AnsweredAssumed Answered

SSO Kerberos

Question asked by tkim on Nov 28, 2016
Latest reply on Nov 29, 2016 by tkim


I want to make SSO environment with ActiveDirectory but I can't...
I worked in accordance with below;
 http://docs.alfresco.com/5.0/tasks/auth-kerberos-ADconfig.html
 http://docs.alfresco.com/5.0/tasks/auth-kerberos-shareSSO.html

 

Please teach me right way to configure SSO.


<Environment>
ActiveDirectory Domain Controller:Win2008R2
AlfrescoServer:Win2008R2
Alfresco:Community 5.1 on tomcat

 

<Works>
1:create account on AD.
   for HTTP and CIFS
2:execute ktpass and setspn just as http://docs.alfresco.com/5.0/tasks/auth-kerberos-ADconfig.html
3:put keytab files on alfresco server; c:\etc
4:create krb5.ini in c:\windows
5:create C:\alfresco-community\java\lib\security\java.login.config
6:modify java.security
7:modify share-config-custom.xml
  - uncomment for <config evaluator="string-compare" condition="Remote">
  - set Kerberos settings
     - set password
     - set realm
     - set endpoint-spn
     - set onfig-entry
     - set stripUserNameSuffix:true

 

8:modify alfresco-global.properties
 authentication.chain=kerberos1:kerberos,ldap1:ldap-ad,alfrescoNtlm1:alfrescoNtlm

 

<Error log>
2016-11-28 15:55:32,028 INFO  [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Starting 'Authentication' subsystem, ID: [Authentication, managed, kerberos1]
2016-11-28 15:55:32,262 ERROR [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [localhost-startStop-1] HTTP Kerberos web filter error
javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
    at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at javax.security.auth.login.LoginContext.invoke(Unknown Source)
    at javax.security.auth.login.LoginContext.access$000(Unknown Source)
    at javax.security.auth.login.LoginContext$4.run(Unknown Source)
    at javax.security.auth.login.LoginContext$4.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
    at javax.security.auth.login.LoginContext.login(Unknown Source)
    at org.alfresco.repo.webdav.auth.BaseKerberosAuthenticationFilter.init(BaseKerberosAuthenticationFilter.java:182)
    at org.alfresco.web.app.servlet.KerberosAuthenticationFilter.init(KerberosAuthenticationFilter.java:56)
    at org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter.afterPropertiesSet(BaseSSOAuthenticationFilter.java:146)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1573)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1511)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:521)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:458)
    at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:293)
    at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:223)
    at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:290)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:191)
    at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:636)
    at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:934)
    at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:479)
    at org.alfresco.repo.management.subsystems.ChildApplicationContextFactory$ApplicationContextState.start(ChildApplicationContextFactory.java:814)
    at org.alfresco.repo.management.subsystems.AbstractPropertyBackedBean.start(AbstractPropertyBackedBean.java:1086)
    at org.alfresco.repo.management.subsystems.AbstractPropertyBackedBean.getState(AbstractPropertyBackedBean.java:308)
    at org.alfresco.repo.management.subsystems.ChildApplicationContextFactory.getApplicationContext(ChildApplicationContextFactory.java:440)
    at org.alfresco.repo.management.subsystems.DefaultChildApplicationContextManager$ApplicationContextManagerState.getApplicationContext(DefaultChildApplicationContextManager.java:360)
    at org.alfresco.repo.management.subsystems.DefaultChildApplicationContextManager$ApplicationContextManagerState.start(DefaultChildApplicationContextManager.java:306)
    at org.alfresco.repo.management.subsystems.AbstractPropertyBackedBean.start(AbstractPropertyBackedBean.java:1086)
    at org.alfresco.repo.management.subsystems.AbstractPropertyBackedBean.getState(AbstractPropertyBackedBean.java:308)
    at org.alfresco.repo.management.subsystems.DefaultChildApplicationContextManager.getInstanceIds(DefaultChildApplicationContextManager.java:180)
    at org.alfresco.repo.security.authentication.subsystems.SubsystemChainingAuthenticationService.refreshBeans(SubsystemChainingAuthenticationService.java:89)
    at org.alfresco.repo.security.authentication.subsystems.SubsystemChainingAuthenticationService.getUsableAuthenticationServices(SubsystemChainingAuthenticationService.java:185)
    at org.alfresco.repo.security.authentication.AbstractChainingAuthenticationService.getDefaultAdministratorUserNames(AbstractChainingAuthenticationService.java:566)
    at org.alfresco.repo.security.authority.AuthorityServiceImpl.getRoleAuthorities(AuthorityServiceImpl.java:260)
    at org.alfresco.repo.security.authority.AuthorityServiceImpl.access$0(AuthorityServiceImpl.java:255)
    at org.alfresco.repo.security.authority.AuthorityServiceImpl$UserAuthoritySet.<init>(AuthorityServiceImpl.java:746)
    at org.alfresco.repo.security.authority.AuthorityServiceImpl.getAuthoritiesForUser(AuthorityServiceImpl.java:251)
    at org.alfresco.repo.security.authority.AuthorityServiceImpl.isAdminAuthority(AuthorityServiceImpl.java:169)
    at org.alfresco.service.cmr.workflow.WorkflowPermissionInterceptor.invoke(WorkflowPermissionInterceptor.java:55)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
    at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:46)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
    at org.alfresco.repo.audit.AuditMethodInterceptor.invoke(AuditMethodInterceptor.java:159)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
    at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:96)
    at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:260)
    at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:94)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
    at com.sun.proxy.$Proxy71.isDefinitionDeployed(Unknown Source)
    at org.alfresco.repo.workflow.WorkflowDeployer.init(WorkflowDeployer.java:299)
    at org.alfresco.repo.workflow.WorkflowDeployer$1$1.doWork(WorkflowDeployer.java:512)
    at org.alfresco.repo.security.authentication.AuthenticationUtil.runAs(AuthenticationUtil.java:548)
    at org.alfresco.repo.workflow.WorkflowDeployer$1.execute(WorkflowDeployer.java:508)
    at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:457)
    at org.alfresco.repo.workflow.WorkflowDeployer.onBootstrap(WorkflowDeployer.java:503)
    at org.springframework.extensions.surf.util.AbstractLifecycleBean.onApplicationEvent(AbstractLifecycleBean.java:56)
    at org.alfresco.repo.management.SafeApplicationEventMulticaster.multicastEventInternal(SafeApplicationEventMulticaster.java:207)
    at org.alfresco.repo.management.SafeApplicationEventMulticaster.multicastEvent(SafeApplicationEventMulticaster.java:178)
    at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:334)
    at org.springframework.context.support.AbstractApplicationContext.finishRefresh(AbstractApplicationContext.java:950)
    at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:482)
    at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:410)
    at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:306)
    at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:112)
    at org.alfresco.web.app.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:63)
    at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:5016)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5524)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:649)
    at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
    at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1859)
    at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
    at java.util.concurrent.FutureTask.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Caused by: KrbException: Pre-authentication information was invalid (24)
    at sun.security.krb5.KrbAsRep.<init>(Unknown Source)
    at sun.security.krb5.KrbAsReqBuilder.send(Unknown Source)
    at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
    ... 85 more
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(Unknown Source)
    at sun.security.krb5.internal.ASRep.init(Unknown Source)
    at sun.security.krb5.internal.ASRep.<init>(Unknown Source)
    ... 88 more

Outcomes