
Kerberos issue Client sent an NTLMSSP security blob not able to SSO

Question asked by aditya_chaudhari on Feb 9, 2015
Latest reply on Feb 12, 2015 by aditya_chaudhari
Hi Forum,
I am setting up Kerberos authentication.
In my logs I am able to see:
 INFO  [management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Starting 'Authentication' subsystem, ID: [Authentication, managed, kerberos1]
2015-02-09 10:52:19,943  DEBUG [app.servlet.KerberosAuthenticationFilter] [localhost-startStop-1] HTTP Kerberos login successful

But when I log in from a client, it prompts with a Windows pop-up for login.
I want to achieve SSO with Kerberos for both Explorer and Share.
Below is my configuration.

I have referred to the link below for Kerberos configuration.

Step 1: Created two accounts in AD, AlfrescoHTTP and AlfrescoCIFS, with the settings given in the link above.
Step 2: Used the ktpass command:
ktpass -princ cifs/<cifs-server-name>.<domain>@<realm> -pass <password> -mapuser <domainnetbios>\alfrescocifs -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -out c:\temp\alfrescocifs.keytab

ktpass -princ HTTP/<web-server-name>.<domain>@<realm> -pass <password> -mapuser <domainnetbios>\alfrescohttp -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -out c:\temp\alfrescohttp.keytab


Please note I have used -crypto DES-CBC-MD5. Does this really matter? Am I right here? Can I use this? Please suggest the right approach.

Step 3: krb5.ini (an ini file, as I am doing this on Windows Server 2008 R2)

default_realm = ALFRESCO.ORG
kdc =
admin_server =
[domain_realm] = ALFRESCO.ORG = ALFRESCO.ORG

with my appropriate settings.
But here I have not mentioned
default_tkt_enctypes =  and
default_tgs_enctypes =   

I tried using DES-CBC-MD5 but it did not work.

Step 4:

Alfresco { sufficient;
AlfrescoCIFS { required
AlfrescoHTTP { required
}; { sufficient;
other { sufficient;

Step 5: in JRE\lib\security\

and chain as below:

My problem:
1) Not able to SSO on Alfresco (Share not yet configured)
2) On attempting to log in with the link,
it prompts me with the Windows login screen and then the Alfresco login screen if my password is correct.

My log says as below:

2015-02-09 10:54:36,959  INFO  [site.servlet.SSOAuthenticationFilter] [localhost-startStop-1] SSOAuthenticationFilter initialised.
2015-02-09 10:55:39,407  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-3] New Kerberos auth request from (
2015-02-09 10:55:39,407  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-3] Issuing login challenge to browser.
2015-02-09 10:55:39,438  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-4] Client sent an NTLMSSP security blob
2015-02-09 10:55:39,438  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-4] Clearing session.
2015-02-09 10:55:39,438  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-4] Issuing login challenge to browser.
2015-02-09 10:56:06,785  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-6] Login page requested, chaining …
2015-02-09 10:56:07,503  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-8] Authentication not required (filter), chaining …

Version used: 4.2e

Please help me understand and solve where I am going wrong.
Please let me know if any other information is required.
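
For readers diagnosing the `Client sent an NTLMSSP security blob` log line in the question above: the token a browser returns in `Authorization: Negotiate <base64>` is either a GSS-API/SPNEGO token (which can carry Kerberos) or a raw NTLMSSP message, and the two can be told apart from the first bytes. The following is an added example, not part of the original post and not Alfresco's code; `classify_negotiate` and `SAMPLE_NTLM` are hypothetical names and the sample token is constructed.

```python
import base64
import struct

# DER content bytes of the mechanism OIDs (without the 0x06 tag and length).
OIDS = {
    bytes.fromhex("2b0601050502"): "SPNEGO",                # 1.3.6.1.5.5.2
    bytes.fromhex("2a864886f712010202"): "Kerberos 5",      # 1.2.840.113554.1.2.2
    bytes.fromhex("2b06010401823702020a"): "NTLMSSP",       # 1.3.6.1.4.1.311.2.2.10
}

def _der_len(buf, pos):
    """Return (length, next_pos) for the DER length field at buf[pos]."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_negotiate(header_value):
    """Classify the token in an 'Authorization: Negotiate <base64>' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "not a Negotiate token"
    try:
        tok = base64.b64decode(b64, validate=True)
    except ValueError:
        return "invalid base64"
    if tok.startswith(b"NTLMSSP\x00") and len(tok) >= 12:
        (msg_type,) = struct.unpack_from("<I", tok, 8)
        return f"raw NTLMSSP (message type {msg_type})"
    try:
        if tok[0] != 0x60:                      # not a GSS-API InitialContextToken
            return "unrecognised token"
        _, pos = _der_len(tok, 1)
        if tok[pos] != 0x06:
            return "unrecognised token"
        oid_len, pos = _der_len(tok, pos + 1)
    except IndexError:
        return "truncated token"
    outer = OIDS.get(tok[pos:pos + oid_len], "unknown mechanism")
    if outer != "SPNEGO":
        return f"GSS-API token: {outer}"
    # Names of known mechanism OIDs present in the SPNEGO body (mechTypes list).
    body = tok[pos + oid_len:]
    offered = [name for oid, name in OIDS.items()
               if name != "SPNEGO" and b"\x06" + bytes([len(oid)]) + oid in body]
    return "SPNEGO offering: " + (", ".join(offered) or "unknown")

# Constructed sample: an NTLMSSP NEGOTIATE (type 1) message with zeroed flags.
SAMPLE_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00" + struct.pack("<I", 1) + bytes(4)).decode()
```

Feeding it the header value captured from the browser's second request shows whether the client fell back to NTLM, as in the log above, or actually offered Kerberos.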