Problems on Configuring SSO (Kerberos )against Active Directory

cancel
Showing results for 
Search instead for 
Did you mean: 
mbedoui
Active Member

Problems on Configuring SSO (Kerberos )against Active Directory

Jump to solution

I have installed Alfresco Community Edition V5.0.0 on Ubuntu 
After configuring alfresco-global.properties , import of users from AD  works very well after that ,

I 'm looking for enabling kerberos with alfresco and Active Directory 

that's why i have followed the documentation starting by :

  1.  creating a cifsUser (Do not require Kerberos preauthentication )
  2. creating an spn for the account
  3. creating a httpUser(Do not require Kerberos preauthentication )
  4. generating two keytab file based on cifs/<hostnetbios> and HTTP/<host>

under /etc/ i have filled the file krb5.conf

[libdefaults]
default_realm = GCT.COM.TN
## default_tkt_enctypes = rc4-hmac
## default_tgs_enctypes = rc4-hmac
[realms]
GCT.COM.TN = {
kdc = srv-adgctgab.gct.com.tn
admin_server = srv-adgctgab.gct.com.tn
}
[domain_realm]
srv-adgctgab.gct.com.tn = GCT.COM.TN
.srv-adgctgab.gct.com.tn = GCT.COM.TN

under  /opt/alfresco-5.0.d/java/lib/security/
i create a file java.login.config

Afresco {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};

AlfrescoCIFS {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
doNotPrompt=true
keyTab="/etc/cifsgedAlfresco.keytab"
principal="cifs/gedAlfrescoA.gct.com.tn";
};

AlfrescoHTTP
{
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
doNotPrompt=true
keyTab="/etc/httpgedAlfresco.keytab"
principal="HTTP/gedAlfresco.gct.com.tn";
};

ShareHTTP
{
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
doNotPrompt=true
keyTab="/etc/httpgedAlfresco.keytab"
principal="HTTP/gedAlfresco.gct.com.tn";
};

com.sun.net.ssl.client {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};

other {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};

I add this line login.config.url.1=file:${java.home}/lib/security/java.login.config at java/lib/security/java.security

I add Alfresco web server is in the Local Intranet security zone on IE via a GPO

I update alfresco-5.0.d/tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml

<config evaluator="string-compare" condition="Kerberos" replace="true">
<kerberos>
<!--
Password for HTTP service account.
The account name *must* be built from the HTTP server name, in the format :
HTTP/<server_name>@<realm>
(NB this is because the web browser requests an ST for the
HTTP/<server_name> principal in the current realm, so if we're to decode
that ST, it has to match.)
-->
<password>secret</password>
<!--
Kerberos realm and KDC address. -->
<realm>GCT.COM.TN</realm>
<!-- Service Principal Name to use on the repository tier. This must be like: HTTP/host.name@REALM -->
<endpoint-spn>HTTP/gedAlfresco</endpoint-spn>
<!-- JAAS login configuration entry name. -->
<config-entry>ShareHTTP</config-entry>
<!-- A Boolean which when true strips the @domain sufix from Kerberos authenticated usernames.
Use together with stripUsernameSuffix property in alfresco-global.properties file. -->
<stripUserNameSuffix>true</stripUserNameSuffix>
</kerberos>
</config>

also uncomment
<config evaluator="string-compare" condition="Remote">

In Order to Enable kerberos it should logging , so could you give me the log file cause alfresco.log don't mentionned the operation , also what i have forgot to configure or steps to troubleshoot sso authentification .

Thanks for your time 

1 Solution

Accepted Solutions
angelborroy
Alfresco Employee

Re: Problems on Configuring SSO (Kerberos )against Active Directory

Jump to solution

Configuring Kerberos always is a painful experience. You have to be very precise with every configuration, or it will be a mess in the end.

Let me share with you some tips about the process that I'm missing in your steps.

Install JCE without restrictions

Download JCE Unlimited Strength from Oracle (http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html) and install it on your server

$ unzip jce_policy-8.zip
$ cd UnlimitedJCEPolicyJDK8/
$ cp local_policy.jar /usr/java/jdk1.8.0_111/jre/lib/security/
$ cp US_export_policy.jar /usr/java/jdk1.8.0_111/jre/lib/security/

Double-check names everywhere

If you miss one server name or domain name, the configuration will fail. Double check your domain (GCT.COM.TN) and admin server (srv-adgctgab.gct.com.tn) for every step. 

