Kerberos configuration problem (Labs 3Stable)

bramthielemans
Champ in-the-making
Hi

We're having some problems setting up Kerberos for a SSO configuration.

We've followed the procedures on http://wiki.alfresco.com/wiki/Configuring_the_CIFS_and_web_servers_for_Kerberos/AD_integration and http://wiki.alfresco.com/wiki/Enterprise_Security_and_Authentication_Configuration#JAAS_-_Java_Authe... to set up JAAS + Kerberos, as a preparation before the actual SSO configuration, but we're running into some problems.

I'll describe the steps we've taken so far:

1. Enabled and modified the jaas-authentication-context.xml file
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>

<beans>
      
    <bean id="authenticationComponent"
                 class="org.alfresco.repo.security.authentication.jaas.JAASAuthenticationComponent">
        <property name="realm">
            <value>NEFRA.PARAS</value>
        </property>
        <property name="jaasConfigEntryName">
            <value>AlfrescoHTTP</value>
        </property>
    </bean>
   
    <bean name="authenticationDao" class="org.alfresco.repo.security.authentication.DefaultMutableAuthenticationDao" >
        <property name="allowDeleteUser">
            <value>true</value>
        </property>
    </bean>   

</beans>

2. Edited the java.login.config file in C:\Program Files\Java\jdk1.6.0_14\jre\lib\security
Alfresco {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

com.sun.net.ssl.client {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

other {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

AlfrescoHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="C:/etc/alfrescohttp.keytab"
   principal="HTTP/nef-alfresco.nefra.paras.org";
};
(I'm not 100% sure if this is the value we specified for the principal, I don't have access to the file atm)

3. Added the following line to the java.security file in the same folder as java.login.config file.
login.config.url.1=file:${java.home}/lib/security/java.login.config

4. Put the krb5.ini file under C:\Windows

5. Put the alfrescohttp.keytab file under C:\etc\alfrescohttp.keytab
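An added pre-flight check for steps 2 and 5, written for this edit and not code from the thread or from Alfresco: it parses a java.login.config-style file and an MIT-format (0x0502) keytab and reports whether the AlfrescoHTTP entry is usable (Krb5LoginModule flagged required, useKeyTab and storeKey set, and the configured principal actually present in the keytab) without ever printing key material. The JAAS text, the keytab bytes, the kvno and the enctype number (23, rc4-hmac, which Windows 2003 domains commonly use) are constructed sample data; point it at the real C:/etc/alfrescohttp.keytab and java.login.config to settle the "which principal did we put in the file" question raised in the post.

```python
"""Check a JAAS Krb5LoginModule entry against its keytab (added example, constructed data)."""
import re
import struct


def parse_jaas_config(text):
    """Parse JAAS login config text into {entry: [(module, flag, {option: value})]}.

    Options are whitespace separated, so quoted values containing spaces are not handled.
    """
    entries = {}
    for name, body in re.findall(r'([\w.]+)\s*\{(.*?)\};', text, re.S):
        modules = []
        for stmt in body.split(';'):
            tokens = stmt.split()
            if not tokens:
                continue
            module, flag, options = tokens[0], tokens[1].lower(), {}
            for tok in tokens[2:]:
                key, _, value = tok.partition('=')
                options[key] = value.strip('"')
            modules.append((module, flag, options))
        entries[name] = modules
    return entries


def _counted(data, pos):
    """Read a 16-bit length-prefixed byte string; return (bytes, new position)."""
    (length,) = struct.unpack_from('>H', data, pos)
    return data[pos + 2:pos + 2 + length], pos + 2 + length


def parse_keytab(data):
    """Return [(principal, kvno, enctype)] for every live entry in a version-2 keytab."""
    if data[:2] != b'\x05\x02':
        raise ValueError('not a version 0x0502 keytab')
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from('>i', data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from('>H', data, pos)
        pos += 2
        realm, pos = _counted(data, pos)  # realm is not counted in ncomp for 0x0502
        components = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            components.append(comp.decode())
        pos += 8                          # uint32 name_type + uint32 timestamp
        vno8 = data[pos]
        pos += 1
        (enctype,) = struct.unpack_from('>H', data, pos)
        pos += 2
        _key, pos = _counted(data, pos)   # key material is skipped, never reported
        kvno = vno8
        if end - pos >= 4:                # optional 32-bit kvno; a nonzero value wins
            (vno32,) = struct.unpack_from('>I', data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append(('/'.join(components) + '@' + realm.decode(), kvno, enctype))
    return entries


def build_keytab(entries):
    """Build a 0x0502 keytab from [(principal, kvno, enctype, key)]; only for constructing sample data."""
    out = b'\x05\x02'
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit('@', 1)
        components = name.split('/')
        body = struct.pack('>H', len(components))
        for s in [realm] + components:
            body += struct.pack('>H', len(s)) + s.encode()
        body += struct.pack('>II', 1, 0)  # name_type KRB5_NT_PRINCIPAL, timestamp 0
        body += struct.pack('>BHH', kvno & 0xff, enctype, len(key)) + key
        body += struct.pack('>I', kvno)
        out += struct.pack('>i', len(body)) + body
    return out


def check_login_entry(jaas_text, keytab_data, entry_name):
    """Return a list of problems; an empty list means the entry and the keytab agree."""
    modules = parse_jaas_config(jaas_text).get(entry_name)
    if not modules:
        return ['no JAAS entry named ' + entry_name]
    krb5 = [m for m in modules if m[0].endswith('Krb5LoginModule')]
    if not krb5:
        return ['entry %s has no Krb5LoginModule' % entry_name]
    _module, flag, options = krb5[0]
    problems = []
    if flag != 'required':
        problems.append('Krb5LoginModule flag is %s, expected required' % flag)
    for opt in ('useKeyTab', 'storeKey'):
        if options.get(opt) != 'true':
            problems.append(opt + ' is not true')
    principal = options.get('principal')
    if not principal:
        problems.append('no principal set')
        return problems
    # A principal written without @REALM (realm comes from krb5.ini) is compared on its name part only.
    names = {p if '@' in principal else p.rsplit('@', 1)[0] for p, _, _ in parse_keytab(keytab_data)}
    if principal not in names:
        problems.append('principal %s not in keytab (found: %s)' % (principal, ', '.join(sorted(names))))
    return problems


# Constructed sample data mirroring the thread's entries; the key bytes are dummies.
JAAS_CONFIG = """
Alfresco {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

AlfrescoHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="C:/etc/alfrescohttp.keytab"
   principal="HTTP/nef-alfresco.nefra.paras.org";
};
"""
SAMPLE_KEYTAB = build_keytab([('HTTP/nef-alfresco.nefra.paras.org@NEFRA.PARAS', 3, 23, b'\x11' * 16)])

if __name__ == '__main__':
    print(check_login_entry(JAAS_CONFIG, SAMPLE_KEYTAB, 'AlfrescoHTTP'))  # []
    print(check_login_entry(JAAS_CONFIG, SAMPLE_KEYTAB, 'Alfresco'))      # four problems
```

To run it against a real deployment, replace JAAS_CONFIG with the contents of java.login.config and SAMPLE_KEYTAB with open(path, 'rb').read(); the keytab parser deliberately never returns the key bytes, so its output is safe to paste into a ticket.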


When we start alfresco, we cannot login with any user credentials that should be valid for the Active Directory. We've then tried to set up the Kerberos authentication filter for the web client in Alfresco web.xml file.
<filter>
    <filter-name>Authentication Filter</filter-name>
    <filter-class>org.alfresco.web.app.servlet.KerberosAuthenticationFilter</filter-class>
    <init-param>
        <param-name>KDC</param-name>
        <param-value>root2.paras.org:88</param-value>
    </init-param>
        <init-param>
            <param-name>Realm</param-name>
            <param-value>NEFRA.PARAS</param-value>
        </init-param>
    <init-param>
        <param-name>Password</param-name>
        <param-value>password</param-value>
    </init-param>
    <init-param>
        <param-name>Principal</param-name>
        <param-value>alfrescouser</param-value>
    </init-param>
</filter>

But then we get an error message when starting Alfresco:
javax.servlet.ServletException: Failed to get local server name
         at org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter.init(BaseSSOAuthenticationFilter.java:220).


After which Alfresco shuts down.

I've found a JIRA entry about the same error: https://issues.alfresco.com/jira/browse/ETHREEOH-2584. But I don't think this is the problem since:
- The affects version specified is 3.1 SP1, we're running Labs 3Stable (which is equivalent to 3.0.1, I think)
- The BaseSSOAuthenticationFilter code snippet in the JIRA entry doesn't match that of the 3Stable one.

Some extra info:
We're running Alfresco Labs 3Stable on a Windows 2003 server.
We've setup LDAP user synchronization.
We've previously successfully (kind of) used NTLM authentication, but came to the conclusion that NTLM + SSO would not work in our situation.


If anyone has any ideas/suggestions/remarks/…, they are more than welcome :)


Thanks

Bram
3 REPLIES

dward
Champ on-the-rise
This error suggests that your configured CIFS host name cannot be resolved to an IP address

      <host name="${cifs.localname}A" domain="${cifs.domain}"/>

This is probably to do with the fact that NetBIOS isn't enabled and thus \\yourhostA won't resolve. You may have to get the CIFS side working to resolve this.

Now, the weird thing is that this host name resolution stuff in BaseSSOAuthenticationFilter isn't actually required by the Kerberos authentication side. This doesn't appear to be a problem in v3.2 so I would consider upgrading.

bramthielemans
Champ in-the-making
Hmm, ok. Upgrading to a newer version is currently not an option since we haven't tested our AMP developments on newer Alfresco versions.

I guess we'll try to set up CIFS then. I'll let you know if it worked out or not :)


Thanks

Bram

bramthielemans
Champ in-the-making
We've successfully set up Kerberos SSO :)

Turning on CIFS did indeed solve the problem. Thanks for this, dward.