
SSO doesn't work with reverse proxy

Question asked by vgusev2007 on Jul 17, 2014
Latest reply on Oct 17, 2014 by vgusev2007
Hi all!

I use Alfresco 4.2.2 Enterprise on a Linux platform.

I have set up SSO via http://docs.alfresco.com/4.2/tasks/auth-kerberos-ADconfig.html and it works fine. But I need to set up a reverse proxy (I use nginx). That works too, but SSO does not.


PLEASE read my logs and scheme; I'd appreciate it if you could help me.


So, I have the following scheme:

Webbrowser (Firefox) -> https://portal.company.ru (server A with nginx as a reverse proxy) -> http://alfresco-prd.company.local:8080 (alfresco local server)


So, if I connect to Alfresco without server A, it succeeds, but when I use nginx it fails… :(

Please read my logs:


2014-07-17 09:48:03,169  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-bio-8080-exec-2] New Kerberos auth request from 192.168.9.2 (192.168.9.2:50938)
2014-07-17 09:48:03,169  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-bio-8080-exec-2] Issuing login challenge to browser.
2014-07-17 09:48:03,216  ERROR [org.alfresco.fileserver] [http-bio-8080-exec-3] Error from JLAN
GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
….
   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
   at java.lang.Thread.run(Thread.java:722)
Caused by: KrbException: Checksum failed
   at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:102)
   at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:94)
   at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:177)
   at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:278)
   at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:144)
   at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108)
   at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:771)
   … 36 more
Caused by: java.security.GeneralSecurityException: Checksum failed
   at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCrypto.java:408)
   at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(ArcFourHmac.java:91)
   at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:100)
   … 42 more
2014-07-17 09:48:03,217  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-bio-8080-exec-3] No SPNEGO response, Kerberos logon failed
2014-07-17 09:48:03,218  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-bio-8080-exec-3] Failed SPNEGO authentication.
2014-07-17 09:48:03,218  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-bio-8080-exec-3] Clearing session.
2014-07-17 09:48:03,218  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-bio-8080-exec-3] Issuing login challenge to browser.
2014-07-17 09:48:03,267  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-bio-8080-exec-4] Login page requested, chaining …


I have the following nginx conf:


root@gateway:~# cat /etc/nginx/conf.d-backup/alfresco.conf
proxy_cache_path /var/cache/nginx/alfresco levels=1 keys_zone=alfrescocache:256m max_size=512m inactive=1440m;

upstream alfresco {
server alfresco-prd.company.local:8080;
}

upstream sharepoint {
server alfresco-prd.company.local:7071;
}

server {
listen 80 ;
server_name portal.company.ru www.portal.company.ru;
server_name_in_redirect off;
rewrite ^ https://$host$request_uri? permanent;
}

server {
listen 443 ssl;
server_name portal.company.ru www.portal.company.ru;
root /etc/nginx/conf.d/alfresco;
index index.html index.htm;
rewrite ^/$ /share;

ssl on;
ssl_certificate /etc/nginx/conf.d/alfresco/alfserver.crt;
ssl_certificate_key /etc/nginx/conf.d/alfresco/alfserver.key;

   location /robots.txt {
        alias /etc/nginx/conf.d/alfresco/robots.txt;
   }

   location / {
   try_files $uri $uri/ /index.html;
   }

error_page 502 503 504 /maintenance.html;

   location = /maintenance.html {
   root /etc/nginx/conf.d/alfresco;
   }

   location /alfresco {
   client_max_body_size 0;
   proxy_http_version 1.1;
   proxy_set_header Host $http_host;
   proxy_pass http://alfresco;
   proxy_set_header X-Real-IP $remote_addr;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   proxy_set_header X-Forwarded-Server $host;
   }

   location /share {
   client_max_body_size 0;
   proxy_http_version 1.1;
   proxy_pass http://alfresco;
   proxy_set_header Host $http_host;
   proxy_set_header X-Real-IP $remote_addr;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   proxy_set_header X-Forwarded-Server $host;
   }

   location /share/proxy/alfresco {
   client_max_body_size 0;
   proxy_http_version 1.1;
   proxy_pass http://alfresco;
   proxy_set_header Host $http_host;
   proxy_set_header X-Real-IP $remote_addr;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   proxy_set_header X-Forwarded-Host $http_host;
   proxy_set_header X-Forwarded-Server $host;
   proxy_intercept_errors on;
   error_page 502 503 504 =401 /maintenance.html;
   }

   location /share/res/ {
   proxy_http_version 1.1;
   proxy_pass http://alfresco;
   proxy_set_header Host $http_host;
   proxy_cache alfrescocache;
   proxy_cache_min_uses 1;
   proxy_cache_valid 200 302 1440m;
   proxy_cache_valid 404 1m;
   proxy_cache_use_stale updating error timeout invalid_header http_500 http_502 http_503 http_504;
   }
}

server {
listen 7070 ssl;
server_name portal.company.ru;
ssl on;
ssl_certificate /etc/nginx/conf.d/alfresco/alfserver.crt;
ssl_certificate_key /etc/nginx/conf.d/alfresco/alfserver.key;
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;

   location / {
   client_max_body_size 0;
   proxy_http_version 1.1;
   proxy_buffering off;
   proxy_pass http://sharepoint;
   proxy_set_header Host $http_host;
   proxy_set_header X-Real-IP $remote_addr;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   proxy_set_header X-Forwarded-Host $http_host;
   proxy_set_header X-Forwarded-Server $host;
   }
}


I think it is bad because I rewrite the hostname in the reverse proxy…

I have set up different SPNs in Kerberos (portal.company.ru, alfresco-prd.company.local) without success. :(


Is it possible to use a reverse proxy with Alfresco and SSO?
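An added example, not part of the original post and not Alfresco's own code: a small Python analyser that runs over the log excerpt quoted above and turns the scattered KerberosAuthenticationFilter and GSS-API lines into one record per rejected SPNEGO attempt, with the Kerberos-level cause and the client address attached. The sample log is a trimmed, constructed copy of the lines in the post; the text in CAUSE_HINTS is general knowledge about what a Kerberos service (acceptor) reports, not a finding about this installation.

```python
import re
from collections import Counter

# Constructed sample input: a trimmed copy of the Alfresco log excerpt quoted in the
# post (the Java stack-trace frames are left out; the analyser does not need them).
SAMPLE_LOG = """\
2014-07-17 09:48:03,169  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-bio-8080-exec-2] New Kerberos auth request from 192.168.9.2 (192.168.9.2:50938)
2014-07-17 09:48:03,169  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-bio-8080-exec-2] Issuing login challenge to browser.
2014-07-17 09:48:03,216  ERROR [org.alfresco.fileserver] [http-bio-8080-exec-3] Error from JLAN
GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
Caused by: KrbException: Checksum failed
2014-07-17 09:48:03,217  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-bio-8080-exec-3] No SPNEGO response, Kerberos logon failed
2014-07-17 09:48:03,218  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-bio-8080-exec-3] Failed SPNEGO authentication.
2014-07-17 09:48:03,218  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-bio-8080-exec-3] Clearing session.
2014-07-17 09:48:03,218  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-bio-8080-exec-3] Issuing login challenge to browser.
2014-07-17 09:48:03,267  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-bio-8080-exec-4] Login page requested, chaining ...
"""

# One log4j-style line: timestamp, level, logger, thread, message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+(?P<level>\w+)\s+"
    r"\[(?P<logger>[^\]]+)\]\s+\[(?P<thread>[^\]]+)\]\s+(?P<msg>.*)$"
)
NEW_REQ_RE = re.compile(r"New Kerberos auth request from (?P<ip>\d+\.\d+\.\d+\.\d+)")
# The GSS-API error text carries the Kerberos-level cause in parentheses.
GSS_CAUSE_RE = re.compile(r"Mechanism level: (?P<cause>[^)]+)\)")

# General meaning of common Kerberos-level causes on the service (acceptor) side;
# hints only, not a diagnosis of the installation in the post.
CAUSE_HINTS = {
    "Checksum failed": "the service could not decrypt/verify the client's AP-REQ with the "
                       "key in its keytab; compare the SPN the browser targets (derived from "
                       "the URL host) and the ticket enctype with what the keytab holds",
    "Clock skew too great": "service and KDC/client clocks differ by more than the allowed skew",
}


def parse_log(text):
    """Return one record per 'Failed SPNEGO authentication' line.

    The filter logs the client address only on the first leg of the exchange
    (the request that receives the 401 challenge), and the retry carrying the
    token runs on another worker thread, so the client is attributed by
    recency rather than by thread.  The GSS cause is a non-log4j line, so it
    is held as pending state until the failure line that follows it.
    """
    failures = []
    last_client = None
    pending_cause = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            c = GSS_CAUSE_RE.search(raw)
            if c:
                pending_cause = c.group("cause")
            continue
        msg = m.group("msg")
        r = NEW_REQ_RE.search(msg)
        if r:
            last_client = r.group("ip")
        if "Failed SPNEGO authentication" in msg:
            failures.append({
                "ts": m.group("ts"),
                "thread": m.group("thread"),
                "client": last_client,
                "cause": pending_cause or "unknown",
                "hint": CAUSE_HINTS.get(pending_cause, "no hint for this cause"),
            })
            pending_cause = None
    return failures


def summarize(failures):
    """Count failures per (client, cause) pair, the view an analyst triages from."""
    return Counter((f["client"], f["cause"]) for f in failures)


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['thread']} client={f['client']} cause={f['cause']}")
        print(f"    hint: {f['hint']}")
    for (client, cause), n in summarize(found).items():
        print(f"{n} failure(s) from {client}: {cause}")
```

Run it against a full alfresco.log instead of SAMPLE_LOG to see whether every SPNEGO failure behind the proxy carries the same Kerberos-level cause, and from which client addresses; a single repeated cause is what to carry into the keytab and SPN comparison.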