Verify Kerberos client from command line

You can be sure that your kerberos client is working fine from server command line and discard this point of failure.

(Names in the following sample could not be exact)

$ kinit ADUser@GCT.COM.TN
Password for ADUser@GCT.COM.TN:

$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ADUser@GCT.COM.TN

Valid starting Expires Service principal
31/07/17 09:50:16 31/07/17 19:50:16 krbtgt/GCT.COM.TN@GCT.COM.TN
renew until 01/08/17 09:50:07

$ kdestroy

$ klist -k -t /opt/alfresco/keytab/alfrescohttp.keytab
Keytab name: FILE:/opt/alfresco/keytab/alfrescohttp.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
0 01/01/70 01:00:00 HTTP/gedAlfresco.gct.com.tn@GCT.COM.TN
0 01/01/70 01:00:00 HTTP/gedAlfresco.gct.com.tn@GCT.COM.TN
0 01/01/70 01:00:00 HTTP/gedAlfresco.gct.com.tn@GCT.COM.TN
0 01/01/70 01:00:00 HTTP/gedAlfresco.gct.com.tn@GCT.COM.TN
0 01/01/70 01:00:00 HTTP/gedAlfresco.gct.com.tn@GCT.COM.TN

$ kinit -k -t /opt/alfresco/keytab/alfrescohttp.keytab HTTP/gedAlfresco.gct.com.tn@GCT.COM.TN

$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/gedAlfresco.gct.com.tn@GCT.COM.TN

Valid starting Expires Service principal
02/08/17 14:58:00 03/08/17 00:58:00 krbtgt/GCT.COM.TN@GCT.COM.TN
renew until 03/08/17 14:57:55

Authentication chain in alfresco.war

Verify authentication chain and users configuration in repository.

$ vi /opt/alfresco/tomcat/shared/classes/alfresco-global.properties

authentication.chain=alfinst:alfrescoNtlm,kerberos1:kerberos,ldap1:ldap-ad

# Kerberos
kerberos.authentication.realm=GCT.COM.TN
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.defaultAdministratorUserNames=administrator,admin,adminAlfresco,administrador
kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.cifs.password=xxxxxxxxx
kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.http.password=xxxxxxxxx
kerberos.authentication.sso.enabled=true

Remote section in share.war

Verify your Kerberos credentials and uncomment remote connector in Share webapp. 

$ vi /opt/alfresco/tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml

<config evaluator="string-compare" condition="Kerberos" replace="true">
     <kerberos>
         <password>xxxxxxxxx</password>
         <realm>GCT.COM.TN</realm>
         <endpoint-spn>HTTP/gedAlfresco.gct.com.tn@GCT.COM.TN</endpoint-spn>
         <config-entry>ShareHTTP</config-entry>
         <stripUserNameSuffix>true</stripUserNameSuffix>
     </kerberos>
</config>

<config evaluator="string-compare" condition="Remote">
<remote>
<!--
<ssl-config>
<keystore-path>alfresco/web-extension/alfresco-system.p12</keystore-path>
<keystore-type>pkcs12</keystore-type>
<keystore-password>alfresco-system</keystore-password>

<truststore-path>alfresco/web-extension/ssl-truststore</truststore-path>
<truststore-type>JCEKS</truststore-type>
<truststore-password>password</truststore-password>

<verify-hostname>true</verify-hostname>
</ssl-config>
-->
...
</remote>
</config>

Login for Kerberos and JVM

Your java.login.config and java.security settings look fine.

Include your configuration for Tomcat

You can use setenv.sh config file

$ vi /opt/alfresco/tomcat/bin/setenv.sh

JAVA_OPTS="$JAVA_OPTS -Djava.security.krb5.conf=/etc/krb5.conf"

Browsers

It works fine with IE, just add Alfresco Site (http://gedalfresco.gct.com.tn:8080) to Local Intranet option and mark "Automatically logon with current username and password" flag.

