Solved: Re: Problems on Configuring SSO (Kerberos )against...

mbedoui · ‎8 Mar 2018

I have installed Alfresco Community Edition V5.0.0 on Ubuntu
After configuring alfresco-global.properties , import of users from AD works very well after that ,

I 'm looking for enabling kerberos with alfresco and Active Directory

that's why i have followed the documentation starting by :

creating a cifsUser (Do not require Kerberos preauthentication )
creating an spn for the account
creating a httpUser(Do not require Kerberos preauthentication )
generating two keytab file based on cifs/<hostnetbios> and HTTP/<host>

under /etc/ i have filled the file krb5.conf

[libdefaults]
default_realm = GCT.COM.TN
## default_tkt_enctypes = rc4-hmac
## default_tgs_enctypes = rc4-hmac
[realms]
GCT.COM.TN = {
kdc = srv-adgctgab.gct.com.tn
admin_server = srv-adgctgab.gct.com.tn
}
[domain_realm]
srv-adgctgab.gct.com.tn = GCT.COM.TN
.srv-adgctgab.gct.com.tn = GCT.COM.TN

under /opt/alfresco-5.0.d/java/lib/security/
i create a file java.login.config

Afresco {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};

AlfrescoCIFS {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
doNotPrompt=true
keyTab="/etc/cifsgedAlfresco.keytab"
principal="cifs/gedAlfrescoA.gct.com.tn";
};

AlfrescoHTTP
{
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
doNotPrompt=true
keyTab="/etc/httpgedAlfresco.keytab"
principal="HTTP/gedAlfresco.gct.com.tn";
};

ShareHTTP
{
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
doNotPrompt=true
keyTab="/etc/httpgedAlfresco.keytab"
principal="HTTP/gedAlfresco.gct.com.tn";
};

com.sun.net.ssl.client {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};

other {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};

I add this line login.config.url.1=file:${java.home}/lib/security/java.login.config at java/lib/security/java.security

I add Alfresco web server is in the Local Intranet security zone on IE via a GPO

I update alfresco-5.0.d/tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml

<config evaluator="string-compare" condition="Kerberos" replace="true">
<kerberos>

<password>secret</password>

<realm>GCT.COM.TN</realm>

<endpoint-spn>HTTP/gedAlfresco</endpoint-spn>

<config-entry>ShareHTTP</config-entry>

<stripUserNameSuffix>true</stripUserNameSuffix>
</kerberos>
</config>

also uncomment
<config evaluator="string-compare" condition="Remote">

In Order to Enable kerberos it should logging , so could you give me the log file cause alfresco.log don't mentionned the operation , also what i have forgot to configure or steps to troubleshoot sso authentification .

Thanks for your time

angelborroy · ‎12 Mar 2018

Configuring Kerberos always is a painful experience. You have to be very precise with every configuration, or it will be a mess in the end.

Let me share with you some tips about the process that I'm missing in your steps.

Install JCE without restrictions

Download JCE Unlimited Strength from Oracle (http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html) and install it on your server

$ unzip jce_policy-8.zip
$ cd UnlimitedJCEPolicyJDK8/
$ cp local_policy.jar /usr/java/jdk1.8.0_111/jre/lib/security/
$ cp US_export_policy.jar /usr/java/jdk1.8.0_111/jre/lib/security/

Double-check names everywhere

If you miss one server name or domain name, the configuration will fail. Double check your domain (GCT.COM.TN) and admin server (srv-adgctgab.gct.com.tn) for every step.

Verify Kerberos client from command line

You can be sure that your kerberos client is working fine from server command line and discard this point of failure.

