Can't create/edit content after upgrade to ACS 6.2 Community

cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Partner

Can't create/edit content after upgrade to ACS 6.2 Community

Any create/edit action will geneate the same exception. The one below is when I try to upload a document. The environment is using Kerberos if that is related?

 

May 29, 2020 4:51:46 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [wcapiServlet] in context with path [/alfresco] threw exception
org.alfresco.rest.framework.core.exceptions.NotFoundException: 04290003 /upload blev ikke fundet
at org.alfresco.rest.api.PublicApiDeclarativeRegistry.findWebScript(PublicApiDeclarativeRegistry.java:250)
at org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter.doFilter(BaseSSOAuthenticationFilter.java:204)
at jdk.internal.reflect.GeneratedMethodAccessor489.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:119)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212)
at com.sun.proxy.$Proxy153.doFilter(Unknown Source)
at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:89)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.alfresco.web.app.servlet.WebScriptSSOAuthenticationFilter.doFilter(WebScriptSSOAuthenticationFilter.java:124)
at jdk.internal.reflect.GeneratedMethodAccessor489.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:119)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212)
at com.sun.proxy.$Proxy153.doFilter(Unknown Source)
at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:89)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.alfresco.web.app.servlet.WebscriptCookieAuthenticationFilter.doFilter(WebscriptCookieAuthenticationFilter.java:77)
at jdk.internal.reflect.GeneratedMethodAccessor489.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:132)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212)
at com.sun.proxy.$Proxy153.doFilter(Unknown Source)
at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:89)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:68)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.alfresco.web.app.servlet.ClearSecurityContextFilter.doFilter(ClearSecurityContextFilter.java:53)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:660)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:798)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:808)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Thread.java:834)

 

7 Replies
Highlighted
Community Manager
Community Manager

Re: Can't create/edit content after upgrade to ACS 6.2 Community

Hi @phivuu-2,

This looks very similar to this issue => https://hub.alfresco.com/t5/alfresco-content-services-forum/kerberos-acs-6-2-community/td-p/294619.

What does your share-config-custom.xml configuration look like? Is it setup correctly for  Kerberos?

HTH,

Digital Community Manager, Alfresco Software.
Problem solved? Click Accept as Solution!
Highlighted
Partner

Re: Can't create/edit content after upgrade to ACS 6.2 Community

Hi @EddieMay 

Yes I also found this thread. I also suspect it might be Kerberos or share-config-custom.xml. Kerberos config is setup correctly and share-config-custom.xml is from Alfresco 5.2.7 before I upgraded. It worked fine on 5.2.7. I've compared the existing share-config-custom.xml with one from 6.2 and updated the remote end-points to match 6.2.

The environment previously ran in a cluster with 2 repo servers. I've disabled clustering and updated the loadbalancer(haproxy) to point to one repository. The endpoint-url in share-config-custom.xml hasn't been changed since 5.2.7. Which is the URL to the load balancer. I have a feeling there's something wrong with the endpoints?

 

<config evaluator="string-compare" condition="Remote">
<remote>
<endpoint>
<id>alfresco-noauth</id>
<name>Alfresco - unauthenticated access</name>
<description>Access to Alfresco Repository WebScripts that do not require authentication</description>
<connector-id>alfresco</connector-id>
<endpoint-url>http://loadbalancer.net:9080/alfresco/s</endpoint-url>
<identity>none</identity>
</endpoint>

<endpoint>
<id>alfresco</id>
<name>Alfresco - user access</name>
<description>Access to Alfresco Repository WebScripts that require user authentication</description>
<connector-id>alfresco</connector-id>
<endpoint-url>http://loadbalancer.net:9080/alfresco/s</endpoint-url>
<identity>user</identity>
</endpoint>

