Auto-Login (SSO) not working - Kerberos

Active Member

Auto-Login (SSO) not working - Kerberos

Question: NOT ABLE TO ESTABLISH SSO using Kerberos.

Environment Details

alfresco-community-installer-201611-EA-win-x64

Windows server 2008 R2 Standard.

***** Find all the files in the attachments

 

Steps Performed:

1) Created two LDAP users - name: AlfrescoHTTP, password: ***, name: AlfrescoCIFS, password: ***

2) a) Enable Password never expires.
    b) Disable User must change password at next logon.
    c) Select the Account tab and enable the Do not require Kerberos preauthentication option in the Account Options section.
    d) In the user Delegation tab, select the Trust this user for delegation to any service (Kerberos only) check box.

3) Created keytab files for both users, kept at location C:\alf\ on server (aaa).

4) Created "krb5.ini" file on server (aaa) at location, C:\Windows\

5) Created "java.login.config" file at location <install-path>:\Alfresco\instance\java\lib\security\ 

6) Edited "java.security" file at <install-path>:\Alfresco\instance\java\lib\security\ path and appended the following:

      login.config.url.1=file:${java.home}/lib/security/java.login.config 

7) Edited alfresco-global.properties file.

8) Edited share-config-custom.xml file.

9) Restarted the alfresco services.

Log Files:

alfrescotomcat-stdout.2017-06-12.log

2017-06-12 12:34:36,168 INFO [alfresco.repo.admin] [localhost-startStop-1] Using database URL 'jdbc:postgresql://localhost:5432/alfresco' with user 'alfresco'.
2017-06-12 12:34:36,168 INFO [alfresco.repo.admin] [localhost-startStop-1] Connected to database PostgreSQL version 9.4.4
2017-06-12 12:34:45,980 INFO [domain.schema.SchemaBootstrap] [localhost-startStop-1] Ignoring script patch (post-Hibernate): patch.db-V4.2-metadata-query-indexes
2017-06-12 12:34:45,980 INFO [domain.schema.SchemaBootstrap] [localhost-startStop-1] Ignoring script patch (post-Hibernate): patch.db-V5.1-metadata-query-indexes
2017-06-12 12:34:45,980 INFO [domain.schema.SchemaBootstrap] [localhost-startStop-1] Ignoring script patch (post-Hibernate): patch.db-V5.2-remove-jbpm-tables-from-db
2017-06-12 12:34:57,667 INFO [management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Starting 'Authentication' subsystem, ID: [Authentication, managed, kerberos1]
2017-06-12 12:34:57,902 DEBUG [app.servlet.KerberosAuthenticationFilter] [localhost-startStop-1] HTTP Kerberos login successful
2017-06-12 12:34:57,902 DEBUG [app.servlet.KerberosAuthenticationFilter] [localhost-startStop-1] Logged on using principal HTTP/HOST.comp.com@COMP.COM
2017-06-12 12:34:57,933 DEBUG [webdav.auth.KerberosAuthenticationFilter] [localhost-startStop-1] HTTP Kerberos login successful
2017-06-12 12:34:57,933 DEBUG [webdav.auth.KerberosAuthenticationFilter] [localhost-startStop-1] Logged on using principal HTTP/HOST.comp.com@COMP.COM
2017-06-12 12:34:58,042 INFO [management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Startup of 'Authentication' subsystem, ID: [Authentication, managed, kerberos1] complete
2017-06-12 12:34:58,042 INFO [management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Starting 'Authentication' subsystem, ID: [Authentication, managed, ldap1]
2017-06-12 12:34:58,324 INFO [management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Startup of 'Authentication' subsystem, ID: [Authentication, managed, ldap1] complete

Alfresco.log file

2017-06-12 17:05:21,669 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-3] New Kerberos auth request from 127.0.0.1 (127.0.0.1:57333)
2017-06-12 17:05:21,669 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-3] Issuing login challenge to browser.
2017-06-12 17:05:27,888 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-7] New Kerberos auth request from 127.0.0.1 (127.0.0.1:57341)
2017-06-12 17:05:27,888 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-7] Issuing login challenge to browser.
2017-06-12 17:05:28,044 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-12] New Kerberos auth request from 127.0.0.1 (127.0.0.1:57341)
2017-06-12 17:05:28,044 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-12] Issuing login challenge to browser.
2017-06-12 17:05:28,982 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-15] New Kerberos auth request from 127.0.0.1 (127.0.0.1:57339)
2017-06-12 17:05:28,982 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-15] Issuing login challenge to browser.


Question: I want to know whether the steps performed for Kerberos SSO are correct or whether some more config needs to be done. I am not able to figure out from the log files what the exact error is. How do I proceed further in investigating and establishing SSO?

4 Replies
Active Member

Re: Auto-Login (SSO) not working - Kerberos

  1. http://host:port/alfresco getting logged in via Kerberos

Output:

2017-06-12 17:05:27,888 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-7] New Kerberos auth request from 127.0.0.1 (127.0.0.1:57341)
2017-06-12 17:05:27,888 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-7] Issuing login challenge to browser.

 

  2. http://host:port/share NOT getting logged in via Kerberos

Output:
2017-06-15 13:02:35,220 DEBUG [webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-1] New Kerberos auth request from 10.172.0.215 (10.172.0.215:53162)
2017-06-15 13:02:35,220 DEBUG [webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-1] Issuing login challenge to browser.
2017-06-15 13:02:35,282 DEBUG [webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-6] Create the User environment for: SomeUserName
2017-06-15 13:02:35,282 DEBUG [webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-6] User SomeUserName logged on via Kerberos
2017-06-15 13:02:35,282 DEBUG [webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-6] Authenticated through Kerberos.
2017-06-15 13:03:51,999 DEBUG [webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-8] Found a session user: SomeUserName
2017-06-15 13:03:51,999 DEBUG [webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-8] Authentication not required (user), chaining ...
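
A triage helper for the two log patterns quoted above, added here as an example (it is not part of the original posts and not Alfresco code): it counts login challenges that were never followed by a "logged on via Kerberos" line from the same filter. Pairing a logon with the most recent challenge inside a 5-second window is an assumption of this sketch, and the sample is assembled from lines quoted in the thread.

```python
import re
from collections import Counter
from datetime import datetime

# Sample assembled from lines quoted in the thread (constructed input).
SAMPLE_LOG = """\
2017-06-12 17:05:27,888 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-7] New Kerberos auth request from 127.0.0.1 (127.0.0.1:57341)
2017-06-12 17:05:27,888 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-7] Issuing login challenge to browser.
2017-06-12 17:05:28,044 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-12] New Kerberos auth request from 127.0.0.1 (127.0.0.1:57341)
2017-06-12 17:05:28,044 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-12] Issuing login challenge to browser.
2017-06-15 13:02:35,220 DEBUG [webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-1] New Kerberos auth request from 10.172.0.215 (10.172.0.215:53162)
2017-06-15 13:02:35,220 DEBUG [webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-1] Issuing login challenge to browser.
2017-06-15 13:02:35,282 DEBUG [webdav.auth.KerberosAuthenticationFilter] [http-apr-8080-exec-6] User SomeUserName logged on via Kerberos
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) +\w+ +"
                  r"\[([\w.]*KerberosAuthenticationFilter)\] +\[[^\]]+\] +(.*)$")
REQUEST = re.compile(r"New Kerberos auth request from (\S+)")


def unanswered_challenges(log_text, window_s=5.0):
    """Count login challenges per (logger, client) with no Kerberos logon
    from the same logger within window_s seconds (heuristic, an assumption)."""
    pending = {}       # logger -> list of (timestamp, client) awaiting a ticket
    last_client = {}   # logger -> client address of the latest auth request
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue   # startup noise, other loggers, wrapped lines
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
        logger, msg = m.group(2), m.group(3)
        req = REQUEST.search(msg)
        if req:
            last_client[logger] = req.group(1)
        elif msg.startswith("Issuing login challenge"):
            pending.setdefault(logger, []).append((ts, last_client.get(logger, "unknown")))
        elif "logged on via Kerberos" in msg:
            queue = pending.get(logger, [])
            # A logon answers the most recent challenge, if it is recent enough.
            if queue and (ts - queue[-1][0]).total_seconds() <= window_s:
                queue.pop()
    return Counter((logger, client) for logger, q in pending.items() for _, client in q)


if __name__ == "__main__":
    for (logger, client), n in unanswered_challenges(SAMPLE_LOG).items():
        print(f"{n} unanswered challenge(s): {logger} <- {client}")
```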

Active Member

Re: Auto-Login (SSO) not working - Kerberos

There was an issue with a module which was installed.

Once the module was uninstalled, Kerberos started working.

Advanced II

Re: Auto-Login (SSO) not working - Kerberos

May I ask which module it was?

Active Member

Re: Auto-Login (SSO) not working - Kerberos

It was a custom made module.

The share-config-custom.xml file was placed inside of the web-extension folder.

The file shouldn't have been in that location.