Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Hyland Connect
- Enterprise Platforms
- Alfresco
- Alfresco Archive
- Kerberos SSO (against AD) sometimes fails on Share...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Kerberos SSO (against AD) sometimes fails on Share (4.0.d)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-17-2013 04:02 AM
I've recently implemented Kerberos SSO on both CIFS and Share. At first glance everything looks fine, it works smooth.
Until later durring the day, when users starts to be prompted for passwords.
My first instinct is that we're dealing with expired Kerberos tickets. Enabling debugging, yup, it seems so:
I restart my borwser and get issued a new ticket and everything is good.
After this I check my ticket with klist. I have a nice valid and renewable ticket that lasts for 10 hours.
1-5 hours later (random, no system in the timeframe) I experience EXACTLY the same thing. Login prompt (windows login, not Share login page). Verify the ticket, it's still valid. I restart the browser and we're good to go again.
However, from the logs it does not say that my ticket is no longer valid, it says:
What could cause this?
I checked time on the servers and they were NOT in sync. I setup NTP and now they are, but the problem still persists.
I also experience that I have to restart Share every 10 hours, after the Kerberos ticket for my AlfrescoHTTP expires,
it can't renew it.
It only seems to be a problem with Share. Alfresco explorer and CIFS works just fine.
Any pointers could be most welcome!
More details about my setup:
Alfresco 4.0.d
Win 2008 r2 server (AD)
Alfresco config:
share-config-custom.xml:
Until later durring the day, when users starts to be prompted for passwords.
My first instinct is that we're dealing with expired Kerberos tickets. Enabling debugging, yup, it seems so:
Found ticket for OLEH@MYDOMAIN.LOCAL to go to HTTP/alfresco.local@DOMAIN.LOCAL expiring on Fri May 17 03:47:56 WGST 2013
04:52:06,730 DEBUG [site.servlet.SSOAuthenticationFilter] Kerberos logon error
java.lang.IllegalStateException: This ticket is no longer valid
I restart my borwser and get issued a new ticket and everything is good.
After this I check my ticket with klist. I have a nice valid and renewable ticket that lasts for 10 hours.
1-5 hours later (random, no system in the timeframe) I experience EXACTLY the same thing. Login prompt (windows login, not Share login page). Verify the ticket, it's still valid. I restart the browser and we're good to go again.
However, from the logs it does not say that my ticket is no longer valid, it says:
Search Subject for Kerberos V5 ACCEPT cred (HTTP/alfresco.DOMAIN.LOCAL@DOMAIN.LOCAL, sun.security.jgss.krb5.Krb5AcceptCredential)
Found key for HTTP/alfresco.DOMAIN.LOCAL@DOMAIN.LOCAL(23)
Entered Krb5Context.acceptSecContext with state=STATE_NEW
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 3 1 23 16 17 18.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> Config reset default kdc DOMAIN.LOCAL
replay cache for oleh@DOMAIN.LOCAL is null.
object 0: 1368700723000/198
object 0: 1368700723000/198
>>> KrbApReq: authenticate succeed.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>Delegated Creds have pname=oleh@DOMAIN.LOCAL sname=krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL authtime=null starttime=20130516102536Z endtime=20130516202533ZrenewTill=2013052310253
3Z
Krb5Context setting peerSeqNumber to: 145069278
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Krb5Context setting mySeqNumber to: 607740720
Entered Krb5Context.initSecContext with state=STATE_NEW
Found ticket for HTTP/alfresco.DOMAIN.LOCAL@DOMAIN.LOCAL to go to krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL expiring on Thu May 16 15:49:24 WGST 2013
Found ticket for OLEH@DOMAIN.LOCAL to go to HTTP/alfresco.DOMAIN.LOCAL@DOMAIN.LOCAL expiring on Thu May 16 15:16:15 WGST 2013
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
default etypes for default_tgs_enctypes: 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbKdcReq send: kdc=10.66.60.20 UDP:88, timeout=30000, number of retries =3, #bytes=1627
>>> KDCCommunication: kdc=10.66.60.20 UDP:88, timeout=30000,Attempt =1, #bytes=1627
>>> KrbKdcReq send: #bytes read=116
>>> KrbKdcReq send: #bytes read=116
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
sTime is Thu May 16 08:38:43 WGST 2013 1368700723000
suSec is 284507
error code is 52
error Message is Response too big for UDP, retry with TCP
realm is DOMAIN.LOCAL
sname is HTTP/alfresco.DOMAIN.LOCAL
msgType is 30
>>> KrbKdcReq send: kdc=10.66.60.20 TCP:88, timeout=30000, number of retries =3, #bytes=1621
>>>DEBUG: TCPClient reading 1578 bytes
>>> KrbKdcReq send: #bytes read=1578
>>> KrbKdcReq send: #bytes read=1578
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbApReq: APOptions are 00100000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Krb5Context setting mySeqNumber to: 857087925
Created InitSecContextToken:
0000: 01 00 6E 82 0C 14 30 82 0C 10 A0 03 02 01 05 A1 ..n…0………
0010: 03 02 01 0E A2 07 03 05 00 20 00 00 00 A3 82 04 ……… ……
0020: FB 61 82 04 F7 30 82 04 F3 A0 03 02 01 05 A1 15 .a…0……….