(Names in the following sample could not be exact)

$ kinit ADUser@GCT.COM.TN
Password for ADUser@GCT.COM.TN:

$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ADUser@GCT.COM.TN

Valid starting Expires Service principal
31/07/17 09:50:16 31/07/17 19:50:16 krbtgt/GCT.COM.TN@GCT.COM.TN
 renew until 01/08/17 09:50:07

$ kdestroy

$ klist -k -t /opt/alfresco/keytab/alfrescohttp.keytab
Keytab name: FILE:/opt/alfresco/keytab/alfrescohttp.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
 0 01/01/70 01:00:00 HTTP/gedAlfresco.gct.com.tn@GCT.COM.TN
 0 01/01/70 01:00:00 HTTP/gedAlfresco.gct.com.tn@GCT.COM.TN
 0 01/01/70 01:00:00 HTTP/gedAlfresco.gct.com.tn@GCT.COM.TN
 0 01/01/70 01:00:00 HTTP/gedAlfresco.gct.com.tn@GCT.COM.TN
 0 01/01/70 01:00:00 HTTP/gedAlfresco.gct.com.tn@GCT.COM.TN

$ kinit -k -t /opt/alfresco/keytab/alfrescohttp.keytab HTTP/gedAlfresco.gct.com.tn@GCT.COM.TN

$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/gedAlfresco.gct.com.tn@GCT.COM.TN

Valid starting Expires Service principal
02/08/17 14:58:00 03/08/17 00:58:00 krbtgt/GCT.COM.TN@GCT.COM.TN
 renew until 03/08/17 14:57:55

Authentication chain in alfresco.war

Verify authentication chain and users configuration in repository.

$ vi /opt/alfresco/tomcat/shared/classes/alfresco-global.properties

authentication.chain=alfinst:alfrescoNtlm,kerberos1:kerberos,ldap1:ldap-ad

# Kerberos
kerberos.authentication.realm=GCT.COM.TN
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.defaultAdministratorUserNames=administrator,admin,adminAlfresco,administrador
kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.cifs.password=xxxxxxxxx
kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.http.password=xxxxxxxxx
kerberos.authentication.sso.enabled=true

Remote section in share.war

Verify your Kerberos credentials and uncomment remote connector in Share webapp.

$ vi /opt/alfresco/tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml

 <config evaluator="string-compare" condition="Kerberos" replace="true">
     <kerberos>
         <password>xxxxxxxxx</password>
         <realm>GCT.COM.TN</realm>
         <endpoint-spn>HTTP/gedAlfresco.gct.com.tn@GCT.COM.TN</endpoint-spn>
         <config-entry>ShareHTTP</config-entry>
         <stripUserNameSuffix>true</stripUserNameSuffix>
     </kerberos>
 </config>

 <config evaluator="string-compare" condition="Remote">
 <remote>
<!-- 
 <ssl-config>
 <keystore-path>alfresco/web-extension/alfresco-system.p12</keystore-path>
 <keystore-type>pkcs12</keystore-type>
 <keystore-password>alfresco-system</keystore-password>

<truststore-path>alfresco/web-extension/ssl-truststore</truststore-path>
 <truststore-type>JCEKS</truststore-type>
 <truststore-password>password</truststore-password>

<verify-hostname>true</verify-hostname>
 </ssl-config>
-->
...
 </remote>
 </config>

Login for Kerberos and JVM

Your java.login.config and java.security settings look fine.

Include your configuration for Tomcat

You can use setenv.sh config file

$ vi /opt/alfresco/tomcat/bin/setenv.sh

JAVA_OPTS="$JAVA_OPTS -Djava.security.krb5.conf=/etc/krb5.conf"

Browsers

It works fine with IE, just add Alfresco Site (http://gedalfresco.gct.com.tn:8080) to Local Intranet option and mark "Automatically logon with current username and password" flag.

Chrome and Firefox will requiere further configuration: https://docs.alfresco.com/community/concepts/auth-kerberos-clientconfig.html

WARNING: I've included some highlights about Kerberos configuration but probably some paths or names are wrong. Just to include a checkpoint for you in order to validate your installation. Probably you have to find a typo somewhere and it will be done.

Hyland Developer Evangelist

View solution in original post

angelborroy · ‎12 Mar 2018

Sorry, I cannot understand what's your problem.

What is not working?

Hyland Developer Evangelist

mbedoui · ‎12 Mar 2018

the first point , i doubt that kerberos is well configured cause the file 'alfresco.log' don't contain any indication to sso but synchronization of users from ldap works very well that's why i'm looking to the file where login operation is written.

Second point it's not work as we except ::

login page will disappear if the user session on our domain is open .

But the current situation is a login page that enable user connects to the share based on his ldap credentials .

