Kerberos Share SSO - trying out what's new in HEAD

loftux
Star Contributor
I'm trying to set up the new SSO mechanism found in HEAD that will support Kerberos SSO for Share.
And of course there is a lot of guesswork when playing with the latest stuff :)

I'm getting this error
12:11:11,580 WARN  [org.alfresco.web.site.servlet.KerberosSessionSetupPrivilegedAction] credentials can not be delegated!

So I made sure the accounts set up for Kerberos had the setting "trusted for delegation" ticked in AD. Didn't help.
In krb5.conf I have
        forwardable = true
        proxiable = true


This is what I have in share-config-custom.xml
   <config evaluator="string-compare" condition="Remote">
     <remote>
        
        <connector>
           <id>alfrescoCookie</id>
           <name>Alfresco Connector</name>
           <description>Connects to an Alfresco instance using cookie-based authentication</description>
           <class>org.springframework.extensions.webscripts.connector.AlfrescoConnector</class>
        </connector>
                 
        <endpoint>
           <id>alfresco</id>
           <name>Alfresco - user access</name>
           <description>Access to Alfresco Repository WebScripts that require user authentication</description>
           <connector-id>alfrescoCookie</connector-id>
           <endpoint-url>http://alfresco.alf.se:8080/alfresco/wcs</endpoint-url>
           <identity>user</identity>
           <external-auth>true</external-auth>
        </endpoint>

     </remote>
  </config>
Should I use alfrescoCookie as connector-id? The server endpoint-url uses the same server-name as for the security principals.

As for the Share Kerberos config
   <!-- Kerberos settings -->
   <config evaluator="string-compare" condition="Kerberos" replace="true">
      <kerberos>
         <password>secret</password>
         <realm>ALF.SE</realm>
         <endpoint-spn>HTTP/alfresco.alf.se@ALF.SE</endpoint-spn>
         <config-entry>AlfrescoHTTP</config-entry>
      </kerberos>
   </config>
I re-used the Config for Alfresco Explorer, is that allowed?
I tried to create a separate keytab for Share, but since HTTP/alfresco.alf.se@ALF.SE was and they are on the same server, I used HTTPSHARE/alfresco.alf.se@ALF.SE for the user created. Didn't work.
Is there a rule that the prefix for an HTTP application must be exactly that? If so, then my understanding is that the only way to get this setup to work is to set up Share and Alfresco on separate servers.

jbarros
Champ in-the-making
Hi,
Have you found a solution for Kerberos Share SSO?

loftux
Star Contributor
Yes, you can get SSO with Kerberos for Share using 3.4.b (and possibly 3.4.a, I haven't tested)
You have the config example in share-config-custom.xml.sample.
If you have Share and Alfresco on the same server, you can use the same account/keytab. If Share is on a separate server, you need to create a separate account for the Share server, and this server needs to access AD directly; my understanding is that Share validates your ticket directly with the AD server.

There is however one issue, and that is that you do not get fallback to form-based login if the browser doesn't support Kerberos, or you are not logged in to your AD domain.
I've reported the issue http://issues.alfresco.com/jira/browse/ALF-5159
There you also can find config files attached to the issue that you can use as a sample.

mody25egy
Champ in-the-making
I have the same issue :s How did you fix it?

dward
Champ on-the-rise
I just tried this out on Alfresco 3.4.10 and hit the same issue. I eventually found that the documented configuration does work, but it's VERY important to access the alfresco server in your browser through its fully qualified domain name used in the Kerberos configuration (not localhost) and to make sure this name is added to your local intranet security zone in Internet Explorer. Without it in my local intranet zone I was getting the "credentials can not be delegated" message - it seems that the browser indicates that the credentials supplied are not delegatable (delagable?) when authenticating outside the intranet. Hope this saves someone else a few hours!

I also discovered a bug with the handling of NegoEx requests in https://issues.alfresco.com/jira/browse/ALF-14462 . Expect a fix for this in HEAD very soon!

jean-rémyrevy
Champ in-the-making
A (really) long time after, for someone like me in this kind of trouble, I suggest you read this: http://serverfault.com/questions/399384/credentials-can-not-be-delegated-alfresco-share
In a few words, you may comment out / remove these lines from /etc/krb5.conf:

<blockcode>
forwardable = true
proxiable = true
</blockcode>
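The thread's three concrete pitfalls are all configuration consistency problems: the SPN's service class (the original poster's HTTPSHARE/ experiment), the endpoint-url host matching the SPN host, and accessing the server by the FQDN from the Kerberos config rather than localhost (dward's point), plus the krb5.conf forwardable/proxiable flags that the first post and the last reply disagree about. The following script is an added example, not code from the thread or from Alfresco: it parses a share-config-custom.xml and a krb5.conf and reports those mismatches before you start chasing "credentials can not be delegated" in the logs. The sample config is constructed here with the element names and hostnames from the thread and a placeholder password; it assumes the file's root element is `<alfresco-config>`, and it only checks the file contents, not the keytab or the AD account settings. The krb5.conf flags are reported, not judged, since the thread gives opposite advice on them.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample share-config-custom.xml: element names and hostnames are the
# ones used in the thread, the root element name is an assumption, the password is a placeholder.
SAMPLE_SHARE_CONFIG = """<alfresco-config>
  <config evaluator="string-compare" condition="Remote">
    <remote>
      <endpoint>
        <id>alfresco</id>
        <connector-id>alfrescoCookie</connector-id>
        <endpoint-url>http://alfresco.alf.se:8080/alfresco/wcs</endpoint-url>
        <identity>user</identity>
        <external-auth>true</external-auth>
      </endpoint>
    </remote>
  </config>
  <config evaluator="string-compare" condition="Kerberos" replace="true">
    <kerberos>
      <password>PLACEHOLDER_KEYTAB_PASSWORD</password>
      <realm>ALF.SE</realm>
      <endpoint-spn>HTTP/alfresco.alf.se@ALF.SE</endpoint-spn>
      <config-entry>AlfrescoHTTP</config-entry>
    </kerberos>
  </config>
</alfresco-config>
"""

# Constructed sample /etc/krb5.conf with the two flags discussed in the thread.
SAMPLE_KRB5_CONF = """[libdefaults]
    default_realm = ALF.SE
    forwardable = true
    proxiable = true

[realms]
    ALF.SE = {
        kdc = dc.alf.se
    }
"""

SPN_RE = re.compile(r"^(?P<service>[^/]+)/(?P<host>[^@]+)@(?P<realm>.+)$")


def parse_spn(spn):
    """Split 'service/host@REALM' into its parts (host lower-cased for comparison)."""
    m = SPN_RE.match(spn.strip())
    if not m:
        raise ValueError("SPN not in service/host@REALM form: %r" % spn)
    return m.group("service"), m.group("host").lower(), m.group("realm")


def libdefaults(krb5_text):
    """Return the flat key = value pairs of the [libdefaults] section of a krb5.conf."""
    section, out = None, {}
    for raw in krb5_text.splitlines():
        line = re.split(r"[#;]", raw, 1)[0].strip()   # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            out[key.lower()] = value.lower()
    return out


def check_share_kerberos(share_xml, browser_host=None):
    """Return a list of problems found in the Share Kerberos/Remote config (empty = consistent)."""
    root = ET.fromstring(share_xml)
    kerb = root.find("./config[@condition='Kerberos']/kerberos")
    remote = root.find("./config[@condition='Remote']/remote")
    if kerb is None or remote is None:
        return ["missing <kerberos> or <remote> section"]
    problems = []
    service, spn_host, spn_realm = parse_spn(kerb.findtext("endpoint-spn", ""))
    realm = kerb.findtext("realm", "").strip()
    # Browsers doing SPNEGO request a ticket for HTTP/<host>, so any other service class fails.
    if service != "HTTP":
        problems.append("SPN service class is %r; browsers request HTTP/<host>" % service)
    if spn_realm != realm:
        problems.append("SPN realm %s differs from <realm> %s" % (spn_realm, realm))
    if "." not in spn_host or spn_host == "localhost":
        problems.append("SPN host %r is not a fully qualified name" % spn_host)
    for ep in remote.findall("endpoint"):
        host = (urlparse(ep.findtext("endpoint-url", "")).hostname or "").lower()
        if host != spn_host:
            problems.append("endpoint %s host %r != SPN host %r" % (ep.findtext("id"), host, spn_host))
    # The hostname typed into the browser must be the SPN host as well (not localhost).
    if browser_host is not None and browser_host.lower() != spn_host:
        problems.append("browser host %r != SPN host %r; use the FQDN" % (browser_host, spn_host))
    return problems


if __name__ == "__main__":
    for p in check_share_kerberos(SAMPLE_SHARE_CONFIG, browser_host="localhost"):
        print("PROBLEM:", p)
    flags = libdefaults(SAMPLE_KRB5_CONF)
    for key in ("forwardable", "proxiable"):
        print("krb5.conf [libdefaults] %s = %s" % (key, flags.get(key, "<unset>")))
```

Run it against your real files by replacing the two sample strings with the file contents; an empty problem list from `check_share_kerberos` means the SPN, realm and endpoint-url agree with each other, which is the state dward describes as working once the FQDN is also in the browser's intranet zone.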