03-08-2018 09:05 AM
I have installed Alfresco Community Edition V5.0.0 on Ubuntu.
After configuring alfresco-global.properties, import of users from AD works very well. After that,
I'm looking to enable Kerberos with Alfresco and Active Directory,
that's why I have followed the documentation, starting with:
Under /etc/ I have filled in the file krb5.conf:
[libdefaults]
default_realm = GCT.COM.TN
## default_tkt_enctypes = rc4-hmac
## default_tgs_enctypes = rc4-hmac
[realms]
GCT.COM.TN = {
kdc = srv-adgctgab.gct.com.tn
admin_server = srv-adgctgab.gct.com.tn
}
[domain_realm]
srv-adgctgab.gct.com.tn = GCT.COM.TN
.srv-adgctgab.gct.com.tn = GCT.COM.TN
Under /opt/alfresco-5.0.d/java/lib/security/ I created a file java.login.config:
Alfresco {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};
AlfrescoCIFS {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
doNotPrompt=true
keyTab="/etc/cifsgedAlfresco.keytab"
principal="cifs/gedAlfrescoA.gct.com.tn";
};
AlfrescoHTTP
{
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
doNotPrompt=true
keyTab="/etc/httpgedAlfresco.keytab"
principal="HTTP/gedAlfresco.gct.com.tn";
};
ShareHTTP
{
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
doNotPrompt=true
keyTab="/etc/httpgedAlfresco.keytab"
principal="HTTP/gedAlfresco.gct.com.tn";
};
com.sun.net.ssl.client {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};
other {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};
I added this line to java/lib/security/java.security: login.config.url.1=file:${java.home}/lib/security/java.login.config
I added the Alfresco web server to the Local Intranet security zone in IE via a GPO.
I updated alfresco-5.0.d/tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml:
<config evaluator="string-compare" condition="Kerberos" replace="true">
<kerberos>
<!--
Password for HTTP service account.
The account name *must* be built from the HTTP server name, in the format :
HTTP/<server_name>@<realm>
(NB this is because the web browser requests an ST for the
HTTP/<server_name> principal in the current realm, so if we're to decode
that ST, it has to match.)
-->
<password>secret</password>
<!--
Kerberos realm and KDC address. -->
<realm>GCT.COM.TN</realm>
<!-- Service Principal Name to use on the repository tier. This must be like: HTTP/host.name@REALM -->
<endpoint-spn>HTTP/gedAlfresco</endpoint-spn>
<!-- JAAS login configuration entry name. -->
<config-entry>ShareHTTP</config-entry>
<!-- A Boolean which when true strips the @domain suffix from Kerberos authenticated usernames.
Use together with stripUsernameSuffix property in alfresco-global.properties file. -->
<stripUserNameSuffix>true</stripUserNameSuffix>
</kerberos>
</config>
I also uncommented
<config evaluator="string-compare" condition="Remote">
In order to enable Kerberos there should be logging, so could you tell me which log file to look at, because alfresco.log doesn't mention the operation? Also, what have I forgotten to configure, or what are the steps to troubleshoot SSO authentication?
Thanks for your time
03-12-2018 11:14 AM
Configuring Kerberos always is a painful experience. You have to be very precise with every configuration, or it will be a mess in the end.
Let me share some tips about the process that I think are missing from your steps.
Install JCE without restrictions
Download JCE Unlimited Strength from Oracle (http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html) and install it on your server
$ unzip jce_policy-8.zip
$ cd UnlimitedJCEPolicyJDK8/
$ cp local_policy.jar /usr/java/jdk1.8.0_111/jre/lib/security/
$ cp US_export_policy.jar /usr/java/jdk1.8.0_111/jre/lib/security/
Double-check names everywhere
If you miss one server name or domain name, the configuration will fail. Double check your domain (GCT.COM.TN) and admin server (srv-adgctgab.gct.com.tn) for every step.
Verify Kerberos client from command line
You can make sure your Kerberos client is working from the server command line and rule out this point of failure.
(Names in the following sample may not be exact.)
$ kinit ADUser@GCT.COM.TN
Password for ADUser@GCT.COM.TN:
$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ADUser@GCT.COM.TN
Valid starting Expires Service principal
31/07/17 09:50:16 31/07/17 19:50:16 krbtgt/GCT.COM.TN@GCT.COM.TN
renew until 01/08/17 09:50:07
$ kdestroy
$ klist -k -t /opt/alfresco/keytab/alfrescohttp.keytab
Keytab name: FILE:/opt/alfresco/keytab/alfrescohttp.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
0 01/01/70 01:00:00 HTTP/gedAlfresco.gct.com.tn@GCT.COM.TN
0 01/01/70 01:00:00 HTTP/gedAlfresco.gct.com.tn@GCT.COM.TN
0 01/01/70 01:00:00 HTTP/gedAlfresco.gct.com.tn@GCT.COM.TN
0 01/01/70 01:00:00 HTTP/gedAlfresco.gct.com.tn@GCT.COM.TN
0 01/01/70 01:00:00 HTTP/gedAlfresco.gct.com.tn@GCT.COM.TN
$ kinit -k -t /opt/alfresco/keytab/alfrescohttp.keytab HTTP/gedAlfresco.gct.com.tn@GCT.COM.TN
$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/gedAlfresco.gct.com.tn@GCT.COM.TN
Valid starting Expires Service principal
02/08/17 14:58:00 03/08/17 00:58:00 krbtgt/GCT.COM.TN@GCT.COM.TN
renew until 03/08/17 14:57:55
Authentication chain in alfresco.war
Verify authentication chain and users configuration in repository.
$ vi /opt/alfresco/tomcat/shared/classes/alfresco-global.properties
authentication.chain=alfinst:alfrescoNtlm,kerberos1:kerberos,ldap1:ldap-ad
# Kerberos
kerberos.authentication.realm=GCT.COM.TN
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.defaultAdministratorUserNames=administrator,admin,adminAlfresco,administrador
kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.cifs.password=xxxxxxxxx
kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.http.password=xxxxxxxxx
kerberos.authentication.sso.enabled=true
Remote section in share.war
Verify your Kerberos credentials and uncomment the remote connector in the Share webapp.
$ vi /opt/alfresco/tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml
<config evaluator="string-compare" condition="Kerberos" replace="true">
<kerberos>
<password>xxxxxxxxx</password>
<realm>GCT.COM.TN</realm>
<endpoint-spn>HTTP/gedAlfresco.gct.com.tn@GCT.COM.TN</endpoint-spn>
<config-entry>ShareHTTP</config-entry>
<stripUserNameSuffix>true</stripUserNameSuffix>
</kerberos>
</config>
<config evaluator="string-compare" condition="Remote">
<remote>
<!--
<ssl-config>
<keystore-path>alfresco/web-extension/alfresco-system.p12</keystore-path>
<keystore-type>pkcs12</keystore-type>
<keystore-password>alfresco-system</keystore-password>
<truststore-path>alfresco/web-extension/ssl-truststore</truststore-path>
<truststore-type>JCEKS</truststore-type>
<truststore-password>password</truststore-password>
<verify-hostname>true</verify-hostname>
</ssl-config>
-->
...
</remote>
</config>
Login for Kerberos and JVM
Your java.login.config and java.security settings look fine.
Include your configuration for Tomcat
You can use the setenv.sh config file:
$ vi /opt/alfresco/tomcat/bin/setenv.sh
JAVA_OPTS="$JAVA_OPTS -Djava.security.krb5.conf=/etc/krb5.conf"
Browsers
It works fine with IE, just add Alfresco Site (http://gedalfresco.gct.com.tn:8080) to Local Intranet option and mark "Automatically logon with current username and password" flag.
Chrome and Firefox will require further configuration: https://docs.alfresco.com/community/concepts/auth-kerberos-clientconfig.html
WARNING: I've included some highlights about Kerberos configuration but probably some paths or names are wrong. Just to include a checkpoint for you in order to validate your installation. Probably you have to find a typo somewhere and it will be done.
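The "double-check names everywhere" advice above can be mechanised. The script below is an added example for this thread, not code from Alfresco or from either poster: it reads the four places the HTTP service principal has to agree (krb5.conf, java.login.config, share-config-custom.xml and the output of `klist -k -t`) and lists every mismatch. Its inputs are constructed from the values in the thread; the keytab listing with its KVNO and timestamp, and the file paths, are assumptions. Run against the share-config-custom.xml as posted in the question (endpoint-spn HTTP/gedAlfresco) it reports three problems; with the HTTP/host.name@REALM form recommended in the answer it reports none.

```python
"""Cross-check the names that must agree in an Alfresco Kerberos SSO setup.

Added example for this thread, not code from Alfresco or from either poster.
Inputs are constructed from values in the thread (realm GCT.COM.TN, host
gedAlfresco.gct.com.tn, JAAS entry ShareHTTP); the keytab KVNO/timestamp in
KLIST_OUTPUT and the file paths are assumptions.
"""
import re
import xml.etree.ElementTree as ET

KRB5_CONF = """
[libdefaults]
default_realm = GCT.COM.TN
[realms]
GCT.COM.TN = { kdc = srv-adgctgab.gct.com.tn }
"""
JAAS_CONF = """
Alfresco { com.sun.security.auth.module.Krb5LoginModule sufficient; };
ShareHTTP { com.sun.security.auth.module.Krb5LoginModule required storeKey=true useKeyTab=true
doNotPrompt=true keyTab="/etc/httpgedAlfresco.keytab" principal="HTTP/gedAlfresco.gct.com.tn"; };
"""
GLOBAL_PROPERTIES = """
kerberos.authentication.realm=GCT.COM.TN
kerberos.authentication.user.configEntryName=Alfresco
"""
# share-config-custom.xml <kerberos> block as posted in the question (short SPN, no realm) ...
SHARE_CONFIG_AS_POSTED = """<alfresco-config>
<config evaluator="string-compare" condition="Kerberos" replace="true"><kerberos>
<realm>GCT.COM.TN</realm><endpoint-spn>HTTP/gedAlfresco</endpoint-spn>
<config-entry>ShareHTTP</config-entry></kerberos></config></alfresco-config>"""
# ... and with the HTTP/host.name@REALM form the answer recommends.
SHARE_CONFIG_FIXED = SHARE_CONFIG_AS_POSTED.replace(
    "HTTP/gedAlfresco<", "HTTP/gedAlfresco.gct.com.tn@GCT.COM.TN<")
KLIST_OUTPUT = """Keytab name: FILE:/etc/httpgedAlfresco.keytab
KVNO Timestamp         Principal
---- ----------------- ----------------------------------------
   3 01/01/70 01:00:00 HTTP/gedAlfresco.gct.com.tn@GCT.COM.TN
"""

def default_realm(krb5_conf):
    m = re.search(r"^\s*default_realm\s*=\s*(\S+)", krb5_conf, re.M)
    return m.group(1) if m else None

def jaas_entries(text):
    """{entry name: {option: value}} for every `Name { ... };` block of java.login.config."""
    return {m.group(1): dict(re.findall(r'(\w+)="?([^"\s;]+)"?', m.group(2)))
            for m in re.finditer(r"(\S+)\s*\{(.*?)\};", text, re.S)}

def properties(text):
    return dict(re.findall(r"^\s*([\w.]+)\s*=\s*(\S*)", text, re.M))

def keytab_principals(klist_text):
    """{principal: kvno} parsed from `klist -k -t` output."""
    return {p: int(k) for k, p in
            re.findall(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s*$", klist_text, re.M)}

def share_kerberos(xml_text):
    """The <kerberos> settings of share-config-custom.xml as a dict."""
    k = ET.fromstring(xml_text).find("./config[@condition='Kerberos']/kerberos")
    return {c.tag: (c.text or "").strip() for c in k}

def split_principal(name, fallback_realm):
    # 'HTTP/host@REALM' -> (service, host, realm); realm defaults when absent
    user, _, realm = name.partition("@")
    service, _, host = user.partition("/")
    return service, host, realm or fallback_realm

def check_names(krb5_conf, jaas_conf, global_props, share_xml, klist_text):
    """Return the mismatches found; an empty list means every name agrees."""
    realm, jaas = default_realm(krb5_conf), jaas_entries(jaas_conf)
    props, share = properties(global_props), share_kerberos(share_xml)
    keytab, problems = keytab_principals(klist_text), []
    spn = share.get("endpoint-spn", "")
    service, host, spn_realm = split_principal(spn, None)
    if service != "HTTP" or "." not in host:
        problems.append(f"endpoint-spn {spn!r} is not HTTP/<fully.qualified.host>")
    if spn_realm is None:
        problems.append(f"endpoint-spn {spn!r} has no @REALM suffix")
    elif spn_realm != share.get("realm"):
        problems.append(f"endpoint-spn realm {spn_realm} != <realm> {share.get('realm')}")
    if share.get("realm") != realm or props.get("kerberos.authentication.realm") != realm:
        problems.append(f"realm settings differ from krb5.conf default_realm {realm}")
    # every JAAS entry named by Share or the repository has to exist in java.login.config
    referenced = {share.get("config-entry")} | {
        v for k, v in props.items() if k.endswith(".configEntryName")}
    problems += [f"JAAS entry {n!r} is referenced but not defined"
                 for n in sorted(n for n in referenced if n) if n not in jaas]
    # the Share entry's principal must name the SPN host and exist in the keytab exactly
    principal = jaas.get(share.get("config-entry"), {}).get("principal")
    if principal:
        _, jhost, jrealm = split_principal(principal, realm)
        if jhost.lower() != host.lower():
            problems.append(f"JAAS principal host {jhost} != endpoint-spn host {host}")
        full = f"{principal.partition('@')[0]}@{jrealm}"
        if full not in keytab:
            problems.append(f"{full} is not in the keytab (case must match exactly)")
    return problems

if __name__ == "__main__":
    for label, cfg in (("as posted", SHARE_CONFIG_AS_POSTED), ("fixed", SHARE_CONFIG_FIXED)):
        found = check_names(KRB5_CONF, JAAS_CONF, GLOBAL_PROPERTIES, cfg, KLIST_OUTPUT)
        print(f"{label}: {len(found)} problem(s)", *found, sep="\n  ")
```

To run it against a real installation, replace the constructed strings with the contents of /etc/krb5.conf, java.login.config, share-config-custom.xml and the captured output of `klist -k -t <keytab>`. The check is deliberately strict about endpoint-spn because the shipped config comment requires the HTTP/host.name@REALM form, and about the keytab principal because the JAAS principal has to match a keytab entry exactly.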
03-12-2018 07:32 AM
Sorry, I cannot understand what's your problem.
What is not working?
03-12-2018 07:56 AM
The first point: I doubt that Kerberos is well configured, because the file 'alfresco.log' doesn't contain any indication of SSO, but synchronization of users from LDAP works very well. That's why I'm looking for the file where the login operation is written.
Second point: it doesn't work as we expect:
the login page should disappear if the user's session on our domain is open.
But the current situation is a login page that lets the user connect to Share with his LDAP credentials.
It requires some investigation of the log file to understand the cause. Thanks
03-12-2018 09:22 AM
Oops, a warning in alfresco.log:
2018-03-12 17:11:58,375 WARN [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] [http-apr-8080-exec-1] NTLM filter, error resolving CIFS host nameGEDALFRESCOA
2018-03-12 17:11:58,376 INFO [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] [http-apr-8080-exec-1] NTLM filter using server name gedAlfresco
FYI: the hostname is gedAlfresco. With the FQDN, http://gedalfresco.gct.com.tn:8080/share/page/ returns "Login authentication failed. Please close and re-open Safari to try again." on Chrome, but the login page appears on IE.
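When a login page appears instead of silent SSO, it helps to know what the browser actually put in its Authorization: Negotiate header before Alfresco's filters handled it (the header can be copied from the browser's developer tools or an intercepting proxy). The classifier below is an added example for this thread, not code from Alfresco or from either poster: it decodes the token and reports whether it is a raw NTLMSSP message, a SPNEGO token offering Kerberos, or a SPNEGO token carrying NTLM, which is what a Windows client sends when it could not obtain a service ticket for the HTTP/ SPN. The three sample headers are constructed here with a tiny DER encoder; their mechToken payloads are stand-ins, not real AP-REQ messages.

```python
"""Tell Kerberos from NTLM in a browser's `Authorization: Negotiate ...` header.

Added example for this thread, not code from Alfresco or from either poster.
The sample headers are constructed here with a minimal DER encoder; their
mechToken payloads are stand-ins, not real Kerberos AP-REQ messages.
"""
import base64

SPNEGO_OID = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2
MSKRB5_OID = bytes.fromhex("2a864882f712010202")      # 1.2.840.48018.1.2.2 (MS legacy Kerberos)
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
OID_NAMES = {KRB5_OID: "Kerberos", MSKRB5_OID: "Kerberos (MS legacy OID)", NTLMSSP_OID: "NTLMSSP"}


def _der(tag, payload):
    """Minimal DER TLV; short-form length suffices for the small samples built here."""
    assert len(payload) < 128
    return bytes([tag, len(payload)]) + payload


def build_spnego(mech_oids, mech_token):
    """GSS-API InitialContextToken wrapping a SPNEGO NegTokenInit (RFC 4178 layout)."""
    mech_types = _der(0xA0, _der(0x30, b"".join(_der(0x06, o) for o in mech_oids)))
    neg_init = _der(0x30, mech_types + _der(0xA2, _der(0x04, mech_token)))
    return _der(0x60, _der(0x06, SPNEGO_OID) + _der(0xA0, neg_init))


def _header(token):
    return "Negotiate " + base64.b64encode(token).decode()

# Constructed samples: a Kerberos-capable client, a client that put NTLM inside
# SPNEGO, and a client speaking bare NTLMSSP under the Negotiate scheme.
KERBEROS_HEADER = _header(build_spnego([MSKRB5_OID, KRB5_OID], b"constructed AP-REQ stand-in"))
NTLM_IN_SPNEGO_HEADER = _header(build_spnego([NTLMSSP_OID], b"NTLMSSP\x00\x01\x00\x00\x00"))
RAW_NTLM_HEADER = _header(b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(24))


def _tlv(buf, pos):
    """Parse one DER TLV at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length (real browser tokens use it)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def classify_negotiate(header_value):
    """Classify an Authorization header value; 'kind' names the mechanism the client used."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return {"kind": "not-negotiate", "mechs": []}
    tok = base64.b64decode(b64)
    if tok.startswith(b"NTLMSSP\x00"):       # bare NTLM, no GSS-API framing at all
        return {"kind": "NTLM-raw", "mechs": ["NTLMSSP"]}
    if not tok or tok[0] != 0x60:            # not an InitialContextToken
        return {"kind": "unknown", "mechs": []}
    _, pos, _ = _tlv(tok, 0)
    tag, s, e = _tlv(tok, pos)               # thisMech OID
    mech = tok[s:e]
    if tag != 0x06 or mech != SPNEGO_OID:    # Kerberos (or something else) sent without SPNEGO
        name = OID_NAMES.get(mech, mech.hex())
        kind = "Kerberos-raw" if name.startswith("Kerberos") else "GSS-other"
        return {"kind": kind, "mechs": [name]}
    _, s, _ = _tlv(tok, e)                   # [0] NegTokenInit
    _, s, e = _tlv(tok, s)                   # SEQUENCE of its fields
    mechs, ntlm_inside = [], False
    while s < e:
        ftag, fs, fe = _tlv(tok, s)
        if ftag == 0xA0:                     # mechTypes: the client's preference list
            _, ls, le = _tlv(tok, fs)
            while ls < le:
                _, os_, oe = _tlv(tok, ls)
                mechs.append(OID_NAMES.get(tok[os_:oe], tok[os_:oe].hex()))
                ls = oe
        elif ftag == 0xA2:                   # mechToken: the first mechanism's own token
            _, ts, te = _tlv(tok, fs)
            ntlm_inside = tok[ts:te].startswith(b"NTLMSSP\x00")
        s = fe
    if ntlm_inside or mechs[:1] == ["NTLMSSP"]:
        kind = "SPNEGO-NTLM"                 # Windows sends this when it got no ticket for the SPN
    elif mechs and mechs[0].startswith("Kerberos"):
        kind = "SPNEGO-Kerberos"
    else:
        kind = "SPNEGO-other"
    return {"kind": kind, "mechs": mechs}


if __name__ == "__main__":
    for h in (KERBEROS_HEADER, NTLM_IN_SPNEGO_HEADER, RAW_NTLM_HEADER):
        print(h[:30] + "...", classify_negotiate(h))
```

A quick check without decoding anything: the base64 of a SPNEGO token from a real browser begins with "YII" (the 0x60 tag followed by a long-form length; the small constructed tokens here begin with "YE"), while a bare NTLMSSP token begins with "TlRMTVNT". If the repository only ever sees NTLM, the Kerberos side of the client is the place to look (SPN registration, name resolution of the host in the URL, browser zone settings), not the Alfresco authentication chain.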