<endpoint>
<id>alfresco-feed</id>
<name>Alfresco Feed</name>
<description>Alfresco Feed - supports basic HTTP authentication via the EndPointProxyServlet</description>
<connector-id>http</connector-id>
<endpoint-url>http://loadbalancer.net:9080/alfresco/s</endpoint-url>
<basic-auth>true</basic-auth>
<identity>user</identity>
</endpoint>

<endpoint>
<id>alfresco-api</id>
<parent-id>alfresco</parent-id>
<name>Alfresco Public API - user access</name>
<description>Access to Alfresco Repository Public API that require user authentication.
This makes use of the authentication that is provided by parent 'alfresco' endpoint.</description>
<connector-id>alfresco</connector-id>
<endpoint-url>http://loadbalancer.net:9080/alfresco/api</endpoint-url>
<identity>user</identity>
</endpoint>

</remote>
</config>

<!--
Overriding endpoints to reference an Alfresco server with external SSO enabled
NOTE: If utilising a load balancer between web-tier and repository cluster, the "sticky
sessions" feature of your load balancer must be used.
NOTE: If alfresco server location is not localhost:8080 then also combine changes from the
"example port config" section below.
*Optional* keystore contains SSL client certificate + trusted CAs.
Used to authenticate share to an external SSO system such as CAS
Remove the keystore section if not required i.e. for NTLM.

NOTE: For Kerberos SSO rename the "KerberosDisabled" condition above to "Kerberos"

NOTE: For external SSO, switch the endpoint connector to "AlfrescoHeader" and set
the userHeader to the name of the HTTP header that the external SSO
uses to provide the authenticated user name.
-->
<config evaluator="string-compare" condition="Remote">
<remote>
<keystore>
<path>alfresco/web-extension/alfresco-system.p12</path>
<type>pkcs12</type>
<password>password</password>
</keystore>

<connector>
<id>alfrescoCookie</id>
<name>Alfresco Connector</name>
<description>Connects to an Alfresco instance using cookie-based authentication</description>
<class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
</connector>

<connector>
<id>alfrescoHeader</id>
<name>Alfresco Connector</name>
<description>Connects to an Alfresco instance using header and cookie-based authentication</description>
<class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
<userHeader>SsoUserHeader</userHeader>
</connector>

<endpoint>
<id>alfresco</id>
<name>Alfresco - user access</name>
<description>Access to Alfresco Repository WebScripts that require user authentication</description>
<connector-id>alfrescoCookie</connector-id>
<endpoint-url>http://loadbalancer.net:9080/alfresco/wcs</endpoint-url>
<identity>user</identity>
<!-- BUG, set to false or patch see https://issues.alfresco.com/jira/browse/MNT-15899 -->
<external-auth>true</external-auth>
</endpoint>

<endpoint>
<id>alfresco-feed</id>
<parent-id>alfresco</parent-id>
<name>Alfresco Feed</name>
<description>Alfresco Feed - supports basic HTTP authentication via the EndPointProxyServlet</description>
<connector-id>alfrescoHeader</connector-id>
<endpoint-url>http://loadbalancer.net:9080/alfresco/wcs</endpoint-url>
<identity>user</identity>
<external-auth>true</external-auth>
</endpoint>

<endpoint>
<id>alfresco-api</id>
<parent-id>alfresco</parent-id>
<name>Alfresco Public API - user access</name>
<description>Access to Alfresco Repository Public API that require user authentication.
This makes use of the authentication that is provided by parent 'alfresco' endpoint.</description>
<connector-id>alfrescoHeader</connector-id>
<endpoint-url>http://loadbalancer.net:9080/alfresco/api</endpoint-url>
<identity>user</identity>
<external-auth>true</external-auth>
</endpoint>
</remote>

Highlighted
Partner

Re: Can't create/edit content after upgrade to ACS 6.2 Community

I tried to enable alfresco default authentication authentication.chain=alfrescoNtlm1:alfrescoNtlm previously authentication.chain=nu1kerb:kerberos,ldap1:ldap,ldap3:ldap

And then tried to reproduce the issue with the local admin user. It works fine. So I guess it's either kerberos or ldap that is wrong? Do you think I need to look at share-custom-config.xml? Or perhaps I need to generate new kerberos keytabs? Maybe I can check if ldap works.

