AnsweredAssumed Answered

Kerberos SSO for Share (and Alfresco) struggles

Question asked by john_pen on Nov 10, 2014
Latest reply on Jun 14, 2017 by tanmaysalve
Hi folks,

I'm looking for some help on this subject really, and any assistance is greatly appreciated.

I basically followed the instructions in the below guides to get to the position I am currently in now:
http://docs.alfresco.com/4.0/tasks/auth-kerberos-ADconfig.html
http://docs.alfresco.com/4.0/tasks/auth-kerberos-shareSSO.html

Firstly I should start my saying my knowledge of Alfresco ranges between none and very little (remove "of Alfresco" from that statement and the same could still be said!) but I've been tasked with configuring Kerberos SSO for Share and Alfresco web apps. So imagine my surprise when I actually managed to get it working, quickly followed by my dismay when it suddenly decided to stop working. I've read over a number of other posts where people are experiencing similar issues but have not found anything that has helped to resolve my issue as yet.

Current state of affairs - When browsing (in both Chrome and IE) to /alfresco or /share, a credentials dialog box now appears, which when cancelled takes me to the respective app login page where I am able to log in using Windows credentials. Previously I would be logged straight into the app without any prompts - the only thing I know to have changed from the working config is a new keytab file was created, although this does appears to authenticate properly ("kinit -k -t…" comes back successful).

Our environment looks something like the below:
Alfresco Community Edition 4.0.d (running on Ubuntu 12.04 LTS)
Java 7 (OpenJDK 7)
Server 2008 R2 Active Directory Domain Controller

I have enabled Kerberos debugging but the Alfresco.log isn't really forthcoming with any useful information (to me at least) so I was wondering how else I can find the root cause of this problem?

Unfortunately I'm unable to attach files so I have reluctantly pasted below various config/log files (or extracts), having removed actual config specific to our environment.

###alfresco-global.properties:###
#Authentication Chain
authentication.chain=kerberos1:kerberos,dc1:ldap-ad,alfinst:alfrescoNtlm
ntlm.authentication.sso.enabled=false

###kerberos-authentication.properties###
kerberos.authentication.realm=DOMAIN.LOCAL
kerberos.authentication.sso.enabled=true
kerberos.authentication.authenticateCIFS=true
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.cifs.password=<Password>
kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.stripUsernameSuffix=true
kerberos.authentication.http.password=<Password>
kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.defaultAdministratorUserNames=admin,administrator
kerberos.authentication.browser.ticketLogons=true

###krb5.conf###
[libdefaults]
   default_realm = <MYDOMAIN.LOCAL>

# The following krb5.conf variables are only for MIT Kerberos.
   krb4_config = /etc/krb.conf
   krb4_realms = /etc/krb.realms
   kdc_timesync = 1
   ccache_type = 4
   forwardable = true
   proxiable = true


   default_tgs_enctypes = arcfour-hmac-md5
   default_tkt_enctypes = arcfour-hmac-md5
   permitted_enctypes = arcfour-hmac-md5

# The following libdefaults parameters are only for Heimdal Kerberos.
   v4_instance_resolve = false
   v4_name_convert = {
      host = {
         rcmd = host
         ftp = ftp
      }
      plain = {
         something = something-else
      }
   }
   fcc-mit-ticketflags = true

[realms]
   <MYDOMAIN.LOCAL> = {
      kdc = <domaincontroller.mydomain.local>
      admin_server = <domaincontroller.mydomain.local>
      default_domain = <MYDOMAIN.LOCAL>
}

[domain_realm]
   .<mydomain.local> = <MYDOMAIN.LOCAL>
   <mydomain.local> = <MYDOMAIN.LOCAL>

###java.security###
login.config.url.1=file:${java.home}/lib/security/java.login.config   

###java.login###
Alfresco {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

AlfrescoCIFS {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/keys/cifs<server FQDN>.keytab"
   principal="cifs/cifs<server FQDN>";
};

ShareHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/keys/http<server FQDN>.keytab"
   principal="HTTP/<server FQDN>";
};

AlfrescoHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/keys/http<server FQDN>.keytab"
   principal="HTTP/<server FQDN>";
};

com.sun.net.ssl.client {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

other {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

###share-config-custom.xml###
<!– Kerberos settings –>
   <!– To enable kerberos rename this condition to "Kerberos" –>
   <config evaluator="string-compare" condition="Kerberos" replace="true">
      <kerberos>
         <!–
            Password for HTTP service account.
            The account name *must* be built from the HTTP server name, in the format :
               HTTP/<server_name>@<realm>
            (NB this is because the web browser requests an ST for the
            HTTP/<server_name> principal in the current realm, so if we're to decode
            that ST, it has to match.)
         –>
         <password>Password</password>
         <!–
            Kerberos realm and KDC address.
         –>
         <realm>MYDOMAIN.LOCAL</realm>
         <!–
            Service Principal Name to use on the repository tier.
            This must be like: HTTP/host.name@REALM
         –>
         <endpoint-spn>HTTP/serverFQDN@MYDOMAIN.LOCAL</endpoint-spn>
         <!–
            JAAS login configuration entry name.
         –>
         <config-entry>ShareHTTP</config-entry>
      </kerberos>
   </config>

   <!– example port config used to access remote Alfresco server (default is 8080) –>
  
I also uncommented the two following "<config evaluator="string-compare" condition="Remote">" sections in this file.

###Alfresco.log###
15:25:00,559 INFO  [org.apache.chemistry.opencmis.browser.BrowseServlet] Allow pattern: http.*
15:26:54,832 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] HTTP Kerberos login successful
15:26:54,833 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Logged on using principal HTTP/server.mydomain.local@MYDOMAIN.LOCAL
15:26:54,845 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Authentication not required (filter), chaining …
15:26:54,891 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Authentication not required (filter), chaining …
15:26:54,917 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Authentication not required (filter), chaining …
15:26:54,935 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] New Kerberos auth request from 127.0.0.1 (127.0.0.1:39732)
15:27:12,794 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] New Kerberos auth request from 127.0.0.1 (127.0.0.1:38034)
15:27:12,804 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] New Kerberos auth request from 127.0.0.1 (127.0.0.1:47490)
15:27:12,816 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Authentication not required (filter), chaining …
15:27:12,854 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Authentication not required (filter), chaining …
15:27:12,868 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Authentication not required (filter), chaining …
15:27:13,647 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Authentication not required (filter), chaining …
15:27:13,661 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Authentication not required (filter), chaining …
15:27:13,714 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] New Kerberos auth request from 127.0.0.1 (127.0.0.1:49959)
15:27:13,720 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] New Kerberos auth request from 127.0.0.1 (127.0.0.1:57950)
15:27:14,185 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Authentication not required (filter), chaining …
15:27:14,199 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Authentication not required (filter), chaining …
15:27:14,220 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Authentication not required (filter), chaining …
15:27:14,742 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] New Kerberos auth request from 127.0.0.1 (127.0.0.1:49811)
15:27:14,749 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] New Kerberos auth request from 127.0.0.1 (127.0.0.1:49266)
15:27:43,509 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] New Kerberos auth request from 127.0.0.1 (127.0.0.1:57304)
15:27:43,513 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] New Kerberos auth request from 127.0.0.1 (127.0.0.1:58560)
15:27:48,110 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] New Kerberos auth request from x.x.x.x (x.x.x.x:38935)
15:27:48,115 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Client sent an NTLMSSP security blob **prompted in browser for domain credentials at this point**
15:27:52,152 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Login page requested, chaining …

Apologies for the information overload! Again, thanks to anyone who takes the time to look at this, it's a real pain.

Regards,
John



Outcomes