Configuring Kerberos against Active Directory

The following instructions describe how to set up accounts under Active Directory for use by Alfresco.
  1. Create a user account for the Alfresco CIFS server using the Active Directory Users and Computers application.
    1. Use the Action > New > User menu, then enter the full name as Alfresco CIFS and the user login name as alfrescocifs.
    2. Click Next.
    3. Enter a password.
    4. Enable Password never expires and disable User must change password at next logon.
    5. Click Finish.
    6. Right-click the new user account name, and then select Properties.
    7. Select the Account tab and enable the Do not require Kerberos preauthentication option in the Account Options section. With preauthentication disabled, the KDC will return an AS-REP encrypted with this account's key to any client that asks for one, so the password must be long and random enough to resist offline guessing.
  2. Create a user account for the Alfresco SSO authentication filters, following the instructions in step one, using the full name Alfresco HTTP and the user login name as alfrescohttp.
  3. Use the ktpass utility to generate key tables (keytab files) for the Alfresco CIFS and web server.
    The ktpass command must be run on the Active Directory server.
    ktpass -princ cifs/<cifs-server-name>.<domain>@<realm> -pass <password> -mapuser <domainnetbios>\alfrescocifs -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out c:\temp\alfrescocifs.keytab -kvno 0
    ktpass -princ HTTP/<web-server-name>.<domain>@<realm> -pass <password> -mapuser <domainnetbios>\alfrescohttp -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out c:\temp\alfrescohttp.keytab -kvno 0
    1. Specify the realm as the domain in upper case. For example, if the domain is alfresco.org then the realm is ALFRESCO.ORG.
    2. Specify <web-server-name> as the host name of the machine that is running the Alfresco server.
    3. Specify <cifs-server-name> as the NetBIOS name of the Alfresco CIFS server when the server is joined to the domain, or as its host name when it is not joined to the domain.
    4. Specify <domain> as the DNS domain. For example alfresco.org.
    5. Specify <domainnetbios> as the NetBIOS name of the domain. For example alfresco.
    By default ktpass sets the mapped account's password to <password>, and the keytab it writes contains the key derived from that password. Anyone who can read the keytab can impersonate the service, so handle it like a password. RC4-HMAC-NT keys are derived directly from the account's NT hash; prefer an AES enctype (for example -crypto AES256-SHA1) where the domain functional level and the JRE support it, and keep the enctypes in krb5.ini (step 6) consistent with what ktpass wrote.
    Some versions of the ktpass command can generate invalid keytab files. Download the latest version of the support tools from the Microsoft site to avoid any problems.
  4. Create the Service Principal Names (SPN) for the Alfresco CIFS and web server using the setspn utility. The setspn utility is a free download from the Microsoft site, and is also part of the Windows 2003 Support Tools download.
    setspn -a cifs/<cifs-server-name> alfrescocifs
    setspn -a cifs/<cifs-server-name>.<domain> alfrescocifs
    setspn -a HTTP/<web-server-name> alfrescohttp
    setspn -a HTTP/<web-server-name>.<domain> alfrescohttp
    Some versions of the ktpass command already register the fully qualified SPN for the principal, in which case you only need to add the NetBIOS/short name versions. Check which SPNs are registered on an account before and after running setspn -a with the setspn -l <account-name> command, for example:
    setspn -l alfrescocifs
    setspn -l alfrescohttp
    Each SPN must be registered on exactly one account; a duplicate SPN in the domain causes Kerberos authentication to the service to fail.
  5. Copy the key table files created in step 3 to the server where Alfresco will run. Copy the files to a protected area such as C:\etc\ or /etc, and restrict read access to the account that the Alfresco server runs as, since the keytabs contain the service accounts' long-term keys.
  6. Set up the Kerberos ini file.
    On Windows the default location used by the JRE is %WINDIR%\krb5.ini, where %WINDIR% is the location of your Windows directory, for example C:\Windows\krb5.ini. On Linux and Solaris the JRE reads /etc/krb5.conf with the same contents.
    [libdefaults]
     default_realm = ALFRESCO.ORG
     default_tkt_enctypes = rc4-hmac
     default_tgs_enctypes = rc4-hmac 
    
    [realms]
     ALFRESCO.ORG = {
      kdc = adsrv.alfresco.org
      admin_server = adsrv.alfresco.org
     }
    
    [domain_realm]
     alfresco.org = ALFRESCO.ORG
     .alfresco.org = ALFRESCO.ORG
    The realm should be specified in uppercase. The domain_realm section maps the DNS domain (and, with the leading dot, every host in it) to the realm; the enctypes listed under libdefaults must match the -crypto value given to ktpass in step 3, otherwise the JRE cannot use the keys in the keytab.
  7. Set up the Java login configuration file.
    For JBoss 5, open the $JBOSS_HOME/server/default/conf/login-config.xml file. Add the following entries inside the <policy> tag:
     <application-policy name="Alfresco">
       <authentication>
         <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="sufficient"/>
       </authentication>
     </application-policy> 
    
     <application-policy name="AlfrescoCIFS">
       <authentication>
         <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
           <module-option name="debug">true</module-option>
           <module-option name="storeKey">true</module-option>
           <module-option name="useKeyTab">true</module-option>
           <module-option name="isInitiator">false</module-option>
           <module-option name="keyTab">C:/etc/alfrescocifs.keytab</module-option>
           <module-option name="principal">cifs/<cifs-server-name>.<domain></module-option>
         </login-module>
       </authentication>
     </application-policy> 
    
     <application-policy name="AlfrescoHTTP">
       <authentication>
         <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
           <module-option name="debug">true</module-option>
           <module-option name="storeKey">true</module-option>
           <module-option name="isInitiator">false</module-option>
           <module-option name="useKeyTab">true</module-option>
           <module-option name="keyTab">C:/etc/alfrescohttp.keytab</module-option>
           <module-option name="principal">HTTP/<web-server-name>.<domain></module-option>
         </login-module>
       </authentication>
     </application-policy>
    For other environments, in the JRE\lib\security folder (for example, /usr/local/jdk1.6.0_03/jre/lib/security), create a file named java.login.config with the following entries:
    Alfresco {
       com.sun.security.auth.module.Krb5LoginModule sufficient;
    };
    
    AlfrescoCIFS {
       com.sun.security.auth.module.Krb5LoginModule required
       storeKey=true
       useKeyTab=true
       keyTab="C:/etc/alfrescocifs.keytab"
       principal="cifs/<cifs-server-name>.<domain>";
    };
    
    AlfrescoHTTP {
       com.sun.security.auth.module.Krb5LoginModule required
       storeKey=true
       useKeyTab=true
       keyTab="C:/etc/alfrescohttp.keytab"
       principal="HTTP/<web-server-name>.<domain>";
    };
    
    com.sun.net.ssl.client {
       com.sun.security.auth.module.Krb5LoginModule sufficient;
    };
    
    other {
       com.sun.security.auth.module.Krb5LoginModule sufficient;
    };
  8. Enable the login configuration file by adding the following line to the main Java security configuration file, usually at JRE\lib\security\java.security.
    login.config.url.1=file:${java.home}/lib/security/java.login.config
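Before restarting Alfresco it is worth checking what ktpass actually wrote into the keytab files copied in step 5: the note in step 3 warns that some ktpass versions emit invalid files, and a keytab whose principal or enctype does not match the principal option in step 7 or the enctypes in step 6 only fails at runtime. The following Python script is an added example, not Alfresco or Microsoft code. It parses the MIT version-2 keytab format (magic bytes 0x05 0x02) that ktpass writes, lists the principal, kvno and enctype of every entry, and flags entries with a weak enctype or a missing expected principal. The host name alfresco.alfresco.org, the file path and the sample keytab it builds when run without arguments are constructed for the example.

```python
"""Inspect a keytab produced by ktpass before handing it to Alfresco.

Added example for this page, not Alfresco or Microsoft code. Parses the
MIT version-2 keytab format (magic 0x0502) and flags weak enctypes and
missing principals. Host names and paths used below are assumptions.
"""
import struct
import sys

# RFC 3961 / RFC 4757 enctype numbers; anything else is reported numerically.
ENCTYPES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
WEAK_ENCTYPES = {1, 3, 23}   # DES, and RC4 whose key is the NT hash


def _counted_string(buf, off):
    """Read a uint16 length-prefixed byte string at offset off."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data):
    """Return one dict per entry: principal, name type, kvno, enctype, key length."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab, header is %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted_string(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted_string(data, off)
            comps.append(comp.decode())
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, keylen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + keylen]
        off += keylen
        vno = vno8
        if end - off >= 4:                # optional 32-bit kvno extension
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                vno = vno32
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type,
            "kvno": vno,
            "enctype_id": enctype,
            "enctype": ENCTYPES.get(enctype, str(enctype)),
            "key_len": len(key),
        })
        off = end
    return entries


def check_keytab(data, expected_principal):
    """Return a list of problems; an empty list means the keytab looks usable."""
    problems = []
    entries = parse_keytab(data)
    if not any(e["principal"] == expected_principal for e in entries):
        found = ", ".join(e["principal"] for e in entries) or "none"
        problems.append("missing principal %s (found: %s)" % (expected_principal, found))
    for e in entries:
        if e["enctype_id"] in WEAK_ENCTYPES:
            problems.append("weak enctype %s for %s" % (e["enctype"], e["principal"]))
        if e["key_len"] == 0:
            problems.append("empty key for %s" % e["principal"])
    return problems


def build_keytab(entries):
    """Write a version-2 keytab from (principal, realm, kvno, enctype, key) tuples.
    Only used to construct sample input here; a real keytab comes from ktpass."""
    out = bytearray(b"\x05\x02")
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                    # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


if __name__ == "__main__":
    if len(sys.argv) > 2:                 # usage: keytab_check.py <keytab> <principal>
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
        expected = sys.argv[2]
    else:                                 # constructed sample shaped like the page's ktpass output
        blob = build_keytab([("HTTP/alfresco.alfresco.org", "ALFRESCO.ORG", 0, 23, b"\x00" * 16)])
        expected = "HTTP/alfresco.alfresco.org@ALFRESCO.ORG"
    for e in parse_keytab(blob):
        print("%-45s kvno=%d enctype=%s keylen=%d" % (e["principal"], e["kvno"], e["enctype"], e["key_len"]))
    for p in check_keytab(blob, expected):
        print("WARNING:", p)
```

Run it as python keytab_check.py C:\etc\alfrescohttp.keytab HTTP/<web-server-name>.<domain>@<realm> on the Alfresco server; the principal printed must match the principal option in the AlfrescoHTTP (or AlfrescoCIFS) login module exactly, including the realm, and the enctype must appear in the default_tkt_enctypes and default_tgs_enctypes lines of krb5.ini. A keytab written with the RC4-HMAC-NT option from step 3 is reported as a weak enctype, which is expected with that setting.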