Help

Kerberos SSO + Active Directory

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
emelbye
Active Member
‎25 Apr 2014 5:54 PM

Kerberos SSO + Active Directory

Hola comunidad,

Quiero acceder a Share automaticamente por Kerberos SSO con los usuarios de mi dominio pero no le encuentro la vuelta. Puedo acceder a Alfresco sin problemas, pero no a share. Al final pueden ver los logs.

Servidores: Todos pegados al dominio MIDOMINIO.NET
* w2008alfresco - (Alfresco) Windows Server 2008 R2
* AD01 - (Active Directory) Windows Server 2008 R2
* clientexp - (Maquina cliente) - Windows XP SP3 / Internet Explorer 6 / Firefox 28
* cliente01 (Maquina cliente) - Windows 7 / Internet Explorer 11 / Firefox 28


1) En active directory AD01 cree el usuario 'alfrescohttp'
          - No requere autenticacion Kerberos previa
          - La contraseña No caduca

2) En active directory  AD01 ejecute

ktpass -princ HTTP/w2008alfresco.midominio.net@MIDOMINIO.NET -pass MIPASSWORD -mapuser midominio\alfrescohttp -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out c:\temp\alfrescohttp.keytab -kvno 0


3) Copiar keytab a maquina alfresco (w2008alfresco)

4) Crear servicios en AD01
 
setspn -a HTTP/W2008ALFRESCO alfrescohttp
setspn -a HTTP/W2008ALFRESCO.midominio.net alfrescohttp


5) Configurar C:\Windows\krb5.ini (De servidor w2008alfresco)

[libdefaults]
default_realm = MIDOMINIO.NET
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac

[realms]
MIDOMINIO.NET = {
   kdc = ad01.midominio.net
   admin_server = ad01.midominio.net
}

[domain_realm]
ad01.midominio.net = MIDOMINIO.NET
.ad01.midominio.net = MIDOMINIO.NET


6) Crear java.login.config en C:/Alfresco/java/jre/lib/security (maquina w2008alfresco)


Alfresco {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

AlfrescoHTTP
{
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="C:/Alfresco/keytab/alfrescohttp.keytab"
   principal="HTTP/W2008ALFRESCO.midominio.net";
};

ShareHTTP
{
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="C:/Alfresco/keytab/alfrescohttp.keytab"
   principal="HTTP/W2008ALFRESCO.midominio.net";
};

com.sun.net.ssl.client {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

other {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};


7) Apuntar clase de login en C:/Alfresco/java/jre/lib/security/java.security (Maquina w2008alfresco)

login.config.url.1=file:C:/Alfresco/java/jre/lib/security/java.login.config


Agregue los sitios http://w2008alfresco y http://w2008alfresco.midominio.net en internet explorer en la intranet de las maquinas cliente. Ademas en las opciones marque "Iniciar Sesion automatico con nombre de usuario y contraseña".

8) Renombre el archivo share-config-custom.xml.sample a share-config-custom.xml

9) Descomente las dos sessiones Remote

10) Reemplace KerberosDisables por Kerberos con los siguientes datos


<config evaluator="string-compare" condition="Kerberos" replace="true">
      <kerberos>
         <password>MIPASSWORD</password>
         <realm>MIDOMINIO.NET</realm>
         <endpoint-spn>HTTP/w2008ALFRESCO.midominio.net@MIDOMINIO.NET</endpoint-spn>
         <config-entry>ShareHTTP</config-entry>
      </kerberos>
   </config>


11) En active directory, en el usuario alfrescohttop en la pestaña de delegacion marque "Trust this user for delegation to any service (Kerberos only)"

12) En firefox modifique las configuraciones
network.negotiate-auth.delegation-uris
network.negotiate-auth.trusted-uris
network.negotiate-auth.using-native-gsslib


13) alfresco.properties

authentication.chain=kerberos1:kerberos,alfrescoNtlm1:alfrescoNtlm

kerberos.authentication.realm=MIDOMINIO.NET
kerberos.authentication.sso.enabled=true

kerberos.authentication.authenticateCIFS=false
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.http.password=MIPASSWORD
kerberos.authentication.defaultAdministratorUserNames=admin
kerberos.authentication.stripUsernameSuffix=true


logs. Cuando quiero acceder


 Search Subject for Kerberos V5 ACCEPT cred (HTTP/W2008ALFRESCO.midominio.net@MIDOMINIO.NET, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab
Found KerberosKey for HTTP/W2008ALFRESCO.midominio.net@MIDOMINIO.NET
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 17 16 23 1 3.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
System time adjusted
object 0: 1398444344146/146721
replay cache found.
>>> KrbApReq: authenticate succeed.
Krb5Context setting peerSeqNumber to: 1290115219
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Krb5Context setting mySeqNumber to: 75067258
2014-04-25 13:45:44,053  WARN  [site.servlet.KerberosSessionSetupPrivilegedAction] [http-apr-8080-exec-9] credentials can not be delegated!

0 Kudos
Reply
1 Reply
jonvargas
Active Member
‎20 Oct 2014 5:40 AM

Re: Kerberos SSO + Active Directory

Hola,

Entiendo que requieras una customización de Alfresco Share para que Single Sign On funcione correctamente.

Revisaste esto?

http://docs.alfresco.com/4.2/tasks/auth-kerberos-shareSSO.html

Saludos.
0 Kudos
Reply
The Archive

Content from pre 2016 and from language groups that have been closed.

Content is read-only.

We use cookies on this site to enhance your user experience

By using this site, you are agreeing to allow us to collect and use cookies as outlined in Alfresco’s Cookie Statement and Terms of Use (and you have a legitimate interest in Alfresco and our products, authorizing us to contact you in such methods).   If you are not ok with these terms, please do not use this website.