Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Hyland Connect
- Enterprise Platforms
- Alfresco
- Alfresco Archive
- SSO with Kerberos : Client sent an NTLMSSP securit...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
SSO with Kerberos : Client sent an NTLMSSP security blob
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-27-2011 03:41 AM
Hello,
I'm trying to configure Alfresco to run SSO using Kerberos.
Here's the environment I'm working on:
- My PC is part of domaine.fr. That's the client in my test. It runs on Windows 7 Pro and tests are made with IE8.
- The Alfresco server is a CentOS 5 VM. Alfresco 3.3g is running on Tomcat 6.
- Finally, I've created an Active Directory on a Windows Server 2008 R2 VM. This VM is the domain controller for domaine.local (domain netbios name = DOMAINE0) that I've created specially for this test.
I do not have DNS, so I work with IP:
- Client: xx.xx.xx.35
- Server Alf xx.xx.xx.60
- Server AD: xx.xx.xx.28
First of all, I've tested my environment by setting up passthru => No problem.
When I access to the webapp, I have a Windows login window that appears. I enter the login / password of an account of my AD indicating DOMAINE0 and I automatically connect to Alfresco (bypassing the login page).
After this first test (to control that SSO with passthru is OK), I've followed the instructions in the Kerberos Alfresco wiki page. In my case, CIFS will not be activated, so I've only considered instructions concerning HTTP configuration.
- Create Account alfrescohttp in AD (enable options "Password never expires", "Use DES encryption types for Kerberos" and "Pre-authentication Kerberos is not necessary").
- Generate the keytab on the AD server with the following parameters:
=> @ HTTP/xx.xx.xx.60 DOMAINE.LOCAL
=> DOMAINE0 \ alfrescohttp
That made me an SPN:
setspn-l alfrescohttp
ServicePrincipalName names registered for CN = HTTP Alfresco, OU = users, OU = ged, OR = esi,
DC = domain, DC = local:
HTTP/xx.xx.xx.60
- On my Alfresco server, I added a directory kerberos in the Tomcat directory where I placed the following files:
=> The keytab generated previously;
=> Krb5.conf
=> java.login.config
- Always on the Alfresco server, I changed the setting JAVA_OPTS to obtain:
- I modified the file alfresco-global.properties for:
- I also enabled logs about kerberos in log4j.properties.
When starting Tomcat, I get the following logs indicating that all goes well:
But, when I try to access to the webapp with my AD user, I get the Windows login window where I enter the login and password indicating DOMAINE0 but the connection is KO. After a few tries, I get a blank page.
In the log file, I get the following messages:
Is there a conf to do on the client? (In IE, the site is within the intranet zone and automatic authentication is enabled for intranet sites).
The use of IP can be a problem?
Are there other logs that might help me to see where is the problem?
Are there any other info (especially on the AD server) that could be useful?
Thank you in advance for your help.
I'm trying to configure Alfresco to run SSO using Kerberos.
Here's the environment I'm working on:
- My PC is part of domaine.fr. That's the client in my test. It runs on Windows 7 Pro and tests are made with IE8.
- The Alfresco server is a CentOS 5 VM. Alfresco 3.3g is running on Tomcat 6.
- Finally, I've created an Active Directory on a Windows Server 2008 R2 VM. This VM is the domain controller for domaine.local (domain netbios name = DOMAINE0) that I've created specially for this test.
I do not have DNS, so I work with IP:
- Client: xx.xx.xx.35
- Server Alf xx.xx.xx.60
- Server AD: xx.xx.xx.28
First of all, I've tested my environment by setting up passthru => No problem.
When I access to the webapp, I have a Windows login window that appears. I enter the login / password of an account of my AD indicating DOMAINE0 and I automatically connect to Alfresco (bypassing the login page).
After this first test (to control that SSO with passthru is OK), I've followed the instructions in the Kerberos Alfresco wiki page. In my case, CIFS will not be activated, so I've only considered instructions concerning HTTP configuration.
- Create Account alfrescohttp in AD (enable options "Password never expires", "Use DES encryption types for Kerberos" and "Pre-authentication Kerberos is not necessary").
