Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Hyland Connect
- Enterprise Platforms
- Alfresco
- Alfresco Archive
- Kerberos SSO for Share (and Alfresco) struggles
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Kerberos SSO for Share (and Alfresco) struggles
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-10-2014 01:57 PM
Hi folks,
I'm looking for some help on this subject really, and any assistance is greatly appreciated.
I basically followed the instructions in the below guides to get to the position I am currently in now:
http://docs.alfresco.com/4.0/tasks/auth-kerberos-ADconfig.html
http://docs.alfresco.com/4.0/tasks/auth-kerberos-shareSSO.html
Firstly I should start my saying my knowledge of Alfresco ranges between none and very little (remove "of Alfresco" from that statement and the same could still be said!) but I've been tasked with configuring Kerberos SSO for Share and Alfresco web apps. So imagine my surprise when I actually managed to get it working, quickly followed by my dismay when it suddenly decided to stop working. I've read over a number of other posts where people are experiencing similar issues but have not found anything that has helped to resolve my issue as yet.
Current state of affairs - When browsing (in both Chrome and IE) to /alfresco or /share, a credentials dialog box now appears, which when cancelled takes me to the respective app login page where I am able to log in using Windows credentials. Previously I would be logged straight into the app without any prompts - the only thing I know to have changed from the working config is a new keytab file was created, although this does appears to authenticate properly ("kinit -k -t…" comes back successful).
Our environment looks something like the below:
Alfresco Community Edition 4.0.d (running on Ubuntu 12.04 LTS)
Java 7 (OpenJDK 7)
Server 2008 R2 Active Directory Domain Controller
I have enabled Kerberos debugging but the Alfresco.log isn't really forthcoming with any useful information (to me at least) so I was wondering how else I can find the root cause of this problem?
Unfortunately I'm unable to attach files so I have reluctantly pasted below various config/log files (or extracts), having removed actual config specific to our environment.
###alfresco-global.properties:###
#Authentication Chain
authentication.chain=kerberos1:kerberos,dc1:ldap-ad,alfinst:alfrescoNtlm
ntlm.authentication.sso.enabled=false
###kerberos-authentication.properties###
kerberos.authentication.realm=DOMAIN.LOCAL
kerberos.authentication.sso.enabled=true
kerberos.authentication.authenticateCIFS=true
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.cifs.password=<Password>
kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.stripUsernameSuffix=true
kerberos.authentication.http.password=<Password>
kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.defaultAdministratorUserNames=admin,administrator
kerberos.authentication.browser.ticketLogons=true
###krb5.conf###
[libdefaults]
default_realm = <MYDOMAIN.LOCAL>
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
default_tgs_enctypes = arcfour-hmac-md5
default_tkt_enctypes = arcfour-hmac-md5
permitted_enctypes = arcfour-hmac-md5
# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
<MYDOMAIN.LOCAL> = {
kdc = <domaincontroller.mydomain.local>
admin_server = <domaincontroller.mydomain.local>
default_domain = <MYDOMAIN.LOCAL>
}
[domain_realm]
.<mydomain.local> = <MYDOMAIN.LOCAL>
<mydomain.local> = <MYDOMAIN.LOCAL>
###java.security###
login.config.url.1=file:${java.home}/lib/security/java.login.config
###java.login###
Alfresco {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};
AlfrescoCIFS {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
keyTab="/etc/keys/cifs<server FQDN>.keytab"
principal="cifs/cifs<server FQDN>";
};
ShareHTTP {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
keyTab="/etc/keys/http<server FQDN>.keytab"
principal="HTTP/<server FQDN>";
};
AlfrescoHTTP {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
keyTab="/etc/keys/http<server FQDN>.keytab"
principal="HTTP/<server FQDN>";
};
com.sun.net.ssl.client {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};
other {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};
###share-config-custom.xml###
<!– Kerberos settings –>
<!– To enable kerberos rename this condition to "Kerberos" –>
<config evaluator="string-compare" condition="Kerberos" replace="true">
<kerberos>
<!–
Password for HTTP service account.
