
Alfresco CE 4.2e kerberos SSO

Question asked by vgusev2007 on Mar 7, 2014
Latest reply on Mar 7, 2014 by vgusev2007
Hi all! I'd be glad if you could help me!

I need to set up SSO. I run Alfresco on Ubuntu 12.04 Server x64.

I use the how-to: http://docs.alfresco.com/4.2/index.jsp?topic=%2Fcom.alfresco.enterprise.doc%2Ftasks%2Fauth-kerberos-ADconfig.html

So, I have the following:


/opt/alfresco-4.2.e/java/jre/lib/security/java.login.config

Alfresco {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

AlfrescoCIFS {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/cifsalfresco-dev.keytab"
   principal="cifs/alfresco-dev.tokk.domain";
};

AlfrescoHTTP
{
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/httpalfresco-dev.keytab"
   principal="HTTP/alfresco-dev.tokk.domain";
};

ShareHTTP
{
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/httpalfresco-dev.keytab"
   principal="HTTP/alfresco-dev.tokk.domain";
};

com.sun.net.ssl.client {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

other {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};


/opt/alfresco-4.2.e/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/kerberos/kerberos-authentication.properties

kerberos.authentication.sso.enabled=true
kerberos.authentication.authenticateCIFS=true

kerberos.authentication.realm=TOKK.DOMAIN
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.defaultAdministratorUserNames=administrator

kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.cifs.password=KAYshnz29
kerberos.authentication.authenticateCIFS=true

kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.http.password=KAYshnz29

kerberos.authentication.stripUsernameSuffix=true


/opt/alfresco-4.2.e/tomcat/shared/classes/alfresco-global.properties


###############################
## Common Alfresco Properties #
###############################

dir.root=/opt/alfresco-4.2.e/alf_data

alfresco.context=alfresco
alfresco.host=127.0.0.1
alfresco.port=8080
alfresco.protocol=http

share.context=share
share.host=127.0.0.1
share.port=8080
share.protocol=http

### database connection properties ###
db.driver=org.postgresql.Driver
db.username=alfresco
db.password=vtuf,jcc
db.name=alfresco
db.url=jdbc:postgresql://localhost:5432/${db.name}

### FTP Server Configuration ###
ftp.enabled=true
ftp.port=21

### RMI service ports ###
alfresco.rmi.services.port=50500
avm.rmi.service.port=0
avmsync.rmi.service.port=0
attribute.rmi.service.port=0
authentication.rmi.service.port=0
repo.rmi.service.port=0
action.rmi.service.port=0
deployment.rmi.service.port=0

### External executable locations ###
ooo.exe=/opt/alfresco-4.2.e/libreoffice/program/soffice.bin
ooo.enabled=true
ooo.port=8100
img.root=/opt/alfresco-4.2.e/common
img.dyn=${img.root}/lib
img.exe=${img.root}/bin/convert
swf.exe=/opt/alfresco-4.2.e/common/bin/pdf2swf
swf.languagedir=/opt/alfresco-4.2.e/common/japanese

jodconverter.enabled=false
jodconverter.officeHome=/opt/alfresco-4.2.e/libreoffice
jodconverter.portNumbers=8100

### Initial admin password ###
alfresco_user_store.adminpassword=4b68d597112ce6490a339eeaf4051735

### E-mail site invitation setting ###
notification.email.siteinvite=false

### License location ###
dir.license.external=/opt/alfresco-4.2.e

### Solr indexing ###
index.subsystem.name=solr
dir.keystore=${dir.root}/keystore
solr.port.ssl=8443

### BPM Engine ###
system.workflow.engine.jbpm.enabled=false

### CIFS settings ###
cifs.enabled=true
cifs.serverName=alfresco-dev
cifs.domain=TOKK.DOMAIN
cifs.hostannounce=true
cifs.sessionTimeout=900

### authentication ###
kerberos1:kerberos


cat /opt/alfresco-4.2.e/java/jre/lib/security/java.security | grep login.config.url
#login.config.url.1=file:${user.home}/.java.login.config
login.config.url.1=file:${java.home}/lib/security/java.login.config


So, I have tested my keytab files, and they look good!


root@alfresco-dev:~# kinit -V -k -t /etc/httpalfresco-dev.keytab HTTP/alfresco-dev.tokk.domain
Using default cache: /tmp/krb5cc_0
Using principal: HTTP/alfresco-dev.tokk.domain@TOKK.DOMAIN
Using keytab: /etc/httpalfresco-dev.keytab
Authenticated to Kerberos v5
root@alfresco-dev:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/alfresco-dev.tokk.domain@TOKK.DOMAIN

Valid starting       Expires              Service principal
06.03.2014 16:36:47  07.03.2014 02:36:47  krbtgt/TOKK.DOMAIN@TOKK.DOMAIN
   renew until 07.03.2014 16:36:47


I have set up my Internet Explorer as shown in the how-to. My Windows machine is in the domain, and I have a TGT. When I start IE I see just the login page at the address http://alfresco-dev.tokk.domain:8080/share/page/ . I can log in as the local admin by using its password… It is very strange… I have set up kerberos1:kerberos only.

Please tell me how to debug my configuration. I want to know about the paths of my config files. Are they correct? Please help me with it.

It's a fresh Alfresco setup, so I don't have any LDAP settings or other settings. Maybe I need them before Kerberos? I want to test SSO for authentication only; after that I'll set up LDAP-AD sync for group and permission control of my users.

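The post shows three files that have to agree with each other (the JAAS login config, kerberos-authentication.properties and alfresco-global.properties) plus a kinit/klist check of the keytab. The kinit test only proves the keytab works; it says nothing about whether the files reference each other correctly. The script below is an added example written for this page, not code from the poster or from Alfresco: it parses the three file formats and cross-checks them. It assumes the JAAS option names used in the post (storeKey, useKeyTab, keyTab, principal) and the property names from the linked how-to, including that the authentication chain is declared as authentication.chain=kerberos1:kerberos (any bare value line without a key is reported as malformed rather than guessed at). The sample inputs are constructed, abbreviated copies of the shapes in the post. It does not check keytab file permissions, krb5.conf or browser settings.

```python
"""Static cross-file lint for an Alfresco 4.x Kerberos SSO configuration: checks that
java.login.config, kerberos-authentication.properties and alfresco-global.properties
reference each other consistently. All sample input below is constructed."""
import re

JAAS_ENTRY = re.compile(r"([\w.]+)\s*\{(.*?)\}\s*;", re.S)
JAAS_OPTION = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+?))(?=\s|;|$)')


def parse_jaas(text):
    """Map entry name -> {"module", "flag", "options"} for a java.login.config file."""
    entries = {}
    for name, body in JAAS_ENTRY.findall(text):
        tokens = body.strip().rstrip(";").split(None, 2)
        module, flag = tokens[0], tokens[1]
        rest = tokens[2] if len(tokens) > 2 else ""
        options = {k: quoted or bare for k, quoted, bare in JAAS_OPTION.findall(rest)}
        entries[name] = {"module": module, "flag": flag, "options": options}
    return entries


def parse_properties(text):
    """Return (props, malformed): non-comment lines without '=' are reported, not dropped."""
    props, malformed = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            malformed.append(line)
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props, malformed


def lint(jaas_text, kerberos_props_text, global_props_text):
    """Return a list of findings; an empty list means every check passed."""
    jaas = parse_jaas(jaas_text)
    kprops, bad_k = parse_properties(kerberos_props_text)
    gprops, bad_g = parse_properties(global_props_text)
    findings = [f"malformed property line (no '='): {ln!r}" for ln in bad_k + bad_g]

    realm = kprops.get("kerberos.authentication.realm", "")
    if not realm or realm != realm.upper():
        findings.append(f"kerberos.authentication.realm must be set in upper case, got {realm!r}")

    # Every configEntryName must resolve to a JAAS entry; the service entries
    # (CIFS, HTTP) must be keytab-backed and carry the matching service prefix.
    for role, prefix in {"user": None, "cifs": "cifs/", "http": "HTTP/"}.items():
        entry_name = kprops.get(f"kerberos.authentication.{role}.configEntryName", "")
        entry = jaas.get(entry_name)
        if entry is None:
            findings.append(f"{role}: JAAS entry {entry_name!r} not found in login config")
            continue
        if prefix is None:
            continue
        opts = entry["options"]
        if opts.get("useKeyTab") != "true" or not opts.get("keyTab"):
            findings.append(f"{role}: {entry_name} needs useKeyTab=true and a keyTab path")
        if opts.get("storeKey") != "true":
            findings.append(f"{role}: {entry_name} needs storeKey=true to accept service tickets")
        principal = opts.get("principal", "")
        if not principal.startswith(prefix):
            findings.append(f"{role}: principal {principal!r} should start with {prefix!r}")
        if "@" in principal and not principal.endswith("@" + realm):
            findings.append(f"{role}: principal {principal!r} is not in realm {realm}")

    # SSO can only fire if a kerberos subsystem instance is actually in the chain.
    chain = gprops.get("authentication.chain", "")
    instances = [p.strip() for p in chain.split(",") if p.strip()]
    if not any(p.split(":")[-1] == "kerberos" for p in instances):
        findings.append(f"authentication.chain={chain!r} activates no kerberos subsystem")
    if kprops.get("kerberos.authentication.sso.enabled") != "true":
        findings.append("kerberos.authentication.sso.enabled is not true")
    return findings


# Constructed samples, abbreviated to the entries and keys the checks look at.
JAAS_CONF = """
Alfresco { com.sun.security.auth.module.Krb5LoginModule sufficient; };
AlfrescoCIFS { com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true useKeyTab=true keyTab="/etc/cifsalfresco-dev.keytab"
   principal="cifs/alfresco-dev.tokk.domain"; };
AlfrescoHTTP { com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true useKeyTab=true keyTab="/etc/httpalfresco-dev.keytab"
   principal="HTTP/alfresco-dev.tokk.domain"; };
"""
KERBEROS_PROPS = """
kerberos.authentication.sso.enabled=true
kerberos.authentication.realm=TOKK.DOMAIN
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.http.configEntryName=AlfrescoHTTP
"""
# A bare "kerberos1:kerberos" line (no property key) versus the documented form.
GLOBAL_BARE_LINE = "### authentication ###\nkerberos1:kerberos\n"
GLOBAL_WITH_CHAIN = "### authentication ###\nauthentication.chain=kerberos1:kerberos\n"
```

Run lint(JAAS_CONF, KERBEROS_PROPS, GLOBAL_BARE_LINE) to see two findings (the keyless line and the empty chain); the GLOBAL_WITH_CHAIN variant returns an empty list. The lint is static: to see whether the server is actually challenging the browser, request the page with a Kerberos-capable client such as curl --negotiate -u : and look for a WWW-Authenticate: Negotiate header in the 401 response; if Alfresco returns the login form with no such header, the problem is on the server side, not in the browser's zone settings.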