AnsweredAssumed Answered

Share SSO with Kerberos AD

Question asked by jackjm on Jun 5, 2013
Latest reply on Jun 7, 2013 by jackjm
Hello all,

I am trying to implement SSO for share using Kerberos AD and followed the directions listed in the official documentation at docs.alfresco.com. I keep getting the following exception


2013-06-05 12:02:30,998  WARN  [site.servlet.KerberosSessionSetupPrivilegedAction] [http-80-3] Caught GSS Error
GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
   at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
   at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
   at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)


Here is are the settings the files, the setting and the respective locations. I have turned on the debugging which printed the messages above. Any suggestions to help fix the issue will be greatly appreciated. We are running 4.0.d community on a Windows 2008 machine.

Thank you very much for your time


alfresco-global.properties
### Kerberos SSO ###
kerberos.authentication.realm=LOCAL.COM
kerberos.authentication.sso.enabled=true
kerberos.authentication.authenticateCIFS=false
kerberos.authentication.user.configEntryName=AlfrescoHTTP
kerberos.authentication.http.configEntryName=AlfrescoHTTP
#kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.stripUsernameSuffix=true
kerberos.authentication.http.password=password
kerberos.authentication.cifs.password=password
kerberos.authentication.browser.ticketLogons=true
kerberos.authentication.defaultAdministratorUserNames=usera



share-config-custom.xml
<config evaluator="string-compare" condition="Kerberos" replace="true">
   <kerberos>
      <password>password</password>
      <realm>LOCAL.COM</realm>
      <endpoint-spn>HTTP/domain@LOCAL.COM</endpoint-spn>
      <config-entry>ShareHTTP</config-entry>
   </kerberos>
</config>

<config evaluator="string-compare" condition="Remote">
      <remote>
   <connector>
            <id>alfrescoCookie</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using cookie-based authentication</description>
            <class>org.springframework.extensions.webscripts.connector.AlfrescoConnector</class>
         </connector>
        
    <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfrescoCookie</connector-id>
            <endpoint-url>http://localhost:80/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
      </remote>
</config>



java.login.config at C:\Alfresco\java\jre\lib\security == as described in the documentation but changing the keyTab location to C:/etc/alfresco.keytab

Also modified java.security at C:\Alfresco\java\jre\lib\security to point to java.login.config



krb5.ini at (C:\Windows)
[libdefaults]
default_realm = LOCAL.COM
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac

[realms]
LOCAL.COM = {
  kdc = machine.local.com
  admin_server = machine.local.com
}

[domain_realm]
machine.local.com = LOCAL.COM
.machine.local.com = LOCAL.COM

Outcomes