Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Hyland Connect
- Enterprise Platforms
- Alfresco
- Alfresco Archive
- Re: Kerberos + Active Directory
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Kerberos + Active Directory
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-25-2014 01:06 PM
First… Sorry my english!!!!!!!!!
Hi comuninity,
I want to access Share automatically using Kerberos SSO with my domain users. I can access Alfresco with SSO, but not Share.
Servers: All the machines are in my domain MIDOMINIO.NET
* w2008alfresco - (Alfresco) Windows Server 2008 R2
* AD01 - (Active Directory) Windows Server 2008 R2
* clientexp - (Maquina cliente) - Windows XP SP3 / Internet Explorer 6 / Firefox 28
* cliente01 (Maquina cliente) - Windows 7 / Internet Explorer 11 / Firefox 28
1) In my active directory AD01 i create the user 'alfrescohttp'
- Not requiere previous kerberos authentication
- Password never expires
2) In active directory AD01 I execute
3) I copy keytab in alfresco server (w2008alfresco)
4) I execute in AD01
5) Configuration C:\Windows\krb5.ini (Server w2008alfresco)
6) I create java.login.config in C:/Alfresco/java/jre/lib/security (w2008alfresco machine)
7) I change the line in file C:/Alfresco/java/jre/lib/security/java.security (w2008alfresco machine)
Add the sities http://w2008alfresco and http://w2008alfresco.midominio.net in internet explorer. Intranet zone on the client machines. Login automatic with name and password checked.
😎 Rename the file share-config-custom.xml.sample to share-config-custom.xml
9) Uncomment the "Remote" seccions
10) Replace KerberosDisables to Kerberos with the next data
11) In active directory, in the user alfrescohttop properties, i checked "Trust this user for delegation to any service (Kerberos only)"
12) Firefox configuration
13) alfresco.properties
When i want to access, a dialog appears and the log is:
Hi comuninity,
I want to access Share automatically using Kerberos SSO with my domain users. I can access Alfresco with SSO, but not Share.
Servers: All the machines are in my domain MIDOMINIO.NET
* w2008alfresco - (Alfresco) Windows Server 2008 R2
* AD01 - (Active Directory) Windows Server 2008 R2
* clientexp - (Maquina cliente) - Windows XP SP3 / Internet Explorer 6 / Firefox 28
* cliente01 (Maquina cliente) - Windows 7 / Internet Explorer 11 / Firefox 28
1) In my active directory AD01 i create the user 'alfrescohttp'
- Not requiere previous kerberos authentication
- Password never expires
2) In active directory AD01 I execute
ktpass -princ HTTP/w2008alfresco.midominio.net@MIDOMINIO.NET -pass MIPASSWORD -mapuser midominio\alfrescohttp -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out c:\temp\alfrescohttp.keytab -kvno 03) I copy keytab in alfresco server (w2008alfresco)
4) I execute in AD01
setspn -a HTTP/W2008ALFRESCO alfrescohttp
setspn -a HTTP/W2008ALFRESCO.midominio.net alfrescohttp
5) Configuration C:\Windows\krb5.ini (Server w2008alfresco)
[libdefaults]
default_realm = MIDOMINIO.NET
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
[realms]
MIDOMINIO.NET = {
kdc = ad01.midominio.net
admin_server = ad01.midominio.net
}
[domain_realm]
ad01.midominio.net = MIDOMINIO.NET
.ad01.midominio.net = MIDOMINIO.NET
6) I create java.login.config in C:/Alfresco/java/jre/lib/security (w2008alfresco machine)
Alfresco {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};
AlfrescoHTTP
{
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
keyTab="C:/Alfresco/keytab/alfrescohttp.keytab"
principal="HTTP/W2008ALFRESCO.midominio.net";
};
ShareHTTP
{
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
keyTab="C:/Alfresco/keytab/alfrescohttp.keytab"
principal="HTTP/W2008ALFRESCO.midominio.net";
};
com.sun.net.ssl.client {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};
other {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};
7) I change the line in file C:/Alfresco/java/jre/lib/security/java.security (w2008alfresco machine)
login.config.url.1=file:C:/Alfresco/java/jre/lib/security/java.login.config
Add the sities http://w2008alfresco and http://w2008alfresco.midominio.net in internet explorer. Intranet zone on the client machines. Login automatic with name and password checked.
