Kerberos SSO (against AD) sometimes fails on Share (4.0.d)

Question asked by oleh on May 17, 2013
I've recently implemented Kerberos SSO on both CIFS and Share. At first glance everything looks fine; it works smoothly.

Until later during the day, when users start to be prompted for passwords.

My first instinct is that we're dealing with expired Kerberos tickets. Enabling debugging, yup, it seems so:

Found ticket for OLEH@MYDOMAIN.LOCAL to go to HTTP/alfresco.local@DOMAIN.LOCAL expiring on Fri May 17 03:47:56 WGST 2013
04:52:06,730  DEBUG [site.servlet.SSOAuthenticationFilter] Kerberos logon error
java.lang.IllegalStateException: This ticket is no longer valid


I restart my browser, get issued a new ticket, and everything is good.

After this I check my ticket with klist. I have a nice valid and renewable ticket that lasts for 10 hours.

1-5 hours later (random, no system in the timeframe) I experience EXACTLY the same thing. Login prompt (windows login, not Share login page). Verify the ticket, it's still valid. I restart the browser and we're good to go again.

However, from the logs it does not say that my ticket is no longer valid, it says:


Search Subject for Kerberos V5 ACCEPT cred (HTTP/alfresco.DOMAIN.LOCAL@DOMAIN.LOCAL, sun.security.jgss.krb5.Krb5AcceptCredential)
Found key for HTTP/alfresco.DOMAIN.LOCAL@DOMAIN.LOCAL(23)
Entered Krb5Context.acceptSecContext with state=STATE_NEW
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 3 1 23 16 17 18.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> Config reset default kdc DOMAIN.LOCAL
replay cache for oleh@DOMAIN.LOCAL is null.
object 0: 1368700723000/198
object 0: 1368700723000/198
>>> KrbApReq: authenticate succeed.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>Delegated Creds have pname=oleh@DOMAIN.LOCAL sname=krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL authtime=null starttime=20130516102536Z endtime=20130516202533ZrenewTill=20130523102533Z
Krb5Context setting peerSeqNumber to: 145069278
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Krb5Context setting mySeqNumber to: 607740720
Entered Krb5Context.initSecContext with state=STATE_NEW

Found ticket for HTTP/alfresco.DOMAIN.LOCAL@DOMAIN.LOCAL to go to krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL expiring on Thu May 16 15:49:24 WGST 2013
Found ticket for OLEH@DOMAIN.LOCAL to go to HTTP/alfresco.DOMAIN.LOCAL@DOMAIN.LOCAL expiring on Thu May 16 15:16:15 WGST 2013

Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
default etypes for default_tgs_enctypes: 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbKdcReq send: kdc=10.66.60.20 UDP:88, timeout=30000, number of retries =3, #bytes=1627
>>> KDCCommunication: kdc=10.66.60.20 UDP:88, timeout=30000,Attempt =1, #bytes=1627
>>> KrbKdcReq send: #bytes read=116
>>> KrbKdcReq send: #bytes read=116
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
         sTime is Thu May 16 08:38:43 WGST 2013 1368700723000
         suSec is 284507
         error code is 52
         error Message is Response too big for UDP, retry with TCP
         realm is DOMAIN.LOCAL
         sname is HTTP/alfresco.DOMAIN.LOCAL
         msgType is 30
>>> KrbKdcReq send: kdc=10.66.60.20 TCP:88, timeout=30000, number of retries =3, #bytes=1621
>>>DEBUG: TCPClient reading 1578 bytes
>>> KrbKdcReq send: #bytes read=1578
>>> KrbKdcReq send: #bytes read=1578
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbApReq: APOptions are 00100000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Krb5Context setting mySeqNumber to: 857087925
Created InitSecContextToken:
[a lot more hex code]


What could cause this?
I checked the time on the servers and they were NOT in sync. I set up NTP and now they are, but the problem still persists.

I also find that I have to restart Share every 10 hours: after the Kerberos ticket for my AlfrescoHTTP expires, it can't renew it.

It only seems to be a problem with Share. Alfresco Explorer and CIFS work just fine.

Any pointers would be most welcome!

More details about my setup:
Alfresco 4.0.d
Win 2008 r2 server (AD)

Alfresco config:

kerberos.authentication.realm=DOMAIN.LOCAL
kerberos.authentication.sso.enabled=true
kerberos.authentication.authenticateCIFS=true
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.stripUsernameSuffix=true
kerberos.authentication.cifs.password=[pass]
kerberos.authentication.http.password=[pass]
kerberos.authentication.defaultAdministratorUserNames=oleh
authentication.chain=kerberos1:kerberos,ldap1:ldap


share-config-custom.xml:

   <config evaluator="string-compare" condition="Kerberos" replace="true">
      <kerberos>
         <password>[pass]</password>
         <realm>DOMAIN.LOCAL</realm>
         <endpoint-spn>HTTP/alfresco.domain.local@DOMAIN.LOCAL</endpoint-spn>
         <config-entry>ShareHTTP</config-entry>
      </kerberos>
   </config>
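An added diagnostic helper, not part of the post or of Alfresco, that parses the JGSS/Krb5 debug lines quoted above: it pulls out the service tickets found in the Subject and their expiry, the delegated TGT's lifetime and renewable window from the `Delegated Creds` line (which is where the "10 hours" comes from), and any KRBError code, then lists what could explain a failed logon at a given time. `SAMPLE_LOG` is constructed from lines in the post, and the date of the 04:52:06 logon error (`LOGON_ERROR_AT`) is assumed to be May 17, 2013; all helper names are mine.

```python
import re
from datetime import datetime

# Constructed sample: the JGSS/Krb5 debug lines quoted in the post, trimmed to the ones parsed below.
SAMPLE_LOG = """\
Found ticket for OLEH@MYDOMAIN.LOCAL to go to HTTP/alfresco.local@DOMAIN.LOCAL expiring on Fri May 17 03:47:56 WGST 2013
04:52:06,730  DEBUG [site.servlet.SSOAuthenticationFilter] Kerberos logon error
>>>Delegated Creds have pname=oleh@DOMAIN.LOCAL sname=krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL authtime=null starttime=20130516102536Z endtime=20130516202533ZrenewTill=20130523102533Z
>>>KRBError:
         error code is 52
         error Message is Response too big for UDP, retry with TCP
"""
# Wall-clock time of the "Kerberos logon error" DEBUG line in the post (date assumed: May 17, 2013).
LOGON_ERROR_AT = datetime(2013, 5, 17, 4, 52, 6)

TICKET_RE = re.compile(r"Found ticket for (\S+) to go to (\S+) expiring on (\w{3} \w{3} \d{1,2} \d\d:\d\d:\d\d) \w+ (\d{4})")
CREDS_RE = re.compile(r"starttime=(\d{14}Z) endtime=(\d{14}Z)\s*renewTill=(\d{14}Z)")
ERR_RE = re.compile(r"error code is (\d+)\n\s*error Message is (.+)")

def parse_tickets(log):
    """Tickets the JVM found in the Subject, with expiry (timezone name dropped; all times are log-local)."""
    return [{"client": c, "service": s,
             "expires": datetime.strptime(f"{stamp} {year}", "%a %b %d %H:%M:%S %Y")}
            for c, s, stamp, year in TICKET_RE.findall(log)]

def parse_delegated_creds(log):
    """Lifetime and renewable window of the delegated TGT (KerberosTime values, UTC)."""
    m = CREDS_RE.search(log)
    if not m:
        return None
    start, end, renew = (datetime.strptime(t, "%Y%m%d%H%M%SZ") for t in m.groups())
    return {"start": start, "end": end, "renew_till": renew,
            "lifetime_s": (end - start).total_seconds(),
            "renewable_for_s": (renew - start).total_seconds()}

def parse_krb_errors(log):
    """(code, message) pairs from every KRBError block in the log."""
    return [(int(code), msg.strip()) for code, msg in ERR_RE.findall(log)]

def assess(log, now):
    """Findings that could explain a failed Kerberos logon at `now` (log-local time)."""
    findings = []
    for t in parse_tickets(log):
        if t["expires"] <= now:
            findings.append(f"service ticket {t['client']} -> {t['service']} expired at {t['expires']}; the browser must obtain a fresh one")
    for code, msg in parse_krb_errors(log):
        # 52 = KRB_ERR_RESPONSE_TOO_BIG (RFC 4120): the client has to fall back to TCP port 88
        hint = " (KRB_ERR_RESPONSE_TOO_BIG; confirm TCP/88 to the KDC is reachable)" if code == 52 else ""
        findings.append(f"KRBError {code}: {msg}{hint}")
    return findings
```

`assess(SAMPLE_LOG, LOGON_ERROR_AT)` reports the expired service ticket and the UDP-size error; the delegated TGT's `lifetime_s` is 35997 (10 hours minus the 3 s skew between the two timestamps), matching the 10-hour restart cycle described above.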