
Alfresco authentication using Kerberos

Question asked by thanhdc on Sep 18, 2013
Latest reply on Oct 13, 2013 by mrogers
Hi Mates,

I am writing this hoping somebody will help me fix an issue regarding Kerberos authentication. I followed this documentation http://www.anotherstrangerme.com/afresco-integration-with-active-directory-using-kerberos/ to configure Kerberos authentication, but can't get it working. Below is my configuration:

1.

authentication.chain=kerberos1:kerberos

2.

kerberos.authentication.realm=MYCOMPANY.COM
kerberos.authentication.sso.enabled=true
kerberos.authentication.authenticateCIFS=true
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.cifs.configEntryName=alfrescocifs
kerberos.authentication.http.configEntryName=alfrescohttp
kerberos.authentication.cifs.password=secrect
kerberos.authentication.http.password=secrect
kerberos.authentication.defaultAdministratorUserNames=alfrescocifs
kerberos.authentication.cifs.enableTicketCracking=false
kerberos.authentication.stripUsernameSuffix=true

3.

Alfresco {
    com.sun.security.auth.module.Krb5LoginModule sufficient;
};

AlfrescoCIFS {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    debug=true
    useKeyTab=true
    keyTab="/opt/alfresco/alfrescocifs.keytab"
    isInitiator=false
    principal="cifs/alfresco.vng.com.vn";
};

AlfrescoHTTP {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    debug=true
    useKeyTab=true
    keyTab="/opt/alfresco/alfrescohttp.keytab"
    isInitiator=false
    principal="HTTP/alfresco.vng.com.vn";
};

ShareHTTP {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    useKeyTab=true
    keyTab="/etc/krb5.alfresco.http.keytab"
    isInitiator=false
    principal="HTTP/alfresco.vng.com.vn";
};

com.sun.net.ssl.client {
    com.sun.security.auth.module.Krb5LoginModule sufficient;
};

other {
    com.sun.security.auth.module.Krb5LoginModule sufficient;
};

4.

ktpass /princ cifs/alfresco.vng.com.vn@MYCOMPANY.COM -pass secrect /mapuser VNG\alfrescocifs -crypto All /ptype KRB5_NT_PRINCIPAL /mapop set +desonly -out D:\Alfresco\alfrescocifs.keytab

ktpass /princ HTTP/alfresco.vng.com.vn@MYCOMPANY.COM /pass secrect  /mapuser VNG\alfrescohttp -crypto All /ptype KRB5_NT_PRINCIPAL /mapop set +desonly -out D:\Alfresco\alfrescohttp.keytab


setspn -a cifs/alfresco alfrescocifs
setspn -a cifs/alfresco.mycompany.com alfrescocifs

setspn -a HTTP/alfresco alfrescohttp
setspn -a HTTP/alfresco.mycompany.com alfrescohttp

setspn -l alfrescocifs
setspn -l alfrescohttp


5.

[libdefaults]
default_realm = MYCOMPANY.COM
[realms]
MYCOMPANY.COM = {
kdc = vnghcmads03.vng.com.vn
admin_server = vnghcmads01.mycompany.com
}
[domain_realm]
vnghcmads01.mycompany.com = MYCOMPANY.COM
.vnghcmads01.mycompany.com = MYCOMPANY.COM


But when I log in to http://alfresco.mycompany.com:8080/alfresco, I get this error:

Error creating bean with name 'cifsAuthenticator' defined in file [/opt/alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/kerberos/kerberos-authentication-context.xml]: Invocation of init method failed; nested exception is org.alfresco.jlan.server.config.InvalidConfigurationException: Failed to login CIFS server service

Any help would be appreciated!

Best regards,
