Could we make the kerberos users alfrescocifs and alfrescohttp to allow customers to have several alfresco instances (e.g: test, validation and production environments) authenticate against the same AD server


Two Instances:

UAT (ip1), PROD(ip2)

Steps Performed:

First kerberos configuration on UAT - successful

Second kerberos configuration on PROD - successful

then,

On UAT,

when opening 1.1.1.1:8080/share, it gives "cannot be found".

The alfresco and share applications throw an exception.

Reason:

****-**-** **:**:**,925 ERROR [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [localhost-startStop-1] HTTP Kerberos web filter error
javax.security.auth.login.LoginException: Client not found in Kerberos database (6)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.access$000(Unknown Source)
at javax.security.auth.login.LoginContext$4.run(Unknown Source)
at javax.security.auth.login.LoginContext$4.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
at javax.security.auth.login.LoginContext.login(Unknown Source)
at org.alfresco.repo.webdav.auth.BaseKerberosAuthenticationFilter.init(BaseKerberosAuthenticationFilter.java:189)
at org.alfresco.web.app.servlet.KerberosAuthenticationFilter.init(KerberosAuthenticationFilter.java:63)
at org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter.afterPropertiesSet(BaseSSOAuthenticationFilter.java:153)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1573)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1511)
...
at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:938)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:479)
at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:410)
at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:306)
at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:112)
at org.alfresco.web.app.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:70)
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:5016)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5524)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:649)
at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1859)
at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: KrbException: Client not found in Kerberos database (6)
at sun.security.krb5.KrbAsRep.<init>(Unknown Source)
at sun.security.krb5.KrbAsReqBuilder.send(Unknown Source)
at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
... 65 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(Unknown Source)
at sun.security.krb5.internal.ASRep.init(Unknown Source)
at sun.security.krb5.internal.ASRep.<init>(Unknown Source)
... 68 more

2 Replies

Re: Could we make the kerberos users alfrescocifs and alfrescohttp to allow customers to have several alfresco instances (e.g: test, validation and production environments) authenticate against the same AD server

You cannot use Kerberos on an IP-based host. Give UAT a proper domain name and use that to address it, and it should work with Kerberos (provided you set up the SPN in AD as well).

Also, make sure that the user has the SPNs for all the relevant systems, and use the most up-to-date keytab for all systems. Ideally, you would create separate system users in AD for each environment and only have them associated with the SPNs of their environment.
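The failure in the trace above is raised from BaseKerberosAuthenticationFilter.init, where Alfresco logs in as the principal stored in its keytab; "Client not found in Kerberos database" means AD no longer knows that principal for the account. Re-running ktpass for a second host against the same account rewrites the account's mapping, so the first host's keytab is left naming a principal that no longer exists, which is why each environment needs its own account (or at least a keytab cut after the last change). One way to verify a keytab before starting an instance is to parse it and confirm it carries the HTTP and cifs principals for that host, and that no entry has been superseded by a newer key version. The script below is an added example, not Alfresco or Microsoft code; the keytab bytes, hostnames, realm and keys are constructed here so it runs offline.

```python
"""Parse a version 0x0502 keytab (the format ktpass /out writes) and check
that it carries the service principals one Alfresco instance needs."""
import struct
from dataclasses import dataclass
from typing import List, Tuple

ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}


@dataclass
class KeytabEntry:
    principal: str  # e.g. "HTTP/uat.example.com@EXAMPLE.COM"
    kvno: int
    enctype: int
    timestamp: int


def _counted(data: bytes, pos: int) -> Tuple[bytes, int]:
    """Read a 16-bit big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:  # negative size marks a deleted slot; skip its payload
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, keylen = struct.unpack_from(">HH", data, pos)
        pos += 4 + keylen  # the key bytes themselves are not needed for this check
        kvno = vno8
        if end - pos >= 4:  # optional trailing 32-bit kvno overrides the 8-bit one when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or kvno
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype, timestamp))
    return entries


def _entry(principal: str, kvno: int, enctype: int, key: bytes, ts: int) -> bytes:
    """Serialise one entry; used only to build the constructed sample keytabs."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, ts, kvno & 0xFF)  # NT-PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)  # 32-bit kvno
    return struct.pack(">i", len(body)) + body


def build_keytab(entries) -> bytes:
    return b"\x05\x02" + b"".join(_entry(*e) for e in entries)


def missing_principals(entries: List[KeytabEntry], required: List[str]) -> List[str]:
    present = {e.principal for e in entries}
    return [p for p in required if p not in present]


def stale_entries(entries: List[KeytabEntry]) -> List[KeytabEntry]:
    """Entries superseded by a higher kvno for the same principal: they were cut
    before the account password was reset (for example by a later ktpass run)."""
    newest = {}
    for e in entries:
        newest[e.principal] = max(newest.get(e.principal, 0), e.kvno)
    return [e for e in entries if e.kvno < newest[e.principal]]


def required_for(host: str, realm: str) -> List[str]:
    return [f"HTTP/{host}@{realm}", f"cifs/{host}@{realm}"]


def check_instance(keytab: bytes, host: str, realm: str) -> List[str]:
    """Principals this host's Alfresco needs that the keytab does not provide."""
    return missing_principals(parse_keytab(keytab), required_for(host, realm))


# Constructed sample keytabs (hostnames, realm and keys are made up).
UAT_KEYTAB = build_keytab([
    ("HTTP/uat.example.com@EXAMPLE.COM", 3, 18, b"\x11" * 32, 1_600_000_000),
    ("cifs/uat.example.com@EXAMPLE.COM", 3, 18, b"\x22" * 32, 1_600_000_000),
])
# Keytab cut for PROD after ktpass was re-run against the same accounts: it
# names only the PROD host and carries a bumped key version.
PROD_KEYTAB = build_keytab([
    ("HTTP/prod.example.com@EXAMPLE.COM", 4, 18, b"\x33" * 32, 1_600_100_000),
    ("cifs/prod.example.com@EXAMPLE.COM", 4, 18, b"\x44" * 32, 1_600_100_000),
])

if __name__ == "__main__":
    for label, kt, host in (("UAT", UAT_KEYTAB, "uat.example.com"), ("PROD", PROD_KEYTAB, "prod.example.com")):
        for e in parse_keytab(kt):
            print(f"{label}: {e.principal} kvno={e.kvno} {ENCTYPE_NAMES.get(e.enctype, e.enctype)}")
        print(f"{label}: missing for {host}: {check_instance(kt, host, 'EXAMPLE.COM')}")
```

Run against the real files by replacing the constructed byte strings with `open(path, "rb").read()`; an empty `missing` list for the instance's own hostname is the condition to look for, and any entry reported by `stale_entries` points at a keytab that predates the account's last password change.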


Re: Could we make the kerberos users alfrescocifs and alfrescohttp to allow customers to have several alfresco instances (e.g: test, validation and production environments) authenticate against the same AD server

Hi Axel,

Thanks for your reply.

We only have two kerberos users, alfrescohttp and alfrescocifs, currently, which worked for one host server (UAT). Then we ran the ktpass command, which changed the principal name to a different host (prod) for the same kerberos users. It worked for prod but stopped working for UAT (which is obvious).

We are supposed to run several instances of alfresco in our organisation and it would be difficult to manage creation of these users again and again.

Hence I need to know if there is a way where we can use the same users for several alfresco instances to authenticate against the same AD server, though it is not recommended.