AnsweredAssumed Answered

Kerberos issue Client sent an NTLMSSP security blob not able to SSO

Question asked by aditya_chaudhari on Feb 9, 2015
Latest reply on Feb 12, 2015 by aditya_chaudhari
Hi Forum ,
i am setting kerberos authentication .
In my logs i am able to see
 INFO  [management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Starting 'Authentication' subsystem, ID: [Authentication, managed, kerberos1]
2015-02-09 10:52:19,943  DEBUG [app.servlet.KerberosAuthenticationFilter] [localhost-startStop-1] HTTP Kerberos login successful


But when I login from client it prompts for Windows pop up for login.
I want to achieve SSO with kerberos to both Explorer and Share.
Below is my configuration

I have refereed below link for kerberos configuration
http://www.anotherstrangerme.com/afresco-integration-with-active-directory-using-kerberos/

Step 1: Created two accounts in AD AlfresoHTTP and AlfrescoCIFS with settings given in link above.
Step 2: used ktpass command
<blockcode>
ktpass -princ cifs/<cifs-server-name>.<domain>@<realm> -pass <password> -mapuser <domainnetbios>\alfrescocifs -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -out c:\temp\alfrescocifs.keytab

ktpass -princ HTTP/<web-server-name>.<domain>@<realm> -pass <password> -mapuser <domainnetbios>\alfrescohttp -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -out c:\temp\alfrescohttp.keytab

</blockcode>

Please note I have used -crypto DES-CBC-MD5  will this really matters??am i right here?can i use this??Please suggest right approach.

Step 3: krb5.ini  (ini file as i am doing it on windows server 2008 R2 )

[libdefaults]
default_realm = ALFRESCO.ORG
[realms]
ALFRESCO.ORG = {
kdc = adsrv.alfresco.org
admin_server = adsrv.alfresco.org
}
[domain_realm]
adsrv.alfresco.org = ALFRESCO.ORG
.adsrv.alfresco.org = ALFRESCO.ORG

with my appropriate settings
But here i have not mentioned
default_tkt_enctypes =  and
default_tgs_enctypes =   

i tried with using DES-CBC-MD5 but it did not work

step 4 :

Alfresco {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};
AlfrescoCIFS {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
keyTab=”C:/temp/alfrescocifs.keytab”
principal=”cifs/<cifs-server-name>.<domain>”;
};
AlfrescoHTTP {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
keyTab=”C:/temp/alfrescohttp.keytab”
principal=”HTTP/<web-server-name>.<domain>”;
};
com.sun.net.ssl.client {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};
other {
com.sun.security.auth.module.Krb5LoginModule sufficient;
}


step 5: in JRE\lib\security\java.security.
login.config.url.1=file:C:/Alfresco/java/jre/lib/security/java.login.config 

and chain as below:
authentication.chain=kerberos1:kerberos,ldap1:ldap-ad

My Qproblem :
1) not able to SSO on Alfresco ( Share not yet configured )
2) On attempt to login with link
http://server-name:8080/alfresco/
It prompt me windows login screen and then alfresco login screen if my password is correct.

My Log says as bwlow :

2015-02-09 10:54:36,959  INFO  [site.servlet.SSOAuthenticationFilter] [localhost-startStop-1] SSOAuthenticationFilter initialised.
2015-02-09 10:55:39,407  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-3] New Kerberos auth request from 10.0.2.22 (10.0.2.22:60268)
2015-02-09 10:55:39,407  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-3] Issuing login challenge to browser.
2015-02-09 10:55:39,438  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-4] Client sent an NTLMSSP security blob
2015-02-09 10:55:39,438  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-4] Clearing session.
2015-02-09 10:55:39,438  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-4] Issuing login challenge to browser.
2015-02-09 10:56:06,785  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-6] Login page requested, chaining …
2015-02-09 10:56:07,503  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-8] Authentication not required (filter), chaining …



version using 4.2e

Please help me to understand and to solve where i am going wrong
Please let me know if any other information is required.

Outcomes