
Kerberos Share SSO - trying out what's new in HEAD

Question asked by loftux Moderator on Jun 15, 2010
Latest reply on Oct 29, 2013 by jean-rémyrevy
I'm trying to set up the new SSO mechanism found in HEAD that will support Kerberos SSO for Share.
And of course there is a lot of guesswork when playing with the latest stuff  :)

I'm getting this error
12:11:11,580 WARN  [org.alfresco.web.site.servlet.KerberosSessionSetupPrivilegedAction] credentials can not be delegated!

So I made sure the accounts Kerberos was set up for had the setting "trusted for delegation" ticked in AD. Didn't help.
In krb5.conf I have
        forwardable = true
        proxiable = true


This is what I have in share-config-custom.xml
   <config evaluator="string-compare" condition="Remote">
     <remote>
        
        <connector>
           <id>alfrescoCookie</id>
           <name>Alfresco Connector</name>
           <description>Connects to an Alfresco instance using cookie-based authentication</description>
           <class>org.springframework.extensions.webscripts.connector.AlfrescoConnector</class>
        </connector>
                 
        <endpoint>
           <id>alfresco</id>
           <name>Alfresco - user access</name>
           <description>Access to Alfresco Repository WebScripts that require user authentication</description>
           <connector-id>alfrescoCookie</connector-id>
           <endpoint-url>http://alfresco.alf.se:8080/alfresco/wcs</endpoint-url>
           <identity>user</identity>
           <external-auth>true</external-auth>
        </endpoint>

     </remote>
  </config>
Should I use alfrescoCookie as connector-id? The server endpoint-url uses the same server-name as for the security principals.

As for the Share Kerberos config
   <!-- Kerberos settings -->
   <config evaluator="string-compare" condition="Kerberos" replace="true">
      <kerberos>
         <password>secret</password>
         <realm>ALF.SE</realm>
         <endpoint-spn>HTTP/alfresco.alf.se@ALF.SE</endpoint-spn>
         <config-entry>AlfrescoHTTP</config-entry>
      </kerberos>
   </config>
I re-used the Config for Alfresco Explorer, is that allowed?
I tried to create a separate keytab for Share, but since HTTP/alfresco.alf.se@ALF.SE was and they are on the same server, I used HTTPSHARE/alfresco.alf.se@ALF.SE for the user created. Didn't work.
Is there a rule that the prefix for HTTP application must be exactly that? If so, then my understanding is that the only way to get this setup to work is to setup Share and Alfresco on separate servers.

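The question above revolves around three things a reviewer would check before blaming the SSO code: the shape of the `endpoint-spn` (service class, host and realm), whether that host matches the `endpoint-url` the connector talks to, and whether `krb5.conf` asks for forwardable tickets, since the "credentials can not be delegated" warning is about delegation. The following script is an added example written for this thread, not part of Alfresco or of the original post. It parses the `<kerberos>` block of a `share-config-custom.xml` and the `[libdefaults]` section of a `krb5.conf` and reports those mismatches. The sample configuration embedded in it is constructed to mirror the one quoted in the question, with the `HTTPSHARE/` SPN the poster tried; the rule that browsers ask the KDC for an `HTTP/<host>` ticket when negotiating SPNEGO is the reason the service class check is there, and the `alfresco-config` root element and the `endpoint[id='alfresco']` lookup are assumptions about the file layout, not something the thread states.

```python
"""Sanity-check a Share Kerberos SSO configuration (added example, not Alfresco code).

Reports the common misconfigurations discussed in the thread:
  - endpoint-spn not of the form service/host@REALM
  - service class other than HTTP (browsers request HTTP/<host> tickets for SPNEGO)
  - SPN host not matching the endpoint-url host of the 'alfresco' endpoint
  - realm in the SPN not matching <realm>
  - forwardable missing or false in krb5.conf [libdefaults] (needed for delegation)
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample mirroring the config quoted in the question (assumed root element).
SAMPLE_SHARE_CONFIG = """<alfresco-config>
   <config evaluator="string-compare" condition="Remote">
     <remote>
        <endpoint>
           <id>alfresco</id>
           <connector-id>alfrescoCookie</connector-id>
           <endpoint-url>http://alfresco.alf.se:8080/alfresco/wcs</endpoint-url>
           <identity>user</identity>
           <external-auth>true</external-auth>
        </endpoint>
     </remote>
   </config>
   <config evaluator="string-compare" condition="Kerberos" replace="true">
      <kerberos>
         <password>secret</password>
         <realm>ALF.SE</realm>
         <endpoint-spn>HTTPSHARE/alfresco.alf.se@ALF.SE</endpoint-spn>
         <config-entry>AlfrescoHTTP</config-entry>
      </kerberos>
   </config>
</alfresco-config>"""

# Constructed krb5.conf fragment with the settings the poster mentions.
SAMPLE_KRB5_CONF = """[libdefaults]
        default_realm = ALF.SE
        forwardable = true
        proxiable = true
"""

SPN_RE = re.compile(r"^(?P<service>[^/@]+)/(?P<host>[^/@]+)@(?P<realm>[^/@]+)$")


def parse_libdefaults(text):
    """Return the [libdefaults] key/value pairs of a krb5.conf as a lower-cased dict."""
    section = None
    values = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip().lower()
    return values


def check_share_kerberos(share_xml, krb5_text):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    root = ET.fromstring(share_xml)
    kerb = root.find("./config[@condition='Kerberos']/kerberos")
    if kerb is None:
        return ["no <kerberos> block found"]
    realm = (kerb.findtext("realm") or "").strip()
    spn = (kerb.findtext("endpoint-spn") or "").strip()
    m = SPN_RE.match(spn)
    if not m:
        findings.append(f"endpoint-spn {spn!r} is not of the form service/host@REALM")
    else:
        if m["service"].upper() != "HTTP":
            findings.append(f"service class {m['service']!r} is not HTTP; "
                            "browsers request HTTP/<host> tickets for SPNEGO")
        if m["realm"] != realm:
            findings.append(f"SPN realm {m['realm']!r} differs from <realm> {realm!r}")
        url = root.findtext("./config[@condition='Remote']/remote/"
                            "endpoint[id='alfresco']/endpoint-url") or ""
        host = urlparse(url).hostname or ""
        if host and host.lower() != m["host"].lower():
            findings.append(f"SPN host {m['host']!r} differs from endpoint-url host {host!r}")
    libdefaults = parse_libdefaults(krb5_text)
    if libdefaults.get("forwardable") != "true":
        findings.append("krb5.conf [libdefaults] forwardable is not true; "
                        "delegation needs forwardable tickets")
    return findings


if __name__ == "__main__":
    for finding in check_share_kerberos(SAMPLE_SHARE_CONFIG, SAMPLE_KRB5_CONF):
        print("WARN:", finding)
```

Run against the sample, the only finding is the `HTTPSHARE` service class; switch the SPN back to `HTTP/alfresco.alf.se@ALF.SE` and the checks pass, which is the same conclusion the question is circling: the service class of a browser-facing SPN is `HTTP`, so two services on one host name cannot each own a distinct `HTTP/<host>` principal.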