
Kerberos problems: Default realm not specified

Question asked by gronfelt on Dec 27, 2011
Latest reply on Feb 6, 2015 by aditya_chaudhari
I'm trying to set up authentication and SSO with AD through Kerberos. I've followed the documentation for 4.0 but can't get it to work.

This is my kerberos-filter.properties

kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.http.password=********
kerberos.authentication.sso.enabled=true
kerberos.authentication.browser.ticketLogons=true

I've created this krb5.ini in C:\WINNT:

[libdefaults]
default_realm = MYDOMAIN.LOCAL
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac

[realms]
MYDOMAIN.LOCAL = {
  kdc = adserver.mydomain.local
  admin_server = adserver.mydomain.local
}

[domain_realm]
adserver.mydomain.local = MYDOMAIN.LOCAL
.adserver.mydomain.local = MYDOMAIN.LOCAL

However, when I try to access the Alfresco application I get the following error:

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'globalAuthenticationFilter' defined in file [C:\Alfresco\tomcat\webapps\alfresco\WEB-INF\classes\alfresco\subsystems\Authentication\kerberos\kerberos-filter-context.xml]: Invocation of init method failed; nested exception is javax.servlet.ServletException: Failed to login HTTP server service
caused by:
javax.servlet.ServletException: Failed to login HTTP server service

This is in stdout.log:

Caused by: KrbException: Null realm name (601) - default realm not specified
   at sun.security.krb5.KrbAsReq.createMessage(KrbAsReq.java:474)
   at sun.security.krb5.KrbAsReq.init(KrbAsReq.java:374)
   at sun.security.krb5.KrbAsReq.<init>(KrbAsReq.java:260)
   at sun.security.krb5.KrbAsReq.<init>(KrbAsReq.java:61)
   at sun.security.krb5.Credentials.sendASRequest(Credentials.java:396)
   at sun.security.krb5.Credentials.acquireTGT(Credentials.java:355)
   at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:662)
   … 44 more

It seems that the krb5.ini settings are not used, since the error says that the default realm is not specified. What could be the cause of this? I've also tried to put the file in <alfresco>/java/jre/lib/security, but that doesn't make any difference.

I also have another question on the subject: The 4.0 documentation states that one should change the settings in share-config-custom.xml.sample to get SSO working with Share and Kerberos; however, my share-config-custom.xml.sample does not contain any lines about Kerberos. Am I looking in the wrong place (<alfresco>/tomcat/shared/classes/alfresco/web-extensions)?
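
A diagnostic for the "default realm not specified" symptom described above, as an added example that is not part of the original post and not Alfresco's code: it walks the locations a Windows JVM is assumed to search for its Kerberos configuration and checks the first file found for a usable default_realm. The search order (an explicit java.security.krb5.conf property, then krb5.conf under the JRE's lib/security, then krb5.ini in the Windows directory) follows the JDK's Kerberos documentation and should be verified against the JVM version in use; the function names and the C:\Alfresco\java\jre default are assumptions.

```python
import os
import re

# Constructed sample with the same shape as the krb5.ini in the post.
SAMPLE = """[libdefaults]
default_realm = MYDOMAIN.LOCAL
[realms]
MYDOMAIN.LOCAL = {
  kdc = adserver.mydomain.local
}
"""

def candidate_paths(java_home, windir, krb5_conf_prop=None):
    # Assumed JDK order: -Djava.security.krb5.conf wins outright; otherwise
    # <java.home>/lib/security/krb5.conf, then <Windows dir>/krb5.ini.
    if krb5_conf_prop:
        return [krb5_conf_prop]
    return [os.path.join(java_home, "lib", "security", "krb5.conf"),
            os.path.join(windir, "krb5.ini")]

def parse_krb5(text):
    """Return (default_realm, realm names defined at top level of [realms])."""
    section, default_realm, realms, depth = None, None, set(), 0
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, depth = m.group(1), 0
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if section == "libdefaults" and key == "default_realm":
            default_realm = value
        elif section == "realms":
            if depth == 0 and value.startswith("{"):
                realms.add(key)
            depth += line.count("{") - line.count("}")
    return default_realm, realms

def diagnose(java_home, windir, krb5_conf_prop=None):
    """Return (path the JVM would load or None, finding)."""
    for path in candidate_paths(java_home, windir, krb5_conf_prop):
        if os.path.isfile(path):
            with open(path, encoding="utf-8") as fh:
                realm, realms = parse_krb5(fh.read())
            if not realm:
                return path, "no default_realm in [libdefaults]"
            if realm not in realms:
                return path, "default_realm %s missing from [realms]" % realm
            return path, "ok: default_realm %s" % realm
    return None, "no krb5 config found on the JVM search path"

if __name__ == "__main__":
    # Assumed defaults; pass the java.home and %WINDIR% of the Tomcat JVM.
    print(diagnose(r"C:\Alfresco\java\jre", os.environ.get("WINDIR", r"C:\Windows")))
```

A result of `None` means the JVM starts with no realm configuration at all, which is the condition the `KrbException ... (601)` line in stdout.log reports.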
