Alfresco 4 Community + Kerberos

Question asked by lefton4ya on Nov 15, 2011
Latest reply on Jan 30, 2012 by throwback
Situation:

I am an IT developer for a department at a university and users want a fileshare that they can access from anywhere with any computer, including a "mapped drive", and I figured Alfresco Share with WebDAV and/or CIFS would be a great way. Note, most computers are not on the same domain or even the same network as the Alfresco server, so SSO is not an option, but I wanted a secure way of authentication that would allow CIFS, so that left alfrescoNtlm or Kerberos. I set up the Alfresco Community Edition 4.0 server using the wizard (except changed Tomcat ports to 80 and 443) on a Windows Server 2008 64-bit and got it working fairly well with built-in permissions. However, I would prefer not having to manage a separate list of users/passwords, so I thought Kerberos authentication is the best option and am trying to configure it according to the documentation at http://docs.alfresco.com/4.0/topic/com.alfresco.enterprise.doc/concepts/auth-kerberos-intro.html, but as I am a newbie I am having trouble getting it to work (I will have to change it back to alfrescoNtlm if I can't get it to work). Any help is appreciated.


We have a very unique set-up for Kerberos, so let me give you that info first.  I have replaced the name of our university with [university] in all documentation below.
NetBIOS domain name: ADS
servers: ADS.UNIVERSITY.EDU
ADS realm/domain name is ADS.UNIVERSITY.EDU
MIT Kerberos Realm name: INS.UNIV.EDU (note this is a different domain name than the AD server)

So when we log onto computers on the domain we use ADS as our domain but I must run these ksetup commands on a PC before it joins:
ksetup /addkdc INS.UNIV.EDU KERBEROS.UNIV.EDU
ksetup /addkdc INS.UNIV.EDU KERBEROS2.UNIV.EDU
ksetup /addkdc INS.UNIV.EDU KERBEROS3.UNIV.EDU

I followed the instructions on the DOC page for configuring Kerberos authentication to the best of my ability but have an error on Alfresco Explorer and cannot get CIFS or WebDAV to map. Here are some stripped-down relevant files:

alfresco-global.properties
dir.root=E:/Alfresco/alf_data

alfresco.context=alfresco
alfresco.host=127.0.0.1
alfresco.port=80
alfresco.protocol=http

share.context=share
share.host=127.0.0.1
share.port=80
share.protocol=http

### authentication ###
# alfrescoNtlm1:alfrescoNtlm,passthru1:passthru,ldap1:ldap
# alfrescoNtlm1:alfrescoNtlm
alfrescoNtlm1:alfrescoNtlm,kerberos1:kerberos


### CIFS settings ###
cifs.enabled=true
cifs.serverName=alfresco
cifs.domain=
cifs.hostannounce=true
cifs.sessionTimeout=900
repository.properties
authentication.chain=alfrescoNtlm1:alfrescoNtlm,kerberos1:kerberos
alfresco-authentication.properties
ntlm.authentication.sso.enabled=false
alfresco.authentication.allowGuestLogin=true
alfresco.authentication.authenticateCIFS=true
kerberos-authentication.properties
kerberos.authentication.realm=INS.UNIV.EDU
kerberos.authentication.sso.enabled=false
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.cifs.password=password1 ### I put text of real AD user password here
kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.http.password=password1 ### I put text of real AD user password here
kerberos.authentication.defaultAdministratorUserNames=admin,auser ### auser1 is a username that is both in AD as well as alfresco - I don't know what this refers to
kerberos.authentication.authenticateCIFS=true
I also made AD users AlfrescoCIFS & AlfrescoHTTP and did ktpass output and setspn as described in doc and created java.login.config.  I am not sure I did this right because our situation is unique.  These are the commands I ran:
ktpass -princ cifs/alfresco.university.edu@INS.UNIV.EDU -pass password1 -mapuser ADS\AlfrescoCIFS -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out E:\Alfresco\AlfrescoCIFS.keytab -kvno 0
ktpass -princ HTTP/alfresco.university.edu@INS.UNIV.EDU -pass password1 -mapuser ADS\AlfrescoHTTP -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out E:\Alfresco\AlfrescoHTTP.keytab -kvno 0

setspn -a cifs/alfresco AlfrescoCIFS
setspn -a cifs/alfresco.university.edu AlfrescoCIFS

setspn -a HTTP/alfresco AlfrescoHTTP
setspn -a HTTP/alfresco.university.edu AlfrescoHTTP

setspn -l AlfrescoCIFS
setspn -l AlfrescoHTTP
java.login.config
Alfresco {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

AlfrescoCIFS {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="E:/Alfresco/AlfrescoCIFS.keytab"
   principal="cifs/alfresco.university.edu";
};

AlfrescoHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="E:/Alfresco/AlfrescoCIFS.keytab"
   principal="HTTP/alfresco.university.edu";
};

com.sun.net.ssl.client {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

other {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};
When I log into Alfresco Share, I can use Alfresco users and passwords but not AD ones. Do I need to set up Authorities and/or ACLs first?
When I open the address for alfresco explorer, I get this error:
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'globalAuthenticationFilter' defined in file [E:\Alfresco\tomcat\webapps\alfresco\WEB-INF\classes\alfresco\subsystems\Authentication\kerberos\kerberos-filter-context.xml]: Invocation of init method failed; nested exception is javax.servlet.ServletException: Failed to login HTTP server service
   org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1420)
   org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:519)
   org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456)
   org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:291)
   org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
   org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:288)
   org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:190)
   org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:1075)
   org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:96)
   org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
   $Proxy244.doFilter(Unknown Source)
   org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:82)
   org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:58)
root cause

javax.servlet.ServletException: Failed to login HTTP server service
   org.alfresco.repo.webdav.auth.BaseKerberosAuthenticationFilter.init(BaseKerberosAuthenticationFilter.java:179)
   org.alfresco.web.app.servlet.KerberosAuthenticationFilter.init(KerberosAuthenticationFilter.java:72)
   org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter.afterPropertiesSet(BaseSSOAuthenticationFilter.java:115)
   org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1477)
   org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1417)
   org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:519)
   org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456)
   org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:291)
   org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
   org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:288)
   org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:190)
   org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:1075)
   org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:96)
   org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
   $Proxy244.doFilter(Unknown Source)
   org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:82)
   org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:58)
And this is the end of the log file:
 2011-11-11 17:30:07,292  ERROR [app.servlet.KerberosAuthenticationFilter] [http-80-1] HTTP Kerberos web filter error
javax.security.auth.login.LoginException: null (68)
   at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)
   at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:597)
   at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
   at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
   at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
   at java.security.AccessController.doPrivileged(Native Method)
   at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
   at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
   at org.alfresco.repo.webdav.auth.BaseKerberosAuthenticationFilter.init(BaseKerberosAuthenticationFilter.java:165)
   at org.alfresco.web.app.servlet.KerberosAuthenticationFilter.init(KerberosAuthenticationFilter.java:72)
   at org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter.afterPropertiesSet(BaseSSOAuthenticationFilter.java:115)
   at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1477)
   at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1417)
   at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:519)
   at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456)
   at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:291)
   at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
   at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:288)
   at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:190)
   at org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:1075)
   at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:96)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
   at $Proxy244.doFilter(Unknown Source)
   at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:82)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
   at org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:58)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
   at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
   at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
   at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:465)
   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
   at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:859)
   at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:579)
   at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1555)
   at java.lang.Thread.run(Thread.java:619)
Caused by: KrbException: null (68)
   at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:66)
   at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:449)
   at sun.security.krb5.Credentials.sendASRequest(Credentials.java:406)
   at sun.security.krb5.Credentials.acquireTGT(Credentials.java:355)
   at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:662)
   ... 44 more
Caused by: KrbException: Identifier doesn't match expected value (906)
   at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
   at sun.security.krb5.internal.ASRep.init(ASRep.java:58)
   at sun.security.krb5.internal.ASRep.<init>(ASRep.java:53)
   at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:50)
   ... 48 more

Anything I did wrong or still need to do to get Kerberos to work?
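As an added example (not from the post or from Alfresco), here is a small Python check that parses a keytab such as the ones ktpass writes and confirms that each entry's principal and realm line up with the JAAS `principal=` value and `kerberos.authentication.realm`; it would flag, for instance, a JAAS entry for `HTTP/alfresco.university.edu` that points at a keytab holding only a `cifs/` key. The `build_keytab` helper is an assumption used only to construct the sample file offline; on a real server you would read the `.keytab` file ktpass produced instead.

```python
import struct

def _cstr(s):
    b = s.encode()
    return struct.pack(">H", len(b)) + b            # keytab counted_octet_string

def _read_cstrs(buf, pos, n):
    """Read n counted_octet_strings starting at pos; return (strings, new pos)."""
    out = []
    for _ in range(n):
        (ln,) = struct.unpack_from(">H", buf, pos)
        out.append(buf[pos + 2:pos + 2 + ln].decode())
        pos += 2 + ln
    return out, pos

def build_keytab(entries):
    """Constructed helper: write a format-0x0502 keytab from (principal, realm, kvno, enctype, key)."""
    out = bytearray(b"\x05\x02")
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm) + b"".join(map(_cstr, comps))
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def parse_keytab(data):
    """Return [(principal, realm, kvno, enctype)] for every live entry in a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos, end = pos + 4, pos + 4 + abs(size)
        if size > 0:                                   # size <= 0 marks a deleted slot
            (ncomp,) = struct.unpack_from(">H", data, pos)
            strs, pos = _read_cstrs(data, pos + 2, ncomp + 1)   # realm first, then name components
            vno8 = data[pos + 8]                       # after 4-byte name_type and 4-byte timestamp
            enctype, klen = struct.unpack_from(">HH", data, pos + 9)
            pos += 13 + klen
            kvno32 = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else 0
            entries.append(("/".join(strs[1:]), strs[0], kvno32 or vno8, enctype))
        pos = end
    return entries

def matches_jaas(entries, principal, realm):
    """Entries matching a JAAS 'principal=' value; realm comes after '@' or from the properties file."""
    name, _, embedded = principal.partition("@")
    return [e for e in entries if e[0] == name and e[1] == (embedded or realm)]

# Constructed sample: the entry the post's ktpass command would write into AlfrescoCIFS.keytab.
SAMPLE_KEYTAB = build_keytab([("cifs/alfresco.university.edu", "INS.UNIV.EDU", 0, 23, b"\x11" * 16)])
```

An empty result from `matches_jaas` for the `AlfrescoHTTP` entry means the HTTP service has no usable key in the file it was given, which is exactly what `Krb5LoginModule` cannot recover from at startup.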