We have configured Kerberos SSO in Alfresco Community 7.3 (Docker installation) and everything is working properly. The user logs into Windows and gets access to Alfresco Share without needing to enter credentials.

But SSO stops working for Alfresco Share after 10 hours (the default ticket lifetime in AD) of running Alfresco Share. Renewing of Kerberos tickets is not working for Alfresco Share. The log shows this warning:

```
WARN [site.servlet.KerberosSessionSetupPrivilegedAction] [http-nio-8080-exec-2] credentials can not be delegated!
```

The Alfresco API (e.g. `/alfresco/api/-default-/public/alfresco/versions/1/people/-me-`) works correctly with SSO after 10 hours too, and the Kerberos ticket is renewed properly, but SSO to Alfresco Share still does not work. After restarting Alfresco Share, SSO works for a new 10-hour interval.
LOG from Alfresco Share
(real domain replaced with DOMAIN.LOCAL, real user replaced with username, real principal replaced with [email protected])

```
Found KeyTab /etc/alfresco.keytab for HTTP/[email protected]
Found ticket for HTTP/[email protected] to go to krbtgt/[email protected] expiring on Mon Dec 02 20:53:26 CET 2024
Removed and destroyed the expired Ticket
Destroyed KerberosTicket
Found ticket for [email protected] to go to HTTP/[email protected] expiring on Mon Dec 02 20:53:26 CET 2024
Removed and destroyed the expired Ticket
Destroyed KerberosTicket
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Looking for keys for: HTTP/[email protected]
Added key: 18, version: 14
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
default etypes for permitted_enctypes: 18.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
MemoryCache: add 1733214106/000040/337274E60DE6EBB25D556DFE9379D79E49896CA751E2E9E323D7E6E85615F44E/[email protected] to [email protected]|HTTP/[email protected]
>>> KrbApReq: authenticate succeed.
Krb5Context setting peerSeqNumber to: 1696515610
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Krb5Context setting mySeqNumber to: 805644649
>>> Constrained deleg from GSSCaller{UNKNOWN}
2024-12-03T09:22:04,007 [] WARN [site.servlet.KerberosSessionSetupPrivilegedAction] [http-nio-8080-exec-2] credentials can not be delegated!
```
Our setup:

alfresco-global.properties
(real domain replaced with DOMAIN.LOCAL, real password replaced with secret)

```properties
# Configuration of authentication chain
authentication.chain=kerberos1:kerberos,alfinst:alfrescoNtlm,ldap1:ldap-ad
# Kerberos configuration
kerberos.authentication.realm=DOMAIN.LOCAL
kerberos.authentication.sso.enabled=true
# must match the JAAS entry name used in jaas.config ("Alfresco")
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.defaultAdministratorUserNames=Administrator,admin
kerberos.authentication.cifs.enabled=false
kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.http.password=secret
kerberos.authentication.http.allowGuest=false
kerberos.authentication.http.allowed.useragents=.*
```
krb5.conf
(real domain replaced with DOMAIN.LOCAL, real AD server address replaced with ad.server.address)

```ini
[libdefaults]
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_realm = DOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true

[realms]
DOMAIN.LOCAL = {
    kdc = ad.server.address
    admin_server = ad.server.address
}

[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL
```
jaas.config - ACS
(real principal replaced with [email protected])

```
Alfresco {
    com.sun.security.auth.module.Krb5LoginModule sufficient;
};

AlfrescoHTTP
{
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    useKeyTab=true
    doNotPrompt=true
    keyTab="/etc/alfresco.keytab"
    principal="HTTP/[email protected]";
};

com.sun.net.ssl.client {
    com.sun.security.auth.module.Krb5LoginModule sufficient;
};

other {
    com.sun.security.auth.module.Krb5LoginModule sufficient;
};
```
jaas.config - Share
(real principal replaced with [email protected])

```
Alfresco {
    com.sun.security.auth.module.Krb5LoginModule sufficient;
};

ShareHTTP
{
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    useKeyTab=true
    doNotPrompt=true
    keyTab="/etc/alfresco.keytab"
    principal="HTTP/[email protected]";
};

com.sun.net.ssl.client {
    com.sun.security.auth.module.Krb5LoginModule sufficient;
};

other {
    com.sun.security.auth.module.Krb5LoginModule sufficient;
};
```
share-config-custom.xml
(real domain replaced with DOMAIN.LOCAL, real password replaced with secret, real principal replaced with [email protected])

```xml
<!-- Kerberos settings -->
<!-- To enable kerberos rename this condition to "Kerberos" -->
<config evaluator="string-compare" condition="Kerberos" replace="true">
    <kerberos>
        <password>secret</password>
        <realm>DOMAIN.LOCAL</realm>
        <endpoint-spn>HTTP/[email protected]</endpoint-spn>
        <config-entry>ShareHTTP</config-entry>
        <stripUserNameSuffix>true</stripUserNameSuffix>
    </kerberos>
</config>
```
We have tried many changes in AD/DC and in the domain group policy, and many solutions found on Stack Overflow and the Alfresco forum, but all without success.

Any ideas or help is really appreciated!

Thanks in advance
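The Share log above shows the service's own TGT (`HTTP/...` to `krbtgt/...`) being removed as expired immediately before the "credentials can not be delegated!" warning, and constrained delegation needs a valid service TGT in the JAAS Subject. The following diagnostic is an added example written for this question, not Alfresco's code: it logs in through a JAAS entry such as `ShareHTTP` from the jaas.config above, reports the lifetime and flags of the TGT the `Krb5LoginModule` stored in the Subject, and shows a re-login when that TGT is gone, expired, or close to its end time. The class name, the `-D` paths and the entry name passed on the command line are assumptions.

```java
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Added diagnostic example (not Alfresco code). Run it on the Share host with
 *   -Djava.security.auth.login.config=/path/to/jaas.config   (assumed path)
 *   -Djava.security.krb5.conf=/path/to/krb5.conf              (assumed path)
 * and the JAAS entry name as the first argument (defaults to "ShareHTTP").
 */
public class KerberosTicketLifetimeCheck {

    private final String configEntry;
    private LoginContext loginContext;

    public KerberosTicketLifetimeCheck(String configEntry) {
        this.configEntry = configEntry;
    }

    /** Performs the keytab login exactly as the JAAS entry describes it. */
    public Subject login() throws LoginException {
        loginContext = new LoginContext(configEntry);
        loginContext.login();
        return loginContext.getSubject();
    }

    /** Returns the TGT (server principal krbtgt/REALM@REALM) held in the Subject, or null. */
    public static KerberosTicket findTgt(Subject subject) {
        Set<KerberosTicket> tickets = subject.getPrivateCredentials(KerberosTicket.class);
        for (KerberosTicket ticket : tickets) {
            if (ticket.getServer().getName().startsWith("krbtgt/")) {
                return ticket;
            }
        }
        return null;
    }

    /**
     * Re-runs the JAAS login when the cached TGT is missing, no longer current,
     * or within marginMillis of its end time. Must be called after login().
     * Returns true if a fresh login was performed.
     */
    public boolean reloginIfNeeded(long marginMillis) throws LoginException {
        KerberosTicket tgt = findTgt(loginContext.getSubject());
        long now = System.currentTimeMillis();
        boolean stale = tgt == null
                || !tgt.isCurrent()
                || tgt.getEndTime().getTime() - now < marginMillis;
        if (!stale) {
            return false;
        }
        // Destroy the old credentials, then log in again from the keytab.
        loginContext.logout();
        loginContext = new LoginContext(configEntry);
        loginContext.login();
        return true;
    }

    public static void main(String[] args) throws LoginException {
        String entry = args.length > 0 ? args[0] : "ShareHTTP";
        KerberosTicketLifetimeCheck check = new KerberosTicketLifetimeCheck(entry);
        Subject subject = check.login();
        KerberosTicket tgt = findTgt(subject);
        if (tgt == null) {
            System.out.println("No TGT in Subject; principals: " + subject.getPrincipals());
            return;
        }
        // These are the values to compare against the "expiring on ..." line in the Share log.
        System.out.println("Client:      " + tgt.getClient().getName());
        System.out.println("Server:      " + tgt.getServer().getName());
        System.out.println("Start time:  " + tgt.getStartTime());
        System.out.println("End time:    " + tgt.getEndTime());
        System.out.println("Renewable:   " + tgt.isRenewable());
        System.out.println("Renew till:  " + tgt.getRenewTill());
        System.out.println("Forwardable: " + tgt.isForwardable());
        System.out.println("Current:     " + tgt.isCurrent());
    }
}
```

The "End time" printed here corresponds to the "expiring on" timestamp in the Share log; a service that holds one Subject for its whole lifetime and never re-runs the login will keep that TGT until it is destroyed as expired, which is the point at which delegation on the user's behalf can no longer be obtained. `reloginIfNeeded` shows the shape of a periodic refresh for comparison; whether Share itself re-logs its HTTP Subject is what the log lines above leave in question.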