
Config Kerberos SSO, step by step

Question asked by badim on Oct 27, 2016
Latest reply on Nov 1, 2016 by badim

I have:

MS LDAP - win2008r2 - mydomen.local

dc01.mydomen.local - domain controller

client - win7

Alfresco server - fs02.mydomen.local

I need a step-by-step Kerberos config!

My steps:

1. Install alfresco-community-installer-201605-linux-x64.bin

in directory /opt/alfresco-community

(CentOS 7 - domain member)

2. Create two users on the domain controller

     name: AlfrescoHTTP (alfrescohttp@mydomen.local)

     password: 12345678

and

     name: AlfrescoCIFS (alfrescocifs@mydomen.local)

     password: 12345678

3. On the domain controller execute the commands

setspn -a cifs/fs02 alfrescocifs

setspn -a cifs/fs02.mydomen.local alfrescocifs

setspn -a HTTP/fs02 alfrescohttp

setspn -a HTTP/fs02.mydomen.local alfrescohttp

4. In the Account tab, enable the "Do not require Kerberos preauthentication" option in the Account Options section

for users AlfrescoHTTP and AlfrescoCIFS

5. For user AlfrescoHTTP, in the Delegation tab, select the radio button "Trust this user for delegation to any service (Kerberos only)".

6. Make the keytab file for AlfrescoCIFS

ktpass -princ cifs/fs02.mydomen.local@MYDOMEN.LOCAL -pass 12345678 -mapuser mydomen\alfrescocifs -crypto ALL -ptype KRB5_NT_PRINCIPAL -out c:\temp\alfrescocifs.keytab -kvno 0

and for user AlfrescoHTTP

ktpass -princ HTTP/fs02.mydomen.local@MYDOMEN.LOCAL -pass 12345678 -mapuser mydomen\alfrescohttp -crypto ALL -ptype KRB5_NT_PRINCIPAL -out c:\temp\alfrescohttp.keytab -kvno 0

7. Copy the files c:\temp\alfrescohttp.keytab and c:\temp\alfrescocifs.keytab to the Alfresco server (fs02) as /etc/keys/alfrescohttp.keytab and /etc/keys/alfrescocifs.keytab

 

8. Edit file /etc/krb5.conf

[logging]
default = FILE:/usr/local/samba/var/log/krb5libs.log
kdc = FILE:/usr/local/samba/var/log/krb5kdc.log
admin_server = FILE:/usr/local/samba/var/log/kadmind.log

[libdefaults]
default_realm = MYDOMEN.LOCAL

[realms]
MYDOMEN.LOCAL = {
   default_domain = MYDOMEN.LOCAL
   kdc = dc01.mydomen.local
   admin_server = dc01.mydomen.local
}

[domain_realm]
mydomen.local = MYDOMEN.LOCAL
.mydomen.local = MYDOMEN.LOCAL
dc01.mydomen.local = MYDOMEN.LOCAL
.dc01.mydomen.local = MYDOMEN.LOCAL

(dc01.mydomen.local - domain controller)

 

9. Create file /opt/alfresco-community/java/lib/security/java.login.config

Alfresco {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

AlfrescoCIFS {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/keys/alfrescocifs.keytab"
   principal="cifs/fs02.mydomen.local";
};

AlfrescoHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/keys/alfrescohttp.keytab"
   principal="HTTP/fs02.mydomen.local";
};

ShareHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   debug=true
   useKeyTab=true
   doNotPrompt=true
   keyTab="/etc/keys/alfrescohttp.keytab"
   principal="HTTP/fs02.mydomen.local";
};

com.sun.net.ssl.client {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

other {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

10. Add this line to file /opt/alfresco-community/java/lib/security/java.security

login.config.url.1=file:${java.home}/lib/security/java.login.config

 

11. Edit file /opt/alfresco-community/tomcat/shared/classes/alfresco-global.properties

add lines:

authentication.chain=ldap1:ldap-ad,kerberos1:kerberos

ntlm.authentication.sso.enabled = true
ntlm.authentication.browser.ticketLogons=true

ldap.authentication.active=false
ldap.authentication.userNameFormat=%s@mydomen.local
ldap.authentication.allowGuestLogin=false
ldap.authentication.java.naming.provider.url=ldap://dc01.mydomen.local:389
ldap.authentication.defaultAdministratorUserNames=Administrator,alfresco,admin

ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=user_alfresco@mydomen.local
ldap.synchronization.java.naming.security.credentials=12345678

ldap.synchronization.groupSearchBase=ou=Group,dc=mydomen,dc=local
ldap.synchronization.userSearchBase=ou=user,dc=mydomen,dc=local

filesystem.domainMappings=MYDOMEN
filesystem.domainMappings.value.MYDOMEN.subnet=192.168.0.0
filesystem.domainMappings.value.MYDOMEN.mask=255.255.255.0

### Kerberos properties ###

kerberos.authentication.sso.enabled=true
kerberos.authentication.defaultAdministratorUserNames=admin
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.cifs.password=12345678
kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.http.password=12345678
kerberos.authentication.authenticateCIFS=true
kerberos.authentication.realm=MYDOMEN.LOCAL
kerberos.authentication.stripUsernameSuffix=true

kerberos.authentication.browser.ticketLogons=true
kerberos.authentication.sso.fallback.enabled=true

ou=Group,dc=mydomen,dc=local - contains the groups to export into Alfresco
ou=user,dc=mydomen,dc=local - contains the users to export into Alfresco

12. Create a user on the domain controller

login: user_alfresco@mydomen.local

password: 12345678

13. I do:

"open Active Directory Users and Computers, right click on the domain, and select 'Delegate Control...'  Click 'Next', then select the user that you are using for the LDAP bind and click 'Next'.  The permission that they will need is on the next screen 'Read all inetOrgPerson information.'  "

14. Edit /opt/alfresco-community/tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml

Change ALFRESCO.ORG -> MYDOMEN.LOCAL

Change the server name to your server name

Uncomment the Kerberos section

Reboot the Alfresco server (fs02)

15. Edit Internet Explorer (IE11) settings

Check Tools > Internet Options > Security > Local Intranet

add domain http://*.mydomen.local

Check Tools > Internet Options > Security > Custom Level and make sure "Automatic logon with current username and password" is selected

Working!!!
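As an added example (not code from the post above and not part of Alfresco), here is a small Python check for a setup like this one: it parses the JAAS entries of java.login.config and the kerberos.* properties of alfresco-global.properties and reports where the two disagree (a configEntryName with no JAAS entry, a JAAS principal that is not the SPN registered with setspn/ktpass, a missing storeKey=true or useKeyTab=true, a realm that is not upper case), and it also verifies that a copied keytab is readable only by its owner, which step 7 does not mention. The sample JAAS and properties text are constructed here from the values in the post; the function names, the upper-case realm expectation and the 0600-style permission rule are my own assumptions.

```python
import os
import re
import stat

# Constructed sample inputs, modelled on the settings quoted in the post above.
SAMPLE_JAAS = """
AlfrescoCIFS {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/keys/alfrescocifs.keytab"
   principal="cifs/fs02.mydomen.local";
};
AlfrescoHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/keys/alfrescohttp.keytab"
   principal="HTTP/fs02.mydomen.local";
};
"""
SAMPLE_PROPERTIES = """
authentication.chain=ldap1:ldap-ad,kerberos1:kerberos
kerberos.authentication.sso.enabled=true
kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.realm=MYDOMEN.LOCAL
"""

ENTRY_RE = re.compile(r"([\w.]+)\s*\{(.*?)\}\s*;", re.S)          # Name { ... };
OPTION_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s;]+))')           # key="v" or key=v
FLAG_RE = re.compile(r"\s(required|requisite|sufficient|optional)\b")


def parse_jaas(text):
    """Parse a JAAS login configuration into {entry: {option: value}}; the
    control flag of the entry's login module is stored under "_flag"."""
    entries = {}
    for name, body in ENTRY_RE.findall(text):
        opts = {}
        for m in OPTION_RE.finditer(body):
            opts[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
        flag = FLAG_RE.search(body)
        opts["_flag"] = flag.group(1) if flag else None
        entries[name] = opts
    return entries


def parse_properties(text):
    """Parse key=value lines of a Java .properties file ('#' comment lines skipped)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def check_sso_config(jaas_text, props_text, host, realm):
    """Cross-check the JAAS entries against alfresco-global.properties.
    host: FQDN the SPNs were registered for; realm: the Kerberos realm.
    Returns a list of findings; an empty list means the two files agree."""
    jaas, props, findings = parse_jaas(jaas_text), parse_properties(props_text), []
    chain = props.get("authentication.chain", "")
    if "kerberos" not in [p.split(":", 1)[1] for p in chain.split(",") if ":" in p]:
        findings.append("authentication.chain has no kerberos subsystem")
    if props.get("kerberos.authentication.realm") != realm.upper():
        findings.append("kerberos.authentication.realm must be the upper-case realm " + realm.upper())
    for service, prop in (("HTTP", "kerberos.authentication.http.configEntryName"),
                          ("cifs", "kerberos.authentication.cifs.configEntryName")):
        name = props.get(prop)
        if name not in jaas:
            findings.append("%s=%s has no matching JAAS entry" % (prop, name))
            continue
        opts, spn = jaas[name], "%s/%s" % (service, host)
        # The JAAS principal must be the SPN that setspn/ktpass registered for the account.
        if opts.get("principal") not in (spn, spn + "@" + realm.upper()):
            findings.append("JAAS entry %s: principal %r does not match SPN %s" % (name, opts.get("principal"), spn))
        # The acceptor needs the key read from the keytab and kept in the Subject.
        if opts.get("useKeyTab") != "true" or not opts.get("keyTab"):
            findings.append("JAAS entry %s: needs useKeyTab=true and a keyTab path" % name)
        if opts.get("storeKey") != "true":
            findings.append("JAAS entry %s: needs storeKey=true to accept service tickets" % name)
        if opts["_flag"] != "required":
            findings.append("JAAS entry %s: login module should be 'required'" % name)
    return findings


def keytab_is_private(path):
    """True when the keytab is a regular file with no group/other permission bits (e.g. 0600)."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and (st.st_mode & 0o077) == 0


if __name__ == "__main__":
    result = check_sso_config(SAMPLE_JAAS, SAMPLE_PROPERTIES, "fs02.mydomen.local", "MYDOMEN.LOCAL")
    print("\n".join(result) if result else "JAAS and alfresco-global.properties agree")
```

To run it against a real server, read /opt/alfresco-community/java/lib/security/java.login.config and tomcat/shared/classes/alfresco-global.properties into the two text arguments and call keytab_is_private() on each keyTab path the parser returns; the checks are deliberately limited to what the two files say, so a clean result still needs kinit/klist against the KDC to confirm the keytab itself.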

 

 
