Hyland Community
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Could we make the kerberos users alfrescocifs and alfrescohttp to allow customers to have several alfresco instances (e.g: test, validation and production environments) authenticate against the same AD server

tanmaysalve
Champ on-the-rise
Champ on-the-rise

‎08-16-2017 07:33 AM

Two Instances:

UAT (ip1), PROD(ip2)

Steps Performed:

First kerberos configuration on UAT - successful

Second kerberos configuration on PROD - successful

then,

On UAT,

when, 1.1.1.1:8080/share, it gives cannot found.

alfresco and share application throws exception.

Reason:

****-**-** **:**:**,925 ERROR [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [localhost-startStop-1] HTTP Kerberos web filter error
javax.security.auth.login.LoginException: Client not found in Kerberos database (6)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.access$000(Unknown Source)
at javax.security.auth.login.LoginContext$4.run(Unknown Source)
at javax.security.auth.login.LoginContext$4.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
at javax.security.auth.login.LoginContext.login(Unknown Source)
at org.alfresco.repo.webdav.auth.BaseKerberosAuthenticationFilter.init(BaseKerberosAuthenticationFilter.java:189)
at org.alfresco.web.app.servlet.KerberosAuthenticationFilter.init(KerberosAuthenticationFilter.java:63)
at org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter.afterPropertiesSet(BaseSSOAuthenticationFilter.java:153)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1573)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1511)
at .

.

.

.

.

.

.

.

.

.org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:938)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:479)
at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:410)
at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:306)
at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:112)
at org.alfresco.web.app.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:70)
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:5016)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5524)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:649)
at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1859)
at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: KrbException: Client not found in Kerberos database (6)
at sun.security.krb5.KrbAsRep.<init>(Unknown Source)
at sun.security.krb5.KrbAsReqBuilder.send(Unknown Source)
at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
... 65 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(Unknown Source)
at sun.security.krb5.internal.ASRep.init(Unknown Source)
at sun.security.krb5.internal.ASRep.<init>(Unknown Source)
... 68 more

Labels:
0 Kudos
2 REPLIES 2

afaust
Legendary Innovator
Legendary Innovator

‎08-16-2017 09:32 AM

You cannot use Kerberos on an IP-based host. Give UAT a proper domain name and use that to address it, and it should work with Kerberos (provided you set up the SPN in AD as well).

Also, make sure that the user has the SPNs for all the relevant systems, and use the most up-to-date keytab for all systems. Ideally, you would create separate system users in AD for each environment and only have them associated with the SPNs of their environment.

0 Kudos

tanmaysalve
Champ on-the-rise
Champ on-the-rise
In response to afaust

‎08-16-2017 10:01 AM

Hi Axel,

Thanks for your reply

We only have two kerberos users alfrescohttp and alfrescocifs currently which worked for one host server (UAT), then we ran the ktpass command which change the principal name with a different host(prod) for the same mentioned kerberos users. It worked for prod but stopped working for UAT (which is obvious)

We are supposed to run several instances of alfresco in our organisation and it would be difficult to manage creation of these users again and again.

Hence I need to know if there is a way out where we can use the same users for several alfresco instances to authenticate against the same AD server though not recommended

0 Kudos
Getting started

Explore our Alfresco products with the links below. Use labels to filter content by product module.

Copyright © 2024 Khoros, LLC