSystemTenant(TenantUtil.java:112)
   at org.alfresco.repo.security.authentication.AuthenticationComponentImpl$1.execute(AuthenticationComponentImpl.java:89)
   at org.alfresco.repo.security.authentication.AuthenticationComponentImpl$1.execute(AuthenticationComponentImpl.java:86)
   at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:454)
   at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:342)
   at org.alfresco.repo.security.authentication.AuthenticationComponentImpl.authenticateImpl(AuthenticationComponentImpl.java:84)
   at org.alfresco.repo.security.authentication.AbstractAuthenticationComponent.authenticate(AbstractAuthenticationComponent.java:162)
   at org.alfresco.repo.security.authentication.AuthenticationServiceImpl.authenticate(AuthenticationServiceImpl.java:68)
   at org.alfresco.repo.security.authentication.AbstractChainingAuthenticationService.authenticate(AbstractChainingAuthenticationService.java:195)
   at sun.reflect.GeneratedMethodAccessor593.invoke(Unknown Source)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
   at java.lang.reflect.Method.invoke(Unknown Source)
   at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
   at net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:80)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:46)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.alfresco.repo.audit.AuditMethodInterceptor.invoke(AuditMethodInterceptor.java:159)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:96)
   at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:260)
   at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:94)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
   at com.sun.proxy.$Proxy64.authenticate(Unknown Source)
   at org.alfresco.repo.webdav.auth.SSOFallbackBasicAuthenticationDriver.authenticateRequest(SSOFallbackBasicAuthenticationDriver.java:120)
   at org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter.performFallbackAuthentication(BaseSSOAuthenticationFilter.java:604)
   at org.alfresco.repo.webdav.auth.BaseKerberosAuthenticationFilter.authenticateRequest(BaseKerberosAuthenticationFilter.java:279)
   at org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter.doFilter(BaseSSOAuthenticationFilter.java:155)
   at sun.reflect.GeneratedMethodAccessor595.invoke(Unknown Source)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
   at java.lang.reflect.Method.invoke(Unknown Source)
   at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:112)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
   at com.sun.proxy.$Proxy274.doFilter(Unknown Source)
   at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:82)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
   at org.alfresco.web.app.servlet.CmisSecurityContextCleanerFilter.doFilter(CmisSecurityContextCleanerFilter.java:49)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
   at org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:61)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
   at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
   at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
   at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
   at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
   at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
   at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
   at org.apache.tomcat.util.net.AprEndpoint$SocketWithOptionsProcessor.run(AprEndpoint.java:2378)
   at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
   at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
   at java.lang.Thread.run(Unknown Source)

15:51:49,588 WARN  [org.alfresco.wcm.client.util.impl.GuestSessionFactoryImpl] WQS unable to connect to repository: Internal Server Error

Please let me know where my mistake is and why I'm unable to authenticate via Kerberos, and whether you need anything else from me about the problem.

Thanks a lot in advance!
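A check worth running before wiring up JAAS entries like the ones above, as an added example that is neither Alfresco's code nor the poster's configuration: parse the MIT keytab file, list each entry's principal, realm, kvno and enctype, compare them with the principal and realm the JAAS entry and `kerberos.authentication.realm` expect (and with the enctypes pinned in krb5.conf), and flag a keytab that is readable by anyone other than the service account. The keytab bytes are constructed in the script so it runs offline; the principal `HTTP/portal2.corp.int`, the realm `CORP.INT` and the temp file are sample values, and `write_sample_keytab` exists only so the permission check has a file to stat.

```python
"""Inspect an MIT-format keytab and cross-check it against a JAAS entry.

Added illustration, not Alfresco's code or the poster's configuration. The
keytab bytes are built here so the checks run offline; the principal
HTTP/portal2.corp.int, the realm CORP.INT and the temp file are sample values.
"""
import os
import stat
import struct
import tempfile

KEYTAB_V2 = b"\x05\x02"  # magic of the current MIT keytab layout; integers are big-endian
KRB5_NT_PRINCIPAL = 1
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

# Constructed sample entries: (principal, realm, kvno, enctype, key bytes).
SAMPLE_ENTRIES = [
    ("HTTP/portal2.corp.int", "CORP.INT", 3, 23, bytes(16)),
    ("HTTP/portal2.corp.int", "CORP.INT", 3, 18, bytes(32)),
]


def _octets(b: bytes) -> bytes:
    """Keytab counted octet string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_octets(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries) -> bytes:
    """Serialise entries in keytab v2 layout (used only to create the sample file)."""
    out = bytearray(KEYTAB_V2)
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps)) + _octets(realm.encode())
        body += b"".join(_octets(c.encode()) for c in comps)
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)  # name type, timestamp, 8-bit kvno
        body += struct.pack(">H", enctype) + _octets(key)
        body += struct.pack(">I", kvno)  # optional 32-bit kvno that follows the key block
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    """Return one dict per entry; the key material itself is deliberately not returned."""
    if data[:2] != KEYTAB_V2:
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:  # a negative size marks a deleted slot of that length
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_octets(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_octets(data, pos)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _read_octets(data, pos)
        kvno = vno8
        if end - pos >= 4:  # 32-bit kvno present; it overrides the 8-bit field when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append({"principal": "/".join(comps), "realm": realm.decode(), "kvno": kvno,
                        "enctype": ENCTYPE_NAMES.get(enctype, str(enctype)), "keylen": len(key)})
    return entries


def check_keytab(entries, expected_principal, expected_realm, allowed_enctypes):
    """Findings for a keytab versus the JAAS principal, configured realm and krb5.conf enctypes."""
    findings = []
    matching = [e for e in entries if e["principal"] == expected_principal]
    if not matching:
        names = sorted({e["principal"] for e in entries})
        return [f"no keytab entry for {expected_principal}; keytab holds {names}"]
    realms = {e["realm"] for e in matching}
    if realms != {expected_realm}:
        findings.append(f"keytab realm {sorted(realms)} differs from configured realm {expected_realm}")
    if not {e["enctype"] for e in matching} & set(allowed_enctypes):
        findings.append(f"no entry for {expected_principal} uses an enctype in {sorted(allowed_enctypes)}")
    kvnos = {e["kvno"] for e in matching}
    if len(kvnos) > 1:
        findings.append(f"entries carry different kvnos {sorted(kvnos)}; regenerate so they match the KDC")
    return findings


def check_keytab_mode(path: str):
    """A keytab holds the service's long-term key; any group/other bit exposes it."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        return "%s has mode %s; restrict it to the service account (0600)" % (path, oct(mode))
    return None


def write_sample_keytab(mode: int) -> str:
    """Write the constructed keytab to a temp file with the given mode and return its path."""
    fd, path = tempfile.mkstemp(suffix=".keytab")
    os.write(fd, build_keytab(SAMPLE_ENTRIES))
    os.close(fd)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    entries = parse_keytab(build_keytab(SAMPLE_ENTRIES))
    print(check_keytab(entries, "HTTP/portal2.domain", "CORP.INT", {"rc4-hmac"}))  # principal not in keytab
    print(check_keytab_mode(write_sample_keytab(0o777)))
```

On a real host, `klist -k -t /etc/httpportal2.keytab` lists the same principal, kvno and timestamp fields, and the kvno it shows is the value to compare with the account's current key version in AD; the parser above is only there to show what those fields are and where a mismatch with the JAAS entry would surface.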

jjacobwip
Champ in-the-making
Hi Boris,

Are you still having issues with Kerberos Share SSO on 5.0.d? Please let me know; I can give you some insights, as I just got it configured on 5.0.d.

Thanks
Jerry

Question: NOT ABLE TO ESTABLISH SSO using Kerberos.


Environment Details

alfresco-community-installer-201611-EA-win-x64

Windows server 2008 R2 Standard.


***** Find all the files in the attachments


Steps Performed:

1) created two LDAP users - name: AlfrescoHTTP, password: ***, name: AlfrescoCIFS, password: ***

2) a) Enable Password never expires.
    b) Disable User must change password at next logon.
    c) Select the Account tab and enable the Do not require Kerberos preauthentication option in the Account Options section.
    d) In the user Delegation tab, select the Trust this user for delegation to any service (Kerberos only) check box.

3) Created keytab files for both users, kept at location C:\alf\ on server (aaa).

4) Created "krb5.ini" file on server (aaa) at location, C:\Windows\

5) Created "java.login.config" file at location <install-path>:\Alfresco\instance\java\lib\security\ 

6) Edited the "java.security" file at <install-path>:\Alfresco\instance\java\lib\security\ and appended the following:

      login.config.url.1=file:${java.home}/lib/security/java.login.config

7) Edited alfresco-global.properties file.

8) Edited share-config-custom.xml file.

9) Restarted the alfresco services.

Log Files:

alfrescotomcat-stdout.2017-06-12.log

2017-06-12 12:34:36,168 INFO [alfresco.repo.admin] [localhost-startStop-1] Using database URL 'jdbc:postgresql://localhost:5432/alfresco' with user 'alfresco'.
2017-06-12 12:34:36,168 INFO [alfresco.repo.admin] [localhost-startStop-1] Connected to database PostgreSQL version 9.4.4
2017-06-12 12:34:45,980 INFO [domain.schema.SchemaBootstrap] [localhost-startStop-1] Ignoring script patch (post-Hibernate): patch.db-V4.2-metadata-query-indexes
2017-06-12 12:34:45,980 INFO [domain.schema.SchemaBootstrap] [localhost-startStop-1] Ignoring script patch (post-Hibernate): patch.db-V5.1-metadata-query-indexes
2017-06-12 12:34:45,980 INFO [domain.schema.SchemaBootstrap] [localhost-startStop-1] Ignoring script patch (post-Hibernate): patch.db-V5.2-remove-jbpm-tables-from-db
2017-06-12 12:34:57,667 INFO [management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Starting 'Authentication' subsystem, ID: [Authentication, managed, kerberos1]
2017-06-12 12:34:57,902 DEBUG [app.servlet.KerberosAuthenticationFilter] [localhost-startStop-1] HTTP Kerberos login successful
2017-06-12 12:34:57,902 DEBUG [app.servlet.KerberosAuthenticationFilter] [localhost-startStop-1] Logged on using principal HTTP/HOST.comp.com@COMP.COM
2017-06-12 12:34:57,933 DEBUG [webdav.auth.KerberosAuthenticationFilter] [localhost-startStop-1] HTTP Kerberos login successful
2017-06-12 12:34:57,933 DEBUG [webdav.auth.KerberosAuthenticationFilter] [localhost-startStop-1] Logged on using principal HTTP/HOST.comp.com@COMP.COM
2017-06-12 12:34:58,042 INFO [management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Startup of 'Authentication' subsystem, ID: [Authentication, managed, kerberos1] complete
2017-06-12 12:34:58,042 INFO [management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Starting 'Authentication' subsystem, ID: [Authentication, managed, ldap1]
2017-06-12 12:34:58,324 INFO [management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Startup of 'Authentication' subsystem, ID: [Authentication, managed, ldap1] complete


Alfresco.log file

2017-06-12 17:05:21,669 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-3] New Kerberos auth request from 127.0.0.1 (127.0.0.1:57333)
2017-06-12 17:05:21,669 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-3] Issuing login challenge to browser.
2017-06-12 17:05:27,888 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-7] New Kerberos auth request from 127.0.0.1 (127.0.0.1:57341)
2017-06-12 17:05:27,888 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-7] Issuing login challenge to browser.
2017-06-12 17:05:28,044 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-12] New Kerberos auth request from 127.0.0.1 (127.0.0.1:57341)
2017-06-12 17:05:28,044 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-12] Issuing login challenge to browser.
2017-06-12 17:05:28,982 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-15] New Kerberos auth request from 127.0.0.1 (127.0.0.1:57339)
2017-06-12 17:05:28,982 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-15] Issuing login challenge to browser.

Question: I want to know whether the steps performed for Kerberos SSO are correct or whether more configuration needs to be done. I am not able to figure out from the log files what the exact error is. How do I proceed further in investigating and establishing SSO?

  1. http://host:port/alfresco is getting logged in via Kerberos

Output:

2017-06-12 17:05:27,888 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-7] New Kerberos auth request from 127.0.0.1 (127.0.0.1:57341)
2017-06-12 17:05:27,888 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-7] Issuing login challenge to browser.


  2. http://host:port/share is NOT getting logged in via Kerberos

Output:
2017-06-15 13:02:35,220 DEBUG [webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-1] New Kerberos auth request from 10.172.0.215 (10.172.0.215:53162)
2017-06-15 13:02:35,220 DEBUG [webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-1] Issuing login challenge to browser.
2017-06-15 13:02:35,282 DEBUG [webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-6] Create the User environment for: SomeUserName
2017-06-15 13:02:35,282 DEBUG [webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-6] User SomeUserName logged on via Kerberos
2017-06-15 13:02:35,282 DEBUG [webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-6] Authenticated through Kerberos.
2017-06-15 13:03:51,999 DEBUG [webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-8] Found a session user: SomeUserName
2017-06-15 13:03:51,999 DEBUG [webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-8] Authentication not required (user), chaining ...

There was an issue with a module which was installed.

Once the module was uninstalled, Kerberos started working.