
Kerberos SSO unsupported SPNEGO

Question asked by svent on Dec 17, 2012
Latest reply on Jan 21, 2016 by tcuser
Hi there

I'm trying to use SSO Kerberos with Alfresco 4.2c on Tomcat 7 (Ubuntu, OpenJDK 7) and Kerberos (Ubuntu, MIT krb5). When I try to access Alfresco from my Mac (using Firefox or Google Chrome) I get redirected to the username/password login form (which actually works fine).

Debug messages in the alfresco log look as follows:

2012-12-17 18:29:43,369  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-bio-8080-exec-1] New Kerberos auth request from xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx:49251)
2012-12-17 18:29:43,369  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-bio-8080-exec-1] Issuing login challenge to browser.
2012-12-17 18:29:43,424  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-bio-8080-exec-1] Unsupported SPNEGO mechanism 1.3.6.1.4.1.311.2.2.10
2012-12-17 18:29:43,424  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-bio-8080-exec-1] Clearing session.
2012-12-17 18:29:43,424  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-bio-8080-exec-1] Issuing login challenge to browser.
2012-12-17 18:29:43,525  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-bio-8080-exec-4] Login page requested, chaining …

alfresco-global.properties looks as follows:

authentication.chain=kerberos:kerberos

#krb5
kerberos.authentication.realm=XXX.XX
kerberos.authentication.sso.enabled=true
kerberos.authentication.authenticateCIFS=true
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.cifs.password=xxx
kerberos.authentication.http.password=xxx
kerberos.authentication.defaultAdministratorUserNames=xxx

alfresco.login.config (included in java.security) looks as follows:

Alfresco {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

AlfrescoCIFS {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/alfresco.keytab"
   principal="cifs/xxx.xxx.xx";
};

AlfrescoHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/alfresco.keytab"
   principal="HTTP/xxx.xxx.xx";
};

Alfresco Server Kerberos krb5.conf looks as follows:

[realms]
   XXX.XX = {
      kdc = kerberos.xxx.xx
      admin_server = kerberos.xxx.xx
   }

[domain_realm]
   .xxx.xx = XXX.XX

[login]
   krb4_convert = true
   krb4_get_tickets = false

I looked into the sources of Alfresco and it seems that SPNEGO mech 1.3.6.1.4.1.311.2.2.30 is supported but not 1.3.6.1.4.1.311.2.2.10.

Do I need further configuration in my Firefox/Chrome/Mac? I (unfortunately) do not know much about Kerberos negotiation mechs.

Thanks for any suggestions
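
To see which mechanisms a client put in its `Authorization: Negotiate` header when the filter logs "Unsupported SPNEGO mechanism", the token can be decoded offline. This is an added example, not part of the original post or of Alfresco's code; the function names are hypothetical and the sample token is constructed.

```python
import base64

# Well-known GSS-API mechanism OIDs (labels added for this example).
MECHS = {
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    "1.3.6.1.4.1.311.2.2.30": "NegoEx",
}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode DER OID content bytes (first arc 0 or 1) to dotted notation."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def offered_mechs(header_value):
    """List the mechanism OIDs in an 'Authorization: Negotiate ...' value."""
    token = base64.b64decode(header_value.split(None, 1)[1])
    if token.startswith(b"NTLMSSP\x00"):  # raw NTLM, no SPNEGO wrapper
        return ["1.3.6.1.4.1.311.2.2.10"]
    tag, body, _ = read_tlv(token, 0)          # 0x60 InitialContextToken
    if tag != 0x60:
        raise ValueError("not an initial GSS-API token")
    _, _, pos = read_tlv(body, 0)              # skip SPNEGO OID 1.3.6.1.5.5.2
    _, init, _ = read_tlv(body, pos)           # [0] NegTokenInit
    _, seq, _ = read_tlv(init, 0)              # SEQUENCE
    _, mech_field, _ = read_tlv(seq, 0)        # [0] mechTypes
    _, mech_list, _ = read_tlv(mech_field, 0)  # SEQUENCE OF OID
    oids, pos = [], 0
    while pos < len(mech_list):
        _, oid, pos = read_tlv(mech_list, pos)
        oids.append(decode_oid(oid))
    return oids

# Constructed sample: NegTokenInit offering Kerberos V5 and NTLMSSP, no mechToken.
SAMPLE = bytes.fromhex("602706062b0601050502a01d301ba019301706092a864886f712010202060a2b06010401823702020a")
for oid in offered_mechs("Negotiate " + base64.b64encode(SAMPLE).decode()):
    print(oid, MECHS.get(oid, "unknown"))
```

A token that decodes to only 1.3.6.1.4.1.311.2.2.10, or that starts with `NTLMSSP`, means the client offered NTLM and did not include a Kerberos mechanism.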
