4

I am trying to implement SSO for share using Kerberos AD and followed the directions listed in the official documentation at docs.alfresco.com. I keep getting the following exception

2013-06-20 18:07:37,772  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-1] Authentication not required (filter), chaining ...
2013-06-20 18:07:37,804  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-1] Authentication not required (filter), chaining ...
2013-06-20 18:07:37,819  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-1] New Kerberos auth request from X.X.X.X (X.X.X.X:ZZZZ) Checksum failed !

2013-06-05 12:02:30,998  WARN  [site.servlet.KerberosSessionSetupPrivilegedAction] [http-80-3] Caught GSS Error
GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
    ....

Caused by: KrbException: Checksum failed
    at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:85)
    at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:77)
    at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
    at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:268)
    at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
    at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
    ... 21 more
Caused by: java.security.GeneralSecurityException: Checksum failed
    at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCrypto.java:388)
    at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(ArcFourHmac.java:74)
    at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:83)
    ... 27 more

Here is are the settings the files, the setting and the respective locations. I have turned on the debugging which printed the messages above. Any suggestions to help fix the issue will be greatly appreciated. We are running 4.0.d community on a Windows 2008 machine.

alfresco-global.properties

### Kerberos SSO ###
kerberos.authentication.realm=LOCAL.COM
kerberos.authentication.sso.enabled=true
kerberos.authentication.authenticateCIFS=false
kerberos.authentication.user.configEntryName=AlfrescoHTTP
kerberos.authentication.http.configEntryName=AlfrescoHTTP
#kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.stripUsernameSuffix=true
kerberos.authentication.http.password=password
kerberos.authentication.cifs.password=password
kerberos.authentication.browser.ticketLogons=true
kerberos.authentication.defaultAdministratorUserNames=usera

share-config-custom.xml

<config evaluator="string-compare" condition="Kerberos" replace="true">
    <kerberos>
        <password>password</password>
        <realm>LOCAL.COM</realm>
        <endpoint-spn>HTTP/domain@LOCAL.COM</endpoint-spn>
        <config-entry>ShareHTTP</config-entry>
    </kerberos>
</config>

<config evaluator="string-compare" condition="Remote">
      <remote>
    <connector>
            <id>alfrescoCookie</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using cookie-based authentication</description>
            <class>org.springframework.extensions.webscripts.connector.AlfrescoConnector</class>
         </connector>

     <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfrescoCookie</connector-id>
            <endpoint-url>http://localhost:80/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
      </remote>
</config>

java.login.config at C:\Alfresco\java\jre\lib\security == as described in the documentation but changing the keyTab location to C:/etc/alfresco.keytab

Also modified java.security at C:\Alfresco\java\jre\lib\security to point to java.login.config

krb5.ini at (C:\Windows)

[libdefaults]
 default_realm = LOCAL.COM
 default_tkt_enctypes = rc4-hmac
 default_tgs_enctypes = rc4-hmac 

[realms]
 LOCAL.COM = {
  kdc = machine.local.com
  admin_server = machine.local.com
 }

[domain_realm]
 machine.local.com = LOCAL.COM
 .machine.local.com = LOCAL.COM

Any suggestions on how to debug will be greatly appreciated; thank you very much.

codewrangler
  • 65
  • 2
  • 9
  • Have you tried turning up the log4j level to debugging on the relevant classes, to see what they have to say? – Gagravarr Jun 20 '13 at 17:43
  • These are the messages I am getting after un-commenting the sections for Kerberos the logj4.properties file. If there are any additional sections that need to be un-commented; please let me know and I will do so. Thank you. – codewrangler Jun 20 '13 at 21:23
  • @Gagravarr I have also added some additional messages from the log file, just in case. Thank you again. – codewrangler Jun 20 '13 at 23:54
  • I never configured Kerberos auth on Windows but could you please share the output from your keytab? On linux this is e.g. ````klist -e -k /etc/alfresco_http.keytab```` – Heiko Robert Nov 05 '19 at 08:43

1 Answers1

0

If you provide

-Dsun.security.krb5.debug=true -Dsun.security.jgss.debug=true

at the start of Alfresco, you will get some debug output.

Aoaoaoappa
  • 35
  • 1
  • 6