
Share SSO with Kerberos AD

jackjm
Champ in-the-making
Hello all,

I am trying to implement SSO for Share using Kerberos AD and followed the directions listed in the official documentation at docs.alfresco.com. I keep getting the following exception:


2013-06-05 12:02:30,998  WARN  [site.servlet.KerberosSessionSetupPrivilegedAction] [http-80-3] Caught GSS Error
GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
   at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
   at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
   at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)


Here are the settings, the files and their respective locations. I have turned on debugging, which printed the messages above. Any suggestions to help fix the issue will be greatly appreciated. We are running 4.0.d community on a Windows 2008 machine.

Thank you very much for your time


alfresco-global.properties
### Kerberos SSO ###
kerberos.authentication.realm=LOCAL.COM
kerberos.authentication.sso.enabled=true
kerberos.authentication.authenticateCIFS=false
kerberos.authentication.user.configEntryName=AlfrescoHTTP
kerberos.authentication.http.configEntryName=AlfrescoHTTP
#kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.stripUsernameSuffix=true
kerberos.authentication.http.password=password
kerberos.authentication.cifs.password=password
kerberos.authentication.browser.ticketLogons=true
kerberos.authentication.defaultAdministratorUserNames=usera



share-config-custom.xml
<config evaluator="string-compare" condition="Kerberos" replace="true">
   <kerberos>
      <password>password</password>
      <realm>LOCAL.COM</realm>
      <endpoint-spn>HTTP/domain@LOCAL.COM</endpoint-spn>
      <config-entry>ShareHTTP</config-entry>
   </kerberos>
</config>

<config evaluator="string-compare" condition="Remote">
   <remote>
      <connector>
         <id>alfrescoCookie</id>
         <name>Alfresco Connector</name>
         <description>Connects to an Alfresco instance using cookie-based authentication</description>
         <class>org.springframework.extensions.webscripts.connector.AlfrescoConnector</class>
      </connector>

      <endpoint>
         <id>alfresco</id>
         <name>Alfresco - user access</name>
         <description>Access to Alfresco Repository WebScripts that require user authentication</description>
         <connector-id>alfrescoCookie</connector-id>
         <endpoint-url>http://localhost:80/alfresco/wcs</endpoint-url>
         <identity>user</identity>
         <external-auth>true</external-auth>
      </endpoint>
   </remote>
</config>



java.login.config at C:\Alfresco\java\jre\lib\security == as described in the documentation but changing the keyTab location to C:/etc/alfresco.keytab

Also modified java.security at C:\Alfresco\java\jre\lib\security to point to java.login.config



krb5.ini at (C:\Windows)
[libdefaults]
default_realm = LOCAL.COM
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac

[realms]
LOCAL.COM = {
  kdc = machine.local.com
  admin_server = machine.local.com
}

[domain_realm]
machine.local.com = LOCAL.COM
.machine.local.com = LOCAL.COM

1 REPLY

jackjm
Champ in-the-making
I don't know if it matters, but I see the following messages before the exception:


