
Kerberos SSO disconnect/ lockout

Question asked by danielguerra on Aug 22, 2011
Hi,

I have gotten Kerberos SSO working with Alfresco… I am able to browse my sites in the My Network Places view as well as through the Share web interface without having to enter any credentials.

I can log in to Alfresco fine, navigate My Network Places fine and perform edit/add/delete functions from Windows Explorer. However, I run into problems when I start to use the Alfresco Outlook IMAP integration. When I click on the folders for my Alfresco Sites I am prompted to enter my password, even though the IMAP settings already have my password. Outlook does not accept my password and eventually I get locked out. This only happens for one account in Alfresco; all of our other ones have not experienced this problem yet.

Any ideas what could be causing the authentication problems?

The logs show:

14:08:13,959  DEBUG [authentication.jaas.JAASAuthenticationComponent] Failed to authenticate user "neo4"
org.alfresco.repo.security.authentication.AuthenticationException: 07160832 Login Failed
   at org.alfresco.repo.security.authentication.jaas.JAASAuthenticationComponent.authenticateImpl(JAASAuthenticationComponent.java:143)
   at org.alfresco.repo.security.authentication.AbstractAuthenticationComponent.authenticate(AbstractAuthenticationComponent.java:158)
   at org.alfresco.repo.security.authentication.AuthenticationServiceImpl.authenticate(AuthenticationServiceImpl.java:65)
   at org.alfresco.repo.security.authentication.AbstractChainingAuthenticationService.authenticate(AbstractChainingAuthenticationService.java:180)
   at sun.reflect.GeneratedMethodAccessor529.invoke(Unknown Source)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:597)
   at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
   at net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:80)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:44)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.alfresco.repo.audit.AuditMethodInterceptor.proceedWithAudit(AuditMethodInterceptor.java:217)
   at org.alfresco.repo.audit.AuditMethodInterceptor.proceed(AuditMethodInterceptor.java:184)
   at org.alfresco.repo.audit.AuditMethodInterceptor.invoke(AuditMethodInterceptor.java:137)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:107)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
   at $Proxy53.authenticate(Unknown Source)
   at org.alfresco.repo.imap.AlfrescoImapUserManager.test(AlfrescoImapUserManager.java:111)
   at com.icegreen.greenmail.imap.commands.LoginCommand.doProcess(LoginCommand.java:36)
   at com.icegreen.greenmail.imap.commands.CommandTemplate.process(CommandTemplate.java:45)
   at com.icegreen.greenmail.imap.ImapRequestHandler.doProcessRequest(ImapRequestHandler.java:91)
   at com.icegreen.greenmail.imap.ImapRequestHandler.handleRequest(ImapRequestHandler.java:48)
   at com.icegreen.greenmail.imap.ImapHandler.run(ImapHandler.java:103)
Caused by: javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)
   at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)
   at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
   at sun.reflect.GeneratedMethodAccessor532.invoke(Unknown Source)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:597)
   at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
   at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
   at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
   at java.security.AccessController.doPrivileged(Native Method)
   at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
   at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
   at org.alfresco.repo.security.authentication.jaas.JAASAuthenticationComponent.authenticateImpl(JAASAuthenticationComponent.java:137)
   … 27 more
Caused by: KrbException: Pre-authentication information was invalid (24)
   at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:66)
   at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:449)
   at sun.security.krb5.Credentials.sendASRequest(Credentials.java:406)
   at sun.security.krb5.Credentials.acquireTGT(Credentials.java:378)
   at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:662)
   … 38 more
Caused by: KrbException: Identifier doesn't match expected value (906)
   at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
   at sun.security.krb5.internal.ASRep.init(ASRep.java:58)
   at sun.security.krb5.internal.ASRep.<init>(ASRep.java:53)
   at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:50)
   … 42 more
