
Problems on Configuring SSO (Kerberos )against Active Directory

Question asked by mbedoui on Mar 8, 2018
Latest reply on Mar 13, 2018 by mbedoui

I have installed Alfresco Community Edition V5.0.0 on Ubuntu.
After configuring alfresco-global.properties, the import of users from AD works very well. After that,

I'm looking at enabling Kerberos with Alfresco and Active Directory,

so I followed the documentation, starting with:

  1. creating a cifsUser (Do not require Kerberos preauthentication)
  2. creating an SPN for the account
  3. creating an httpUser (Do not require Kerberos preauthentication)
  4. generating two keytab files based on cifs/<hostnetbios> and HTTP/<host>

Under /etc/ I have filled in the file krb5.conf:

[libdefaults]
default_realm = GCT.COM.TN
## default_tkt_enctypes = rc4-hmac
## default_tgs_enctypes = rc4-hmac
[realms]
GCT.COM.TN = {
kdc = srv-adgctgab.gct.com.tn
admin_server = srv-adgctgab.gct.com.tn
}
[domain_realm]
srv-adgctgab.gct.com.tn = GCT.COM.TN
.srv-adgctgab.gct.com.tn = GCT.COM.TN

Under /opt/alfresco-5.0.d/java/lib/security/
I created a file java.login.config:

// entry name must be "Alfresco" (the name the repository's Kerberos settings refer to)
Alfresco {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};

AlfrescoCIFS {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
doNotPrompt=true
keyTab="/etc/cifsgedAlfresco.keytab"
principal="cifs/gedAlfrescoA.gct.com.tn";
};

AlfrescoHTTP
{
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
doNotPrompt=true
keyTab="/etc/httpgedAlfresco.keytab"
principal="HTTP/gedAlfresco.gct.com.tn";
};

ShareHTTP
{
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
doNotPrompt=true
keyTab="/etc/httpgedAlfresco.keytab"
principal="HTTP/gedAlfresco.gct.com.tn";
};

com.sun.net.ssl.client {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};

other {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};

I added this line to java/lib/security/java.security: login.config.url.1=file:${java.home}/lib/security/java.login.config

I added the Alfresco web server to the Local Intranet security zone in IE via a GPO.

I updated alfresco-5.0.d/tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml:

<config evaluator="string-compare" condition="Kerberos" replace="true">
  <kerberos>
    <!--
    Password for HTTP service account.
    The account name *must* be built from the HTTP server name, in the format:
    HTTP/<server_name>@<realm>
    (NB this is because the web browser requests an ST for the
    HTTP/<server_name> principal in the current realm, so if we're to decode
    that ST, it has to match.)
    -->
    <password>secret</password>
    <!-- Kerberos realm and KDC address. -->
    <realm>GCT.COM.TN</realm>
    <!-- Service Principal Name to use on the repository tier. This must be like: HTTP/host.name@REALM -->
    <endpoint-spn>HTTP/gedAlfresco</endpoint-spn>
    <!-- JAAS login configuration entry name. -->
    <config-entry>ShareHTTP</config-entry>
    <!-- A Boolean which when true strips the @domain suffix from Kerberos authenticated usernames.
    Use together with stripUsernameSuffix property in alfresco-global.properties file. -->
    <stripUserNameSuffix>true</stripUserNameSuffix>
  </kerberos>
</config>

I also uncommented the block
<config evaluator="string-compare" condition="Remote">

In order to enable Kerberos it should be logging, so could you tell me which log file to look at, because alfresco.log doesn't mention the operation? Also, what have I forgotten to configure, or what steps should I follow to troubleshoot SSO authentication?


Thanks for your time 
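As an added consistency check (my own script, not from the post or from Alfresco), the following cross-checks the Share <kerberos> block against java.login.config: the config-entry must exist in the JAAS file, and endpoint-spn must be in the full HTTP/host.name@REALM form that the comment in share-config-custom.xml demands, matching that entry's principal. It assumes, as in this post, that Share and the repository run on one host so the repository SPN equals the HTTP principal in the JAAS entry; the inputs are constructed samples modelled on the files quoted above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs modelled on the files quoted in the post (not the poster's real files).
JAAS_CONF = """
AlfrescoHTTP {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true useKeyTab=true doNotPrompt=true
keyTab="/etc/httpgedAlfresco.keytab"
principal="HTTP/gedAlfresco.gct.com.tn";
};
ShareHTTP
{
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true useKeyTab=true doNotPrompt=true
keyTab="/etc/httpgedAlfresco.keytab"
principal="HTTP/gedAlfresco.gct.com.tn";
};
"""
SHARE_XML = """<alfresco-config><config evaluator="string-compare" condition="Kerberos">
<kerberos><realm>GCT.COM.TN</realm><endpoint-spn>HTTP/gedAlfresco</endpoint-spn>
<config-entry>ShareHTTP</config-entry></kerberos></config></alfresco-config>"""


def parse_jaas(text):
    """Map each JAAS login entry name to its option=value pairs (flags without '=' are ignored)."""
    entries = {}
    for name, body in re.findall(r"(\w[\w.]*)\s*\{(.*?)\};", text, re.S):
        entries[name] = dict(re.findall(r'(\w+)\s*=\s*"?([^"\s;]+)"?', body))
    return entries


def check_share_kerberos(jaas_text, share_xml):
    """Cross-check Share's <kerberos> block against java.login.config; return a list of findings."""
    findings = []
    jaas = parse_jaas(jaas_text)
    k = ET.fromstring(share_xml).find(".//kerberos")
    realm, spn, entry = k.findtext("realm"), k.findtext("endpoint-spn"), k.findtext("config-entry")
    opts = jaas.get(entry)
    if opts is None:
        return [f"config-entry {entry!r} is not defined in java.login.config"]
    principal = opts.get("principal", "")
    if not principal.startswith("HTTP/"):
        findings.append(f"JAAS entry {entry} principal {principal!r} is not an HTTP/ service principal")
    if "@" not in spn:  # the browser asks the KDC for HTTP/host@REALM; the SPN must carry the realm
        findings.append(f"endpoint-spn {spn!r} lacks @REALM; expected HTTP/host.name@REALM")
    # assumption: Share and the repository share one host, so endpoint-spn == principal@realm
    expected = principal if "@" in principal else f"{principal}@{realm}"
    if spn != expected:
        findings.append(f"endpoint-spn {spn!r} does not match JAAS principal {expected!r}")
    return findings


if __name__ == "__main__":
    for finding in check_share_kerberos(JAAS_CONF, SHARE_XML):
        print("FINDING:", finding)
```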