It requires some investigation on logging file to understand the cause .Thanks

mbedoui · ‎12 Mar 2018

Ouups a warning in alfresco.log

2018-03-12 17:11:58,375 WARN [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] [http-apr-8080-exec-1] NTLM filter, error resolving CIFS host nameGEDALFRESCOA
2018-03-12 17:11:58,376 INFO [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] [http-apr-8080-exec-1] NTLM filter using server name gedAlfresco

FYI: a hostname is gedAlfresco , with a FQDN http://gedalfresco.gct.com.tn:8080/share/page/ returns Login authentication failed. Please close and re-open Safari to try again. on chrome but the login page appears on IE .

angelborroy · ‎12 Mar 2018

Configuring Kerberos always is a painful experience. You have to be very precise with every configuration, or it will be a mess in the end.

Let me share with you some tips about the process that I'm missing in your steps.

Install JCE without restrictions

Download JCE Unlimited Strength from Oracle (http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html) and install it on your server

$ unzip jce_policy-8.zip
$ cd UnlimitedJCEPolicyJDK8/
$ cp local_policy.jar /usr/java/jdk1.8.0_111/jre/lib/security/
$ cp US_export_policy.jar /usr/java/jdk1.8.0_111/jre/lib/security/

Double-check names everywhere

If you miss one server name or domain name, the configuration will fail. Double check your domain (GCT.COM.TN) and admin server (srv-adgctgab.gct.com.tn) for every step.

Verify Kerberos client from command line

You can be sure that your kerberos client is working fine from server command line and discard this point of failure.

(Names in the following sample could not be exact)

$ kinit ADUser@GCT.COM.TN
Password for ADUser@GCT.COM.TN:

$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ADUser@GCT.COM.TN

Valid starting Expires Service principal
31/07/17 09:50:16 31/07/17 19:50:16 krbtgt/GCT.COM.TN@GCT.COM.TN
 renew until 01/08/17 09:50:07

$ kdestroy

$ klist -k -t /opt/alfresco/keytab/alfrescohttp.keytab
Keytab name: FILE:/opt/alfresco/keytab/alfrescohttp.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
 0 01/01/70 01:00:00 HTTP/gedAlfresco.gct.com.tn@GCT.COM.TN
 0 01/01/70 01:00:00 HTTP/gedAlfresco.gct.com.tn@GCT.COM.TN
 0 01/01/70 01:00:00 HTTP/gedAlfresco.gct.com.tn@GCT.COM.TN
 0 01/01/70 01:00:00 HTTP/gedAlfresco.gct.com.tn@GCT.COM.TN
 0 01/01/70 01:00:00 HTTP/gedAlfresco.gct.com.tn@GCT.COM.TN

$ kinit -k -t /opt/alfresco/keytab/alfrescohttp.keytab HTTP/gedAlfresco.gct.com.tn@GCT.COM.TN

$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/gedAlfresco.gct.com.tn@GCT.COM.TN

Valid starting Expires Service principal
02/08/17 14:58:00 03/08/17 00:58:00 krbtgt/GCT.COM.TN@GCT.COM.TN
 renew until 03/08/17 14:57:55

Authentication chain in alfresco.war

Verify authentication chain and users configuration in repository.

$ vi /opt/alfresco/tomcat/shared/classes/alfresco-global.properties

authentication.chain=alfinst:alfrescoNtlm,kerberos1:kerberos,ldap1:ldap-ad

# Kerberos
kerberos.authentication.realm=GCT.COM.TN
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.defaultAdministratorUserNames=administrator,admin,adminAlfresco,administrador
kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.cifs.password=xxxxxxxxx
kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.http.password=xxxxxxxxx
kerberos.authentication.sso.enabled=true

Remote section in share.war

Verify your Kerberos credentials and uncomment remote connector in Share webapp.

