
Kerberos: Share fails to renew/refresh ticket

Question asked by oleh on Jun 5, 2013
Latest reply on Aug 30, 2017 by resplin
We're currently having trouble with Share: we need to restart it every 10 hours.

Our setup:
Alfresco 4.0.d (community) running on Ubuntu 12.04
Windows 2008R2 AD
Kerberos SSO
Windows 7 client, IE9

Everything works fine on the Alfresco side. Alfresco Explorer and CIFS are just fine, but as soon as Share has been running for 10 hours (default ticket lifetime in AD) we're unable to log in. First, we'll be prompted with a browser login, then a Windows login, and after that the Share login form. If I reload the page and enter my password a couple of times it will eventually let me in and we can run for another 10 hours.

If I restart Share I get straight in after it comes up.

Is this a common issue? For me it seems Share should be able to renew the TGT?

I get this exception in the logs:


13:55:18,443  DEBUG [site.servlet.SSOAuthenticationFilter] Kerberos logon error
java.lang.IllegalStateException: This ticket is no longer valid
   at javax.security.auth.kerberos.KerberosTicket.toString(KerberosTicket.java:638)
   at java.lang.String.valueOf(String.java:2854)
   at java.lang.StringBuilder.append(StringBuilder.java:128)
   at sun.security.jgss.krb5.SubjectComber.findAux(SubjectComber.java:150)
   at sun.security.jgss.krb5.SubjectComber.find(SubjectComber.java:59)
   at sun.security.jgss.krb5.Krb5Util.getTicket(Krb5Util.java:155)
   at sun.security.jgss.krb5.Krb5Context$1.run(Krb5Context.java:606)
   at sun.security.jgss.krb5.Krb5Context$1.run(Krb5Context.java:599)
   at java.security.AccessController.doPrivileged(Native Method)
   at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:598)
   at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
   at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
   at org.alfresco.web.site.servlet.KerberosSessionSetupPrivilegedAction.run(KerberosSessionSetupPrivilegedAction.java:127)
   at org.alfresco.web.site.servlet.KerberosSessionSetupPrivilegedAction.run(KerberosSessionSetupPrivilegedAction.java:44)
   at java.security.AccessController.doPrivileged(Native Method)
   at javax.security.auth.Subject.doAs(Subject.java:356)
   at org.alfresco.web.site.servlet.SSOAuthenticationFilter.doKerberosLogon(SSOAuthenticationFilter.java:1009)
   at org.alfresco.web.site.servlet.SSOAuthenticationFilter.doFilter(SSOAuthenticationFilter.java:441)
   at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1326)
   at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:479)
   at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:119)
   at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:520)
   at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:227)
   at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:940)
   at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:409)
   at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:186)
   at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:874)
   at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)
   at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:250)
   at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:149)
   at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:110)
   at org.eclipse.jetty.server.Server.handle(Server.java:349)
   at org.eclipse.jetty.server.HttpConnection.handleRequest(HttpConnection.java:441)
   at org.eclipse.jetty.server.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:904)
   at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:565)
   at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:217)
   at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:46)
   at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:545)
   at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:43)
   at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:598)
   at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:533)
   at java.lang.Thread.run(Thread.java:722)


Any info or pointers will be very welcome!


Some setup info:

share-config-custom.xml:

   <config evaluator="string-compare" condition="Kerberos" replace="true">
      <kerberos>
         <password>password</password>
         <realm>DOMAIN.LOCAL</realm>
         <endpoint-spn>HTTP/alfresco.domain.local@DOMAIN.LOCAL</endpoint-spn>
         <config-entry>ShareHTTP</config-entry>
      </kerberos>
   </config>
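
An added example, not part of the original post or of Alfresco's code: a Python scan that picks out the "Kerberos logon error" entries caused by "This ticket is no longer valid" in a Share log and reports when they start and which `org.alfresco` frame they pass through. The sample log is constructed in the format of the excerpt above, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the format of the Share log excerpt above (not real log data).
SAMPLE_LOG = """\
13:55:18,443  DEBUG [site.servlet.SSOAuthenticationFilter] Kerberos logon error
java.lang.IllegalStateException: This ticket is no longer valid
   at javax.security.auth.kerberos.KerberosTicket.toString(KerberosTicket.java:638)
   at sun.security.jgss.krb5.Krb5Context$1.run(Krb5Context.java:606)
   at org.alfresco.web.site.servlet.KerberosSessionSetupPrivilegedAction.run(KerberosSessionSetupPrivilegedAction.java:127)
13:55:19,010  DEBUG [site.servlet.SSOAuthenticationFilter] constructed unrelated debug line
13:56:02,120  DEBUG [site.servlet.SSOAuthenticationFilter] Kerberos logon error
java.lang.IllegalStateException: This ticket is no longer valid
   at org.alfresco.web.site.servlet.KerberosSessionSetupPrivilegedAction.run(KerberosSessionSetupPrivilegedAction.java:127)
14:01:44,902  DEBUG [site.servlet.SSOAuthenticationFilter] Kerberos logon error
java.lang.RuntimeException: constructed unrelated failure
"""

ENTRY = re.compile(r"^(\d{2}:\d{2}:\d{2}),\d{3}\s+(\w+)\s+\[([^\]]+)\]\s+(.*)$")
FRAME = re.compile(r"^\s+at\s+([\w.$]+)\(")
STALE = "This ticket is no longer valid"

def find_stale_ticket_errors(text):
    """Return one dict per 'Kerberos logon error' entry caused by an invalid ticket."""
    hits, current = [], None
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:  # a timestamped line starts a new log entry
            current = None
            if m.group(4) == "Kerberos logon error":
                current = {"time": m.group(1), "stale": False, "app_frame": None}
            continue
        if current is None:
            continue  # continuation line of an entry we are not tracking
        if STALE in line and not current["stale"]:
            current["stale"] = True
            hits.append(current)
        f = FRAME.match(line)
        if f and current["app_frame"] is None and f.group(1).startswith("org.alfresco."):
            current["app_frame"] = f.group(1)  # first Alfresco frame in the trace
    return hits

def summarize(hits):
    """Count the failures, note the first one, and group them by Alfresco frame."""
    frames = Counter(h["app_frame"] for h in hits)
    return {"count": len(hits), "first_seen": hits[0]["time"] if hits else None,
            "frames": dict(frames)}
```

Comparing `first_seen` with the time Share was started shows whether the failures begin at the 10-hour mark described in the post.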
