AnsweredAssumed Answered

Auto-Login (SSO) not working - Kerberos

Question asked by tanmaysalve on Jun 12, 2017
Latest reply on Jul 26, 2017 by tanmaysalve

Question: NOT ABLE TO ESTABLISH SSO using Kerberos.

 

Environment Details

alfresco-community-installer-201611-EA-win-x64

Windows server 2008 R2 Standard.

 

***** Find all the files in the attachments

 

Steps Performed:

1) created two LDAP users - name: AlfrescoHTTP, password: ***, name: AlfrescoCIFS, password: ***

2) a) Enable Password never expires.
    b) Disable User must change password at next logon.
    c) Select the Account tab and enable the Do not require Kerberos preauthentication option in the Account          Options section.
    d)
In the user Delegation tab, select the Trust this user for delegation to any service (Kerberos only) check box.

3) Created Keytab files for both users, kept at location C:\alf\ on server (aaa), 

4) Created "krb5.ini" file on server (aaa) at location, C:\Windows\

5) Created "java.login.config" file at location <install-path>:\Alfresco\instance\java\lib\security\ 

6) Edited "java.security" file at <install-path>:\Alfresco\instance\java\lib\security\ path and appended following,

      login.config.url.1=file:${java.home}/lib/security/java.login.config 

7) Edited alfresco-global.properties file.

8) Edited share-config-custom.xml file.

9) Restarted the alfresco services.

 

 

Log Files:

alfrescotomcat-stdout.2017-06-12.log

2017-06-12 12:34:36,168 INFO [alfresco.repo.admin] [localhost-startStop-1] Using database URL 'jdbc:postgresql://localhost:5432/alfresco' with user 'alfresco'.
2017-06-12 12:34:36,168 INFO [alfresco.repo.admin] [localhost-startStop-1] Connected to database PostgreSQL version 9.4.4
2017-06-12 12:34:45,980 INFO [domain.schema.SchemaBootstrap] [localhost-startStop-1] Ignoring script patch (post-Hibernate): patch.db-V4.2-metadata-query-indexes
2017-06-12 12:34:45,980 INFO [domain.schema.SchemaBootstrap] [localhost-startStop-1] Ignoring script patch (post-Hibernate): patch.db-V5.1-metadata-query-indexes
2017-06-12 12:34:45,980 INFO [domain.schema.SchemaBootstrap] [localhost-startStop-1] Ignoring script patch (post-Hibernate): patch.db-V5.2-remove-jbpm-tables-from-db
2017-06-12 12:34:57,667 INFO [management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Starting 'Authentication' subsystem, ID: [Authentication, managed, kerberos1]
2017-06-12 12:34:57,902 DEBUG [app.servlet.KerberosAuthenticationFilter] [localhost-startStop-1] HTTP Kerberos login successful
2017-06-12 12:34:57,902 DEBUG [app.servlet.KerberosAuthenticationFilter] [localhost-startStop-1] Logged on using principal HTTP/HOST.comp.com@COMP.COM
2017-06-12 12:34:57,933 DEBUG [webdav.auth.KerberosAuthenticationFilter] [localhost-startStop-1] HTTP Kerberos login successful
2017-06-12 12:34:57,933 DEBUG [webdav.auth.KerberosAuthenticationFilter] [localhost-startStop-1] Logged on using principal HTTP/HOST.comp.com@COMP.COM
2017-06-12 12:34:58,042 INFO [management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Startup of 'Authentication' subsystem, ID: [Authentication, managed, kerberos1] complete
2017-06-12 12:34:58,042 INFO [management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Starting 'Authentication' subsystem, ID: [Authentication, managed, ldap1]
2017-06-12 12:34:58,324 INFO [management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Startup of 'Authentication' subsystem, ID: [Authentication, managed, ldap1] complete

 

Alfresco.log file

2017-06-12 17:05:21,669 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-3] New Kerberos auth request from 127.0.0.1 (127.0.0.1:57333)
2017-06-12 17:05:21,669 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-3] Issuing login challenge to browser.
2017-06-12 17:05:27,888 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-7] New Kerberos auth request from 127.0.0.1 (127.0.0.1:57341)
2017-06-12 17:05:27,888 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-7] Issuing login challenge to browser.
2017-06-12 17:05:28,044 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-12] New Kerberos auth request from 127.0.0.1 (127.0.0.1:57341)
2017-06-12 17:05:28,044 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-12] Issuing login challenge to browser.
2017-06-12 17:05:28,982 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-15] New Kerberos auth request from 127.0.0.1 (127.0.0.1:57339)
2017-06-12 17:05:28,982 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-15] Issuing login challenge to browser.@#

 

Badim Bdgei astacey _ Aingaran Pillai Yacine Zribi

Question: Want to know whether the steps which are performed for Kerberso sso are correct or some more config need to be done. Not able to figure out from the logs files what is the exact error. How do I proceed further in investigating and establishing SSO. 

Outcomes