Kerberos SSO for Share (and Alfresco) struggles

john_pen
Champ in-the-making
Hi folks,

I'm looking for some help on this subject really, and any assistance is greatly appreciated.

I basically followed the instructions in the below guides to get to the position I am currently in now:
http://docs.alfresco.com/4.0/tasks/auth-kerberos-ADconfig.html
http://docs.alfresco.com/4.0/tasks/auth-kerberos-shareSSO.html

Firstly I should start by saying my knowledge of Alfresco ranges between none and very little (remove "of Alfresco" from that statement and the same could still be said!) but I've been tasked with configuring Kerberos SSO for Share and Alfresco web apps. So imagine my surprise when I actually managed to get it working, quickly followed by my dismay when it suddenly decided to stop working. I've read over a number of other posts where people are experiencing similar issues but have not found anything that has helped to resolve my issue as yet.

Current state of affairs - When browsing (in both Chrome and IE) to /alfresco or /share, a credentials dialog box now appears, which when cancelled takes me to the respective app login page where I am able to log in using Windows credentials. Previously I would be logged straight into the app without any prompts - the only thing I know to have changed from the working config is that a new keytab file was created, although this does appear to authenticate properly ("kinit -k -t…" comes back successful).

Our environment looks something like the below:
Alfresco Community Edition 4.0.d (running on Ubuntu 12.04 LTS)
Java 7 (OpenJDK 7)
Server 2008 R2 Active Directory Domain Controller

I have enabled Kerberos debugging but the Alfresco.log isn't really forthcoming with any useful information (to me at least) so I was wondering how else I can find the root cause of this problem?

Unfortunately I'm unable to attach files so I have reluctantly pasted below various config/log files (or extracts), having removed actual config specific to our environment.

###alfresco-global.properties:###
#Authentication Chain
authentication.chain=kerberos1:kerberos,dc1:ldap-ad,alfinst:alfrescoNtlm
ntlm.authentication.sso.enabled=false

###kerberos-authentication.properties###
kerberos.authentication.realm=DOMAIN.LOCAL
kerberos.authentication.sso.enabled=true
kerberos.authentication.authenticateCIFS=true
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.cifs.password=<Password>
kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.stripUsernameSuffix=true
kerberos.authentication.http.password=<Password>
kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.defaultAdministratorUserNames=admin,administrator
kerberos.authentication.browser.ticketLogons=true

###krb5.conf###
[libdefaults]
   default_realm = <MYDOMAIN.LOCAL>

# The following krb5.conf variables are only for MIT Kerberos.
   krb4_config = /etc/krb.conf
   krb4_realms = /etc/krb.realms
   kdc_timesync = 1
   ccache_type = 4
   forwardable = true
   proxiable = true


   default_tgs_enctypes = arcfour-hmac-md5
   default_tkt_enctypes = arcfour-hmac-md5
   permitted_enctypes = arcfour-hmac-md5

# The following libdefaults parameters are only for Heimdal Kerberos.
   v4_instance_resolve = false
   v4_name_convert = {
      host = {
         rcmd = host
         ftp = ftp
      }
      plain = {
         something = something-else
      }
   }
   fcc-mit-ticketflags = true

[realms]
   <MYDOMAIN.LOCAL> = {
      kdc = <domaincontroller.mydomain.local>
      admin_server = <domaincontroller.mydomain.local>
      default_domain = <MYDOMAIN.LOCAL>
   }

[domain_realm]
   .<mydomain.local> = <MYDOMAIN.LOCAL>
   <mydomain.local> = <MYDOMAIN.LOCAL>

###java.security###
login.config.url.1=file:${java.home}/lib/security/java.login.config   

###java.login###
Alfresco {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

AlfrescoCIFS {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/keys/cifs<server FQDN>.keytab"
   principal="cifs/cifs<server FQDN>";
};

ShareHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/keys/http<server FQDN>.keytab"
   principal="HTTP/<server FQDN>";
};

AlfrescoHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/keys/http<server FQDN>.keytab"
   principal="HTTP/<server FQDN>";
};

com.sun.net.ssl.client {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

other {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

###share-config-custom.xml###
<!-- Kerberos settings -->
   <!-- To enable kerberos rename this condition to "Kerberos" -->
   <config evaluator="string-compare" condition="Kerberos" replace="true">
      <kerberos>
         <!--
            Password for HTTP service account.
            The account name *must* be built from the HTTP server name, in the format :
               HTTP/<server_name>@<realm>
            (NB this is because the web browser requests an ST for the
            HTTP/<server_name> principal in the current realm, so if we're to decode
            that ST, it has to match.)
         -->
         <password>Password</password>
         <!--
            Kerberos realm and KDC address.
         -->
         <realm>MYDOMAIN.LOCAL</realm>
         <!--
            Service Principal Name to use on the repository tier.
            This must be like: HTTP/host.name@REALM
         -->
         <endpoint-spn>HTTP/serverFQDN@MYDOMAIN.LOCAL</endpoint-spn>
         <!--
            JAAS login configuration entry name.
         -->
         <config-entry>ShareHTTP</config-entry>
      </kerberos>
   </config>

   <!-- example port config used to access remote Alfresco server (default is 8080) -->
  
I also uncommented the two following "<config evaluator="string-compare" condition="Remote">" sections in this file.

###Alfresco.log###
15:25:00,559 INFO  [org.apache.chemistry.opencmis.browser.BrowseServlet] Allow pattern: http.*
15:26:54,832 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] HTTP Kerberos login successful
15:26:54,833 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Logged on using principal HTTP/server.mydomain.local@MYDOMAIN.LOCAL
15:26:54,845 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Authentication not required (filter), chaining …
15:26:54,891 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Authentication not required (filter), chaining …
15:26:54,917 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Authentication not required (filter), chaining …
15:26:54,935 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] New Kerberos auth request from 127.0.0.1 (127.0.0.1:39732)
15:27:12,794 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] New Kerberos auth request from 127.0.0.1 (127.0.0.1:38034)
15:27:12,804 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] New Kerberos auth request from 127.0.0.1 (127.0.0.1:47490)
15:27:12,816 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Authentication not required (filter), chaining …
15:27:12,854 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Authentication not required (filter), chaining …
15:27:12,868 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Authentication not required (filter), chaining …
15:27:13,647 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Authentication not required (filter), chaining …
15:27:13,661 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Authentication not required (filter), chaining …
15:27:13,714 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] New Kerberos auth request from 127.0.0.1 (127.0.0.1:49959)
15:27:13,720 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] New Kerberos auth request from 127.0.0.1 (127.0.0.1:57950)
15:27:14,185 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Authentication not required (filter), chaining …
15:27:14,199 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Authentication not required (filter), chaining …
15:27:14,220 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Authentication not required (filter), chaining …
15:27:14,742 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] New Kerberos auth request from 127.0.0.1 (127.0.0.1:49811)
15:27:14,749 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] New Kerberos auth request from 127.0.0.1 (127.0.0.1:49266)
15:27:43,509 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] New Kerberos auth request from 127.0.0.1 (127.0.0.1:57304)
15:27:43,513 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] New Kerberos auth request from 127.0.0.1 (127.0.0.1:58560)
15:27:48,110 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] New Kerberos auth request from x.x.x.x (x.x.x.x:38935)
15:27:48,115 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Client sent an NTLMSSP security blob **prompted in browser for domain credentials at this point**
15:27:52,152 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Login page requested, chaining …

Apologies for the information overload! Again, thanks to anyone who takes the time to look at this, it's a real pain.

Regards,
John


sab
Champ in-the-making
I noticed this in your file:
keyTab="/etc/keys/http.keytab"

If you look here:
http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#Kerberos
An example is keyTab="/etc/alfrescohttp.keytab"

So you have a folder in between where the file should be???
Just an idea.

I myself have tried and failed to get Kerberos to work, so I know little about this software also. All I got working was passthru & LDAP-AD.

Regards

swatnew1
Champ on-the-rise
I have tried and implemented Kerberos successfully. It works.
John,
Principal cannot be just HTTP/

It should be like below
AlfrescoHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/keys/prod_int_merged.keytab"
   principal="HTTP/edms.deltads.ent";
};

ShareHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/keys/prod_int_merged.keytab"
   principal="HTTP/edms.deltads.ent";
};
Http/servername

john_pen
Champ in-the-making
Hi Swatnew1,

Thanks for your response, again it's greatly appreciated.

Sorry - I've removed a number of references to our domain/network from the config files but overlooked the fact that I hadn't padded out the principal with some dummy info. The principals are actually more like 'principal="HTTP/servername.domain.local"' and "cifs/servername.domain.local". These point at the users/SPNs created in Active Directory, and keytab authentication against these principals (using the kinit command in Ubuntu) is successful.

I also did have kerberos SSO working for a brief period of time and as far as I can tell nothing has changed in terms of config, but now I get a basic authentication prompt from the browser (IE or Chrome) when accessing alfresco and share sites.

Question: NOT ABLE TO ESTABLISH SSO using Kerberos.

Environment Details

alfresco-community-installer-201611-EA-win-x64

Windows server 2008 R2 Standard.

***** Find all the files in the attachments

Steps Performed:

1) Created two LDAP users - name: AlfrescoHTTP, password: ***, name: AlfrescoCIFS, password: ***

2) a) Enable Password never expires.
   b) Disable User must change password at next logon.
   c) Select the Account tab and enable the Do not require Kerberos preauthentication option in the Account Options section.
   d) In the user Delegation tab, select the Trust this user for delegation to any service (Kerberos only) check box.

3) Created keytab files for both users, kept at location C:\alf\ on server (aaa).

4) Created "krb5.ini" file on server (aaa) at location C:\Windows\

5) Created "java.login.config" file at location <install-path>:\Alfresco\instance\java\lib\security\

6) Edited "java.security" file at <install-path>:\Alfresco\instance\java\lib\security\ path and appended the following:

      login.config.url.1=file:${java.home}/lib/security/java.login.config

7) Edited alfresco-global.properties file.

8) Edited share-config-custom.xml file.

9) Restarted the alfresco services.
Log Files:

alfrescotomcat-stdout.2017-06-12.log

2017-06-12 12:34:36,168 INFO [alfresco.repo.admin] [localhost-startStop-1] Using database URL 'jdbc:postgresql://localhost:5432/alfresco' with user 'alfresco'.
2017-06-12 12:34:36,168 INFO [alfresco.repo.admin] [localhost-startStop-1] Connected to database PostgreSQL version 9.4.4
2017-06-12 12:34:45,980 INFO [domain.schema.SchemaBootstrap] [localhost-startStop-1] Ignoring script patch (post-Hibernate): patch.db-V4.2-metadata-query-indexes
2017-06-12 12:34:45,980 INFO [domain.schema.SchemaBootstrap] [localhost-startStop-1] Ignoring script patch (post-Hibernate): patch.db-V5.1-metadata-query-indexes
2017-06-12 12:34:45,980 INFO [domain.schema.SchemaBootstrap] [localhost-startStop-1] Ignoring script patch (post-Hibernate): patch.db-V5.2-remove-jbpm-tables-from-db
2017-06-12 12:34:57,667 INFO [management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Starting 'Authentication' subsystem, ID: [Authentication, managed, kerberos1]
2017-06-12 12:34:57,902 DEBUG [app.servlet.KerberosAuthenticationFilter] [localhost-startStop-1] HTTP Kerberos login successful
2017-06-12 12:34:57,902 DEBUG [app.servlet.KerberosAuthenticationFilter] [localhost-startStop-1] Logged on using principal HTTP/HOST.comp.com@COMP.COM
2017-06-12 12:34:57,933 DEBUG [webdav.auth.KerberosAuthenticationFilter] [localhost-startStop-1] HTTP Kerberos login successful
2017-06-12 12:34:57,933 DEBUG [webdav.auth.KerberosAuthenticationFilter] [localhost-startStop-1] Logged on using principal HTTP/HOST.comp.com@COMP.COM
2017-06-12 12:34:58,042 INFO [management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Startup of 'Authentication' subsystem, ID: [Authentication, managed, kerberos1] complete
2017-06-12 12:34:58,042 INFO [management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Starting 'Authentication' subsystem, ID: [Authentication, managed, ldap1]
2017-06-12 12:34:58,324 INFO [management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Startup of 'Authentication' subsystem, ID: [Authentication, managed, ldap1] complete
Alfresco.log file

2017-06-12 17:05:21,669 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-3] New Kerberos auth request from 127.0.0.1 (127.0.0.1:57333)
2017-06-12 17:05:21,669 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-3] Issuing login challenge to browser.
2017-06-12 17:05:27,888 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-7] New Kerberos auth request from 127.0.0.1 (127.0.0.1:57341)
2017-06-12 17:05:27,888 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-7] Issuing login challenge to browser.
2017-06-12 17:05:28,044 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-12] New Kerberos auth request from 127.0.0.1 (127.0.0.1:57341)
2017-06-12 17:05:28,044 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-12] Issuing login challenge to browser.
2017-06-12 17:05:28,982 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-15] New Kerberos auth request from 127.0.0.1 (127.0.0.1:57339)
2017-06-12 17:05:28,982 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-15] Issuing login challenge to browser.

Question: Want to know whether the steps performed for Kerberos SSO are correct or whether some more config needs to be done. Not able to figure out from the log files what the exact error is. How do I proceed further in investigating and establishing SSO?

john_pen
Champ in-the-making
Hi Sab,

Firstly thanks for taking the time to reply, I appreciate it. Secondly, apologies for the delayed response.

Yes, the keytab files are stored in '/etc/keys/', but as long as the keytabs can be found in the path specified in the java.login.config file I don't think this is the issue. Kerberos SSO was working with this config but for the life of me I can't find what has changed to break it. That said, I'm completely out of ideas at this point so I'm willing to try anything.

Regards,
John

Did you have any luck in resolving this? We have hit the exact same problem (or if not,
something very similar anyway). I would be interested to hear if you have found a solution.

Regards,

Angelos

…and it may help you, too, so I am giving out some hints here.
Your logs state that Kerberos is not attempted at all by your browser:

15:27:48,110 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] New Kerberos auth request from x.x.x.x  (x.x.x.x:38935)
15:27:48,115 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Client sent an NTLMSSP security blob


"Client sent an NTLMSSP security blob" means that the Authorize: HTTP header that your browser is sending
does not contain a Kerberos ticket, but instead an NTLMSSP protocol blob, containing negotiation data. The
next question is, why?

In order to debug this, you should use a sniffer like Wireshark to capture the conversation between your
client and your KDC/AS (your domain controller). Look for a possible failure when the client sends a
TGS-REQ request to the KDC/AS, asking for the service ticket to Alfresco.

In our case, we found that the culprit was a misconfiguration in the encryption types. I noticed that in
your krb5.conf, you allow only arcfour-hmac-md5, and it may be the case that one of your service accts
is using DES or some other encryption type.

In our case, DES was set for the service account (and that was dropped by the default security policies
of Windows 7). In your case it may be something similar, having to do with encryption types, but it can
equally well be a misspelling in the service name.

Alas, these misconfigurations seem to be common and I could not find many good replies in forums
(this one, stackoverflow or others). I hope this one will help you.

Regards,

Angelos
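The distinction Angelos draws above can be checked directly on the header. The following is an added example, not code from Alfresco or from anyone in this thread: it decodes the value of the browser's Authorization: Negotiate header and reports whether it is a raw NTLMSSP blob (the case the log line "Client sent an NTLMSSP security blob" describes), a bare Kerberos token, or a SPNEGO NegTokenInit, and for SPNEGO lists which mechanisms the browser offered, so you can see whether Kerberos was attempted at all. The sample tokens are constructed inside the block.

```python
import base64
import struct

# DER-encoded OID bodies of the GSS mechanisms a browser may offer (RFC 4178, MS-SPNG)
OID_SPNEGO = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2 (legacy MS)
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {OID_KRB5: "krb5", OID_MS_KRB5: "ms-krb5", OID_NTLMSSP: "ntlmssp"}
KERBEROS_OIDS = {OID_KRB5, OID_MS_KRB5}
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

def read_tlv(buf, pos=0):
    """Decode one DER TLV at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def classify_negotiate_token(header_value):
    """Classify the value of an 'Authorization: Negotiate <base64>' header."""
    raw = base64.b64decode(header_value.strip().partition(" ")[2])
    if raw.startswith(NTLMSSP_SIGNATURE):
        # Raw NTLMSSP message, what Alfresco logs as an "NTLMSSP security blob"; type 1 = NEGOTIATE
        return {"kind": "ntlmssp", "mech_types": [],
                "ntlm_message_type": struct.unpack_from("<I", raw, 8)[0]}
    if raw[:1] != b"\x60":  # not a GSS-API InitialContextToken
        return {"kind": "unknown", "mech_types": []}
    # RFC 2743 InitialContextToken: [APPLICATION 0] { thisMech OID, innerToken }
    _, inner, _ = read_tlv(raw)
    _, this_mech, pos = read_tlv(inner)
    if this_mech != OID_SPNEGO:  # e.g. a bare Kerberos AP-REQ without SPNEGO wrapper
        kind = "kerberos" if this_mech in KERBEROS_OIDS else "unknown"
        return {"kind": kind, "mech_types": [MECH_NAMES.get(this_mech, this_mech.hex())]}
    # NegTokenInit: [0] SEQUENCE { [0] mechTypes SEQUENCE OF OID, ... }
    _, neg_init, _ = read_tlv(inner, pos)
    tag, mech_ctx, _ = read_tlv(read_tlv(neg_init)[1])
    mech_seq = read_tlv(mech_ctx)[1] if tag == 0xA0 else b""
    mechs, p = [], 0
    while p < len(mech_seq):
        _, body, p = read_tlv(mech_seq, p)
        mechs.append(body)
    return {"kind": "spnego", "kerberos_offered": bool(KERBEROS_OIDS & set(mechs)),
            "mech_types": [MECH_NAMES.get(m, m.hex()) for m in mechs]}

def der(tag, body):
    """Short-form DER TLV encoder, enough for the constructed samples below."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def build_spnego_header(mech_oids):
    """Constructed sample: a SPNEGO NegTokenInit offering the given mechanisms."""
    mech_types = der(0xA0, der(0x30, b"".join(der(0x06, o) for o in mech_oids)))
    token = der(0x60, der(0x06, OID_SPNEGO) + der(0xA0, der(0x30, mech_types)))
    return "Negotiate " + base64.b64encode(token).decode()

# Constructed sample: the NTLM fallback seen in the thread (NTLM NEGOTIATE, type 1)
NTLM_FALLBACK_HEADER = "Negotiate " + base64.b64encode(
    NTLMSSP_SIGNATURE + struct.pack("<I", 1) + b"\x00" * 20).decode()
```

A SPNEGO token whose mechTypes list contains no Kerberos OID means the browser never obtained a service ticket, which points at the TGS-REQ exchange with the domain controller rather than at the Alfresco side.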

Hi Angelos,

Apologies for the delayed response. I'd given up checking on this post due to lack of replies, but I did manage to get kerberos SSO working in the end. However, it was not using Alfresco Community Edition 4.0.d mentioned in this post, as our development team made the decision to make use of Alfresco Community Edition 4.2.f instead. If you're not using the same version of Alfresco as ourselves, I'm not sure whether my config will work in your environment, but I did make some notes detailing the steps I took to configure SSO if you're interested. I'd have to clean them up a little, but I'd gladly send them to yourself if you want them. I'll check back on the post every now and again to see if you have replied.

Regards,
John



Hello,

Would you mind sending me your settings for Kerberos so I can check them? I'm having issues with it too, so I want to check the configurations.