I am trying to implement SSO for sharing using Kerberos AD and am following the directions given in the official documentation at docs.alfresco.com. I keep getting the following exception:
2013-06-20 18:07:37,772 DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-1] Authentication not required (filter), chaining ...
2013-06-20 18:07:37,804 DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-1] Authentication not required (filter), chaining ...
2013-06-20 18:07:37,819 DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-1] New Kerberos auth request from XXXX (XXXX:ZZZZ)
Checksum failed !
2013-06-05 12:02:30,998 WARN [site.servlet.KerberosSessionSetupPrivilegedAction] [http-80-3] Caught GSS Error
GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
    ....
Caused by: KrbException: Checksum failed
    at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:85)
    at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:77)
    at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
    at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:268)
    at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
    at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
    ... 21 more
Caused by: java.security.GeneralSecurityException: Checksum failed
    at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCrypto.java:388)
    at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(ArcFourHmac.java:74)
    at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:83)
    ... 27 more
Here are the files, their settings, and their locations. I turned on debugging, which printed the messages above. Any suggestions for fixing the problem will be greatly appreciated. We run the 4.0.d community on a computer running Windows 2008.
alfresco-global.properties
kerberos.authentication.realm=LOCAL.COM
kerberos.authentication.sso.enabled=true
kerberos.authentication.authenticateCIFS=false
kerberos.authentication.user.configEntryName=AlfrescoHTTP
kerberos.authentication.http.configEntryName=AlfrescoHTTP
share-config-custom.xml
<config evaluator="string-compare" condition="Kerberos" replace="true">
    <kerberos>
        <password>password</password>
        <realm>LOCAL.COM</realm>
        <endpoint-spn>HTTP/ domain@LOCAL.COM </endpoint-spn>
        <config-entry>ShareHTTP</config-entry>
    </kerberos>
</config>
<config evaluator="string-compare" condition="Remote">
    <remote>
        <connector>
            <id>alfrescoCookie</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using cookie-based authentication</description>
            <class>org.springframework.extensions.webscripts.connector.AlfrescoConnector</class>
        </connector>
        <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfrescoCookie</connector-id>
            <endpoint-url>http://localhost:80/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
        </endpoint>
    </remote>
</config>
java.login.config in C:\Alfresco\java\jre\lib\security: as described in the documentation, but with the location of keyTab changed to C:/etc/alfresco.keytab
I also changed java.security in C:\Alfresco\java\jre\lib\security to point to java.login.config
krb5.ini (in C:\Windows)
[libdefaults]
default_realm = LOCAL.COM
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac

[realms]
LOCAL.COM = {
    kdc = machine.local.com
    admin_server = machine.local.com
}

[domain_realm]
machine.local.com = LOCAL.COM
.machine.local.com = LOCAL.COM
Any debugging suggestions are welcome; thank you very much.