Hi folks,
I recently installed ACS 7.3.1 on Windows Server 2022, following these instructions:
https://javaworld-abhinav.blogspot.com/2022/05/setup-acs-7-ass-2-and-local-windows.html
- Tomcat 9.0.72
- OpenJDK 11.0.19
- ActiveMQ 5.17.4
- PostgreSQL 15.3
- ASS 2.0.6
- Transform Core-AiO 2.7.1
That works so far, ldap-AD sync is running and I can log in with my AD user.
Then I wanted to configure Kerberos SSO and followed these instructions:
- https://docs.alfresco.com/identity-service/latest/tutorial/sso/
- https://hub.alfresco.com/t5/alfresco-content-services-forum/acs-7-3-kerberos-sso-authentication-for-...
- https://hub.alfresco.com/t5/alfresco-content-services-forum/kerberos-sso-configuration/td-p/304314
- https://docs.alfresco.com/content-services/community/admin/auth-sync/
I also tried different constellations resulting from the pages.
User alfrescosso created, SPNs set, keytab created and distributed, configs adjusted and so on.
I changed the port from 8080 to 80.
Firefox, Edge (Chromium) and IE are configured accordingly.
Now when I go to http://<server>/share/, the orange login page always appears.
Is there anything else I need to take care of?
Or can someone post working config files (share-config-custom.xml, alfresco-global.properties, java.login.config, ...)?
Thanks
Greetings
Robert
Hi,
I have solved it in the meantime.
I have reset the whole share-config-custom.xml and started again. I included both <config evaluator="string-compare" condition="Remote"> sections.
After that I got a Java error for the Kerberos connection: GSSException: No valid credentials provided (Mechanism level: KDC cannot accommodate requested option (13))
I was able to fix this by changing the AD user for delegation to "Trust the user for delegation to specified services only".
https://stackoverflow.com/questions/72651807/krberror-kdc-cannot-accommodate-requested-option-when-c...
You may have missed a config step or misconfigured something. Try to revisit the steps and see if you can locate anything.
Also try to see if you find any errors in alfresco.log, share.log and catalina.out.
You can double-check that the DNS is correctly resolving the hostname of your ACS server. Also, ensure that the hostname used in the SPNs matches the server's actual hostname. Or enable Kerberos debugging to check if there are any errors or issues with the Kerberos authentication process. You can add the following property to the "alfresco-global.properties" file:
kerberos.authentication.debug=true
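Added example, not part of the thread or of Alfresco's own code: a small triage script for the log check suggested above, which pulls the Kerberos error code out of Java `GSSException` lines such as the one quoted in this thread and maps it to its RFC 4120 name. The sample log lines, the `triage` function and the hint texts are constructed for illustration; the hints only restate what the posts in this thread report.

```python
import re

# KDC/AP error codes and names from RFC 4120 section 7.5.9 (subset).
KRB_ERRORS = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    13: "KDC_ERR_BADOPTION",
    14: "KDC_ERR_ETYPE_NOSUPP",
    24: "KDC_ERR_PREAUTH_FAILED",
    37: "KRB_AP_ERR_SKEW",
}

# Hints limited to what this thread reports; other codes get no hint.
HINTS = {
    13: "check the delegation setting on the AD service account",
    7: "check that the SPN hostname matches the server's DNS name",
}

# Java GSS wraps the KDC error as "(Mechanism level: <text> (<code>))".
PATTERN = re.compile(
    r"GSSException: .*?\(Mechanism level: (?P<text>.*?) \((?P<code>\d+)\)\)"
)

def triage(lines):
    """Return one finding per log line that carries a Kerberos error code."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        m = PATTERN.search(line)
        if not m:
            continue  # no numeric Kerberos code on this line
        code = int(m.group("code"))
        findings.append({
            "line": lineno,
            "code": code,
            "name": KRB_ERRORS.get(code, "UNKNOWN"),
            "text": m.group("text"),
            "hint": HINTS.get(code),
        })
    return findings

# Constructed sample log lines (timestamps and logger names are made up).
SAMPLE_LOG = [
    "2023-06-01 10:00:01 INFO  [web.site.servlet] Share started",
    "2023-06-01 10:00:07 ERROR [web.site.servlet] GSSException: No valid credentials provided (Mechanism level: KDC cannot accommodate requested option (13))",
    "2023-06-01 10:02:11 ERROR [web.site.servlet] GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))",
    "2023-06-01 10:03:00 ERROR [web.site.servlet] GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f['line']}: {f['name']} ({f['code']}): {f['text']}; hint: {f['hint']}")
```

To use it on a real installation, pass the lines of alfresco.log, share.log or catalina.out to `triage` instead of `SAMPLE_LOG`.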