Chrome and Firefox will requiere further configuration: https://docs.alfresco.com/community/concepts/auth-kerberos-clientconfig.html 

WARNING: I've included some highlights about Kerberos configuration but probably some paths or names are wrong. Just to include a checkpoint for you in order to validate your installation. Probably you have to find a typo somewhere and it will be done.

Hyland Developer Evangelist

View solution in original post

7 Replies
angelborroy
Alfresco Employee

Re: Problems on Configuring SSO (Kerberos )against Active Directory

Jump to solution

Sorry, I cannot understand what's your problem.

What is not working?

Hyland Developer Evangelist
mbedoui
Active Member

Re: Problems on Configuring SSO (Kerberos )against Active Directory

Jump to solution

the first point , i doubt that kerberos is well configured cause the file 'alfresco.log'  don't contain any indication to sso but synchronization of users from ldap works very well that's why i'm looking to the file where login operation is written.

Second point it's not work as we except ::

login page will disappear  if the user session on our  domain is open .

But the current situation is a login page that enable user connects to the share based on his ldap credentials .

It requires some investigation on logging file to understand the cause .Thanks 

mbedoui
Active Member

Re: Problems on Configuring SSO (Kerberos )against Active Directory

Jump to solution

Ouups a warning in alfresco.log

2018-03-12 17:11:58,375 WARN [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] [http-apr-8080-exec-1] NTLM filter, error resolving CIFS host nameGEDALFRESCOA
2018-03-12 17:11:58,376 INFO [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] [http-apr-8080-exec-1] NTLM filter using server name gedAlfresco

FYI: a hostname is gedAlfresco , with a FQDN  http://gedalfresco.gct.com.tn:8080/share/page/   returns Login authentication failed. Please close and re-open Safari to try again. on  chrome  but the login page appears  on IE .

angelborroy
Alfresco Employee

Re: Problems on Configuring SSO (Kerberos )against Active Directory

Jump to solution

Configuring Kerberos always is a painful experience. You have to be very precise with every configuration, or it will be a mess in the end.

Let me share with you some tips about the process that I'm missing in your steps.

Install JCE without restrictions

Download JCE Unlimited Strength from Oracle (http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html) and install it on your server

$ unzip jce_policy-8.zip
$ cd UnlimitedJCEPolicyJDK8/
$ cp local_policy.jar /usr/java/jdk1.8.0_111/jre/lib/security/
$ cp US_export_policy.jar /usr/java/jdk1.8.0_111/jre/lib/security/

Double-check names everywhere

If you miss one server name or domain name, the configuration will fail. Double check your domain (GCT.COM.TN) and admin server (srv-adgctgab.gct.com.tn) for every step. 

Verify Kerberos client from command line

You can be sure that your kerberos client is working fine from server command line and discard this point of failure.

(Names in the following sample could not be exact)

$ kinit ADUser@GCT.COM.TN
Password for ADUser@GCT.COM.TN:

$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ADUser@GCT.COM.TN

Valid starting Expires Service principal
31/07/17 09:50:16 31/07/17 19:50:16 krbtgt/GCT.COM.TN@GCT.COM.TN
renew until 01/08/17 09:50:07

$ kdestroy

$ klist -k -t /opt/alfresco/keytab/alfrescohttp.keytab
Keytab name: FILE:/opt/alfresco/keytab/alfrescohttp.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
0 01/01/70 01:00:00 HTTP/gedAlfresco.gct.com.tn@GCT.COM.TN
0 01/01/70 01:00:00 HTTP/gedAlfresco.gct.com.tn@GCT.COM.TN
0 01/01/70 01:00:00 HTTP/gedAlfresco.gct.com.tn@GCT.COM.TN
0 01/01/70 01:00:00 HTTP/gedAlfresco.gct.com.tn@GCT.COM.TN
0 01/01/70 01:00:00 HTTP/gedAlfresco.gct.com.tn@GCT.COM.TN

$ kinit -k -t /opt/alfresco/keytab/alfrescohttp.keytab HTTP/gedAlfresco.gct.com.tn@GCT.COM.TN

$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/gedAlfresco.gct.com.tn@GCT.COM.TN

Valid starting Expires Service principal
02/08/17 14:58:00 03/08/17 00:58:00 krbtgt/GCT.COM.TN@GCT.COM.TN
renew until 03/08/17 14:57:55

Authentication chain in alfresco.war

Verify authentication chain and users configuration in repository.