The account name *must* be built from the HTTP server name, in the format :
HTTP/<server_name>@<realm>
(NB this is because the web browser requests an ST for the
HTTP/<server_name> principal in the current realm, so if we're to decode
that ST, it has to match.)
–>
<password>Password</password>
<!–
Kerberos realm and KDC address.
–>
<realm>MYDOMAIN.LOCAL</realm>
<!–
Service Principal Name to use on the repository tier.
This must be like: HTTP/host.name@REALM
–>
<endpoint-spn>HTTP/serverFQDN@MYDOMAIN.LOCAL</endpoint-spn>
<!–
JAAS login configuration entry name.
–>
<config-entry>ShareHTTP</config-entry>
</kerberos>
</config>
<!– example port config used to access remote Alfresco server (default is 8080) –>
I also uncommented the two following "<config evaluator="string-compare" condition="Remote">" sections in this file.
###Alfresco.log###
15:25:00,559 INFO [org.apache.chemistry.opencmis.browser.BrowseServlet] Allow pattern: http.*
15:26:54,832 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] HTTP Kerberos login successful
15:26:54,833 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Logged on using principal HTTP/server.mydomain.local@MYDOMAIN.LOCAL
15:26:54,845 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Authentication not required (filter), chaining …
15:26:54,891 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Authentication not required (filter), chaining …
15:26:54,917 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Authentication not required (filter), chaining …
15:26:54,935 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] New Kerberos auth request from 127.0.0.1 (127.0.0.1:39732)
15:27:12,794 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] New Kerberos auth request from 127.0.0.1 (127.0.0.1:38034)
15:27:12,804 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] New Kerberos auth request from 127.0.0.1 (127.0.0.1:47490)
15:27:12,816 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Authentication not required (filter), chaining …
15:27:12,854 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Authentication not required (filter), chaining …
15:27:12,868 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Authentication not required (filter), chaining …
15:27:13,647 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Authentication not required (filter), chaining …
15:27:13,661 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Authentication not required (filter), chaining …
15:27:13,714 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] New Kerberos auth request from 127.0.0.1 (127.0.0.1:49959)
15:27:13,720 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] New Kerberos auth request from 127.0.0.1 (127.0.0.1:57950)
15:27:14,185 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Authentication not required (filter), chaining …
15:27:14,199 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Authentication not required (filter), chaining …
15:27:14,220 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Authentication not required (filter), chaining …
15:27:14,742 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] New Kerberos auth request from 127.0.0.1 (127.0.0.1:49811)
15:27:14,749 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] New Kerberos auth request from 127.0.0.1 (127.0.0.1:49266)
15:27:43,509 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] New Kerberos auth request from 127.0.0.1 (127.0.0.1:57304)
15:27:43,513 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] New Kerberos auth request from 127.0.0.1 (127.0.0.1:58560)
15:27:48,110 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] New Kerberos auth request from x.x.x.x (x.x.x.x:38935)
15:27:48,115 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Client sent an NTLMSSP security blob **prompted in browser for domain credentials at this point**
15:27:52,152 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Login page requested, chaining …
Apologies for the information overload! Again, thanks to anyone who takes the time to look at this, it's a real pain.
Regards,
John
I'm looking for some help on this subject really, and any assistance is greatly appreciated.
I basically followed the instructions in the below guides to get to the position I am currently in now:
http://docs.alfresco.com/4.0/tasks/auth-kerberos-ADconfig.html
http://docs.alfresco.com/4.0/tasks/auth-kerberos-shareSSO.html
Firstly I should start my saying my knowledge of Alfresco ranges between none and very little (remove "of Alfresco" from that statement and the same could still be said!) but I've been tasked with configuring Kerberos SSO for Share and Alfresco web apps. So imagine my surprise when I actually managed to get it working, quickly followed by my dismay when it suddenly decided to stop working. I've read over a number of other posts where people are experiencing similar issues but have not found anything that has helped to resolve my issue as yet.
