I have successfully configured Kerberos and generated SPN + Keytabs to work when the Reverse Proxy is disabled. However I want it to work with the reverse proxy. From what I understand, I need to generate new SPN + Keytabs for the proxy DNS. Alfresco server runs on the same server as Apache reverse server.
Do I need to reconfigure anything in krb5.ini, java.login.config or share-config-custom.xml?
The proxy DNS is alfrescotest.jonkoping.se. Are the commands correct or did I add one .jonkoping.se too many?
setspn -a cifs/alfrescotest.jonkoping.se alfrescocifs
setspn -a cifs/alfrescotest.jonkoping.se.jonkoping.se alfrescocifs
setspn -a HTTP/alfrescotest.jonkoping.se alfrescohttp
setspn -a HTTP/alfrescotest.jonkoping.se.jonkoping.se alfrescohttp
ktpass -princ cifs/alfrescotest.jonkoping.se.jonkoping.se@jonkoping.se -pass Password -mapuser jonkoping\alfrescocifs -crypto ALL -ptype KRB5_NT_PRINCIPAL -out d:\temp\alfrescocifs.keytab -kvno 0
ktpass -princ HTTP/alfrescotest.jonkoping.se.jonkoping.se@jonkoping.se -pass Password -mapuser jonkoping\alfrescohttp -crypto ALL -ptype KRB5_NT_PRINCIPAL -out d:\temp\alfrescohttp.keytab -kvno 0
Lastly, do I need to configure anything in Apache httpd.conf to forward the headers to the Alfresco repository?
Yes, this link was also somewhat helpful https://docs.alfresco.com/sso/topics/kerberos.html
Here are my notes:
1. If there is a reverse proxy, make sure it is used when creating the SPN and Kerberos keytabs.
Example: Proxy DNS alfresco.example.com Realm: EXAMPLE.COM
setspn -a HTTP/alfresco.example.com alfrescohttp
ktpass -princ HTTP/alfresco.example.com@EXAMPLE.COM -pass Password -mapuser example\alfrescohttp -crypto ALL -ptype KRB5_NT_PRINCIPAL -out d:\temp\alfrescohttp.keytab -kvno 0
2. Make sure the AlfrescoHTTP and AlfrescoCIFS AD users can be found in Alfresco after a sync.
3. krb5.ini - Point at the AD server here.
4. share-config-custom.xml - Make sure endpoint-spn points to the reverse proxy DNS if there is one.
5. No Kerberos module should be needed for the reverse proxy. It should forward the Kerberos headers to the Alfresco repository for authentication if the SPN and keytabs are created with the proxy DNS.
6. java/lib/security/java.login.config - Make sure the principal points to the reverse proxy DNS.
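As an added check that is not from this thread or from Alfresco's code: a small Python parser for the keytab file (MIT keytab format 0x0502, which is assumed to be what ktpass writes) that confirms the keytab's principal is exactly HTTP/<proxy DNS>@REALM before it is deployed, and flags the doubled DNS suffix asked about above as well as a lower-case realm. The sample keytab is constructed inline; run it against a real file with check_keytab(open("alfrescohttp.keytab", "rb").read(), "alfresco.example.com", "EXAMPLE.COM").

```python
import struct
def _cs(b):  # counted_octet_string: uint16 big-endian length, then the bytes
    return struct.pack(">H", len(b)) + b
def _read_cs(data, off):
    (n,) = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n], off + 2 + n
def build_keytab(entries):  # constructed keytab, format 0x0502; entries = (principal, kvno, enctype, key)
    out = b"\x05\x02"
    for princ, kvno, enctype, key in entries:
        name, realm = princ.rsplit("@", 1)
        parts = [realm] + name.split("/")                     # realm first, then the name components
        body = struct.pack(">H", len(parts) - 1) + b"".join(_cs(p.encode()) for p in parts)
        # name_type 1 = KRB5_NT_PRINCIPAL, timestamp 0, vno8, keyblock, then the 32-bit kvno
        body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype) + _cs(key) + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out
def keytab_principals(data):  # -> [(principal, kvno, enctype)]; a negative size marks a deleted slot
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    off, found = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off, end = off + 4, off + 4 + abs(size)
        if size > 0:
            (ncomp,) = struct.unpack_from(">H", data, off)
            parts, off = [], off + 2
            for _ in range(ncomp + 1):                        # realm, then the name components
                s, off = _read_cs(data, off)
                parts.append(s.decode())
            _, _, kvno, enctype = struct.unpack_from(">IIBH", data, off)
            _, off = _read_cs(data, off + 11)                 # step over the key material
            if off + 4 <= end:                                # 32-bit kvno extension overrides vno8
                (kvno,) = struct.unpack_from(">I", data, off)
            found.append(("/".join(parts[1:]) + "@" + parts[0], kvno, enctype))
        off = end
    return found
def check_keytab(data, proxy_fqdn, realm, service="HTTP"):  # problems that break SSO via the proxy
    expected = f"{service}/{proxy_fqdn}@{realm}"
    principals = [p for p, _, _ in keytab_principals(data)]
    problems = [] if expected in principals else [f"missing {expected}"]
    suffix = "." + proxy_fqdn.partition(".")[2]
    for p in principals:
        host, prealm = p.split("/", 1)[-1].split("@", 1)
        if host.endswith(suffix + suffix):
            problems.append(f"doubled DNS suffix: {p}")
        if prealm != prealm.upper():
            problems.append(f"realm not upper-case: {p}")
    return problems
SAMPLE = build_keytab([("HTTP/alfresco.example.com@EXAMPLE.COM", 3, 18, b"k" * 32),  # constructed sample
                       ("HTTP/alfresco.example.com.example.com@EXAMPLE.COM", 3, 18, b"k" * 32)])  # doubled suffix
```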
I have the same problem. Have you found a solution in the meantime?
regards
Ralph
Thank you. Now it works.
kind regards
Ralph