Kerberos difficulties

Question asked by doiheartwentyone on Aug 5, 2009
Latest reply on Aug 26, 2009 by dward
Hi,
I have been trying to get Kerberos and LDAP chaining to work using the instructions at
http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems

In Share, I can log in through the login screen and authenticate against Kerberos users; LDAP synchronization is also working.
However, I can't log in to the Alfresco backend web application. I get (on screen):

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authenticationFilter' defined in file [/opt/alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/kerberos/kerberos-filter-context.xml]: Invocation of init method failed; nested exception is javax.servlet.ServletException: Failed to login HTTP server service
caused by:
javax.servlet.ServletException: Failed to login HTTP server service

I don't see why this happens as I thought the HTTP server service was only used when SSO was enabled, and I have set kerberos.authentication.sso.enabled to false.

Investigating, I created an HTTP principal for the service, but this also failed with the same message and the logs:

17:29:36,557  ERROR [app.servlet.KerberosAuthenticationFilter] HTTP Kerberos web filter error
javax.security.auth.login.LoginException: Integrity check on decrypted field failed (31)
   at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:659)
[snip]
Caused by: KrbException: Integrity check on decrypted field failed (31)
   at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:154)
   at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:125)
   at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:167)
   at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:87)
   at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:486)
   at sun.security.krb5.Credentials.sendASRequest(Credentials.java:406)
   at sun.security.krb5.Credentials.acquireTGT(Credentials.java:356)
   at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:629)
   … 64 more


I didn't initially supply a kerberos.authentication.http.password because I'm using a keytab file in java.login.config and am not responsible for the password.
When I switched to using an explicit password (kinit.java working fine for the principal) I still got this error.
Our Kerberos server (not AD) supports DES3-CBC-SHA1-KD key type only, and I haven't knowingly told JAAS to use a particular one (maybe I should?).

My questions then:
1. Should I worry about kerberos.authentication.http.password?
2. Does anyone have any hints about why the encryption is failing? Is it the key type?
3. Why is the Alfresco web client trying to authenticate this way at all, given that I have supposedly disabled the HTTP SSO service?
