ohej

Reputation: 243

Alfresco Share - Kerberos SSO issue

Every 10 hours our Kerberos tickets expire (we're hooked up with Win2k8r2 AD), which leaves the users unable to login. At least that's what the users say.

It makes sense that the ticket expires, but somehow Share does not seem to be able to retrieve a new one smoothly, which I believe it should be able to.

Our setup:

Everything works fine on the Alfresco side. Alfresco Explorer and CIFS are just fine, but as soon as Share has been running for 10 hours (default ticket lifetime in AD) we're unable to log in. First we'll be prompted with a browser login, then a Windows login and after that the Share login form. If I reload the page and enter my password a couple of times it will eventually let me in and we can run for another 10 hours. Another solution is to restart Share, and then the users aren't affected by this. This points towards it being an issue with Share rather than on the client, but I could be wrong.

Any pointers would be very welcome; I'm quite stuck on this issue.

We get this exception:

    13:55:18,443  DEBUG [site.servlet.SSOAuthenticationFilter] Kerberos logon error
    java.lang.IllegalStateException: This ticket is no longer valid
    at javax.security.auth.kerberos.KerberosTicket.toString(KerberosTicket.java:638)
    at java.lang.String.valueOf(String.java:2854)
    at java.lang.StringBuilder.append(StringBuilder.java:128)
    at sun.security.jgss.krb5.SubjectComber.findAux(SubjectComber.java:150)
    at sun.security.jgss.krb5.SubjectComber.find(SubjectComber.java:59)
    at sun.security.jgss.krb5.Krb5Util.getTicket(Krb5Util.java:155)
    at sun.security.jgss.krb5.Krb5Context$1.run(Krb5Context.java:606)
    at sun.security.jgss.krb5.Krb5Context$1.run(Krb5Context.java:599)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:598)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
    at org.alfresco.web.site.servlet.KerberosSessionSetupPrivilegedAction.run(KerberosSessionSetupPrivilegedAction.java:127)
    at org.alfresco.web.site.servlet.KerberosSessionSetupPrivilegedAction.run(KerberosSessionSetupPrivilegedAction.java:44)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:356)
    at org.alfresco.web.site.servlet.SSOAuthenticationFilter.doKerberosLogon(SSOAuthenticationFilter.java:1009)
    at org.alfresco.web.site.servlet.SSOAuthenticationFilter.doFilter(SSOAuthenticationFilter.java:441)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1326)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:479)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:119)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:520)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:227)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:940)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:409)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:186)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:874)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:250)
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:149)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:110)
    at org.eclipse.jetty.server.Server.handle(Server.java:349)
    at org.eclipse.jetty.server.HttpConnection.handleRequest(HttpConnection.java:441)
    at org.eclipse.jetty.server.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:904)
    at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:565)
    at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:217)
    at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:46)
    at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:545)
    at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:43)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:598)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:533)
    at java.lang.Thread.run(Thread.java:722)

A bit more info, java.login.config:

ShareHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/opt/share/kerberos/alfrescohttp.keytab"
   principal="HTTP/[email protected]";
};

share-config-custom.xml:

<config evaluator="string-compare" condition="Kerberos" replace="true">
  <kerberos>
     <password>password</password>
     <realm>DOMAIN.LOCAL</realm>
     <endpoint-spn>HTTP/[email protected]</endpoint-spn>
     <config-entry>ShareHTTP</config-entry>
  </kerberos>
</config>

I've followed the instructions here: http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#Kerberos and everything is set up exactly as the docs say.

Please let me know if I should provide additional info.

Upvotes: 2

Views: 2455
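The stack trace above fails while JGSS is enumerating the tickets cached in the JAAS Subject: SubjectComber builds a debug string from each KerberosTicket, and on JDK 7/8 toString() throws "This ticket is no longer valid" for a ticket that has been destroyed. The following is an added example, not code from the question or from Alfresco, showing how to inspect such a Subject without ever calling toString() on its tickets and how to drop expired or destroyed tickets so a fresh keytab login can be triggered. It runs offline: the ticket bytes, session key and the principal names under EXAMPLE.LOCAL are constructed placeholders (a real ticket's ASN.1 blob and key come from the KDC).

```java
import java.util.Date;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;

/*
 * Added example (not Alfresco code): inspect the Kerberos tickets cached in a
 * JAAS Subject without calling KerberosTicket.toString(), and drop the ones
 * that are expired or destroyed so the caller knows a fresh login is needed.
 */
public class CachedTicketCheck {

    // Constructed placeholders: a real ticket's ASN.1 blob and session key come from the KDC.
    private static final byte[] FAKE_TICKET_ASN1 = {0x61, 0x00};
    private static final byte[] FAKE_SESSION_KEY = new byte[16];
    private static final int AES128_CTS_HMAC_SHA1_96 = 17;            // etype number from RFC 3962
    private static final long TEN_HOURS_MS = 10L * 60 * 60 * 1000;     // AD's default ticket lifetime

    /** Builds a ticket for assumed principals (EXAMPLE.LOCAL) that expires at endMillis. */
    static KerberosTicket ticketEndingAt(long endMillis) {
        KerberosPrincipal client = new KerberosPrincipal("HTTP/share.example.local@EXAMPLE.LOCAL");
        KerberosPrincipal tgs = new KerberosPrincipal("krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL");
        Date issued = new Date(endMillis - TEN_HOURS_MS);
        return new KerberosTicket(FAKE_TICKET_ASN1, client, tgs, FAKE_SESSION_KEY,
                AES128_CTS_HMAC_SHA1_96, new boolean[32], issued, issued, new Date(endMillis),
                null /* not renewable */, null /* no client address restriction */);
    }

    /** True if the Subject still holds at least one ticket that is neither destroyed nor expired. */
    static boolean hasUsableTicket(Subject subject) {
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            // isDestroyed() goes first: on JDK 7/8 a destroyed ticket throws from toString()
            // (the IllegalStateException in the Share trace) and its end time has been nulled.
            if (!t.isDestroyed() && t.isCurrent()) {
                return true;
            }
        }
        return false;
    }

    /** Removes destroyed and expired tickets from the Subject; returns how many were dropped. */
    static int purgeDeadTickets(Subject subject) {
        int removed = 0;
        Set<Object> live = subject.getPrivateCredentials();               // the live set, not a copy
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) { // a copy, safe to iterate
            if (t.isDestroyed() || !t.isCurrent()) {
                live.remove(t);
                removed++;
            }
        }
        return removed;
    }

    public static void main(String[] args) throws Exception {
        long now = System.currentTimeMillis();
        Subject subject = new Subject();
        KerberosTicket expired = ticketEndingAt(now - 60 * 1000L);       // ended a minute ago
        KerberosTicket fresh = ticketEndingAt(now + 60 * 60 * 1000L);    // an hour left

        subject.getPrivateCredentials().add(expired);
        System.out.println("only an expired ticket -> usable: " + hasUsableTicket(subject));

        subject.getPrivateCredentials().add(fresh);
        System.out.println("expired + fresh        -> usable: " + hasUsableTicket(subject));

        // What a logout or credential cleanup does to a ticket the Subject still references:
        // the check must keep working without touching toString().
        expired.destroy();
        System.out.println("after destroy()        -> usable: " + hasUsableTicket(subject));

        System.out.println("purged: " + purgeDeadTickets(subject));
        System.out.println("tickets left: " + subject.getPrivateCredentials(KerberosTicket.class).size());
    }
}
```

The point of the two helpers is ordering: test isDestroyed() before anything that reads ticket fields, and purge dead tickets before handing the Subject to GSSContext.initSecContext(), which is where the trace shows JGSS's own debug logging tripping over a dead ticket. When hasUsableTicket() returns false, the caller should run a new LoginContext against the keytab rather than reusing the Subject.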

Answers (1)

Tahir Malik

Reputation: 6643

In your AD User manager (advanced), for the ShareHTTP account, on the Account tab check "Do not require Kerberos preauthentication".

And follow the online docs, which are more up to date and are being updated more often.

Upvotes: 3