$ vi /opt/alfresco/tomcat/shared/classes/alfresco-global.properties

authentication.chain=alfinst:alfrescoNtlm,kerberos1:kerberos,ldap1:ldap-ad

# Kerberos
kerberos.authentication.realm=GCT.COM.TN
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.defaultAdministratorUserNames=administrator,admin,adminAlfresco,administrador
kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.cifs.password=xxxxxxxxx
kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.http.password=xxxxxxxxx
kerberos.authentication.sso.enabled=true

Remote section in share.war

Verify your Kerberos credentials and uncomment remote connector in Share webapp. 

$ vi /opt/alfresco/tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml

<config evaluator="string-compare" condition="Kerberos" replace="true">
     <kerberos>
         <password>xxxxxxxxx</password>
         <realm>GCT.COM.TN</realm>
         <endpoint-spn>HTTP/gedAlfresco.gct.com.tn@GCT.COM.TN</endpoint-spn>
         <config-entry>ShareHTTP</config-entry>
         <stripUserNameSuffix>true</stripUserNameSuffix>
     </kerberos>
</config>

<config evaluator="string-compare" condition="Remote">
<remote>
<!--
<ssl-config>
<keystore-path>alfresco/web-extension/alfresco-system.p12</keystore-path>
<keystore-type>pkcs12</keystore-type>
<keystore-password>alfresco-system</keystore-password>

<truststore-path>alfresco/web-extension/ssl-truststore</truststore-path>
<truststore-type>JCEKS</truststore-type>
<truststore-password>password</truststore-password>

<verify-hostname>true</verify-hostname>
</ssl-config>
-->
...
</remote>
</config>

Login for Kerberos and JVM

Your java.login.config and java.security settings look fine.

Include your configuration for Tomcat

You can use setenv.sh config file

$ vi /opt/alfresco/tomcat/bin/setenv.sh

JAVA_OPTS="$JAVA_OPTS -Djava.security.krb5.conf=/etc/krb5.conf"

Browsers

It works fine with IE, just add Alfresco Site (http://gedalfresco.gct.com.tn:8080) to Local Intranet option and mark "Automatically logon with current username and password" flag.

Chrome and Firefox will requiere further configuration: https://docs.alfresco.com/community/concepts/auth-kerberos-clientconfig.html 

WARNING: I've included some highlights about Kerberos configuration but probably some paths or names are wrong. Just to include a checkpoint for you in order to validate your installation. Probably you have to find a typo somewhere and it will be done.

Hyland Developer Evangelist
mbedoui
Active Member

Re: Problems on Configuring SSO (Kerberos )against Active Directory

Jump to solution

I'm going to check the configuration according to your recommendation , but in parallel with this action  I'm looking to know the log file realted to kerberos ,activate log if already disabled and cause of this warning and errors 

2018-03-12 17:11:58,375 WARN [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] [http-apr-8080-exec-1] NTLM filter, error resolving CIFS host nameGEDALFRESCOA

FYI: a hostname is gedAlfresco , with a FQDN  http://gedalfresco.gct.com.tn:8080/share/page/   returns Login authentication failed. Please close and re-open Safari to try again. on  chrome  but the login page appears  on IE .

angelborroy
Alfresco Employee

Re: Problems on Configuring SSO (Kerberos )against Active Directory

Jump to solution

Probably you missed

ntlm.authentication.sso.enabled=false

configuration.

Hyland Developer Evangelist
mbedoui
Active Member

Re: Problems on Configuring SSO (Kerberos )against Active Directory

Jump to solution

I would like to thank you for your support and your time , it's works :

2018-03-13 17:41:22,941 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-7] Authentication not required (filter), chaining ...
2018-03-13 17:41:22,948 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-10] Authentication not required (filter), chaining ...
2018-03-13 17:41:22,995 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-1] Found a session user: *****
2018-03-13 17:41:22,997 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-1] Authentication not required (user), chaining ..