
Kerberos + Active Directory

Question asked by emelbye on Apr 25, 2014
Latest reply on May 5, 2014 by emelbye
First... sorry for my English!


Hi community,

I want to access Share automatically using Kerberos SSO with my domain users. I can access Alfresco with SSO, but not Share.

Servers: All the machines are in my domain MIDOMINIO.NET
* w2008alfresco - (Alfresco) Windows Server 2008 R2
* AD01 - (Active Directory) Windows Server 2008 R2
* clientexp - (client machine) - Windows XP SP3 / Internet Explorer 6 / Firefox 28
* cliente01 - (client machine) - Windows 7 / Internet Explorer 11 / Firefox 28


1) In my Active Directory (AD01) I create the user 'alfrescohttp'
          - Do not require Kerberos preauthentication
          - Password never expires

2) On AD01 I execute

ktpass -princ HTTP/w2008alfresco.midominio.net@MIDOMINIO.NET -pass MIPASSWORD -mapuser midominio\alfrescohttp -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out c:\temp\alfrescohttp.keytab -kvno 0


3) I copy the keytab to the Alfresco server (w2008alfresco)

4) I execute on AD01
 
setspn -a HTTP/W2008ALFRESCO alfrescohttp
setspn -a HTTP/W2008ALFRESCO.midominio.net alfrescohttp


5) Configuration of C:\Windows\krb5.ini (server w2008alfresco)

[libdefaults]
default_realm = MIDOMINIO.NET
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac

[realms]
MIDOMINIO.NET = {
   kdc = ad01.midominio.net
   admin_server = ad01.midominio.net
}

[domain_realm]
ad01.midominio.net = MIDOMINIO.NET
.ad01.midominio.net = MIDOMINIO.NET


6) I create java.login.config in C:/Alfresco/java/jre/lib/security (w2008alfresco machine)


Alfresco {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

AlfrescoHTTP
{
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="C:/Alfresco/keytab/alfrescohttp.keytab"
   principal="HTTP/W2008ALFRESCO.midominio.net";
};

ShareHTTP
{
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="C:/Alfresco/keytab/alfrescohttp.keytab"
   principal="HTTP/W2008ALFRESCO.midominio.net";
};

com.sun.net.ssl.client {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

other {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};


7) I change the line in the file C:/Alfresco/java/jre/lib/security/java.security (w2008alfresco machine)

login.config.url.1=file:C:/Alfresco/java/jre/lib/security/java.login.config


Add the sites http://w2008alfresco and http://w2008alfresco.midominio.net to the Internet Explorer Intranet zone on the client machines, with "Automatic logon with current user name and password" checked.

8) Rename the file share-config-custom.xml.sample to share-config-custom.xml

9) Uncomment the "Remote" sections

10) Replace KerberosDisabled with Kerberos, with the following data


<config evaluator="string-compare" condition="Kerberos" replace="true">
      <kerberos>
         <password>MIPASSWORD</password>
         <realm>MIDOMINIO.NET</realm>
         <endpoint-spn>HTTP/w2008ALFRESCO.midominio.net@MIDOMINIO.NET</endpoint-spn>
         <config-entry>ShareHTTP</config-entry>
      </kerberos>
   </config>


11) In Active Directory, in the properties of the user alfrescohttp, I checked "Trust this user for delegation to any service (Kerberos only)"

12) Firefox configuration
network.negotiate-auth.delegation-uris
network.negotiate-auth.trusted-uris
network.negotiate-auth.using-native-gsslib


13) alfresco.properties

authentication.chain=kerberos1:kerberos,alfrescoNtlm1:alfrescoNtlm

kerberos.authentication.realm=MIDOMINIO.NET
kerberos.authentication.sso.enabled=true

kerberos.authentication.authenticateCIFS=false
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.http.password=MIPASSWORD
kerberos.authentication.defaultAdministratorUserNames=admin
kerberos.authentication.stripUsernameSuffix=true


When I try to access, a dialog appears and the log is:


Search Subject for Kerberos V5 ACCEPT cred (HTTP/W2008ALFRESCO.midominio.net@MIDOMINIO.NET, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab
Found KerberosKey for HTTP/W2008ALFRESCO.midominio.net@MIDOMINIO.NET
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 17 16 23 1 3.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
System time adjusted
object 0: 1398444344146/146721
replay cache found.
>>> KrbApReq: authenticate succeed.
Krb5Context setting peerSeqNumber to: 1290115219
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Krb5Context setting mySeqNumber to: 75067258
2014-04-25 13:45:44,053  WARN  [site.servlet.KerberosSessionSetupPrivilegedAction] [http-apr-8080-exec-9] credentials can not be delegated!
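The steps above hinge on the keytab produced by ktpass matching what the JAAS entries (AlfrescoHTTP/ShareHTTP), krb5.ini and the log ("Found KerberosKey for HTTP/...", "Added key: 23version: 0") expect: same service principal, same realm, an rc4-hmac (enctype 23) key, and KRB5_NT_PRINCIPAL name type. The script below is an added example, not code from the original post or from Alfresco; it parses the MIT keytab format that ktpass and Java's Krb5LoginModule use and reports mismatches offline, before restarting Tomcat. The sample keytab at the bottom is constructed in the script with a dummy all-zero key and mirrors the post's ktpass line; a real one comes from ktpass. Case-insensitive SPN comparison is an assumption based on how AD resolves SPNs (the post registers HTTP/w2008alfresco... but configures HTTP/W2008ALFRESCO...).

```python
import struct
from dataclasses import dataclass

RC4_HMAC = 23          # enctype 23, what "ktpass -crypto RC4-HMAC-NT" produces
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "rc4-hmac"}


@dataclass
class KeytabEntry:
    principal: str   # components joined with '/', e.g. "HTTP/host.example"
    realm: str
    name_type: int   # 1 == KRB5_NT_PRINCIPAL (the -ptype used with ktpass)
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _counted(b: bytes) -> bytes:
    """keytab counted_octet_string: uint16 big-endian length + bytes."""
    return struct.pack(">H", len(b)) + b


def _read_counted(buf: bytes, off: int):
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data: bytes) -> list:
    """Parse a version 0x0502 keytab into KeytabEntry records."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % (data[:2],))
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)   # size excludes itself
        off += 4
        if size < 0:                      # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _read_counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _read_counted(data, off)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _read_counted(data, off)
        kvno = vno8
        if end - off >= 4:                # optional 32-bit kvno after the key
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:                     # 0 means "use the 8-bit field"
                kvno = vno32
        off = end
        entries.append(KeytabEntry("/".join(comps), realm.decode(), name_type,
                                   timestamp, kvno, enctype, key))
    return entries


def check_keytab(data: bytes, principal: str, realm: str,
                 enctype: int = RC4_HMAC) -> list:
    """Return a list of problems; an empty list means a usable key is present."""
    entries = parse_keytab(data)
    problems = []
    same = [e for e in entries
            if e.realm == realm and e.principal.lower() == principal.lower()]
    if not same:
        have = sorted({"%s@%s" % (e.principal, e.realm) for e in entries})
        problems.append("no entry for %s@%s; keytab holds %s" % (principal, realm, have))
        return problems
    if not any(e.enctype == enctype for e in same):
        have = sorted({ENCTYPE_NAMES.get(e.enctype, str(e.enctype)) for e in same})
        problems.append("no %s key for %s; enctypes present: %s"
                        % (ENCTYPE_NAMES.get(enctype, enctype), principal, have))
    if not any(e.name_type == 1 for e in same):
        problems.append("entry is not KRB5_NT_PRINCIPAL (name_type 1)")
    return problems


def build_keytab(principal: str, realm: str, kvno: int, enctype: int,
                 key: bytes) -> bytes:
    """Build a one-entry keytab for testing (constructed here, not by ktpass)."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    for c in comps:
        body += _counted(c.encode())
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name_type, timestamp, vno8
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)                  # 32-bit kvno
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


# Constructed sample mirroring the post's ktpass line (-kvno 0, RC4-HMAC), dummy key.
SAMPLE_KEYTAB = build_keytab("HTTP/w2008alfresco.midominio.net", "MIDOMINIO.NET",
                             0, RC4_HMAC, bytes(16))

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%s@%s kvno=%d %s" % (e.principal, e.realm, e.kvno,
                                    ENCTYPE_NAMES.get(e.enctype, e.enctype)))
    print(check_keytab(SAMPLE_KEYTAB, "HTTP/W2008ALFRESCO.midominio.net", "MIDOMINIO.NET"))
```

To run it against the real file, replace SAMPLE_KEYTAB with open("C:/Alfresco/keytab/alfrescohttp.keytab", "rb").read() and pass the principal from the JAAS entry; an empty list from check_keytab means the service-side part of the setup (steps 2 and 6) is consistent, so a remaining "credentials can not be delegated!" points at the delegation flag in AD or the browser's delegation URI list rather than at the keytab.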