Current state of affairs - When browsing (in both Chrome and IE) to /alfresco or /share, a credentials dialog box now appears, which when cancelled takes me to the respective app login page where I am able to log in using Windows credentials. Previously I would be logged straight into the app without any prompts - the only thing I know to have changed from the working config is a new keytab file was created, although this does appears to authenticate properly ("kinit -k -t…" comes back successful).
Our environment looks something like the below:
Alfresco Community Edition 4.0.d (running on Ubuntu 12.04 LTS)
Java 7 (OpenJDK 7)
Server 2008 R2 Active Directory Domain Controller
I have enabled Kerberos debugging but the Alfresco.log isn't really forthcoming with any useful information (to me at least) so I was wondering how else I can find the root cause of this problem?
Unfortunately I'm unable to attach files so I have reluctantly pasted below various config/log files (or extracts), having removed actual config specific to our environment.
###alfresco-global.properties:###
#Authentication Chain
authentication.chain=kerberos1:kerberos,dc1:ldap-ad,alfinst:alfrescoNtlm
ntlm.authentication.sso.enabled=false
###kerberos-authentication.properties###
kerberos.authentication.realm=DOMAIN.LOCAL
kerberos.authentication.sso.enabled=true
kerberos.authentication.authenticateCIFS=true
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.cifs.password=<Password>
kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.stripUsernameSuffix=true
kerberos.authentication.http.password=<Password>
kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.defaultAdministratorUserNames=admin,administrator
kerberos.authentication.browser.ticketLogons=true
###krb5.conf###
[libdefaults]
default_realm = <MYDOMAIN.LOCAL>
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
default_tgs_enctypes = arcfour-hmac-md5
default_tkt_enctypes = arcfour-hmac-md5
permitted_enctypes = arcfour-hmac-md5
# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
<MYDOMAIN.LOCAL> = {
kdc = <domaincontroller.mydomain.local>
admin_server = <domaincontroller.mydomain.local>
default_domain = <MYDOMAIN.LOCAL>
}
[domain_realm]
.<mydomain.local> = <MYDOMAIN.LOCAL>
<mydomain.local> = <MYDOMAIN.LOCAL>
###java.security###
login.config.url.1=file:${java.home}/lib/security/java.login.config
###java.login###
Alfresco {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};
AlfrescoCIFS {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
keyTab="/etc/keys/cifs<server FQDN>.keytab"
principal="cifs/cifs<server FQDN>";
};
ShareHTTP {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
keyTab="/etc/keys/http<server FQDN>.keytab"
principal="HTTP/<server FQDN>";
};
AlfrescoHTTP {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
keyTab="/etc/keys/http<server FQDN>.keytab"
principal="HTTP/<server FQDN>";
};
com.sun.net.ssl.client {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};
other {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};
###share-config-custom.xml###
<!– Kerberos settings –>
<!– To enable kerberos rename this condition to "Kerberos" –>
<config evaluator="string-compare" condition="Kerberos" replace="true">
<kerberos>
<!–
Password for HTTP service account.
The account name *must* be built from the HTTP server name, in the format :
HTTP/<server_name>@<realm>
(NB this is because the web browser requests an ST for the
HTTP/<server_name> principal in the current realm, so if we're to decode
that ST, it has to match.)
–>
<password>Password</password>
<!–
Kerberos realm and KDC address.
–>
<realm>MYDOMAIN.LOCAL</realm>
<!–
Service Principal Name to use on the repository tier.
This must be like: HTTP/host.name@REALM
–>
<endpoint-spn>HTTP/serverFQDN@MYDOMAIN.LOCAL</endpoint-spn>
<!–
JAAS login configuration entry name.
–>
<config-entry>ShareHTTP</config-entry>
</kerberos>
</config>
<!– example port config used to access remote Alfresco server (default is 8080) –>
I also uncommented the two following "<config evaluator="string-compare" condition="Remote">" sections in this file.