Highlighted
Partner

Re: Can't create/edit content after upgrade to ACS 6.2 Community

I solved the issue by changed wcs endpoints to s.

Are the wcs endpoints deprecated or something? The default share-custom-config.xml for 6.2 Community contains them.

Highlighted
Community Manager
Community Manager

Re: Can't create/edit content after upgrade to ACS 6.2 Community

Hi @phivuu-2,

Glad you got it working. There's an explation of /wcs vs /s endpoints here - hope that helps. 

Cheers,

Digital Community Manager, Alfresco Software.
Problem solved? Click Accept as Solution!
Partner

Re: Can't create/edit content after upgrade to ACS 6.2 Community

@EddieMay 

Although I'm able to manually login with the synced user without any issue. I haven't tested SSO yet because I'm on a Linux environment. I took a look at the link you provided and it looks like /wcs endpoint is needed for Kerberos SSO to work correctly?

Highlighted
Partner

Re: Can't create/edit content after upgrade to ACS 6.2 Community

The end user reported that SSO is not working. So it looks like the /wcs endpoint is needed for Kerberos SSO? Could this be a bug in 6.2 Community?

 

SSO is working with /wcs but with the exception in the repository as shown in the first post. Share is also showing an exception:

2020-06-09 13:00:40,781  WARN  [site.servlet.KerberosSessionSetupPrivilegedAction] [http-nio-8080-exec-5] Caught GSS Error
 GSSException: No valid credentials provided (Mechanism level: KDC cannot accommodate requested option (13))
	at java.security.jgss/sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:771)
	at java.security.jgss/sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:266)
	at java.security.jgss/sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:196)
	at org.alfresco.web.site.servlet.KerberosSessionSetupPrivilegedAction.run(KerberosSessionSetupPrivilegedAction.java:134)
	at org.alfresco.web.site.servlet.KerberosSessionSetupPrivilegedAction.run(KerberosSessionSetupPrivilegedAction.java:51)
	at java.base/java.security.AccessController.doPrivileged(Native Method)
	at java.base/javax.security.auth.Subject.doAs(Subject.java:361)
	at org.alfresco.web.site.servlet.SSOAuthenticationFilter.doKerberosLogon(SSOAuthenticationFilter.java:1326)
	at org.alfresco.web.site.servlet.SSOAuthenticationFilter.doFilter(SSOAuthenticationFilter.java:653)
	at org.alfresco.web.site.servlet.SSOAuthenticationFilter.doFilter(SSOAuthenticationFilter.java:443)
	at org.springframework.extensions.webscripts.servlet.BeanProxyFilter.doFilter(BeanProxyFilter.java:80)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.alfresco.web.site.servlet.MTAuthenticationFilter.doFilter(MTAuthenticationFilter.java:81)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:660)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:798)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:808)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: KrbException: KDC cannot accommodate requested option (13)
	at java.security.jgss/sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:70)
	at java.security.jgss/sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:251)
	at java.security.jgss/sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:262)
	at java.security.jgss/sun.security.krb5.internal.CredentialsUtil.acquireS4U2proxyCreds(CredentialsUtil.java:96)
	at java.security.jgss/sun.security.krb5.Credentials.acquireS4U2proxyCreds(Credentials.java:469)
	at java.security.jgss/sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:699)
	... 32 more
Caused by: KrbException: Identifier doesn't match expected value (906)
	at java.security.jgss/sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
	at java.security.jgss/sun.security.krb5.internal.TGSRep.init(TGSRep.java:65)
	at java.security.jgss/sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:60)
	at java.security.jgss/sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:55)
	... 37 more