07-27-2023 10:03 AM
Hi folks,
I recently installed ACS 7.3.1 on Windows Server 2022, following these instructions:
https://javaworld-abhinav.blogspot.com/2022/05/setup-acs-7-ass-2-and-local-windows.html
- Tomcat 9.0.72
- OpenJDK 11.0.19
- ActiveMQ 5.17.4
- PostgreSQL 15.3
- ASS 2.0.6
- Transform Core-AiO 2.7.1
That works so far, ldap-AD sync is running and I can log in with my AD user.
Then I wanted to configure Kerberos SSO and followed these instructions:
- https://docs.alfresco.com/identity-service/latest/tutorial/sso/
- https://hub.alfresco.com/t5/alfresco-content-services-forum/acs-7-3-kerberos-sso-authentication-for-...
- https://hub.alfresco.com/t5/alfresco-content-services-forum/kerberos-sso-configuration/td-p/304314
- https://docs.alfresco.com/content-services/community/admin/auth-sync/
I also tried different constellations resulting from the pages.
User alfrescosso created, SPNs set, keytab created and distributed, configs adjusted and so on.
I changed the port from 8080 to 80.
Firefox, Edge (Chromium) and IE are configured accordingly.
Now when I go to http://<server>/share/, the orange login page always appears.
Is there anything else I need to take care of?
Or can someone post working config files (share-config-custom.xml, alfresco-global.properties, java.login.config, ...)?
Thanks
Greetings
Robert
07-28-2023 10:27 AM
Hi,
I have solved it in the meantime.
I have reset the whole share-config-custom.xml and started again. I included both <config evaluator="string-compare" condition="Remote"> sections.
After that I got a Java error for the Kerberos connection: GSSException: No valid credentials provided (Mechanism level: KDC cannot accommodate requested option (13))
I was able to fix this by changing the AD user for delegation to "Trust the user for delegation to specified services only".
https://stackoverflow.com/questions/72651807/krberror-kdc-cannot-accommodate-requested-option-when-c...
07-27-2023 01:49 PM
You may have missed some config or misconfigured something. Try to revisit the steps and see if you can locate anything.
Also try to see if you find any errors in alfresco.log, share.log and catalina.out.
07-28-2023 02:01 AM
You can double-check that the DNS is correctly resolving the hostname of your ACS server. Also, ensure that the hostname used in the SPNs matches the server's actual hostname. Or enable Kerberos debugging to check if there are any errors or issues with the Kerberos authentication process. You can add the following property to the "alfresco-global.properties" file:
kerberos.authentication.debug=true
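
Added example (not posted by anyone in this thread): a PowerShell check, run on a domain-joined machine with the ActiveDirectory module, of the three things the replies point at: DNS resolution of the server name, an SPN that matches that name, and the delegation setting on the service account. The hostname acs01.example.local is a placeholder, and the HTTP/<hostname> SPN form is an assumption, since the thread does not show the SPNs that were set.

```powershell
# Added example. Assumed values: replace with your own.
$ServiceAccount = 'alfrescosso'            # account name used in the thread
$ServerFqdn     = 'acs01.example.local'    # placeholder: the name typed into the browser

Import-Module ActiveDirectory

# 1. Forward and reverse DNS should agree on the server's name.
$records = Resolve-DnsName -Name $ServerFqdn -Type A -ErrorAction Stop
foreach ($a in $records | Where-Object { $_.Type -eq 'A' }) {
    $ptr = Resolve-DnsName -Name $a.IPAddress -Type PTR -ErrorAction SilentlyContinue
    '{0} -> {1} -> {2}' -f $ServerFqdn, $a.IPAddress, ($ptr.NameHost -join ', ')
}

# 2. The service account should hold an SPN for exactly that hostname.
$user = Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName,
    TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
$expected = "HTTP/$ServerFqdn"             # assumed SPN form
$hasSpn   = $user.servicePrincipalName -contains $expected
"SPN $expected registered on ${ServiceAccount}: $hasSpn"

# setspn -Q lists every account that holds the SPN; it should be exactly one.
setspn -Q $expected

# 3. Delegation setting on the account (the change that resolved the
#    GSSException in this thread was "specified services only").
$targets = $user.'msDS-AllowedToDelegateTo'
if ($user.TrustedForDelegation) {
    'Delegation: trusted for delegation to any service (unconstrained)'
} elseif ($targets) {
    "Delegation: specified services only -> $($targets -join ', ')"
    "Any authentication protocol allowed: $($user.TrustedToAuthForDelegation)"
} else {
    # An empty list means no constrained delegation targets are set.
    'Delegation: no delegation targets configured'
}
```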