- Generate the keytab on the AD server with the following parameters:
=> @ HTTP/xx.xx.xx.60 DOMAINE.LOCAL
=> DOMAINE0 \ alfrescohttp
That made me an SPN:
setspn-l alfrescohttp
ServicePrincipalName names registered for CN = HTTP Alfresco, OU = users, OU = ged, OR = esi,
DC = domain, DC = local:
HTTP/xx.xx.xx.60
- On my Alfresco server, I added a directory kerberos in the Tomcat directory where I placed the following files:
=> The keytab generated previously;
=> Krb5.conf
[Libdefaults]
default_realm = DOMAINE.LOCAL
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
[Realms]
EUROGICIEL.LOCAL = {
kdc = xx.xx.xx.28
admin_server = xx.xx.xx.28
}
[Domain_realm]
. Domaine.local = DOMAINE.LOCAL
=> java.login.config
Alfresco {
Sufficient com.sun.security.auth.module.Krb5LoginModule;
};
AlfrescoHTTP {
com.sun.security.auth.module.Krb5LoginModule required
debug = true
storeKey = true
useKeyTab = true
keytab = "/ usr/share/tomcat6/kerberos/alfrescohttp.keytab"
main = "HTTP/xx.xx.xx.60";
};
com.sun.net.ssl.client {
Sufficient com.sun.security.auth.module.Krb5LoginModule;
};
Other {
Sufficient com.sun.security.auth.module.Krb5LoginModule;
};
- Always on the Alfresco server, I changed the setting JAVA_OPTS to obtain:
JAVA_OPTS = "-Xmx2048m-XX: MaxPermSize = 256m-Djava.security.auth.login.config =/usr/share/tomcat6/kerberos/java.login.config-Djava.security.krb5.conf=/usr/share/tomcat6/kerberos/krb5.conf "
- I modified the file alfresco-global.properties for:
…
authentication.chain = kerberos1: kerberos
kerberos.authentication.realm = DOMAINE.LOCAL
kerberos.authentication.sso.enabled = true
kerberos.authentication.authenticateCIFS = false
Alfresco kerberos.authentication.user.configEntryName =
kerberos.authentication.http.configEntryName = AlfrescoHTTP
kerberos.authentication.http.password = secret
kerberos.authentication.defaultAdministratorUserNames = mlagneaux
kerberos.authentication.http.kerberosDebug = true
…
- I also enabled logs about kerberos in log4j.properties.
When starting Tomcat, I get the following logs indicating that all goes well:
17:15:12,932 User: System DEBUG [webdav.auth.KerberosAuthenticationFilter] HTTP Kerberos login successful
17:15:12,933 User: System DEBUG [webdav.auth.KerberosAuthenticationFilter] Logged on using main HTTP/xx.xx.xx.60 @ DOMAINE.LOCAL
But, when I try to access to the webapp with my AD user, I get the Windows login window where I enter the login and password indicating DOMAINE0 but the connection is KO. After a few tries, I get a blank page.
In the log file, I get the following messages:
17:24:02,121 DEBUG [app.servlet.KerberosAuthenticationFilter] Kerberos auth request from New xx.xx.xx.35 (xx.xx.xx.35: 62,790)
17:24:02,130 DEBUG [app.servlet.KerberosAuthenticationFilter] Client feels NTLMSSP year security blob
Is there a conf to do on the client? (In IE, the site is within the intranet zone and automatic authentication is enabled for intranet sites).
The use of IP can be a problem?
Are there other logs that might help me to see where is the problem?
Are there any other info (especially on the AD server) that could be useful?
Thank you in advance for your help.
Labels:
- Labels:
-
Archive
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-16-2011 10:30 AM
As described in the following post, I've installed Java JCE on my server but doesn't work either.
http://forums1.man.alfresco.com/en/viewtopic.php?f=3&t=20891
http://forums1.man.alfresco.com/en/viewtopic.php?f=3&t=20891
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-30-2011 07:41 AM
Hello mlagneaux,
SSO with Alfresco Explorer only worked for me in combination with a DNS server.
This is also stated in the documentation.
Add your alfresco machines to your DNS on your Windows server and choose the
appropiate Service Principal names.
Kind regards,
Georg
SSO with Alfresco Explorer only worked for me in combination with a DNS server.
This is also stated in the documentation.
Add your alfresco machines to your DNS on your Windows server and choose the
appropiate Service Principal names.
Kind regards,
Georg
Related Content
- unconstrained delegation with Kerberos in Alfresco Forum
- ACS 7.3 + Kerberos. SSO Authentication for Share stops working every night in Alfresco Forum
- Setup ACS-7.x, ASS-2.x, Local Transformation Service using distribution package step by step Part 2 in Alfresco Blog
- Alfresco configuration for SSO: are my alfresco files correct? in Alfresco Forum
- Kerberos SSO for alfresco docker installation in Alfresco Forum
Getting started
Tags
Find what you came for
We want to make your experience in Hyland Connect as valuable as possible, so we put together some helpful links.