###Alfresco.log###
15:25:00,559 INFO [org.apache.chemistry.opencmis.browser.BrowseServlet] Allow pattern: http.*
15:26:54,832 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] HTTP Kerberos login successful
15:26:54,833 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Logged on using principal HTTP/server.mydomain.local@MYDOMAIN.LOCAL
15:26:54,845 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Authentication not required (filter), chaining …
15:26:54,891 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Authentication not required (filter), chaining …
15:26:54,917 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Authentication not required (filter), chaining …
15:26:54,935 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] New Kerberos auth request from 127.0.0.1 (127.0.0.1:39732)
15:27:12,794 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] New Kerberos auth request from 127.0.0.1 (127.0.0.1:38034)
15:27:12,804 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] New Kerberos auth request from 127.0.0.1 (127.0.0.1:47490)
15:27:12,816 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Authentication not required (filter), chaining …
15:27:12,854 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Authentication not required (filter), chaining …
15:27:12,868 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Authentication not required (filter), chaining …
15:27:13,647 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Authentication not required (filter), chaining …
15:27:13,661 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Authentication not required (filter), chaining …
15:27:13,714 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] New Kerberos auth request from 127.0.0.1 (127.0.0.1:49959)
15:27:13,720 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] New Kerberos auth request from 127.0.0.1 (127.0.0.1:57950)
15:27:14,185 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Authentication not required (filter), chaining …
15:27:14,199 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Authentication not required (filter), chaining …
15:27:14,220 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Authentication not required (filter), chaining …
15:27:14,742 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] New Kerberos auth request from 127.0.0.1 (127.0.0.1:49811)
15:27:14,749 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] New Kerberos auth request from 127.0.0.1 (127.0.0.1:49266)
15:27:43,509 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] New Kerberos auth request from 127.0.0.1 (127.0.0.1:57304)
15:27:43,513 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] New Kerberos auth request from 127.0.0.1 (127.0.0.1:58560)
15:27:48,110 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] New Kerberos auth request from x.x.x.x (x.x.x.x:38935)
15:27:48,115 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Client sent an NTLMSSP security blob **prompted in browser for domain credentials at this point**
15:27:52,152 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Login page requested, chaining …
Apologies for the information overload! Again, thanks to anyone who takes the time to look at this, it's a real pain.
Regards,
John
Labels:
- Labels:
-
Archive
10 REPLIES 10
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-13-2015 07:53 AM
Hi Boris,
Apologies for the delay, I don't really check this post any longer. However attached is the contents of our /etc/krb5.conf. I had to rename the file ".txt" in order to upload it, if you need to open the file in a text editor use something like Notepad++, as Windows Notepad loses the formatting.
I've replaced any reference to our domain/server names, obviously you'll need to replace "DOMAIN.NAME" with your own domain information and reference your own domain controller, and note that some values are UPPER CASE. If you were looking for any other information please post a reply and I'll see if I can help.
Apologies for the delay, I don't really check this post any longer. However attached is the contents of our /etc/krb5.conf. I had to rename the file ".txt" in order to upload it, if you need to open the file in a text editor use something like Notepad++, as Windows Notepad loses the formatting.
I've replaced any reference to our domain/server names, obviously you'll need to replace "DOMAIN.NAME" with your own domain information and reference your own domain controller, and note that some values are UPPER CASE. If you were looking for any other information please post a reply and I'll see if I can help.
Related Content
- fileServersNG 24.3 Released - SMB2/SMB3 file server in Alfresco Forum
- ACS 23.1 : Share QuickLink redirect for authentication when using Keycloak in Alfresco Forum
- Alfresco Share Kerberos SSO - credentials cannot be delegated in Alfresco Forum
- unconstrained delegation with Kerberos in Alfresco Forum
- ACS 7.3 CE Kerberos SSO not working, always shows login page in Alfresco Forum
Getting started
Tags
Find what you came for
We want to make your experience in Hyland Connect as valuable as possible, so we put together some helpful links.
