SSO Kerberos

tkim
Member II

SSO Kerberos


I want to set up an SSO environment with Active Directory, but I can't...
I followed the steps in the pages below:
 http://docs.alfresco.com/5.0/tasks/auth-kerberos-ADconfig.html
 http://docs.alfresco.com/5.0/tasks/auth-kerberos-shareSSO.html

Please teach me the right way to configure SSO.


<Environment>
ActiveDirectory Domain Controller:Win2008R2
AlfrescoServer:Win2008R2
Alfresco:Community 5.1 on tomcat

<Works>
1:create account on AD.
   for HTTP and CIFS
2:execute ktpass and setspn just as http://docs.alfresco.com/5.0/tasks/auth-kerberos-ADconfig.html
3:put keytab files on alfresco server; c:\etc
4:create krb5.ini in c:\windows
5:create C:\alfresco-community\java\lib\security\java.login.config
6:modify java.security
7:modify share-config-custom.xml
  - uncomment for <config evaluator="string-compare" condition="Remote">
  - set Kerberos settings
     - set password
     - set realm
     - set endpoint-spn
     - set config-entry
     - set stripUserNameSuffix:true

8:modify alfresco-global.properties
 authentication.chain=kerberos1:kerberos,ldap1:ldap-ad,alfrescoNtlm1:alfrescoNtlm

<Error log>
2016-11-28 15:55:32,028 INFO  [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Starting 'Authentication' subsystem, ID: [Authentication, managed, kerberos1]
2016-11-28 15:55:32,262 ERROR [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [localhost-startStop-1] HTTP Kerberos web filter error
javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
    at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at javax.security.auth.login.LoginContext.invoke(Unknown Source)
    at javax.security.auth.login.LoginContext.access$000(Unknown Source)
    at javax.security.auth.login.LoginContext$4.run(Unknown Source)
    at javax.security.auth.login.LoginContext$4.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
    at javax.security.auth.login.LoginContext.login(Unknown Source)
    at org.alfresco.repo.webdav.auth.BaseKerberosAuthenticationFilter.init(BaseKerberosAuthenticationFilter.java:182)
    at org.alfresco.web.app.servlet.KerberosAuthenticationFilter.init(KerberosAuthenticationFilter.java:56)
    at org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter.afterPropertiesSet(BaseSSOAuthenticationFilter.java:146)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1573)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1511)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:521)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:458)
    at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:293)
    at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:223)
    at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:290)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:191)
    at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:636)
    at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:934)
    at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:479)
    at org.alfresco.repo.management.subsystems.ChildApplicationContextFactory$ApplicationContextState.start(ChildApplicationContextFactory.java:814)
    at org.alfresco.repo.management.subsystems.AbstractPropertyBackedBean.start(AbstractPropertyBackedBean.java:1086)
    at org.alfresco.repo.management.subsystems.AbstractPropertyBackedBean.getState(AbstractPropertyBackedBean.java:308)
    at org.alfresco.repo.management.subsystems.ChildApplicationContextFactory.getApplicationContext(ChildApplicationContextFactory.java:440)
    at org.alfresco.repo.management.subsystems.DefaultChildApplicationContextManager$ApplicationContextManagerState.getApplicationContext(DefaultChildApplicationContextManager.java:360)
    at org.alfresco.repo.management.subsystems.DefaultChildApplicationContextManager$ApplicationContextManagerState.start(DefaultChildApplicationContextManager.java:306)
    at org.alfresco.repo.management.subsystems.AbstractPropertyBackedBean.start(AbstractPropertyBackedBean.java:1086)
    at org.alfresco.repo.management.subsystems.AbstractPropertyBackedBean.getState(AbstractPropertyBackedBean.java:308)
    at org.alfresco.repo.management.subsystems.DefaultChildApplicationContextManager.getInstanceIds(DefaultChildApplicationContextManager.java:180)
    at org.alfresco.repo.security.authentication.subsystems.SubsystemChainingAuthenticationService.refreshBeans(SubsystemChainingAuthenticationService.java:89)
    at org.alfresco.repo.security.authentication.subsystems.SubsystemChainingAuthenticationService.getUsableAuthenticationServices(SubsystemChainingAuthenticationService.java:185)
    at org.alfresco.repo.security.authentication.AbstractChainingAuthenticationService.getDefaultAdministratorUserNames(AbstractChainingAuthenticationService.java:566)
    at org.alfresco.repo.security.authority.AuthorityServiceImpl.getRoleAuthorities(AuthorityServiceImpl.java:260)
    at org.alfresco.repo.security.authority.AuthorityServiceImpl.access$0(AuthorityServiceImpl.java:255)
    at org.alfresco.repo.security.authority.AuthorityServiceImpl$UserAuthoritySet.<init>(AuthorityServiceImpl.java:746)
    at org.alfresco.repo.security.authority.AuthorityServiceImpl.getAuthoritiesForUser(AuthorityServiceImpl.java:251)
    at org.alfresco.repo.security.authority.AuthorityServiceImpl.isAdminAuthority(AuthorityServiceImpl.java:169)
    at org.alfresco.service.cmr.workflow.WorkflowPermissionInterceptor.invoke(WorkflowPermissionInterceptor.java:55)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
    at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:46)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
    at org.alfresco.repo.audit.AuditMethodInterceptor.invoke(AuditMethodInterceptor.java:159)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
    at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:96)
    at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:260)
    at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:94)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
    at com.sun.proxy.$Proxy71.isDefinitionDeployed(Unknown Source)
    at org.alfresco.repo.workflow.WorkflowDeployer.init(WorkflowDeployer.java:299)
    at org.alfresco.repo.workflow.WorkflowDeployer$1$1.doWork(WorkflowDeployer.java:512)
    at org.alfresco.repo.security.authentication.AuthenticationUtil.runAs(AuthenticationUtil.java:548)
    at org.alfresco.repo.workflow.WorkflowDeployer$1.execute(WorkflowDeployer.java:508)
    at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:457)
    at org.alfresco.repo.workflow.WorkflowDeployer.onBootstrap(WorkflowDeployer.java:503)
    at org.springframework.extensions.surf.util.AbstractLifecycleBean.onApplicationEvent(AbstractLifecycleBean.java:56)
    at org.alfresco.repo.management.SafeApplicationEventMulticaster.multicastEventInternal(SafeApplicationEventMulticaster.java:207)
    at org.alfresco.repo.management.SafeApplicationEventMulticaster.multicastEvent(SafeApplicationEventMulticaster.java:178)
    at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:334)
    at org.springframework.context.support.AbstractApplicationContext.finishRefresh(AbstractApplicationContext.java:950)
    at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:482)
    at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:410)
    at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:306)
    at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:112)
    at org.alfresco.web.app.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:63)
    at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:5016)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5524)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:649)
    at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
    at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1859)
    at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
    at java.util.concurrent.FutureTask.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Caused by: KrbException: Pre-authentication information was invalid (24)
    at sun.security.krb5.KrbAsRep.<init>(Unknown Source)
    at sun.security.krb5.KrbAsReqBuilder.send(Unknown Source)
    at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
    ... 85 more
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(Unknown Source)
    at sun.security.krb5.internal.ASRep.init(Unknown Source)
    at sun.security.krb5.internal.ASRep.<init>(Unknown Source)
    ... 88 more

5 Replies
angelborroy
Expert

Re: SSO Kerberos

Can you include your krb5.ini content?

Software Engineer in Alfresco Search Team.
tkim
Member II

Re: SSO Kerberos

This is my krb5.ini.

---

[logging]
 default = FILE:C:\work\krb5libs.log
 kdc = FILE:C:\work\krb5kdc.log
 admin_server = FILE:C:\work\kadmind.log
 
[libdefaults]
default_realm = OURDOMAIN.LOCAL
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac

[realms]
OURDOMAIN.LOCAL = {
   kdc = dcsvr.ourdomain.local
   admin_server = dcsvr.ourdomain.local
}

[domain_realm]
dcsvr.ourdomain.local = OURDOMAIN.LOCAL
.dcsvr.ourdomain.local = OURDOMAIN.LOCAL

---

angelborroy
Expert

Re: SSO Kerberos

Try removing encryption lines:

default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac

Software Engineer in Alfresco Search Team.
tkim
Member II

Re: SSO Kerberos

thx for reply!


I modified java.login.config, adding "@OURDOMAIN.LOCAL", and also removed the encryption lines from krb5.ini.
Now, when I started the Alfresco service, no error occurred and the logs looked like this:

2016-11-29 13:54:25,483 INFO  [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Starting 'Authentication' subsystem, ID: [Authentication, managed, kerberos1]
2016-11-29 13:54:25,593 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [localhost-startStop-1] HTTP Kerberos login successful
2016-11-29 13:54:25,593 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [localhost-startStop-1] Logged on using principal HTTP/xxxx
2016-11-29 13:54:25,624 DEBUG [org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter] [localhost-startStop-1] HTTP Kerberos login successful
2016-11-29 13:54:25,624 DEBUG [org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter] [localhost-startStop-1] Logged on using principal HTTP/xxxx
2016-11-29 13:54:25,686 INFO  [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Startup of 'Authentication' subsystem, ID: [Authentication, managed, kerberos1] complete

But I cannot do SSO.
When I access Alfresco from IE, the basic authentication dialog appears; maybe it comes from alfrescoNtlm.
The IE settings are OK, as in http://docs.alfresco.com/4.0/tasks/auth-kerberos-clientconfig.html.

1: Kerberos SSO means that no authentication dialog appears, right?
2: Is my configuration wrong or not enough?

This is my config.

<krb5.ini>
---
[logging]
 default = FILE:C:\work\krb5libs.log
 kdc = FILE:C:\work\krb5kdc.log
 admin_server = FILE:C:\work\kadmind.log
 
[libdefaults]
default_realm = OURDOMAIN.LOCAL
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac

[realms]
OURDOMAIN.LOCAL = {
   kdc = dcsvr.ourdomain.local
   admin_server = dcsvr.ourdomain.local
}

[domain_realm]
dcsvr.ourdomain.local = OURDOMAIN.LOCAL
.dcsvr.ourdomain.local = OURDOMAIN.LOCAL
---

<java.login.config>
---
Alfresco {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};

AlfrescoCIFS {
com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="C:/etc/cifs.keytab"
   principal="cifs/alfrescoserver.ourdomain.local@OURDOMAIN.LOCAL";
};

AlfrescoHTTP {
com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="C:/etc/http7.keytab"
   principal="HTTP/alfrescoserver.ourdomain.local@OURDOMAIN.LOCAL";
};

ShareHTTP
{
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="C:/etc/http.keytab"
   principal="HTTP/alfrescoserver.ourdomain.local@OURDOMAIN.LOCAL";
};
com.sun.net.ssl.client {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};
other {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};
---

<share-config-custom.xml(a part of)>
---
<config evaluator="string-compare" condition="Kerberos" replace="true">
   <kerberos>
      <password>mypassword</password>
      <realm>OURDOMAIN.LOCAL</realm>
      <endpoint-spn>HTTP/alfrescoserver.ourdomain.local@OURDOMAIN.LOCAL</endpoint-spn>
      <config-entry>AlfrescoHTTP</config-entry>
     <stripUserNameSuffix>true</stripUserNameSuffix>
   </kerberos>
</config>

and uncomment <config evaluator="string-compare" condition="Remote"> sections.
---

<kerberos-filter.properties>
---
kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.http.password=mypassword
kerberos.authentication.sso.enabled=true
kerberos.authentication.browser.ticketLogons=true
kerberos.authentication.sso.fallback.enabled=true
---

<alfresco-global.properties>
---

authentication.chain=kerberos1:kerberos,ldap1:ldap-ad,alfrescoNtlm1:alfrescoNtlm


#NTLM
ntlm.authentication.sso.enabled=false


#LDAP

#LDAP Sync
ldap.authentication.userNameFormat=%s@ourdomain.local

ldap.authentication.java.naming.provider.url=ldap://IPAddress for domain controller:389

ldap.synchronization.java.naming.security.principal=username@ourdomain.local
ldap.synchronization.java.naming.security.credentials=mypassword

#user

ldap.synchronization.userSearchBase=DC\=ourdomain,DC\=local
ldap.synchronization.personType=person

ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn

#group
ldap.synchronization.groupSearchBase=DC\=ourdomain,DC\=local
ldap.synchronization.groupType=organizationalUnit

# Sync
synchronization.synchronizeChangesOnly=false
synchronization.allowDeletions=true
synchronization.syncWhenMissingPeopleLogIn=true
synchronization.syncOnStartup=true

ldap.synchronization.enableProgressEstimation=true

ldap.synchronization.active=true
ldap.authentication.allowGuestLogin=true

synchronization.synchronizeChangesOnly=false

---
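
The two changes reported above (adding the realm to the keytab principal, removing the pinned enctype lines) can be checked mechanically before restarting the service. The following is an added example, not code from the thread or from Alfresco: the function names are hypothetical, the sample input is constructed from the configs posted here, and the findings are lint hints rather than a diagnosis.

```python
import re

# Constructed sample modelled on this thread's configs (state before the fix).
JAAS = '''
AlfrescoHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true useKeyTab=true keyTab="C:/etc/http7.keytab"
   principal="HTTP/alfrescoserver.ourdomain.local";
};
ShareHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true useKeyTab=true keyTab="C:/etc/http.keytab"
   principal="HTTP/alfrescoserver.ourdomain.local@OURDOMAIN.LOCAL";
};
'''
KRB5 = '''
[libdefaults]
default_realm = OURDOMAIN.LOCAL
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
'''

def parse_jaas(text):
    """Return {entry name: {option: value}} for each JAAS login entry."""
    entries = {}
    for name, body in re.findall(r'([\w.]+)\s*\{(.*?)\}\s*;', text, re.S):
        entries[name] = {k: v.strip('"') for k, v in
                         re.findall(r'(\w+)\s*=\s*("[^"]*"|[^\s;]+)', body)}
    return entries

def parse_libdefaults(text):
    """Return key/value pairs from the [libdefaults] section of krb5.ini."""
    m = re.search(r'\[libdefaults\](.*?)(?=\n\[|\Z)', text, re.S)
    return dict(re.findall(r'^\s*(\w+)\s*=\s*(.+?)\s*$', m.group(1), re.M)) if m else {}

def lint(jaas_text, krb5_text):
    """Return a list of (where, message) findings; empty if nothing is flagged."""
    findings, keytab_for = [], {}
    lib = parse_libdefaults(krb5_text)
    for key in ('default_tkt_enctypes', 'default_tgs_enctypes'):
        if key in lib:  # the reply in this thread suggested removing these lines
            findings.append(('krb5.ini', f'{key} pinned to {lib[key]}'))
    for name, opts in parse_jaas(jaas_text).items():
        if opts.get('useKeyTab') != 'true':
            continue  # only keytab-backed service entries are checked
        spn, _, realm = opts.get('principal', '').partition('@')
        if not realm:
            findings.append((name, 'principal has no @REALM suffix'))
        elif realm != lib.get('default_realm'):
            findings.append((name, f'realm {realm} differs from default_realm'))
        # The same SPN read from two keytab files can mean two key versions.
        first = keytab_for.setdefault(spn, opts.get('keyTab'))
        if first != opts.get('keyTab'):
            findings.append((name, f'{spn} also uses keytab {first}'))
    return findings
```

Calling `lint(JAAS, KRB5)` on the sample reports both pinned enctype lines, the principal without a realm, and the one SPN being loaded from two different keytab files, which is also visible in the java.login.config posted above.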

tkim
Member II

Re: SSO Kerberos

Adding information.

When I accessed Alfresco from IE and the basic authentication dialog appeared, these logs were output.

2016-11-29 14:50:52,728 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-5] Authentication not required (filter), chaining ...
2016-11-29 14:50:52,806 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-6] Authentication not required (filter), chaining ...
2016-11-29 14:50:52,822 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-7] New Kerberos auth request from 127.0.0.1 (127.0.0.1:58954)
2016-11-29 14:50:52,822 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] [http-apr-8080-exec-7] Issuing login challenge to browser.