Kerberos SSO unsupported SPNEGO

svent
Champ in-the-making
Hi there

I'm trying to use SSO Kerberos with Alfresco 4.2c on Tomcat 7 (Ubuntu, OpenJDK 7) and Kerberos (Ubuntu, MIT krb5). When I try to access Alfresco from my Mac (using Firefox or Google Chrome) I get redirected to the username/password login form (which actually works fine).

Debug messages in the alfresco log look as follows:

2012-12-17 18:29:43,369  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-bio-8080-exec-1] New Kerberos auth request from xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx:49251)
2012-12-17 18:29:43,369  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-bio-8080-exec-1] Issuing login challenge to browser.
2012-12-17 18:29:43,424  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-bio-8080-exec-1] Unsupported SPNEGO mechanism 1.3.6.1.4.1.311.2.2.10
2012-12-17 18:29:43,424  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-bio-8080-exec-1] Clearing session.
2012-12-17 18:29:43,424  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-bio-8080-exec-1] Issuing login challenge to browser.
2012-12-17 18:29:43,525  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-bio-8080-exec-4] Login page requested, chaining …

alfresco-global.properties looks as follows:

authentication.chain=kerberos:kerberos

#krb5
kerberos.authentication.realm=XXX.XX
kerberos.authentication.sso.enabled=true
kerberos.authentication.authenticateCIFS=true
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.cifs.password=xxx
kerberos.authentication.http.password=xxx
kerberos.authentication.defaultAdministratorUserNames=xxx

alfresco.login.config (included in java.security) looks as follows:

Alfresco {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

AlfrescoCIFS {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/alfresco.keytab"
   principal="cifs/xxx.xxx.xx";
};

AlfrescoHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/alfresco.keytab"
   principal="HTTP/xxx.xxx.xx";
};

Alfresco Server Kerberos krb5.conf looks as follows:

[realms]
   XXX.XX = {
      kdc = kerberos.xxx.xx
      admin_server = kerberos.xxx.xx
   }

[domain_realm]
   .xxx.xx = XXX.XX

[login]
   krb4_convert = true
   krb4_get_tickets = false

I looked into the sources of Alfresco and it seems that SPNEGO mech 1.3.6.1.4.1.311.2.2.30 is supported but not 1.3.6.1.4.1.311.2.2.10.

Do I need further configuration in my Firefox/Chrome/Mac? I (unfortunately) do not know much about Kerberos negotiation mechs.

Thanks for any suggestions
1 REPLY

tcuser
Champ on-the-rise
I know this issue is so old, but I have the exact same problem. Does anyone have any idea what it might be? Thanks in advance.
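
Added example, not part of either post and not Alfresco code: the OID in the "Unsupported SPNEGO mechanism" log line, 1.3.6.1.4.1.311.2.2.10, is the registered identifier for NTLMSSP, so a useful first check is which mechanisms the browser actually offers in its `Authorization: Negotiate` header. The decoder below lists them; the sample token and all function names are constructed for this illustration.

```python
import base64
SPNEGO, NTLMSSP = "1.3.6.1.5.5.2", "1.3.6.1.4.1.311.2.2.10"
# Public GSS-API mechanism OIDs (not taken from Alfresco's source).
KNOWN = {"1.2.840.113554.1.2.2": "Kerberos 5", NTLMSSP: "NTLMSSP",
         "1.3.6.1.4.1.311.2.2.30": "NegoEx"}

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of a DER element
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0  # sufficient for 1.x OIDs
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def offered_mechs(header_value):
    """(oid, name) pairs offered in an 'Authorization: Negotiate <b64>' value."""
    token = base64.b64decode(header_value.split(None, 1)[1])
    if token.startswith(b"NTLMSSP\x00"):  # bare NTLM without SPNEGO framing
        return [(NTLMSSP, KNOWN[NTLMSSP])]
    tag, pos, end = read_tlv(token, 0)
    oid_tag, s, pos = read_tlv(token, pos)
    if tag != 0x60 or oid_tag != 0x06 or decode_oid(token[s:pos]) != SPNEGO:
        raise ValueError("not a SPNEGO initial token")
    # Descend: NegTokenInit [0] > SEQUENCE > mechTypes [0] > SEQUENCE OF OID
    for expected in (0xA0, 0x30, 0xA0, 0x30):
        tag, pos, end = read_tlv(token, pos)
        if tag != expected:
            raise ValueError("unexpected tag 0x%02x" % tag)
    mechs = []
    while pos < end:
        _, s, pos = read_tlv(token, pos)
        mechs.append(decode_oid(token[s:pos]))
    return [(m, KNOWN.get(m, "unknown")) for m in mechs]

def _tlv(tag, body):  # short-form DER lengths only; builds the constructed sample
    return bytes([tag, len(body)]) + body
_init = _tlv(0xA0, _tlv(0x30, bytes.fromhex("060a2b06010401823702020a"))) \
    + _tlv(0xA2, _tlv(0x04, b"NTLMSSP\x00\x01\x00\x00\x00"))
_token = _tlv(0x60, bytes.fromhex("06062b0601050502") + _tlv(0xA0, _tlv(0x30, _init)))
SAMPLE = "Negotiate " + base64.b64encode(_token).decode()  # constructed, offers NTLMSSP only
print(offered_mechs(SAMPLE))
```

If the list printed for a real header contains no Kerberos 5 entry, the client never offered Kerberos, and the place to look is the client side (ticket cache, browser negotiate settings, SPN resolution) rather than the server's mechanism list.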