Kerberos setup with cluster and load balancer

loftux
Star Contributor
I'm setting up a 4.2.4 cluster with two nodes (node1.example.com, node2.example.com). Each has Alfresco and Share running.
Users access an Apache front-end that acts as a load balancer (alfresco.example.com).

The goal is to have users SSO when accessing the loadbalancer.

I've been able to create the ticket and get SSO working when accessing the nodes directly, both for HTTP and CIFS. What I still struggle with is getting SSO working from the load balancer.

What I have tried is in java.login.config:

Alfresco {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

AlfrescoCIFS {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   doNotPrompt=true
   keyTab="/etc/cifsnode1.keytab"
   principal="cifs/node1.example.com";
};

AlfrescoHTTP
{
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   doNotPrompt=true
   keyTab="/etc/httpnode1.keytab"
   principal="HTTP/node1.example.com";
};

ShareHTTP
{
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   doNotPrompt=true
   keyTab="/etc/sharehttp.keytab"
   principal="HTTP/alfresco.example.com";
};

com.sun.net.ssl.client {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

other {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

When I got Share SSO working I had the same keytab for Share as for repo HTTP. When involving the load balancer I tested if it would work if I use a third account for ShareHTTP (HTTP/alfresco.example.com), as this matches the URL users access.

In share-config-custom.xml, the Kerberos config section has the setting endpoint-spn; this should be the principal for node1/node2, i.e. HTTP/node1.example.com@EXAMPLE.COM, if I am correct?

Is there any specific setting that needs to be in the Apache configuration for it to forward Kerberos tickets? The load balancer uses AJP.

steven_okennedy
Star Contributor
Hi Loftux,

Have you seen anything to make you think that Apache is not forwarding on the Kerberos ticket?  Generally the Kerberos ticket is included in the request from a client in the "Authentication" header, as part of a GSSAPI token, so I don't know if there's anything in Apache that strips this - I assume you're not using auth_mod_kerb since you want Alfresco to do the authentication?

Do you know if you can authenticate with the Alfresco Explorer app using SSO through Apache? I just ask because Share delegates back to Alfresco for Kerberos authentication, and that extra layer of complexity can often have its own issues.

I'd be very interested to hear if you find a solution for this, as I'm in a similar situation currently as well (using a hardware load balancer instead of Apache), looking into how we can get SSO to work properly through the load balancer. Similarly, we had successfully tested in single-server environments and in clustered environments going directly to the server, but we're still having issues with SSO through the balancer.

I have a hunch that our problem at least is to do with aligning the SPNs & associated keytabs on both hosts with the name of the load balanced service rather than the host names, but I'm not sure. 

Regards

Steven
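The hunch in the reply above (SPNs and keytabs on each node must match the name of the load-balanced service, not only the node's own host name) can be checked mechanically against a java.login.config like the one in the question. The script below is an added example for this thread, not Alfresco code and not something either poster wrote: it parses the JAAS contexts, pulls the principal out of each Krb5LoginModule entry that uses a keytab, and reports every host name that clients connect to (the load balancer name and the direct node names) for which the context holds no HTTP/<host> principal. The sample config is constructed from the posted one, trimmed to the HTTP contexts; the host names are the ones the thread uses.

```python
"""Check that the Kerberos service principals in a JAAS login config cover the
host names clients actually use (direct node names and the load-balancer name).

Added illustration for this thread; not Alfresco's code. The sample config and
the accessed host names are constructed from the posted java.login.config."""
import re
import shlex

# Constructed sample, shaped like the poster's java.login.config (trimmed).
SAMPLE_JAAS = """
AlfrescoHTTP
{
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   doNotPrompt=true
   keyTab="/etc/httpnode1.keytab"
   principal="HTTP/node1.example.com";
};

ShareHTTP
{
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   doNotPrompt=true
   keyTab="/etc/sharehttp.keytab"
   principal="HTTP/alfresco.example.com";
};

other {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};
"""

# A JAAS context is   Name { entry; entry; };   (the name may contain dots)
_CONTEXT_RE = re.compile(r"([\w.]+)\s*\{(.*?)\};", re.DOTALL)


def parse_jaas(text):
    """Return {context_name: [{module, flag, options}, ...]} for a JAAS config."""
    contexts = {}
    for name, body in _CONTEXT_RE.findall(text):
        entries = []
        for raw in body.split(";"):
            tokens = shlex.split(raw)  # shlex strips the quotes around values
            if len(tokens) < 2:        # blank fragment after the last ';'
                continue
            module, flag, *opts = tokens
            options = dict(o.split("=", 1) for o in opts if "=" in o)
            entries.append({"module": module, "flag": flag, "options": options})
        contexts[name] = entries
    return contexts


def spn_host(principal):
    """'HTTP/alfresco.example.com@EXAMPLE.COM' -> ('HTTP', 'alfresco.example.com')."""
    service, _, rest = principal.partition("/")
    host = rest.split("@", 1)[0]
    return service, host.lower()


def check_spn_alignment(contexts, accessed_names, service="HTTP"):
    """For each login context, list accessed host names no keytab principal covers.

    accessed_names: {context_name: [host names users type into the browser]}.
    A SPNEGO client asks the KDC for a ticket to HTTP/<name it connected to>,
    so a node holding only HTTP/node1 cannot decrypt a ticket issued for
    HTTP/alfresco, and SSO through the balancer fails on that node."""
    findings = {}
    for ctx, names in accessed_names.items():
        covered = set()
        for entry in contexts.get(ctx, []):
            opts = entry["options"]
            if opts.get("useKeyTab") == "true" and "principal" in opts:
                svc, host = spn_host(opts["principal"])
                if svc == service:
                    covered.add(host)
        missing = [n for n in names if n.lower() not in covered]
        if missing:
            findings[ctx] = missing
    return findings


if __name__ == "__main__":
    cfg = parse_jaas(SAMPLE_JAAS)
    # Constructed: users reach the repo both through the balancer and directly.
    accessed = {
        "AlfrescoHTTP": ["alfresco.example.com", "node1.example.com"],
        "ShareHTTP": ["alfresco.example.com"],
    }
    for ctx, missing in check_spn_alignment(cfg, accessed).items():
        print(f"{ctx}: no keytab principal for {', '.join(missing)}")
```

Run against the posted config, the check flags AlfrescoHTTP on node1 as having no principal for alfresco.example.com, which is exactly the mismatch the reply suspects. The Krb5LoginModule `principal` option names a single principal, so covering both the balancer name and the node name in one context is a question of how the keytabs and contexts are laid out on each node, which the thread leaves open.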