
Kerberos AD Authentication via security group with SSO

Question asked by astacey on Oct 24, 2014
Hello All,

I am new to Alfresco and have built alfresco-5.0.b on RHEL 6.6. After a lot of pain I have managed to get this authenticating against our AD using Kerberos. I can log in to the HTTP share using AD credentials. However, I would like to make Alfresco only authenticate against a particular security group and to use single sign-on. Where do I configure the security-group-only access? Could anyone please tell me where I am going wrong?

global-properties:
authentication.chain=kerberos1:kerberos,alfrescoNtlm1:alfrescoNtlm
kerberos.authentication.sso.enabled=true
kerberos.authentication.authenticateCIFS=true
kerberos.authentication.stripUsernameSuffix=true

/etc/krb5.conf:
[libdefaults]
default_realm = NEW.DOMAIN.CO.UK
allow_weak_crypto = yes
# Enctypes offered for the TGT and for service tickets: RC4-HMAC (two aliases) and single DES,
# which is why allow_weak_crypto is set above (single DES is disabled by default in MIT krb5 1.8+)
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 rc4-hmac
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 rc4-hmac
# dns_lookup_realm = false
# dns_lookup_kdc = false
# ticket_lifetime = 24h
# renew_lifetime = 7d
# forwardable = true

[realms]
NEW.DOMAIN.CO.UK = {
  kdc = ad-server.new.domain.co.uk
  admin_server = ad-server.new.domain.co.uk
}

[domain_realm]
ad-server.new.domain.co.uk = NEW.DOMAIN.CO.UK
.ad-server.new.domain.co.uk = NEW.DOMAIN.CO.UK


/opt/alfresco-5.0.b/tomcat/shared/classes/alfresco/web-extension:
<!-- Kerberos settings -->
<!-- To enable kerberos rename this condition to "Kerberos" -->
<config evaluator="string-compare" condition="Kerberos" replace="true">
   <kerberos>
      <!--
         Password for HTTP service account.
         The account name *must* be built from the HTTP server name, in the format :
            HTTP/<server_name>@<realm>
         (NB this is because the web browser requests an ST for the
         HTTP/<server_name> principal in the current realm, so if we're to decode
         that ST, it has to match.)
      -->
      <password>secret-password</password>
      <!--
         Kerberos realm and KDC address.
      -->
      <realm>NEW.DOMAIN.CO.UK</realm>
      <!--
         Service Principal Name to use on the repository tier.
         This must be like: HTTP/host.name@REALM
      -->
      <endpoint-spn>HTTP/alfresco-server.new.domain.co.uk@NEW.DOMAIN.CO.UK</endpoint-spn>
      <!--
         JAAS login configuration entry name.
      -->
      <config-entry>ShareHTTP</config-entry>
      <!--
         A Boolean which when true strips the @domain suffix from Kerberos authenticated usernames.
         Use together with stripUsernameSuffix property in alfresco-global.properties file.
      -->
      <stripUserNameSuffix>true</stripUserNameSuffix>
   </kerberos>
</config>


/opt/alfresco-5.0.b/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/kerberos/kerberos-filter.properties:
kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.http.password=secret-password
kerberos.authentication.sso.enabled=true
kerberos.authentication.browser.ticketLogons=true


/opt/alfresco-5.0.b/java/lib/security/java.login.config:
Alfresco {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

// CIFS tier: keytab for the cifs/<host> service principal
AlfrescoCIFS {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/opt/alfresco-5.0.b/keytabs/alfrescocifs.keytab"
   principal="cifs/alfresco-server.new.domain.co.uk";
};

// Repository tier: entry named by kerberos.authentication.http.configEntryName
AlfrescoHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/opt/alfresco-5.0.b/keytabs/alfrescohttp.keytab"
   principal="HTTP/alfresco-server.new.domain.co.uk";
};

// Share tier: entry named by <config-entry> in the Share Kerberos config
ShareHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/opt/alfresco-5.0.b/keytabs/alfrescohttp.keytab"
   principal="HTTP/alfresco-server.new.domain.co.uk";
};

com.sun.net.ssl.client {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

other {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};


I should also mention that I have not installed Postgres and have installed and am using MySQL instead.

Thanks in advance for any suggestions you might have
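The fragments in the post are the three places that have to agree before SPNEGO can work: the JAAS entry named in kerberos-filter.properties, the <config-entry> and <endpoint-spn> in the Share Kerberos config, and the principal/keytab in java.login.config. The script below is an added example (not code from the post or from Alfresco) that cross-checks those values offline on constructed copies of the posted fragments; it also flags the allow_weak_crypto = yes setting and the single-DES/RC4 enctypes in the posted krb5.conf, which are deprecated (RFC 6649 for DES, RFC 8429 for RC4-HMAC and 3DES) and only needed until the service account's keytab holds AES keys. The parser and function names, the finding texts and the trimmed sample inputs are assumptions of this example; point the parsers at the real files to check a live install.

```python
"""Offline consistency check for the Alfresco Kerberos SSO fragments in the post.
Added example, not Alfresco code. The inputs are constructed copies of the posted
fragments; read the real files instead to check a live install."""
import re
import xml.etree.ElementTree as ET

KERBEROS_FILTER_PROPERTIES = """\
kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.sso.enabled=true
"""
SHARE_CONFIG_XML = """\
<alfresco-config>
  <config evaluator="string-compare" condition="Kerberos" replace="true">
    <kerberos>
      <realm>NEW.DOMAIN.CO.UK</realm>
      <endpoint-spn>HTTP/alfresco-server.new.domain.co.uk@NEW.DOMAIN.CO.UK</endpoint-spn>
      <config-entry>ShareHTTP</config-entry>
    </kerberos>
  </config>
</alfresco-config>
"""
JAAS_LOGIN_CONFIG = """\
AlfrescoHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true useKeyTab=true keyTab="/opt/alfresco-5.0.b/keytabs/alfrescohttp.keytab"
   principal="HTTP/alfresco-server.new.domain.co.uk";
};
ShareHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true useKeyTab=true keyTab="/opt/alfresco-5.0.b/keytabs/alfrescohttp.keytab"
   principal="HTTP/alfresco-server.new.domain.co.uk";
};
"""
KRB5_CONF = """\
[libdefaults]
allow_weak_crypto = yes
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 rc4-hmac
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 rc4-hmac
"""
# Single DES is deprecated by RFC 6649; RC4-HMAC and 3DES by RFC 8429.
DEPRECATED_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des3-cbc-sha1",
                       "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5"}

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' comments."""
    lines = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return {k.strip(): v.strip() for k, _, v in (l.partition("=") for l in lines)}

def parse_jaas(text):
    """Return {entry: options} for each 'Name { Module flag key=value ...; };' block."""
    entries = {}
    for name, body in re.findall(r"([\w.]+)\s*\{(.*?)\};", text, re.S):
        module, flag, *opts = body.strip().rstrip(";").split()
        entries[name] = {"module": module, "flag": flag}
        entries[name].update((k, v.strip('"')) for k, _, v in (o.partition("=") for o in opts))
    return entries

def parse_share_kerberos(xml_text):
    """Return the <kerberos> settings of the Share 'Kerberos' config block."""
    kerb = ET.fromstring(xml_text).find("./config[@condition='Kerberos']/kerberos")
    return {child.tag: (child.text or "").strip() for child in kerb}

def parse_libdefaults(text):
    """Return the key = value pairs of the [libdefaults] section of krb5.conf."""
    section, out = None, {}
    for line in (l.split("#", 1)[0].strip() for l in text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]")
        elif line and section == "libdefaults":
            out[line.partition("=")[0].strip()] = line.partition("=")[2].strip()
    return out

def check_principals(filter_props, share_xml, jaas_text):
    """Cross-check SPN, realm and the JAAS entries the repository and Share tiers name."""
    findings, props, share = [], parse_properties(filter_props), parse_share_kerberos(share_xml)
    jaas = parse_jaas(jaas_text)
    spn, realm = share.get("endpoint-spn", ""), share.get("realm", "")
    spn_name, _, spn_realm = spn.partition("@")
    if not spn_name.startswith("HTTP/") or spn_realm != realm:
        findings.append(f"endpoint-spn '{spn}' is not HTTP/<host>@{realm}")
    for tier, entry_name in (("repository", props.get("kerberos.authentication.http.configEntryName")),
                             ("Share", share.get("config-entry"))):
        entry = jaas.get(entry_name)
        if entry is None:
            findings.append(f"{tier} tier names JAAS entry '{entry_name}', absent from java.login.config")
            continue
        if entry.get("useKeyTab") != "true" or not entry.get("keyTab"):
            findings.append(f"JAAS entry '{entry_name}' must set useKeyTab=true and keyTab=...")
        # JAAS principals are usually written without the realm: compare the service/host part.
        if entry.get("principal", "").partition("@")[0] != spn_name:
            findings.append(f"JAAS entry '{entry_name}' principal '{entry.get('principal')}' != '{spn_name}'")
    return findings

def check_enctypes(krb5_text):
    """Flag allow_weak_crypto and deprecated enctypes in [libdefaults]."""
    libdefaults, findings = parse_libdefaults(krb5_text), []
    if libdefaults.get("allow_weak_crypto", "").lower() in ("yes", "true"):
        findings.append("allow_weak_crypto = yes re-enables DES; drop it once the keytab holds AES keys")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        findings += [f"{key} lists deprecated enctype {e}" for e in libdefaults.get(key, "").split()
                     if e in DEPRECATED_ENCTYPES]
    return findings

if __name__ == "__main__":
    for f in check_principals(KERBEROS_FILTER_PROPERTIES, SHARE_CONFIG_XML, JAAS_LOGIN_CONFIG) + check_enctypes(KRB5_CONF):
        print(f)
```

On the posted values the principal check comes back clean (both JAAS entries exist, use a keytab, and carry the same HTTP/<host> principal as the endpoint-spn), and every finding comes from krb5.conf: allow_weak_crypto plus the four RC4/DES enctypes on each of the two enctype lines. Replace those lines with the AES types (aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96) once the service account and keytab have AES keys, and the script reports nothing.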