2013-06-05 12:03:34,436  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-4] Authentication not required (user), chaining …
2013-06-05 12:03:34,436  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-1] New Kerberos auth request from 10.1.100.180 (10.1.100.180:64546)
2013-06-05 12:03:34,452  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-4] Authentication not required (user), chaining …
2013-06-05 12:03:34,467  INFO  [web.site.EditionInterceptor] [http-80-5] Successfully retrieved license information from Alfresco.
2013-06-05 12:03:34,483  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-4] Authentication not required (user), chaining …
2013-06-05 12:03:34,749  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-4] Authentication not required (filter), chaining …
2013-06-05 12:03:34,749  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-1] Authentication not required (filter), chaining …
2013-06-05 12:03:34,811  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-1] Authentication not required (filter), chaining …
2013-06-05 12:03:34,858  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-1] Authentication not required (filter), chaining …
2013-06-05 12:03:34,936  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-5] Authentication not required (user), chaining …
2013-06-05 12:03:35,030  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-5] Authentication not required (filter), chaining …
2013-06-05 12:03:35,061  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-5] Authentication not required (filter), chaining …
2013-06-05 12:03:35,124  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-5] Authentication not required (filter), chaining …
2013-06-05 12:03:35,139  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-5] Authentication not required (filter), chaining …
2013-06-05 12:03:35,155  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-5] Authentication not required (filter), chaining …
2013-06-05 12:03:35,186  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-5] Authentication not required (filter), chaining …
2013-06-05 12:03:35,217  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-5] Authentication not required (filter), chaining …
2013-06-05 12:03:35,233  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-5] Authentication not required (filter), chaining …
2013-06-05 12:03:35,249  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-5] Authentication not required (filter), chaining …
2013-06-05 12:03:35,264  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-5] Authentication not required (filter), chaining …
2013-06-05 12:03:35,280  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-5] Authentication not required (filter), chaining …
2013-06-05 12:03:35,295  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-5] Authentication not required (filter), chaining …
2013-06-05 12:03:35,311  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-5] Authentication not required (filter), chaining …
2013-06-05 12:03:35,327  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-5] Authentication not required (filter), chaining …
2013-06-05 12:03:35,342  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-5] Authentication not required (filter), chaining …
2013-06-05 12:03:35,358  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-5] Authentication not required (filter), chaining …
2013-06-05 12:03:35,374  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-5] Authentication not required (filter), chaining …
2013-06-05 12:03:35,389  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-5] Authentication not required (filter), chaining …
2013-06-05 12:03:35,405  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-5] Authentication not required (filter), chaining …
2013-06-05 12:03:35,420  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-5] Authentication not required (filter), chaining …
2013-06-05 12:03:35,436  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-5] Authentication not required (filter), chaining …
2013-06-05 12:03:35,452  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-5] Authentication not required (filter), chaining …
2013-06-05 12:03:35,467  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-5] Authentication not required (filter), chaining …
2013-06-05 12:03:35,483  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-5] Authentication not required (filter), chaining …
2013-06-05 12:03:35,639  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-5] Authentication not required (filter), chaining …
2013-06-05 12:03:35,655  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-5] Authentication not required (filter), chaining …
2013-06-05 12:03:35,702  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-5] Authentication not required (user), chaining …
2013-06-05 12:03:35,999  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-5] Authentication not required (user), chaining …
2013-06-05 12:03:36,624  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-5] Authentication not required (user), chaining …
2013-06-05 12:03:36,889  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-5] Authentication not required (user), chaining …
2013-06-05 12:03:36,983  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-5] Authentication not required (user), chaining …
2013-06-05 12:03:37,014  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-6] Authentication not required (user), chaining …
2013-06-05 12:03:37,030  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-7] Authentication not required (user), chaining …
2013-06-05 12:03:37,061  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-1] Authentication not required (user), chaining …
2013-06-05 12:03:37,092  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-10] Authentication not required (user), chaining …
2013-06-05 12:03:37,108  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-8] Authentication not required (user), chaining …
2013-06-05 12:03:37,108  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-6] Authentication not required (user), chaining …
2013-06-05 12:03:37,155  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-5] Authentication not required (user), chaining …
2013-06-05 12:03:37,217  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-8] Authentication not required (user), chaining …
2013-06-05 12:03:37,374  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-10] Authentication not required (user), chaining …
2013-06-05 12:03:38,374  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-1] Authentication not required (user), chaining …
2013-06-05 12:03:38,780  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-9] Authentication not required (user), chaining …
2013-06-05 12:03:38,796  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-6] Authentication not required (user), chaining …
2013-06-05 12:03:38,811  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-6] Authentication not required (user), chaining …
2013-06-05 12:03:38,952  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-5] Authentication not required (user), chaining …
2013-06-05 12:03:38,967  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-1] Authentication not required (user), chaining …
2013-06-05 12:03:39,077  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-9] Authentication not required (user), chaining …
2013-06-05 12:03:39,092  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-3] Authentication not required (user), chaining …
2013-06-05 12:03:39,124  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-3] Authentication not required (user), chaining …
2013-06-05 12:03:39,421  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-2] Authentication not required (user), chaining …
2013-06-05 12:03:39,421  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-6] Authentication not required (user), chaining …
2013-06-05 12:03:39,796  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-11] Authentication not required (user), chaining …
2013-06-05 12:03:39,811  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-2] Authentication not required (user), chaining …
2013-06-05 12:03:39,874  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-12] Authentication not required (user), chaining …
2013-06-05 12:03:39,889  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-13] Authentication not required (user), chaining …
2013-06-05 12:03:39,936  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-11] Authentication not required (user), chaining …
2013-06-05 12:03:39,952  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-12] Authentication not required (user), chaining …
2013-06-05 12:03:42,733  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-10] Authentication not required (user), chaining …
2013-06-05 12:03:42,780  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-10] New Kerberos auth request from machine.ip (ma.ch.ine.ip:64613)
Checksum failed !


Any suggestions are greatly appreciated, since this is one of the last steps for deploying the community edition across the company and then hopefully purchasing the enterprise edition.

Thanks a lot for your time.