$ vi /opt/alfresco/tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml

 <config evaluator="string-compare" condition="Kerberos" replace="true">
     <kerberos>
         <password>xxxxxxxxx</password>
         <realm>GCT.COM.TN</realm>
         <endpoint-spn>HTTP/gedAlfresco.gct.com.tn@GCT.COM.TN</endpoint-spn>
         <config-entry>ShareHTTP</config-entry>
         <stripUserNameSuffix>true</stripUserNameSuffix>
     </kerberos>
 </config>

 <config evaluator="string-compare" condition="Remote">
 <remote>
<!-- 
 <ssl-config>
 <keystore-path>alfresco/web-extension/alfresco-system.p12</keystore-path>
 <keystore-type>pkcs12</keystore-type>
 <keystore-password>alfresco-system</keystore-password>

<truststore-path>alfresco/web-extension/ssl-truststore</truststore-path>
 <truststore-type>JCEKS</truststore-type>
 <truststore-password>password</truststore-password>

<verify-hostname>true</verify-hostname>
 </ssl-config>
-->
...
 </remote>
 </config>

Login for Kerberos and JVM

Your java.login.config and java.security settings look fine.

Include your configuration for Tomcat

You can use setenv.sh config file

$ vi /opt/alfresco/tomcat/bin/setenv.sh

JAVA_OPTS="$JAVA_OPTS -Djava.security.krb5.conf=/etc/krb5.conf"

Browsers

It works fine with IE, just add Alfresco Site (http://gedalfresco.gct.com.tn:8080) to Local Intranet option and mark "Automatically logon with current username and password" flag.

Chrome and Firefox will requiere further configuration: https://docs.alfresco.com/community/concepts/auth-kerberos-clientconfig.html

WARNING: I've included some highlights about Kerberos configuration but probably some paths or names are wrong. Just to include a checkpoint for you in order to validate your installation. Probably you have to find a typo somewhere and it will be done.

Hyland Developer Evangelist

mbedoui · ‎13 Mar 2018

I'm going to check the configuration according to your recommendation , but in parallel with this action I'm looking to know the log file realted to kerberos ,activate log if already disabled and cause of this warning and errors

2018-03-12 17:11:58,375 WARN [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] [http-apr-8080-exec-1] NTLM filter, error resolving CIFS host nameGEDALFRESCOA

FYI: a hostname is gedAlfresco , with a FQDN http://gedalfresco.gct.com.tn:8080/share/page/ returns Login authentication failed. Please close and re-open Safari to try again. on chrome but the login page appears on IE .

angelborroy · ‎13 Mar 2018

Probably you missed

ntlm.authentication.sso.enabled=false

configuration.

Hyland Developer Evangelist

mbedoui · ‎13 Mar 2018

I would like to thank you for your support and your time , it's works :

2018-03-13 17:41:22,941 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-7] Authentication not required (filter), chaining ...
2018-03-13 17:41:22,948 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-10] Authentication not required (filter), chaining ...
2018-03-13 17:41:22,995 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-1] Found a session user: *****
2018-03-13 17:41:22,997 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-1] Authentication not required (user), chaining ..

Problems on Configuring SSO (Kerberos )against Active Directory

Problems on Configuring SSO (Kerberos )against Active Directory

Re: Problems on Configuring SSO (Kerberos )against Active Directory

Re: Problems on Configuring SSO (Kerberos )against Active Directory

Re: Problems on Configuring SSO (Kerberos )against Active Directory

Re: Problems on Configuring SSO (Kerberos )against Active Directory

Re: Problems on Configuring SSO (Kerberos )against Active Directory

Re: Problems on Configuring SSO (Kerberos )against Active Directory

Re: Problems on Configuring SSO (Kerberos )against Active Directory

Re: Problems on Configuring SSO (Kerberos )against Active Directory

Problems on Configuring SSO (Kerberos )against Active Directory

Problems on Configuring SSO (Kerberos )against Active Directory

Re: Problems on Configuring SSO (Kerberos )against Active Directory

Re: Problems on Configuring SSO (Kerberos )against Active Directory

Re: Problems on Configuring SSO (Kerberos )against Active Directory

Re: Problems on Configuring SSO (Kerberos )against Active Directory

Re: Problems on Configuring SSO (Kerberos )against Active Directory

Re: Problems on Configuring SSO (Kerberos )against Active Directory

Re: Problems on Configuring SSO (Kerberos )against Active Directory

Re: Problems on Configuring SSO (Kerberos )against Active Directory

We use cookies on this site to enhance your user experience