
Kerberos configuration problem (Labs 3Stable)

Question asked by bramthielemans on Sep 7, 2009
Latest reply on Sep 23, 2009 by bramthielemans
Hi

We're having some problems setting up Kerberos for an SSO configuration.

We've followed the procedures on http://wiki.alfresco.com/wiki/Configuring_the_CIFS_and_web_servers_for_Kerberos/AD_integration and http://wiki.alfresco.com/wiki/Enterprise_Security_and_Authentication_Configuration#JAAS_-_Java_Authentication_and_Authorization_Service to set up JAAS + Kerberos, as a preparation before the actual SSO configuration, but we're running into some problems.

I'll describe the steps we've taken so far:

1. Enabled and modified the jaas-authentication-context.xml file
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>

<beans>
      
    <bean id="authenticationComponent"
                 class="org.alfresco.repo.security.authentication.jaas.JAASAuthenticationComponent">
        <property name="realm">
            <value>NEFRA.PARAS</value>
        </property>
        <property name="jaasConfigEntryName">
            <value>AlfrescoHTTP</value>
        </property>
    </bean>
   
    <bean name="authenticationDao" class="org.alfresco.repo.security.authentication.DefaultMutableAuthenticationDao" >
        <property name="allowDeleteUser">
            <value>true</value>
        </property>
    </bean>   

</beans>

2. Edited the java.login.config file in C:\Program Files\Java\jdk1.6.0_14\jre\lib\security
Alfresco {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

com.sun.net.ssl.client {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

other {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

AlfrescoHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="C:/etc/alfrescohttp.keytab"
   principal="HTTP/nef-alfresco.nefra.paras.org";
};
(I'm not 100% sure if this is the value we specified for the principal, I don't have access to the file atm)

3. Added the following line to the java.security file in the same folder as java.login.config file.
login.config.url.1=file:${java.home}/lib/security/java.login.config

4. Put the krb5.ini file under C:\Windows

5. Put the alfrescohttp.keytab file under C:\etc\alfrescohttp.keytab


When we start Alfresco, we cannot log in with any user credentials that should be valid for the Active Directory. We've then tried to set up the Kerberos authentication filter for the web client in the Alfresco web.xml file.
<filter>
    <filter-name>Authentication Filter</filter-name>
    <filter-class>org.alfresco.web.app.servlet.KerberosAuthenticationFilter</filter-class>
    <init-param>
        <param-name>KDC</param-name>
        <param-value>root2.paras.org:88</param-value>
    </init-param>
    <init-param>
        <param-name>Realm</param-name>
        <param-value>NEFRA.PARAS</param-value>
    </init-param>
    <init-param>
        <param-name>Password</param-name>
        <param-value>password</param-value>
    </init-param>
    <init-param>
        <param-name>Principal</param-name>
        <param-value>alfrescouser</param-value>
    </init-param>
</filter>

But then we get an error message when starting Alfresco:
javax.servlet.ServletException: Failed to get local server name
         at org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter.init(BaseSSOAuthenticationFilter.java:220).


After which Alfresco shuts down.

I've found a JIRA entry about the same error: https://issues.alfresco.com/jira/browse/ETHREEOH-2584. But I don't think this is the problem since:
- The affects version specified is 3.1 SP1, we're running Labs 3Stable (which is equivalent to 3.0.1, I think)
- The BaseSSOAuthenticationFilter code snippet in the JIRA entry doesn't match that of the 3Stable one.

Some extra info:
We're running Alfresco Labs 3Stable on a Windows 2003 server.
We've set up LDAP user synchronization.
We've previously successfully (kind of) used NTLM authentication, but came to the conclusion that NTLM + SSO would not work in our situation.


If anyone has any ideas/suggestions/remarks/…, they are more than welcome :)


Thanks

Bram
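A small stand-alone check that exercises the two things the post describes, added here as an example (it is not code from the post and not part of Alfresco): it performs a JAAS login through the same config entry name Alfresco's JAASAuthenticationComponent is pointed at (AlfrescoHTTP), using the keytab and principal from java.login.config, and it resolves the local host name, which is what the "Failed to get local server name" message suggests the filter could not do. The class name, the system properties on the command line and the interpretation of that error are assumptions; the entry name, file paths and principal come from the post.

```java
// JaasKerberosCheck.java: added diagnostic, not code from the post or from Alfresco.
// Run it with the same JRE Alfresco uses, so the same java.login.config and krb5.ini apply, e.g.:
//   java -Djava.security.auth.login.config="C:/Program Files/Java/jdk1.6.0_14/jre/lib/security/java.login.config"
//        -Djava.security.krb5.conf=C:/Windows/krb5.ini
//        -Dsun.security.krb5.debug=true JaasKerberosCheck AlfrescoHTTP
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class JaasKerberosCheck {

    /** Check 1: can this JVM resolve its own host name? (Assumed to be what the SSO filter needs at init.) */
    static String localServerName() throws UnknownHostException {
        return InetAddress.getLocalHost().getHostName();
    }

    /** Check 2: does the named JAAS entry log in with its keytab? Returns the populated Subject on success. */
    static Subject loginWithEntry(String entryName) throws LoginException {
        // No CallbackHandler on purpose: a keytab-based entry (useKeyTab=true, principal=...)
        // must succeed without prompting, exactly as it has to inside the server.
        LoginContext lc = new LoginContext(entryName);
        lc.login();
        return lc.getSubject();
    }

    public static void main(String[] args) {
        String entry = args.length > 0 ? args[0] : "AlfrescoHTTP";

        try {
            System.out.println("Local server name: " + localServerName());
        } catch (UnknownHostException e) {
            System.out.println("Local host name lookup failed: " + e.getMessage());
        }

        try {
            Subject subject = loginWithEntry(entry);
            Set<KerberosPrincipal> principals = subject.getPrincipals(KerberosPrincipal.class);
            System.out.println("Logged in as: " + principals);
            // With storeKey=true/useKeyTab=true the module also obtains a TGT; list what it holds.
            Set<KerberosTicket> tickets = subject.getPrivateCredentials(KerberosTicket.class);
            System.out.println("Tickets obtained: " + tickets.size());
            for (KerberosTicket t : tickets) {
                System.out.println("  " + t.getServer() + " valid until " + t.getEndTime());
            }
        } catch (LoginException e) {
            System.out.println("JAAS login for entry '" + entry + "' failed: " + e.getMessage());
        }
    }
}
```

If the host name lookup fails here, the servlet filter's init will fail the same way regardless of the Kerberos settings, so the Windows host name and DNS/hosts entry are the place to look. If the JAAS login fails, the exception text (with sun.security.krb5.debug=true) usually says whether the keytab path, the principal name (including the realm spelling and case) or the KDC lookup from krb5.ini is the problem, which separates the JAAS step from the web.xml filter step the post is stuck on.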
