Apache Reverse Proxy with Kerberos SSO

phivuu-2
Confirmed Champ

I have successfully configured Kerberos and generated SPN + Keytabs to work when the Reverse Proxy is disabled. However I want it to work with the reverse proxy. From what I understand, I need to generate new SPN + Keytabs for the proxy DNS. Alfresco server runs on the same server as Apache reverse server.

Do I need to reconfigure anything in krb5.ini, java.login.config or share-config-custom.xml?

  • krb5.ini: Points to the AD server
  • java.login.config: Currently points to the alfresco server which runs apache reverse proxy (not using the proxy DNS).
  • share-config-custom.xml: Kerberos endpoint-spn points to the alfresco server which runs apache reverse proxy (not using the proxy DNS). Remote section uses localhost.

The proxy DNS is alfrescotest.jonkoping.se. Are the commands correct or did I add one .jonkoping.se too many?

setspn -a cifs/alfrescotest.jonkoping.se alfrescocifs
setspn -a cifs/alfrescotest.jonkoping.se.jonkoping.se alfrescocifs
setspn -a HTTP/alfrescotest.jonkoping.se alfrescohttp
setspn -a HTTP/alfrescotest.jonkoping.se.jonkoping.se alfrescohttp

ktpass -princ cifs/alfrescotest.jonkoping.se.jonkoping.se@jonkoping.se -pass Password -mapuser jonkoping\alfrescocifs -crypto ALL -ptype KRB5_NT_PRINCIPAL -out d:\temp\alfrescocifs.keytab -kvno 0

ktpass -princ HTTP/alfrescotest.jonkoping.se.jonkoping.se@jonkoping.se -pass Password -mapuser jonkoping\alfrescohttp -crypto ALL -ptype KRB5_NT_PRINCIPAL -out d:\temp\alfrescohttp.keytab -kvno 0

Lastly, do I need to configure anything in Apache httpd.conf to forward the headers to the alfresco repository?

1 ACCEPTED ANSWER

Yes, this link was also somewhat helpful: https://docs.alfresco.com/sso/topics/kerberos.html
Here are my notes:

1. If there is a reverse proxy, make sure it's used to create the SPN and Kerberos keytabs.
Example: Proxy DNS alfresco.example.com Realm: EXAMPLE.COM
setspn -a HTTP/alfresco.example.com alfrescohttp
ktpass -princ HTTP/alfresco.example.com@EXAMPLE.COM -pass Password -mapuser example\alfrescohttp -crypto ALL -ptype KRB5_NT_PRINCIPAL -out d:\temp\alfrescohttp.keytab -kvno 0
2. Make sure the AlfrescoHTTP and AlfrescoCIFS AD users can be found in Alfresco after a sync.
3. krb5.ini - Point at the AD server here.
4. share-config-custom.xml - Make sure endpoint-spn is pointed to the reverse proxy DNS if there is one.
5. No Kerberos module should be needed for the Reverse Proxy. It should forward the Kerberos headers to the alfresco repository for authentication if the SPN and keytabs are created with the proxy DNS.
6. java/lib/security/java.login.config - Make sure the principal is pointed to the reverse proxy DNS.
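The whole answer comes down to one invariant: the SPN registered in AD, the principal baked into the keytab, the endpoint-spn in share-config-custom.xml and the principal in java.login.config must all name the proxy hostname, once, with the realm in upper case. The Python script below is an added example (not code from this thread or from Alfresco) that reads those three sources and reports every principal that disagrees with the proxy hostname. It assumes the proxy host alfrescotest.jonkoping.se and realm JONKOPING.SE from the question; the share-config-custom.xml and java.login.config snippets are constructed samples modelled on the Alfresco Kerberos docs, the hostname alfrescoserver01.jonkoping.se in the JAAS sample is invented to show a mismatch, and the function names (check_principal, audit and the rest) are the example's own. Run against the question's own setspn/ktpass lines it flags the doubled .jonkoping.se suffix and the lower-case realm, which is what the answer's HTTP/alfresco.example.com@EXAMPLE.COM example avoids.

```python
"""Consistency check for Kerberos service principals behind a reverse proxy.

Added example, not from the thread or from Alfresco. Every place that names the
HTTP/cifs service principal must agree on the proxy hostname and the realm:
the setspn/ktpass commands run in AD, <endpoint-spn> in share-config-custom.xml
and principal="..." in java.login.config.
"""
import re
import xml.etree.ElementTree as ET

# Assumed values, taken from the question in the thread.
PROXY_HOST = "alfrescotest.jonkoping.se"
REALM = "JONKOPING.SE"

# service/host with an optional @REALM
PRINCIPAL_RE = re.compile(r"^([A-Za-z]+)/([^@\s]+)(?:@(\S+))?$")


def check_principal(principal, proxy_host=PROXY_HOST, realm=REALM):
    """Return the problems found in one service/host[@REALM] string (empty list = OK)."""
    m = PRINCIPAL_RE.match(principal)
    if not m:
        return [f"{principal!r}: not of the form service/host[@REALM]"]
    _service, host, princ_realm = m.groups()
    problems = []
    if host.lower() != proxy_host.lower():
        if host.lower() == f"{proxy_host}.{realm}".lower():
            problems.append(f"{principal!r}: domain suffix appended twice, expected host {proxy_host}")
        else:
            problems.append(f"{principal!r}: host {host} is not the proxy hostname {proxy_host}")
    # Kerberos realms are case-sensitive; AD realms are upper case.
    if princ_realm is not None and princ_realm != realm:
        if princ_realm.upper() == realm.upper():
            problems.append(f"{principal!r}: realm must be upper case ({realm})")
        else:
            problems.append(f"{principal!r}: realm {princ_realm} is not {realm}")
    return problems


def spns_from_commands(text):
    """Pull the principal out of each setspn -a <SPN> <account> / ktpass -princ <SPN> line."""
    found = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0].lower() == "setspn" and len(tokens) >= 3:
            found.append(tokens[2])
        elif tokens[0].lower() == "ktpass" and "-princ" in tokens:
            found.append(tokens[tokens.index("-princ") + 1])
    return found


def endpoint_spn_from_share_config(xml_text):
    """Read <endpoint-spn> from the condition="Kerberos" block of share-config-custom.xml."""
    root = ET.fromstring(xml_text)
    for cfg in root.iter("config"):
        if cfg.get("condition") == "Kerberos":
            node = cfg.find("endpoint-spn")
            return node.text.strip() if node is not None and node.text else None
    return None


def principals_from_jaas(text):
    """Collect every principal="..." value from java.login.config."""
    return re.findall(r'principal\s*=\s*"([^"]+)"', text)


def audit(commands, share_xml, jaas, proxy_host=PROXY_HOST, realm=REALM):
    """Map each configuration source to its list of problems; all empty means consistent."""
    report = {"ad-commands": [p for s in spns_from_commands(commands)
                              for p in check_principal(s, proxy_host, realm)]}
    spn = endpoint_spn_from_share_config(share_xml)
    report["share-config-custom.xml"] = (check_principal(spn, proxy_host, realm)
                                         if spn else ["endpoint-spn missing"])
    report["java.login.config"] = [p for s in principals_from_jaas(jaas)
                                   for p in check_principal(s, proxy_host, realm)]
    return report


# Constructed sample inputs: the question's own AD commands, a share-config-custom.xml
# block that is correct, and a JAAS entry still pointing at an (invented) internal host.
SAMPLE_COMMANDS = r"""
setspn -a cifs/alfrescotest.jonkoping.se alfrescocifs
setspn -a cifs/alfrescotest.jonkoping.se.jonkoping.se alfrescocifs
setspn -a HTTP/alfrescotest.jonkoping.se alfrescohttp
setspn -a HTTP/alfrescotest.jonkoping.se.jonkoping.se alfrescohttp
ktpass -princ HTTP/alfrescotest.jonkoping.se.jonkoping.se@jonkoping.se -pass Password -mapuser jonkoping\alfrescohttp -crypto ALL -ptype KRB5_NT_PRINCIPAL -out d:\temp\alfrescohttp.keytab -kvno 0
"""
SAMPLE_SHARE_CONFIG = """<alfresco-config>
  <config evaluator="string-compare" condition="Kerberos">
    <realm>JONKOPING.SE</realm>
    <endpoint-spn>HTTP/alfrescotest.jonkoping.se@JONKOPING.SE</endpoint-spn>
    <config-entry>ShareHTTP</config-entry>
  </config>
</alfresco-config>"""
SAMPLE_JAAS = """
AlfrescoHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="D:/temp/alfrescohttp.keytab"
   principal="HTTP/alfrescoserver01.jonkoping.se";
};
"""

if __name__ == "__main__":
    for source, problems in audit(SAMPLE_COMMANDS, SAMPLE_SHARE_CONFIG, SAMPLE_JAAS).items():
        print(f"{source}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Feed it the real files from the Alfresco host and the transcript of the setspn/ktpass session; a clean run means every component will look for, and hold, a ticket for the same HTTP/<proxy-host>@REALM service, which is what lets the browser's Negotiate header pass straight through the proxy to the repository without any Kerberos module in Apache.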


3 REPLIES

c-0815
Champ in-the-making

I have the same problem. Have you found a solution in the meantime?

regards

Ralph


c-0815
Champ in-the-making

Thank you. Now it works.

kind regards

Ralph