AnsweredAssumed Answered

Credentials can not be delegated - Alfresco Share

Question asked by leftcase on Jun 15, 2012
Latest reply on Jun 16, 2012 by leftcase
Hi folks,

I've hit a brick wall configuring Alfresco 4.0.d on Redhat 6.

I'm using Kerberos authentication, it seems to be working normally, and single sign on is working on the main alfresco app itself. I've been through the configuration steps to get the share app working, but try as I may, I keep getting this error in catalina.out each time a browser accesses http://server:8080/share along with a 'Windows Security' password box.

WARN  [site.servlet.KerberosSessionSetupPrivilegedAction] credentials can not be delegated!
Here's what I've done so far:

Using AD users and computers, selected the alfrescohttp account, and selected 'trust this user for delegation to any service (Kerberos only).

Copied /opt/alfresco-4.0.d/tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml.sample to share-config-custom.xml and edited like this:

   <config evaluator="string-compare" condition="Kerberos" replace="true">
      <kerberos>
         <password>*****</password>
         <realm>MYDOMAIN.CO.UK</realm>
         <endpoint-spn>HTTP/server.mydomain.co.uk@MYDOMAIN.CO.UK</endpoint-spn>
         <config-entry>ShareHTTP</config-entry>
      </kerberos>
   </config>


   <config evaluator="string-compare" condition="Remote">
      <remote>
         <keystore>
             <path>alfresco/web-extension/alfresco-system.p12</path>
             <type>pkcs12</type>
             <password>alfresco-system</password>
         </keystore>

         <connector>
            <id>alfrescoCookie</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using cookie-based authentication</description>
            <class>org.springframework.extensions.webscripts.connector.AlfrescoConnector</class>
         </connector>

         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfrescoCookie</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
      </remote>
   </config>

Setup the /etc/krb5.conf file like this:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = MYDOMAIN.CO.UK
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
forwardable = true
proxiable = true

[realms]
MYDOMAIN.CO.UK = {
  kdc = mydc.mydomain.co.uk
  admin_server = mydc.mydomain.co.uk
}

[domain_realm]
.mydc.mydomain.co.uk = MYDOMAIN.CO.UK
mydc.mydomain.co.uk = MYDOMAIN.CO.UK

/opt/alfresco-4.0.d/java/jre/lib/security/java.login.config is configured like this:


Alfresco {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

AlfrescoCIFS {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/alfrescocifs.keytab"
   principal="cifs/server.mydomain.co.uk";
};

AlfrescoHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/alfrescohttp.keytab"
   principal="HTTP/server.mydomain.co.uk";
};

com.sun.net.ssl.client {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

other {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

ShareHTTP {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
keyTab="/etc/alfrescohttp.keytab"
principal="HTTP/server.mydomain.co.uk";
};

And finally, the following settings in alfresco-global.conf


authentication.chain=kerberos1:kerberos,alfrescoNtlm1:alfrescoNtlm

kerberos.authentication.real=MYDOMAIN.CO.UK
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.cifs.password=******
kerberos.authentication.http.password=*****
kerberos.authentication.defaultAdministratorUserNames=administrator

ntlm.authentication.sso.enabled=true

As I say, I've hit a brick wall with this and I'd really appreciate any help you can give me!

Outcomes