
Kerberos difficulties

Question asked by doiheartwentyone on Aug 5, 2009
Latest reply on Aug 26, 2009 by dward
I have been trying to get Kerberos and LDAP chaining to work using the instructions at

In Share, I can log in through the login screen and authenticate against Kerberos users; LDAP synchronization is also working.
However, I can't log in to the Alfresco backend web application. I get (on screen):

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authenticationFilter' defined in file [/opt/alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/kerberos/kerberos-filter-context.xml]: Invocation of init method failed; nested exception is javax.servlet.ServletException: Failed to login HTTP server service
caused by:
javax.servlet.ServletException: Failed to login HTTP server service

I don't see why this happens as I thought the HTTP server service was only used when SSO was enabled, and I have set kerberos.authentication.sso.enabled to false.

Investigating, I created an HTTP principal for the service, but this also failed with the same message and the logs:

17:29:36,557  ERROR [app.servlet.KerberosAuthenticationFilter] HTTP Kerberos web filter error Integrity check on decrypted field failed (31)
Caused by: KrbException: Integrity check on decrypted field failed (31)
   … 64 more

I didn't initially supply a kerberos.authentication.http.password because I'm using a keytab file in java.login.config and am not responsible for the password.
When I switched to using an explicit password (working fine for the principal), I still got this error.
Our Kerberos server (not AD) supports the DES3-CBC-SHA1-KD key type only, and I haven't knowingly told JAAS to use a particular one (maybe I should?).

My questions then:
1. Should I worry about kerberos.authentication.http.password?
2. Anyone have any hints about why the encryption is failing? Is it the key type?
3. Why is the Alfresco web client trying to authenticate this way at all, given that I have supposedly disabled the HTTP SSO service?