Kerberos: Share fails to renew/refresh ticket

oleh
Champ in-the-making
We're currently having trouble with Share, we need to restart it every 10 hours.

Our setup:
Alfresco 4.0.d (community) running on Ubuntu 12.04
Windows 2008R2 AD
Kerberos SSO
Windows 7 client, IE9

Everything works fine on the Alfresco side. Alfresco Explorer and CIFS are just fine, but as soon as Share has been running for 10 hours (the default ticket lifetime in AD) we're unable to log in. First we'll be prompted with a browser login, then a Windows login, and after that the Share login form. If I reload the page and enter my password a couple of times it will eventually let me in and we can run for another 10 hours.

If I restart Share I get straight in after it comes up.

Is this a common issue? For me it seems Share should be able to renew the TGT?

I get this exception in the logs:


13:55:18,443  DEBUG [site.servlet.SSOAuthenticationFilter] Kerberos logon error
java.lang.IllegalStateException: This ticket is no longer valid
   at javax.security.auth.kerberos.KerberosTicket.toString(KerberosTicket.java:638)
   at java.lang.String.valueOf(String.java:2854)
   at java.lang.StringBuilder.append(StringBuilder.java:128)
   at sun.security.jgss.krb5.SubjectComber.findAux(SubjectComber.java:150)
   at sun.security.jgss.krb5.SubjectComber.find(SubjectComber.java:59)
   at sun.security.jgss.krb5.Krb5Util.getTicket(Krb5Util.java:155)
   at sun.security.jgss.krb5.Krb5Context$1.run(Krb5Context.java:606)
   at sun.security.jgss.krb5.Krb5Context$1.run(Krb5Context.java:599)
   at java.security.AccessController.doPrivileged(Native Method)
   at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:598)
   at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
   at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
   at org.alfresco.web.site.servlet.KerberosSessionSetupPrivilegedAction.run(KerberosSessionSetupPrivilegedAction.java:127)
   at org.alfresco.web.site.servlet.KerberosSessionSetupPrivilegedAction.run(KerberosSessionSetupPrivilegedAction.java:44)
   at java.security.AccessController.doPrivileged(Native Method)
   at javax.security.auth.Subject.doAs(Subject.java:356)
   at org.alfresco.web.site.servlet.SSOAuthenticationFilter.doKerberosLogon(SSOAuthenticationFilter.java:1009)
   at org.alfresco.web.site.servlet.SSOAuthenticationFilter.doFilter(SSOAuthenticationFilter.java:441)
   at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1326)
   at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:479)
   at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:119)
   at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:520)
   at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:227)
   at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:940)
   at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:409)
   at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:186)
   at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:874)
   at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)
   at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:250)
   at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:149)
   at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:110)
   at org.eclipse.jetty.server.Server.handle(Server.java:349)
   at org.eclipse.jetty.server.HttpConnection.handleRequest(HttpConnection.java:441)
   at org.eclipse.jetty.server.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:904)
   at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:565)
   at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:217)
   at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:46)
   at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:545)
   at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:43)
   at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:598)
   at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:533)
   at java.lang.Thread.run(Thread.java:722)


Any info or pointers will be very welcome!


Some setup info:

share-config-custom.xml:

   <config evaluator="string-compare" condition="Kerberos" replace="true">
      <kerberos>
         <password>password</password>
         <realm>DOMAIN.LOCAL</realm>
         <endpoint-spn>HTTP/alfresco.domain.local@DOMAIN.LOCAL</endpoint-spn>
         <config-entry>ShareHTTP</config-entry>
      </kerberos>
   </config>
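The trace above shows initSecContext pulling a KerberosTicket out of the service Subject's private credentials after its lifetime has passed. One defensive pattern is to check the held TGT before every Subject.doAs and refresh or re-login when it is stale. The following is an added example (not Alfresco's or Share's own code); it assumes a JAAS configuration entry named ShareHTTP, as in the share-config-custom.xml shown, and a CallbackHandler that supplies the service account credentials to Krb5LoginModule.

```java
import java.security.PrivilegedExceptionAction;
import javax.security.auth.RefreshFailedException;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Holds a service Subject and guarantees its Kerberos TGT is current before use. */
public final class RenewingKerberosSubject {
    private final String jaasEntry;         // assumed: "ShareHTTP", the <config-entry> from share-config-custom.xml
    private final CallbackHandler handler;  // assumed: supplies the service account password/keytab
    private final long graceMillis;         // treat tickets expiring within this window as stale
    private Subject subject;

    public RenewingKerberosSubject(String jaasEntry, CallbackHandler handler, long graceMillis) {
        this.jaasEntry = jaasEntry;
        this.handler = handler;
        this.graceMillis = graceMillis;
    }

    /** True if the Subject holds no TGT or every TGT it holds expires within the grace window. */
    static boolean isStale(Subject s, long graceMillis) {
        if (s == null) return true;
        long deadline = System.currentTimeMillis() + graceMillis;
        for (KerberosTicket t : s.getPrivateCredentials(KerberosTicket.class)) {
            if (t.isCurrent() && t.getEndTime().getTime() > deadline) return false;
        }
        return true;
    }

    /** Returns a Subject with a valid TGT: renew in place if allowed, otherwise log in again. */
    public synchronized Subject current() throws LoginException {
        if (subject != null) {
            for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
                if (t.isRenewable() && !isStale(subject, graceMillis)) continue;
                try { t.refresh(); } catch (RefreshFailedException e) { /* fall back to a fresh login */ }
            }
        }
        if (isStale(subject, graceMillis)) {
            LoginContext lc = new LoginContext(jaasEntry, handler);  // fresh AS exchange with the KDC
            lc.login();
            subject = lc.getSubject();  // drop the Subject carrying the expired ticket
        }
        return subject;
    }

    /** Runs the action (e.g. GSSContext.initSecContext) under a Subject whose TGT is known to be valid. */
    public <T> T doAs(PrivilegedExceptionAction<T> action) throws Exception {
        return Subject.doAs(current(), action);
    }
}
```

If the check still reports expiry right after a fresh login, compare clocks between the host and the domain controller: a skewed clock makes a just-issued ticket look expired or not yet valid.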

2 REPLIES

jspuchau
Champ in-the-making
Hi

Any update here? Same is happening to us.

Regards,

resplin
Elite Collaborator

This post came up again (see ALF-21938). Talking to the team, we are confident it is a misconfiguration on the Active Directory side, rather than with the Alfresco product.

From Ole Hejlskov: If memory serves me correctly . . . it was the issue with time sync. We had an issue back in the day where the AD was syncing with a different NTP server than the repo did. We ended up syncing everything with the AD server.