
Kerberos problem

Question asked by borisstankov on Apr 15, 2015
Latest reply on Jul 25, 2017 by tanmaysalve
Hello,

I need some help with configuring the Kerberos Single-Sign On with my alfresco. Here are more details about the env:
Alfresco Community 5.0.c on CentOS 6.6 (Final).
My AD is on Windows Server 2012.
I'm configuring Kerberos to go against this AD and to authenticate my users with tickets directly from there, so they wouldn't have to log in to it every time.

I have those configs:

1. in /etc/krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_keytab_name = FILE:/etc/httpportal2.keytab
default_realm = CORP.INT
ticket_lifetime = 24h
renew_lifetime = 7d
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
forwardable = true
# proxiable = true

[realms]
CORP.INT = {
  kdc = dc1.corp.int
  admin_server = dc1.corp.int
}

[domain_realm]
.corp.int = CORP.INT
corp.int = CORP.INT


2. global properties:

authentication.chain=kerberos1:kerberos,alfinst:alfrescoNtlm

kerberos.authentication.realm=DOMAIN
kerberos.authentication.sso.enabled=true
kerberos.authentication.authenticateCIFS=false
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.cifs.password=Password
kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.stripUsernameSuffix=true
kerberos.authentication.http.password=Password
kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.browser.ticketLogons=true


3. In /opt/alfresco-5.0/tomcat/bin/setenv.sh

JAVA_HOME=/opt/alfresco-5.0/java
JRE_HOME=$JAVA_HOME
JAVA_OPTS="-XX:+DisableExplicitGC -Djava.awt.headless=true -Dalfresco.home=/opt/alfresco-5.0 -Dcom.sun.management.jmxremote -Dsun.security.krb5.msinterop.kstring=true -XX:ReservedCodeCacheSize=128m $JAVA_OPTS "
JAVA_OPTS="-XX:MaxPermSize=5120M -Xms4096M -Xmx5120M $JAVA_OPTS " # java-memory-settings
export JAVA_HOME
export JRE_HOME
export JAVA_OPTS


4. I have configured the share-config-custom.xml as explained in the Alfresco wiki.

5. In /opt/alfresco-5.0/java/lib/security/java.security I've added this row:
login.config.url.1=file:${java.home}/lib/security/java.login.config

6. In /opt/alfresco-5.0/java/lib/security/java.login.config I have this:

Alfresco {
    com.sun.security.auth.module.Krb5LoginModule sufficient;
};

AlfrescoCIFS {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    useKeyTab=true
    keyTab="/etc/cifsportal2.keytab"
    principal="cifs/portal2.domain";
};

AlfrescoHTTP {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    useKeyTab=true
    keyTab="/etc/httpportal2.keytab"
    principal="HTTP/portal2.domain";
};

ShareHTTP {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    useKeyTab=true
    keyTab="/etc/httpportal2.keytab"
    principal="HTTP/portal2.domain";
};

com.sun.net.ssl.client {
    com.sun.security.auth.module.Krb5LoginModule sufficient;
};

other {
    com.sun.security.auth.module.Krb5LoginModule sufficient;
};


7. Also, the keytabs are in the specified dir (/etc) with the same names, with 777 permissions, and they are generated with the correct kvno.
This is the error message from the catalina.out log file (it went into a loop of these several messages):

2015-04-14 15:51:49,435  DEBUG [webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-9] Performing fallback authentication…
Apr 14, 2015 3:51:49 PM org.apache.catalina.core.StandardWrapperValve invoke

SEVERE: Servlet.service() for servlet [cmisatom10] in context with path [/alfresco] threw exception
org.alfresco.service.namespace.InvalidQNameException: A QName must consist of a local name
   at org.alfresco.service.namespace.QName.createQName(QName.java:87)
   at org.alfresco.repo.security.person.PersonServiceImpl.getChildNameLower(PersonServiceImpl.java:1768)
   at org.alfresco.repo.security.person.PersonServiceImpl.getPersonOrNullImpl(PersonServiceImpl.java:537)
   at org.alfresco.repo.security.person.PersonServiceImpl.getUserIdentifier(PersonServiceImpl.java:1880)
   at org.alfresco.repo.security.authentication.AuthenticationComponentImpl$1$1.doWork(AuthenticationComponentImpl.java:93)
   at org.alfresco.repo.security.authentication.AuthenticationComponentImpl$1$1.doWork(AuthenticationComponentImpl.java:90)
   at org.alfresco.repo.tenant.TenantUtil.runAsWork(TenantUtil.java:119)
   at org.alfresco.repo.tenant.TenantUtil.runAsTenant(TenantUtil.java:88)
   at org.alfresco.repo.tenant.TenantUtil$1.doWork(TenantUtil.java:62)
   at org.alfresco.repo.security.authentication.AuthenticationUtil.runAs(AuthenticationUtil.java:548)
   at org.alfresco.repo.tenant.TenantUtil.runAsUserTenant(TenantUtil.java:58)
   at org.alfresco.repo.tenant.TenantUtil.runAsSystemTenant(TenantUtil.java:112)
   at org.alfresco.repo.security.authentication.AuthenticationComponentImpl$1.execute(AuthenticationComponentImpl.java:89)
   at org.alfresco.repo.security.authentication.AuthenticationComponentImpl$1.execute(AuthenticationComponentImpl.java:86)
   at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:454)
   at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:342)
   at org.alfresco.repo.security.authentication.AuthenticationComponentImpl.authenticateImpl(AuthenticationComponentImpl.java:84)
   at org.alfresco.repo.security.authentication.AbstractAuthenticationComponent.authenticate(AbstractAuthenticationComponent.java:162)
   at org.alfresco.repo.security.authentication.AuthenticationServiceImpl.authenticate(AuthenticationServiceImpl.java:68)
   at org.alfresco.repo.security.authentication.AbstractChainingAuthenticationService.authenticate(AbstractChainingAuthenticationService.java:195)
   at sun.reflect.GeneratedMethodAccessor593.invoke(Unknown Source)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
   at java.lang.reflect.Method.invoke(Unknown Source)
   at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
   at net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:80)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:46)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.alfresco.repo.audit.AuditMethodInterceptor.invoke(AuditMethodInterceptor.java:159)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:96)
   at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:260)
   at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:94)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
   at com.sun.proxy.$Proxy64.authenticate(Unknown Source)
   at org.alfresco.repo.webdav.auth.SSOFallbackBasicAuthenticationDriver.authenticateRequest(SSOFallbackBasicAuthenticationDriver.java:120)
   at org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter.performFallbackAuthentication(BaseSSOAuthenticationFilter.java:604)
   at org.alfresco.repo.webdav.auth.BaseKerberosAuthenticationFilter.authenticateRequest(BaseKerberosAuthenticationFilter.java:279)
   at org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter.doFilter(BaseSSOAuthenticationFilter.java:155)
   at sun.reflect.GeneratedMethodAccessor595.invoke(Unknown Source)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
   at java.lang.reflect.Method.invoke(Unknown Source)
   at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:112)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
   at com.sun.proxy.$Proxy274.doFilter(Unknown Source)
   at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:82)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
   at org.alfresco.web.app.servlet.CmisSecurityContextCleanerFilter.doFilter(CmisSecurityContextCleanerFilter.java:49)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
   at org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:61)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
   at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
   at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
   at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
   at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
   at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
   at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
   at org.apache.tomcat.util.net.AprEndpoint$SocketWithOptionsProcessor.run(AprEndpoint.java:2378)
   at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
   at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
   at java.lang.Thread.run(Unknown Source)

15:51:49,588 WARN  [org.alfresco.wcm.client.util.impl.GuestSessionFactoryImpl] WQS unable to connect to repository: Internal Server Error

Please let me know where my mistake is and why I'm unable to authenticate via Kerberos. Also, let me know if you need anything else from me about the problem.

Thanks a lot in advance!
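Since the post pastes all three files, here is an added consistency check (my own script, not Alfresco's and not from this thread) that parses the relevant fragments and reports where kerberos.authentication.realm, the krb5.conf default_realm and the host part of the JAAS HTTP service principal disagree, plus a keytab file-mode test; the sample inputs are constructed from the fragments quoted above.

```python
import re
import stat

# Constructed sample inputs, cut down to the keys this check reads from the three
# files quoted in the post (krb5.conf, alfresco-global.properties, java.login.config).
KRB5_CONF = "[libdefaults]\ndefault_realm = CORP.INT\n[domain_realm]\n.corp.int = CORP.INT\ncorp.int = CORP.INT\n"
GLOBAL_PROPS = "kerberos.authentication.realm=DOMAIN\nkerberos.authentication.http.configEntryName=AlfrescoHTTP\n"
LOGIN_CONFIG = ('AlfrescoHTTP {\n  com.sun.security.auth.module.Krb5LoginModule required\n'
                '  keyTab="/etc/httpportal2.keytab"\n  principal="HTTP/portal2.domain";\n};\n')

def parse_ini(text):
    """krb5.conf-style [section] / key = value; nested {...} blocks are not interpreted."""
    out, sec = {}, None
    for line in (l.split("#", 1)[0].strip() for l in text.splitlines()):
        if line.startswith("["):
            sec = out.setdefault(line.strip("[]"), {})
        elif "=" in line and sec is not None and not line.endswith("{"):
            sec.update([tuple(s.strip() for s in line.split("=", 1))])
    return out

def parse_jaas(text):
    """{entryName: {option: value}} for each 'Name { ... };' block, quotes stripped."""
    return {name: dict(re.findall(r'(\w+)="?([^"\s;]+)"?', body))
            for name, body in re.findall(r"(\S+)\s*\{(.*?)\};", text, re.S)}

def realm_for_host(host, domain_realm):
    """Longest-suffix [domain_realm] lookup, as a client resolves a service host's realm."""
    host = host.lower()
    hits = [(len(p), r) for p, r in domain_realm.items()
            if host == p.lower().lstrip(".") or (p.startswith(".") and host.endswith(p.lower()))]
    return max(hits)[1] if hits else None

def check_sso_config(krb5_text, props_text, jaas_text):
    """Cross-check the three files; returns a list of findings (empty means consistent)."""
    krb5, jaas = parse_ini(krb5_text), parse_jaas(jaas_text)
    props = dict(l.split("=", 1) for l in props_text.splitlines() if "=" in l)
    realms = (props.get("kerberos.authentication.realm"), krb5.get("libdefaults", {}).get("default_realm"))
    findings = [] if realms[0] == realms[1] else ["realm mismatch: properties say %r, krb5.conf default_realm is %r" % realms]
    entry = props.get("kerberos.authentication.http.configEntryName", "AlfrescoHTTP")
    if entry not in jaas:
        return findings + [f"JAAS entry {entry!r} not found in java.login.config"]
    principal = jaas[entry].get("principal", "")
    host = principal.partition("/")[2].split("@", 1)[0]
    if realm_for_host(host, krb5.get("domain_realm", {})) is None:
        findings.append(f"host {host!r} of {principal!r} matches no [domain_realm] entry")
    return findings

def keytab_mode_too_open(mode):
    """True when group or other have any access bit: the keytab holds the service's long-term key."""
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))
```

Run it against the real files with open(...).read() for each; a keytab with mode 777 (as described in step 7) is flagged by keytab_mode_too_open(os.stat(path).st_mode).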
