
Kerberos authentication

Question asked by luishuang on Dec 30, 2011
Latest reply on Jan 3, 2012 by gronfelt
I can log on with Alfresco Explorer but not Alfresco Share. When I try to log on to Alfresco Share, it brings up a Windows credential popup box. If I use an AD account it won't let me on, but the built-in Alfresco admin account works. I can't see any errors in catalina.out, and if I run kinit on the Alfresco server it authenticates correctly using Kerberos.

My java.login.config file
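// JAAS login configuration (java.login.config) for Alfresco Kerberos / CIFS SSO.
// Each named entry is a login context; Alfresco and Share select an entry by
// name (Share's <config-entry> in share-config-custom.xml refers to "ShareHTTP").
Alfresco {
   // User-name/password Kerberos login against the default realm from krb5.conf.
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

svc-alfrescocifs {
   // Service-side entry for the CIFS server: authenticate from a keytab
   // (useKeyTab) and keep the key in the Subject (storeKey) so that incoming
   // service tickets can be decrypted.
   // NOTE(review): the keytab holds the service account's long-term key; keep
   // its file permissions restricted to the account that runs Alfresco.
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/svc-alfrescocifs.keytab"
   principal="cifs/srv11-0015.inst.camlab";
};

svc-alfrescohttp {
   // Service-side entry for the repository HTTP tier (same pattern as CIFS).
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/svc-alfrescohttp.keytab"
   principal="HTTP/srv11-0015.inst.camlab";
};

com.sun.net.ssl.client {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

other {
   // Fallback entry used when no entry matches the requested name.
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};


ShareHTTP {
   // Share-tier entry; reuses the repository's HTTP keytab and principal.
   // NOTE(review): the principal here is the fully qualified form
   // (HTTP/srv11-0015.inst.camlab); Share's <endpoint-spn> should name the
   // same principal — the page shows it using the short host name instead.
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/svc-alfrescohttp.keytab"
   principal="HTTP/srv11-0015.inst.camlab";
};  // closing "};" was missing from the original listing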

and krb5.conf
# krb5.conf used on the Alfresco server (Kerberos client settings).
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
# Realm assumed for principals written without an explicit @REALM suffix.
default_realm = INST.CAMLAB
# NOTE(review): rc4-hmac is a weak, deprecated encryption type; prefer an AES
# type (e.g. aes256-cts-hmac-sha1-96) if the KDC and service accounts support it.
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac

# Realm and KDC are configured statically in [realms] below, not discovered via DNS.
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
INST.CAMLAB = {
  kdc = instlab01.inst.camlab:88
  admin_server = instlab01.inst.camlab:749
  default_domain = inst.camlab
}

[domain_realm]
# NOTE(review): only the KDC host name is mapped here; other hosts such as
# srv11-0015.inst.camlab fall back to default_realm. A domain-wide mapping
# (inst.camlab and .inst.camlab) is the usual form — confirm what was intended.
instlab01.inst.camlab = INST.CAMLAB
.instlab01.inst.camlab = INST.CAMLAB

share-config-custom.xml
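 <!-- Kerberos settings -->
   <!-- To enable Kerberos, rename this condition to "Kerberos" (it already is here) -->
   <config evaluator="string-compare" condition="Kerberos" replace="true">
      <kerberos>
         <!--
            Password for HTTP service account.
            The account name *must* be built from the HTTP server name, in the format :
               HTTP/<server_name>@<realm>
            (NB this is because the web browser requests an ST for the
            HTTP/<server_name> principal in the current realm, so if we're to decode
            that ST, it has to match.)
            NOTE(review): this password is stored in clear text; restrict read
            access to this file to the account running Share.
         -->
         <password>xxxxx</password>
         <!--
            Kerberos realm and KDC address.
         -->
         <realm>INST.CAMLAB</realm>
         <!--
            Service Principal Name to use on the repository tier.
            This must be like: HTTP/host.name@REALM
            NOTE(review): the value below uses the short host name (SRV11-0015),
            while the JAAS entries and keytab use HTTP/srv11-0015.inst.camlab.
            Share requests a service ticket for this SPN and the repository must
            be able to decrypt it with its keytab, so confirm the two agree.
         -->
         <endpoint-spn>HTTP/SRV11-0015@INST.CAMLAB</endpoint-spn>
         <!--
            JAAS login configuration entry name (see java.login.config).
         -->
         <config-entry>ShareHTTP</config-entry>
      </kerberos>
   </config>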


and my alfresco-global.properties
# Authentication subsystems, tried in the order listed.
# NOTE(review): alfrescoNtlm with SSO enabled is listed first, so the browser
# is challenged for NTLM before the kerberos subsystem is reached — this is
# consistent with the Windows credential popup described above. Listing
# kerberos1 first (or disabling NTLM SSO) is the usual arrangement for
# Kerberos SSO; verify against the Alfresco authentication documentation.
authentication.chain=alfrescoNtlm1:alfrescoNtlm,kerberos1:kerberos
ntlm.authentication.sso.enabled=true
# Enable authentication for the CIFS server.
alfresco.authentication.authenticateCIFS=true
