Does anyone have already configured kerberos on alfresco

cancel
Showing results for 
Search instead for 
Did you mean: 
mire323
Active Member II

Does anyone have already configured kerberos on alfresco

Hello,

Does anyone have a zip file of alfresco on docker with kerberos already integrated so i can enter my settings (kdc,realms,etc.) and get it to work somehow. I am trying to enable kerberos for weeks now and i am getting really desperate.

Please help.

Thank you in advance!

8 Replies
vidhipanchal
Established Member

Re: Does anyone have already configured kerberos on alfresco

Hi,

Please follow this link. I think it will help you.

Regards,

Vidhi

Regards,
Vidhi
fedorow
Senior Member II

Re: Does anyone have already configured kerberos on alfresco

You can find docker.zip file from Angel here

 

It helps me a lot.

mire323
Active Member II

Re: Does anyone have already configured kerberos on alfresco

Hello thank you very much for your response, i started docker container and am getting error:

javax.security.auth.login.LoginException: dev-win2008.oficina.keensoft.es: Name or service not known

I changed:

extra_hosts:
- "dev-win2008.oficina.keensoft.es:192.168.14.34"     to:

extra_hosts:
- "dev-win2008.oficina.keensoft.es:192.168.1.124" where 192.168.1.124 is my windows server ip address.

Do I need to change something else?

Thank you very much for your help i really appreciate it!

fedorow
Senior Member II

Re: Does anyone have already configured kerberos on alfresco

The "dev-win2008.oficina.keensoft.es" is Keensoft domain host name. You should replace all settings like this to yours.

mire323
Active Member II

Re: Does anyone have already configured kerberos on alfresco

Hello,

i changed it everywhere and now i got

 

2019-09-03 14:34:42,734 ERROR [site.servlet.SSOAuthenticationFilter] [localhost-startStop-1] HTTP Kerberos web filter error
share_1 | javax.security.auth.login.LoginException: null (68)
share_1 | at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804)
share_1 | at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
share_1 | at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
share_1 | at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
share_1 | at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
share_1 | at java.lang.reflect.Method.invoke(Method.java:498)
share_1 | at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
share_1 | at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
share_1 | at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
share_1 | at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
share_1 | at java.security.AccessController.doPrivileged(Native Method)
share_1 | at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
share_1 | at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
share_1 | at org.alfresco.web.site.servlet.SSOAuthenticationFilter.init(SSOAuthenticationFilter.java:321)
share_1 | at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
share_1 | at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
share_1 | at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
share_1 | at java.lang.reflect.Method.invoke(Method.java:498)
share_1 | at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeCustomInitMethod(AbstractAutowireCapableBeanFactory.java:1640)
share_1 | at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1581)
share_1 | at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1511)
share_1 | at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:521)
share_1 | at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:458)
share_1 | at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:293)
share_1 | at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:223)
share_1 | at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:290)
share_1 | at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:191)
share_1 | at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:636)
share_1 | at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:938)
share_1 | at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:479)
share_1 | at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:410)
share_1 | at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:306)
share_1 | at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:112)
share_1 | at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:5016)
share_1 | at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5524)
share_1 | at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
share_1 | at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
share_1 | at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)
share_1 | at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:649)
share_1 | at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
share_1 | at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1859)
share_1 | at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
share_1 | at java.util.concurrent.FutureTask.run(FutureTask.java:266)
share_1 | at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
share_1 | at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
share_1 | at java.lang.Thread.run(Thread.java:748)
share_1 | Caused by: KrbException: null (68)
share_1 | at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
share_1 | at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
share_1 | at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
share_1 | at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:776)
share_1 | ... 45 more
share_1 | Caused by: KrbException: Identifier doesn't match expected value (906)
share_1 | at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
share_1 | at sun.security.krb5.internal.ASRep.init(ASRep.java:64)
share_1 | at sun.security.krb5.internal.ASRep.<init>(ASRep.java:59)
share_1 | at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
share_1 | ... 48 more

Do you have any advice?

Thanks for your effort to help me!

fedorow
Senior Member II

Re: Does anyone have already configured kerberos on alfresco

You have to configure at last /docker/alfresco/assets/kerberos/krb5.conf

You have to mare .keytab files and configure Active Directory.

...

I don't check all your configuration files. Check it by yourself. You have Angel's sample. All steps of kerberos configuration described in official documentation.

p.s. please don't generate new topics for one subject. Let's continue here.

mire323
Active Member II

Re: Does anyone have already configured kerberos on alfresco

Hello,

I finally don't have any errors but it still doesn't work.

2019-09-05 11:22:41,321 DEBUG [app.servlet.KerberosAuthenticationFilter] [localhost-startStop-1] HTTP Kerberos login successful
2019-09-05 11:22:41,322 DEBUG [app.servlet.KerberosAuthenticationFilter] [localhost-startStop-1] Logged on using principal HTTP/alfresco.server.net@SERVER.NET
2019-09-05 11:22:41,331 DEBUG [webdav.auth.KerberosAuthenticationFilter] [localhost-startStop-1] HTTP Kerberos login successful
2019-09-05 11:22:41,331 DEBUG [webdav.auth.KerberosAuthenticationFilter] [localhost-startStop-1] Logged on using principal HTTP/alfresco.server.net@SERVER.NET

I configured Internet Explorer as so: Internet Options/Security/Intranet/Custom level/Automatic logon with current name and password.

Also i ran "kinit -p -f" for my user account and after entering password it says : 'New ticket is stored in cache file C:\Users\Mirko\krb5cc_mirko"

but when I run "klist" it says 

Current LogonId is 0:0x345b0c8b

Cached Tickets: (0)

Also i can log in using ldap accounts.

You helped a great deal so far and I am very grateful. 

If you know anything about this please help. Thank you in advance.

fedorow
Senior Member II

Re: Does anyone have already configured kerberos on alfresco

Client configuration of IE have two steps. Do you 

add Alfresco Content Services web server is in the Local Intranet security zone?

Check Tools > Internet Options > Security > Local Intranet > Sites > Advanced, and then add the necessary domain name, for example, http://server.com or http://*.company.com.

Full description is here Step 4. Kerberos client configuration 

p.s. IE and Chrome use a lot of configuration parameters, including system. Try Firefox first. It's simplest way to SSO.