0030: 1B 13 4E 55 4B 49 53 53 49 4F 52 46 49 49 54 2E ..DOMAIN.
0040: 49 4E 54 52 41 A2 2E 30 2C A0 03 02 01 00 A1 25 INTRA..0,……%
0050: 30 23 1B 04 48 54 54 50 1B 1B 6E 75 6B 69 64 6F 0#..HTTP..alfresc
0060: 63 2E 6E 75 6B 69 73 73 69 6F 72 66 69 69 74 2E o.DOMAIN.
0070: 69 6E 74 72 61 A3 82 04 A3 30 82 04 9F A0 03 02 local….0……
0080: 01 17 A1 03 02 01 0E A2 82 04 91 04 82 04 8D F7 …………….
0090: 22 0C A3 CB 00 21 0F 90 81 A9 9B 5E 1E 43 CD 36 "….!…..^.C.6
00A0: 33 F0 93 EC E8 5D E0 55 AA 7F A5 AE 34 5E 4F 98 3….].U….4^O.
00B0: F2 EB 80 5C 56 23 D8 3F CF 9F EA 0D 8B 2C E7 73 …\V#.?…..,.s
00C0: E4 F5 BB 06 84 56 DA D4 25 EE D4 A8 F0 D4 C5 29 …..V..%……)
00D0: 6A 32 2C DD A0 50 1B DD 14 78 CA 98 9B AD 34 B0 j2,..P…x….4.
00E0: AF 87 E4 A6 47 BF FF E1 EA 14 6A B8 C8 BC D9 EA ….G…..j…..
[a lot more hex code]
What could cause this?
I checked time on the servers and they were NOT in sync. I setup NTP and now they are, but the problem still persists.
I also experience that I have to restart Share every 10 hours, after the Kerberos ticket for my AlfrescoHTTP expires,
it can't renew it.
It only seems to be a problem with Share. Alfresco explorer and CIFS works just fine.
Any pointers could be most welcome!
More details about my setup:
Alfresco 4.0.d
Win 2008 r2 server (AD)
Alfresco config:
kerberos.authentication.realm=DOMAIN.LOCAL
kerberos.authentication.sso.enabled=true
kerberos.authentication.authenticateCIFS=true
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.stripUsernameSuffix=true
kerberos.authentication.cifs.password=[pass]
kerberos.authentication.http.password=[pass]
kerberos.authentication.defaultAdministratorUserNames=oleh
authentication.chain=kerberos1:kerberos,ldap1:ldap
share-config-custom.xml:
<config evaluator="string-compare" condition="Kerberos" replace="true">
<kerberos>
<password>[pass]</password>
<realm>DOMAIN.LOCAL</realm>
<endpoint-spn>HTTP/alfresco.domain.local@DOMAIN.LOCAL</endpoint-spn>
<config-entry>ShareHTTP</config-entry>
</kerberos>
</config>
Labels:
- Labels:
-
Archive
1 REPLY 1
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-25-2019 05:57 AM
Is there anyone who has solved this problem?
Thanks.
Related Content
- fileServersNG 24.3 Released - SMB2/SMB3 file server in Alfresco Forum
- ACS 23.1 : Share QuickLink redirect for authentication when using Keycloak in Alfresco Forum
- Alfresco Share Kerberos SSO - credentials cannot be delegated in Alfresco Forum
- unconstrained delegation with Kerberos in Alfresco Forum
- ACS 7.3 CE Kerberos SSO not working, always shows login page in Alfresco Forum
Getting started
Tags
Find what you came for
We want to make your experience in Hyland Connect as valuable as possible, so we put together some helpful links.
