01-14-2021 01:28 AM
Hi guys. I'm trying to set up Kerberos + SSO on alfresco 5.2 server based on this tutorial https://hub.alfresco.com/t5/alfresco-content-services-hub/configuring-the-cifs-and-web-servers-for-k....
But I'm getting
ERROR [org.alfresco.web.site.servlet.SSOAuthenticationFilter] [localhost-startStop-1] HTTP Kerberos web filter error
javax.security.auth.login.LoginException: Unable to obtain password from user
Any
I've created AD users myalfcifs and myalfhttp and enabled the "Do not require Kerberos preauthentication" option in Account Options. Created key tables with
ktpass -princ cifs/alfresco.mycomp.com@MYCOMP.COM -pass D password1 -mapuser mycomp\myalfcifs -crypto all -ptype KRB5_NT_PRINCIPAL -out c:\temp\myalfcifs.keytab -kvno 0
and
ktpass -princ HTTP/alfresco.mycomp.com@MYCOMP.COM -pass D password2 -mapuser mycomp\myalfhttp -crypto all -ptype KRB5_NT_PRINCIPAL -out c:\temp\myalfhttp.keytab -kvno 0
Created SPN
setspn -a cifs/alfresco myalfcifs
setspn -a cifs/alfresco myalfhttp
I'm not sure whether I should use my usernames myalfcifs/myalfhttp instead of AlfrescoCIFS/HTTP in java.login.config (tried both ways with no difference)
AlfrescoCIFS {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
keyTab="/etc/keys/myalfcifs.keytab"
principal="cifs/alfresco.mycomp.com";
};
related alfresco-global.properties configuration:
authentication.chain=ldap1:ldap-ad,kerberos1:kerberos
ntlm.authentication.sso.enabled=false
ntlm.authentication.browser.ticketLogons=true
ldap.authentication.active=false
ldap.authentication.userNameFormat=%s
ldap.authentication.allowGuestLogin=false
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://dc.mycomp.com:389
synchronization.synchronizeChangesOnly=false
synchronization.import.cron=0 2 * * * ?
synchronization.syncWhenMissingPeopleLogIn=true
synchronization.autoCreatePeopleOnLogin=true
ldap.synchronization.active=true
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=user_alfresco@mycomp.com
ldap.synchronization.java.naming.security.credentials=Password
ldap.synchronization.groupSearchBase=dc\=mycomp,dc\=com
ldap.synchronization.userSearchBase=dc\=mycomp,dc\=com
### Kerberos properties ###
kerberos.authentication.sso.enabled=true
kerberos.authentication.defaultAdministratorUserNames=admin
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.cifs.configEntryName=myalfcifs
kerberos.authentication.cifs.password=password1
kerberos.authentication.http.configEntryName=myalfhttp
kerberos.authentication.http.password=password2
kerberos.authentication.authenticateCIFS=true
kerberos.authentication.realm=MYCOMP.COM
kerberos.authentication.stripUsernameSuffix=true
kerberos.authentication.browser.ticketLogons=true
kerberos.authentication.sso.fallback.enabled=true
share-config-custom.xml Kerberos settings:
<!-- To enable kerberos rename this condition to "Kerberos" -->
<config evaluator="string-compare" condition="Kerberos" replace="true">
<kerberos>
<password>password2</password>
<realm>MYCOMP.COM</realm>
<endpoint-spn>HTTP/alfresco.mycomp.com@MYCOMP.COM</endpoint-spn>
<config-entry>ShareHTTP</config-entry>
<stripUserNameSuffix>true</stripUserNameSuffix>
</kerberos>
</config>
+ uncommented <config evaluator="string-compare" condition="Remote"> sections
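The JAAS entry above names principal="cifs/alfresco.mycomp.com" (realm left to the default) while the keytab was generated for cifs/alfresco.mycomp.com@MYCOMP.COM, and Krb5LoginModule reports "Unable to obtain password from user" when it cannot load a key for that principal from the keytab and no password is obtained by other means. A useful first check is therefore whether the keytab on the Alfresco host actually contains an entry whose principal, realm included, equals the one the JAAS entry names. The script below is an added example, not part of the original post or of Alfresco: it parses the standard keytab file format (version 0x0502, as written by ktpass, kadmin and ktutil), lists principal, kvno and enctype per entry, and compares them against a JAAS principal with the default realm appended when missing. The function names, the constructed sample keytab and its key bytes are all assumptions made for the example.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Added example (hypothetical helper names): parse a keytab file and check that the
# principal a JAAS Krb5LoginModule entry names is really present in it.

@dataclass
class KeytabEntry:
    principal: str   # components joined by "/" plus "@REALM"
    name_type: int   # 1 == KRB5_NT_PRINCIPAL, the type ktpass -ptype KRB5_NT_PRINCIPAL writes
    kvno: int
    enctype: int     # e.g. 23 = rc4-hmac, 18 = aes256-cts-hmac-sha1-96
    timestamp: int


def _counted(data: bytes, off: int) -> Tuple[bytes, int]:
    """Read a big-endian uint16 length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    return data[off:off + n], off + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse keytab format version 0x0502 into a list of entries (key material is dropped)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab file format version 0x0502 is handled here")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                     # a negative size marks a deleted slot: skip it
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", data, off)
        off += 2
        _key, off = _counted(data, off)  # the key itself is not needed for this check
        kvno = vno8
        if end - off >= 4:               # optional 32-bit kvno overrides the 8-bit field
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, kvno, enctype, ts))
    return entries


def build_keytab(specs: List[Tuple[str, int, int, bytes]]) -> bytes:
    """Build a 0x0502 keytab from (principal@REALM, kvno, enctype, key) tuples (test data only)."""
    out = bytearray(b"\x05\x02")
    for princ, kvno, enctype, key in specs:
        name, realm = princ.split("@")
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp 0, vno8
        body += struct.pack(">H", enctype) + struct.pack(">H", len(key)) + key
        body += struct.pack(">I", kvno)                  # 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_jaas_principal(jaas_principal: str, entries: List[KeytabEntry],
                         default_realm: str) -> Tuple[bool, str]:
    """Report whether the JAAS principal (realm-qualified via default_realm) has keytab keys."""
    full = jaas_principal if "@" in jaas_principal else f"{jaas_principal}@{default_realm}"
    matches = [e for e in entries if e.principal == full]
    if not matches:
        present = sorted({e.principal for e in entries})
        return False, f"no keytab entry for {full}; keytab holds {present}"
    detail = ", ".join(f"kvno={e.kvno} enctype={e.enctype}" for e in matches)
    return True, f"{full} found: {detail}"


# Constructed sample keytab: only the CIFS service principal, two enctypes, kvno 3.
SAMPLE_KEYTAB = build_keytab([
    ("cifs/alfresco.mycomp.com@MYCOMP.COM", 3, 23, b"\x11" * 16),
    ("cifs/alfresco.mycomp.com@MYCOMP.COM", 3, 18, b"\x22" * 32),
])

if __name__ == "__main__":
    # On a real host: entries = parse_keytab(open("/etc/keys/myalfcifs.keytab", "rb").read())
    entries = parse_keytab(SAMPLE_KEYTAB)
    for p in ("cifs/alfresco.mycomp.com", "HTTP/alfresco.mycomp.com"):
        print(check_jaas_principal(p, entries, "MYCOMP.COM"))
```

Run it against each keytab the JAAS file references; a False result for the principal string in java.login.config (after the default realm from krb5.conf is appended) means Krb5LoginModule has no key to use from that file, and a kvno that differs from what the KDC currently holds for the account is the next thing to compare.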