Kerberos SSO configuration

statira
Active Member


Hi guys. I'm trying to set up Kerberos + SSO on alfresco 5.2 server based on this tutorial https://hub.alfresco.com/t5/alfresco-content-services-hub/configuring-the-cifs-and-web-servers-for-k....
But I'm getting
ERROR [org.alfresco.web.site.servlet.SSOAuthenticationFilter] [localhost-startStop-1] HTTP Kerberos web filter error
javax.security.auth.login.LoginException: Unable to obtain password from user

Any 

I've created the AD users myalfcifs and myalfhttp and enabled the "Do not require Kerberos preauthentication" option in Account Options. Created the key tables with
ktpass -princ cifs/alfresco.mycomp.com@MYCOMP.COM -pass D password1 -mapuser mycomp\myalfcifs -crypto all -ptype KRB5_NT_PRINCIPAL -out c:\temp\myalfcifs.keytab -kvno 0
and
ktpass -princ HTTP/alfresco.mycomp.com@MYCOMP.COM -pass D password2 -mapuser mycomp\myalfhttp -crypto all -ptype KRB5_NT_PRINCIPAL -out c:\temp\myalfhttp.keytab -kvno 0
Created the SPNs:
setspn -a cifs/alfresco myalfcifs
setspn -a cifs/alfresco myalfhttp

I'm not sure whether I should use my usernames myalfcifs/myalfhttp instead of AlfrescoCIFS/HTTP in java.login.config (tried both ways with no difference):

AlfrescoCIFS {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
keyTab="/etc/keys/myalfcifs.keytab"
principal="cifs/alfresco.mycomp.com";
};

Related alfresco-global.properties configuration:

authentication.chain=ldap1:ldap-ad,kerberos1:kerberos

ntlm.authentication.sso.enabled=false
ntlm.authentication.browser.ticketLogons=true
ldap.authentication.active=false
ldap.authentication.userNameFormat=%s
ldap.authentication.allowGuestLogin=false
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://dc.mycomp.com:389

synchronization.synchronizeChangesOnly=false
synchronization.import.cron=0 2 * * * ?
synchronization.syncWhenMissingPeopleLogIn=true
synchronization.autoCreatePeopleOnLogin=true

ldap.synchronization.active=true
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.java.naming.security.authenticaton=simple
ldap.synchronization.java.naming.security.principal=user_alfresco@mycomp.com
ldap.synchronization.java.naming.security.credentials=Password
ldap.synchronization.groupSearchBase=dc\=mycomp,dc\=com
ldap.synchronization.userSearchBase=dc\=mycomp,dc\=com

### Kerberos properties ###
kerberos.authentication.sso.enabled=true
kerberos.authentication.defaultAdministratorUserNames=admin
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.cifs.configEntryName=myalfcifs
kerberos.authentication.cifs.password=password1
kerberos.authentication.http.configEntryName=myalfhttp
kerberos.authentication.http.password=password2
kerberos.authentication.authenticateCIFS=true
kerberos.authentication.realm=MYCOMP.COM
kerberos.authentication.stripUsernameSuffix=true
kerberos.authentication.browser.ticketLogons=true
kerberos.authentication.sso.fallback.enabled=true

share-config-custom.xml Kerberos settings:

<!-- To enable kerberos rename this condition to "Kerberos" -->
<config evaluator="string-compare" condition="Kerberos" replace="true">
<kerberos>
<password>password2</password>
<realm>MYCOMP.COM</realm>
<endpoint-spn>HTTP/alfresco.mycomp.com@MYCOMP.COM</endpoint-spn>
<config-entry>ShareHTTP</config-entry>
<stripUserNameSuffix>true</stripUserNameSuffix>
</kerberos>
</config>

+ uncommented <config evaluator="string-compare" condition="Remote"> sections
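As an added consistency check (my own example, not code from the post or from Alfresco): a small Python script that parses the JAAS entry and the kerberos.* properties quoted above, then reports every configEntryName that refers to an entry java.login.config does not define, plus any keytab-based entry that lacks a keyTab path. The sample input is the poster's own configuration; the parsers are deliberately minimal and assume one-option-per-line JAAS syntax.

```python
"""Consistency check between java.login.config and alfresco-global.properties.

Every kerberos.authentication.*.configEntryName value must name a JAAS entry
that actually exists, and a Krb5LoginModule entry using a keytab needs keyTab.
"""
import re

# Sample input: the JAAS entry and the Kerberos properties quoted from the post.
JAAS_CONFIG = """
AlfrescoCIFS {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
keyTab="/etc/keys/myalfcifs.keytab"
principal="cifs/alfresco.mycomp.com";
};
"""
GLOBAL_PROPS = """
kerberos.authentication.sso.enabled=true
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.cifs.configEntryName=myalfcifs
kerberos.authentication.http.configEntryName=myalfhttp
"""

def parse_jaas(text):
    """Return {entry_name: {option: value}} for each 'Name { ... };' block."""
    entries = {}
    for name, body in re.findall(r"(\w+)\s*\{(.*?)\};", text, re.S):
        # key=value or key="value"; the module class line has no '=' and is skipped
        entries[name] = dict(re.findall(r'(\w+)="?([^"\s;]*)"?', body))
    return entries

def parse_properties(text):
    """Minimal .properties reader: splits each line on its first '='."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check(jaas_text, props_text):
    """Return a list of human-readable problems (empty list means consistent)."""
    entries = parse_jaas(jaas_text)
    problems = []
    for key, value in parse_properties(props_text).items():
        if key.endswith(".configEntryName") and value not in entries:
            problems.append(f"{key}={value}: no entry named {value!r} in java.login.config")
    for name, opts in entries.items():
        if opts.get("useKeyTab") == "true" and "keyTab" not in opts:
            problems.append(f"{name}: useKeyTab=true but no keyTab path given")
    return problems

if __name__ == "__main__":
    for problem in check(JAAS_CONFIG, GLOBAL_PROPS):
        print(problem)
```

Run against the configuration as posted, it lists the three configEntryName values (Alfresco, myalfcifs, myalfhttp) that no entry in the quoted java.login.config defines.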