Apache Reverse Proxy with Kerberos SSO

phivuu-2
Partner

Apache Reverse Proxy with Kerberos SSO

I have successfully configured Kerberos and generated SPNs + keytabs, and it works when the reverse proxy is disabled. However, I want it to work with the reverse proxy. From what I understand, I need to generate new SPNs + keytabs for the proxy DNS name. The Alfresco server runs on the same machine as the Apache reverse proxy.

Do I need to reconfigure anything in krb5.ini, java.login.config or share-config-custom.xml?

  • krb5.ini: Points to the AD server
  • java.login.config: Currently points to the Alfresco server, which runs the Apache reverse proxy (not using the proxy DNS name).
  • share-config-custom.xml: The Kerberos endpoint-spn points to the Alfresco server, which runs the Apache reverse proxy (not using the proxy DNS name). The Remote section uses localhost.

The proxy DNS is alfrescotest.jonkoping.se. Are the commands correct or did I add one .jonkoping.se too many?

setspn -a cifs/alfrescotest.jonkoping.se alfrescocifs
setspn -a cifs/alfrescotest.jonkoping.se.jonkoping.se alfrescocifs
setspn -a HTTP/alfrescotest.jonkoping.se alfrescohttp
setspn -a HTTP/alfrescotest.jonkoping.se.jonkoping.se alfrescohttp

ktpass -princ cifs/alfrescotest.jonkoping.se.jonkoping.se@jonkoping.se -pass Password -mapuser jonkoping\alfrescocifs -crypto ALL -ptype KRB5_NT_PRINCIPAL -out d:\temp\alfrescocifs.keytab -kvno 0

ktpass -princ HTTP/alfrescotest.jonkoping.se.jonkoping.se@jonkoping.se -pass Password -mapuser jonkoping\alfrescohttp -crypto ALL -ptype KRB5_NT_PRINCIPAL -out d:\temp\alfrescohttp.keytab -kvno 0

Lastly, do I need to configure anything in Apache httpd.conf to forward the headers to the Alfresco repository?

1 Solution

Accepted Solutions
phivuu-2
Partner

Re: Apache Reverse Proxy with Kerberos SSO

Yes, this link was also somewhat helpful: https://docs.alfresco.com/sso/topics/kerberos.html
Here are my notes:

1. If there is a reverse proxy, make sure its DNS name is used to create the SPN and Kerberos keytabs.
Example: proxy DNS alfresco.example.com, realm EXAMPLE.COM
setspn -a HTTP/alfresco.example.com alfrescohttp
ktpass -princ HTTP/alfresco.example.com@EXAMPLE.COM -pass Password -mapuser example\alfrescohttp -crypto ALL -ptype KRB5_NT_PRINCIPAL -out d:\temp\alfrescohttp.keytab -kvno 0
2. Make sure the AlfrescoHTTP and AlfrescoCIFS AD users can be found in Alfresco after a sync.
3. krb5.ini - Point at the AD server here.
4. share-config-custom.xml - Make sure endpoint-spn points to the reverse proxy DNS name if there is one.
5. No Kerberos module should be needed on the reverse proxy. It should forward the Kerberos headers to the Alfresco repository for authentication if the SPN and keytabs are created with the proxy DNS name.
6. java/lib/security/java.login.config - Make sure the principal points to the reverse proxy DNS name.
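The question and the accepted solution both come down to one invariant: the SPN in the keytab, the principal in java.login.config and the endpoint-spn in share-config-custom.xml must all name the hostname the browser actually connects to (the proxy), in the form service/host@REALM, with no doubled domain suffix. The check below is an added example, not code from the thread or from Alfresco; the config snippets it inspects are constructed samples that follow the JAAS entry layout and the Share <kerberos> block, and the hostnames, keytab path and realm in them are assumptions.

```python
"""Consistency check for the Kerberos SSO pieces behind a reverse proxy.

All values below are constructed samples (hostnames, realm, keytab path);
the file layouts mimic java.login.config and the share-config-custom.xml
<kerberos> block but are not taken from any real deployment.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Optional


def expected_spn(proxy_fqdn: str, realm: str, service: str = "HTTP") -> str:
    """SPN a client requests when the user browses to the proxy hostname."""
    return f"{service}/{proxy_fqdn.lower()}@{realm.upper()}"


def spn_issues(spn: str) -> List[str]:
    """Structural problems in a service principal name of the form service/host[@REALM]."""
    m = re.fullmatch(r"([A-Za-z]+)/([^@\s/]+)(?:@(\S+))?", spn)
    if not m:
        return [f"'{spn}' is not of the form service/host[@REALM]"]
    _service, host, realm = m.groups()
    issues = []
    labels = host.lower().split(".")
    # A domain suffix pasted twice (host.example.com.example.com) produces an
    # SPN no client will ever request; flag any repeated tail of labels.
    for n in range(1, len(labels) // 2 + 1):
        if labels[-n:] == labels[-2 * n:-n]:
            issues.append(f"host '{host}' repeats the suffix '{'.'.join(labels[-n:])}'")
            break
    if realm is not None and realm != realm.upper():
        issues.append(f"realm '{realm}' should be upper-case")
    return issues


def principal_from_login_config(login_conf: str, entry: str) -> Optional[str]:
    """Pull principal="..." out of the named JAAS entry (e.g. AlfrescoHTTP)."""
    block = re.search(rf"{re.escape(entry)}\s*\{{(.*?)\}};", login_conf, re.S)
    if not block:
        return None
    m = re.search(r'principal\s*=\s*"([^"]+)"', block.group(1))
    return m.group(1) if m else None


def endpoint_spn_from_share_config(share_xml: str) -> Optional[str]:
    """Read <kerberos><endpoint-spn> from a share-config-custom.xml document."""
    node = ET.fromstring(share_xml).find(".//kerberos/endpoint-spn")
    return node.text.strip() if node is not None and node.text else None


def check_sso_config(proxy_fqdn: str, realm: str, login_conf: str, share_xml: str) -> List[str]:
    """Return findings; an empty list means every piece names the proxy SPN."""
    want = expected_spn(proxy_fqdn, realm)
    sources = (
        ("java.login.config AlfrescoHTTP principal",
         principal_from_login_config(login_conf, "AlfrescoHTTP")),
        ("share-config-custom.xml endpoint-spn", endpoint_spn_from_share_config(share_xml)),
    )
    findings = []
    for label, got in sources:
        if got is None:
            findings.append(f"{label}: not found")
            continue
        if got != want:
            findings.append(f"{label}: '{got}' != expected '{want}'")
        findings.extend(f"{label}: {issue}" for issue in spn_issues(got))
    return findings


# Constructed samples: proxy hostname alfresco.example.com, realm EXAMPLE.COM.
GOOD_LOGIN_CONF = '''
AlfrescoHTTP {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    useKeyTab=true
    keyTab="C:/etc/keys/alfrescohttp.keytab"
    principal="HTTP/alfresco.example.com@EXAMPLE.COM";
};
'''
# Same file, but the principal still names the backend host instead of the proxy.
BAD_LOGIN_CONF = GOOD_LOGIN_CONF.replace("HTTP/alfresco.example.com", "HTTP/repo01.example.com")

SHARE_XML = '''<alfresco-config>
  <config evaluator="string-compare" condition="Kerberos" replace="true">
    <kerberos>
      <realm>EXAMPLE.COM</realm>
      <endpoint-spn>HTTP/alfresco.example.com@EXAMPLE.COM</endpoint-spn>
      <config-entry>ShareHTTP</config-entry>
    </kerberos>
  </config>
</alfresco-config>
'''

if __name__ == "__main__":
    for name, conf in (("good", GOOD_LOGIN_CONF), ("bad", BAD_LOGIN_CONF)):
        print(name, check_sso_config("alfresco.example.com", "EXAMPLE.COM", conf, SHARE_XML))
    print(spn_issues("HTTP/alfresco.example.com.example.com@EXAMPLE.COM"))
```

Run it against the real files and the realm and proxy name of the deployment; any finding means a client that authenticates to the proxy hostname will present a ticket for an SPN the repository's keytab cannot decrypt, which is the symptom of SSO silently falling back to a login prompt.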


3 Replies
c-0815
Member II

Re: Apache Reverse Proxy with Kerberos SSO

I have the same problem. Have you found a solution in the meantime?

regards

Ralph

c-0815
Member II

Re: Apache Reverse Proxy with Kerberos SSO

Thank you. Now it works.

kind regards

Ralph