😎 Rename the file share-config-custom.xml.sample to share-config-custom.xml
9) Uncomment the "Remote" seccions
10) Replace KerberosDisables to Kerberos with the next data
<config evaluator="string-compare" condition="Kerberos" replace="true">
<kerberos>
<password>MIPASSWORD</password>
<realm>MIDOMINIO.NET</realm>
<endpoint-spn>HTTP/w2008ALFRESCO.midominio.net@MIDOMINIO.NET</endpoint-spn>
<config-entry>ShareHTTP</config-entry>
</kerberos>
</config>
11) In active directory, in the user alfrescohttop properties, i checked "Trust this user for delegation to any service (Kerberos only)"
12) Firefox configuration
network.negotiate-auth.delegation-uris
network.negotiate-auth.trusted-uris
network.negotiate-auth.using-native-gsslib13) alfresco.properties
authentication.chain=kerberos1:kerberos,alfrescoNtlm1:alfrescoNtlm
kerberos.authentication.realm=MIDOMINIO.NET
kerberos.authentication.sso.enabled=true
kerberos.authentication.authenticateCIFS=false
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.http.password=MIPASSWORD
kerberos.authentication.defaultAdministratorUserNames=admin
kerberos.authentication.stripUsernameSuffix=true
When i want to access, a dialog appears and the log is:
Search Subject for Kerberos V5 ACCEPT cred (HTTP/W2008ALFRESCO.midominio.net@MIDOMINIO.NET, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab
Found KerberosKey for HTTP/W2008ALFRESCO.midominio.net@MIDOMINIO.NET
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 17 16 23 1 3.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
System time adjusted
object 0: 1398444344146/146721
replay cache found.
>>> KrbApReq: authenticate succeed.
Krb5Context setting peerSeqNumber to: 1290115219
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Krb5Context setting mySeqNumber to: 75067258
2014-04-25 13:45:44,053 WARN [site.servlet.KerberosSessionSetupPrivilegedAction] [http-apr-8080-exec-9] credentials can not be delegated!
Labels:
- Labels:
-
Archive
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-05-2014 11:48 AM
I think you are missing share-config-custom.xml configuration on Share. Take a look at http://docs.alfresco.com/4.2/index.jsp?topic=%2Fcom.alfresco.enterprise.doc%2Ftasks%2Fauth-kerberos-...
Hyland Developer Evangelist
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-05-2014 01:47 PM
I did….
I didnt write the remote sections here. They are same as the http://docs.alfresco.com/4.2/index.jsp?topic=%2Fcom.alfresco.enterprise.doc%2Ftasks%2Fauth-kerberos-... page.
In my first post
Quote:
😎 Rename the file share-config-custom.xml.sample to share-config-custom.xml
9) Uncomment the "Remote" seccions
10) Replace KerberosDisables to Kerberos with the next data
I didnt write the remote sections here. They are same as the http://docs.alfresco.com/4.2/index.jsp?topic=%2Fcom.alfresco.enterprise.doc%2Ftasks%2Fauth-kerberos-... page.
In my first post
Quote:
😎 Rename the file share-config-custom.xml.sample to share-config-custom.xml
9) Uncomment the "Remote" seccions
10) Replace KerberosDisables to Kerberos with the next data
<config evaluator="string-compare" condition="Kerberos" replace="true">
<kerberos>
<password>MIPASSWORD</password>
<realm>MIDOMINIO.NET</realm>
<endpoint-spn>HTTP/w2008ALFRESCO.midominio.net@MIDOMINIO.NET</endpoint-spn>
<config-entry>ShareHTTP</config-entry>
</kerberos>
</config>
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-16-2019 12:46 PM
I have the same issue on alfresco 4.1.4. Did you ever get this sorted?!
Related Content
- ldapS configuration for samba-ad in Alfresco Forum
- Authentication and synchronisation of Alfresco 23 with Active Directory in Alfresco Forum
- Alfresco Community Edition 23.2 Release Notes in Alfresco Blog
- Active Directory LDAP being polled by Alfresco millions of times per day in Alfresco Forum
- How to Switch from LDAP to Active DIrectory for Authentication in Alfresco Forum
Getting started
Tags
Find what you came for
We want to make your experience in Hyland Connect as valuable as possible, so we put together some helpful links.
