AnsweredAssumed Answered

SSO with Kerberos : Client sent an NTLMSSP security blob

Question asked by mlagneaux on Apr 27, 2011
Latest reply on May 30, 2011 by kronzucker
Hello,

I'm trying to configure Alfresco to run SSO using Kerberos.


Here's the environment I'm working on:
- My PC is part of domaine.fr. That's the client in my test. It runs on Windows 7 Pro and tests are made with IE8.
- The Alfresco server is a CentOS 5 VM. Alfresco 3.3g is running on Tomcat 6.
- Finally, I've created an Active Directory on a Windows Server 2008 R2 VM. This VM is the domain controller for domaine.local (domain netbios name = DOMAINE0) that I've created specially for this test.

I do not have DNS, so I work with IP:
- Client: xx.xx.xx.35
- Server Alf xx.xx.xx.60
- Server AD: xx.xx.xx.28

First of all, I've tested my environment by setting up passthru => No problem.
When I access to the webapp, I have a Windows login window that appears. I enter the login / password of an account of my AD indicating DOMAINE0 and I automatically connect to Alfresco (bypassing the login page).

After this first test (to control that SSO with passthru is OK), I've followed the instructions in the Kerberos Alfresco wiki page. In my case, CIFS will not be activated, so I've only considered instructions concerning HTTP configuration.
- Create Account alfrescohttp in AD (enable options "Password never expires", "Use DES encryption types for Kerberos" and "Pre-authentication Kerberos is not necessary").
- Generate the keytab on the AD server with the following parameters:
=> @ HTTP/xx.xx.xx.60 DOMAINE.LOCAL
=> DOMAINE0 \ alfrescohttp
  That made me an SPN:
setspn-l alfrescohttp
ServicePrincipalName names registered for CN = HTTP Alfresco, OU = users, OU = ged, OR = esi,
DC = domain, DC = local:
        HTTP/xx.xx.xx.60
- On my Alfresco server, I added a directory kerberos in the Tomcat directory where I placed the following files:
=> The keytab generated previously;
=> Krb5.conf
 
[Libdefaults]
default_realm = DOMAINE.LOCAL
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac

[Realms]
EUROGICIEL.LOCAL = {
  kdc = xx.xx.xx.28
  admin_server = xx.xx.xx.28
}

[Domain_realm]
. Domaine.local = DOMAINE.LOCAL

=> java.login.config
 
Alfresco {
   Sufficient com.sun.security.auth.module.Krb5LoginModule;
};

AlfrescoHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   debug = true
   storeKey = true
   useKeyTab = true
   keytab = "/ usr/share/tomcat6/kerberos/alfrescohttp.keytab"
   main = "HTTP/xx.xx.xx.60";
};

com.sun.net.ssl.client {
   Sufficient com.sun.security.auth.module.Krb5LoginModule;
};

Other {
   Sufficient com.sun.security.auth.module.Krb5LoginModule;
};



- Always on the Alfresco server, I changed the setting JAVA_OPTS to obtain:
 
JAVA_OPTS = "-Xmx2048m-XX: MaxPermSize = 256m-Djava.security.auth.login.config =/usr/share/tomcat6/kerberos/java.login.config-Djava.security.krb5.conf=/usr/share/tomcat6/kerberos/krb5.conf "


- I modified the file alfresco-global.properties for:
 

authentication.chain = kerberos1: kerberos
kerberos.authentication.realm = DOMAINE.LOCAL
kerberos.authentication.sso.enabled = true
kerberos.authentication.authenticateCIFS = false
Alfresco kerberos.authentication.user.configEntryName =
kerberos.authentication.http.configEntryName = AlfrescoHTTP
kerberos.authentication.http.password = secret
kerberos.authentication.defaultAdministratorUserNames = mlagneaux
kerberos.authentication.http.kerberosDebug = true


- I also enabled logs about kerberos in log4j.properties.


When starting Tomcat, I get the following logs indicating that all goes well:
 
17:15:12,932 User: System DEBUG [webdav.auth.KerberosAuthenticationFilter] HTTP Kerberos login successful
17:15:12,933 User: System DEBUG [webdav.auth.KerberosAuthenticationFilter] Logged on using main HTTP/xx.xx.xx.60 @ DOMAINE.LOCAL


But, when I try to access to the webapp with my AD user, I get the Windows login window where I enter the login and password indicating DOMAINE0 but the connection is KO. After a few tries, I get a blank page.
In the log file, I get the following messages:
 
17:24:02,121 DEBUG [app.servlet.KerberosAuthenticationFilter] Kerberos auth request from New xx.xx.xx.35 (xx.xx.xx.35: 62,790)
17:24:02,130 DEBUG [app.servlet.KerberosAuthenticationFilter] Client feels NTLMSSP year security blob

Is there a conf to do on the client? (In IE, the site is within the intranet zone and automatic authentication is enabled for intranet sites).
The use of IP can be a problem?

Are there other logs that might help me to see where is the problem?
Are there any other info (especially on the AD server) that could be useful?

Thank you in advance for your help.

Outcomes