To enable full Kerberos support in Alfresco requires that the CIFS server and the SSO authentication filters each have a Kerberos service ticket.
The Kerberos subsystem supports the following properties.
- The Kerberos realm with which to authenticate. The realm should be the domain upper cased; an example is that if the domain is alfresco.org then the realm should be ALFRESCO.ORG.
- A Boolean that when true enables SPNEGO/Kerberos based Single Sign On (SSO) functionality in the web client. When false and no other members of the authentication chain support SSO, password-based login will be used.
- A Boolean that when true enables Kerberos authentication in the CIFS server. When false and no other members of the authentication chain support CIFS authentication, the CIFS server will be disabled.
- The name of the entry in the JAAS configuration file that should be used for password-based authentication. The default value Alfresco is recommended.
- The name of the entry in the JAAS configuration file that should be used for CIFS authentication. The default value AlfrescoCIFS is recommended.
- The name of the entry in the JAAS configuration file that should be used for web-based single-sign on (SSO). The default value AlfrescoHTTP is recommended.
- The password for the CIFS Kerberos principal.
- The password for the HTTP Kerberos principal.
- A comma separated list of user names who should be considered administrators by default.
- A Boolean which when true strips the @domain sufix from Kerberos authenticated usernames in CIFS, SPP, WebDAV and the Web Client when false, it enables a multi-domain customer to use the @domain sufix.
For Kerberos to work with user names that contain non-ASCII characters, add the following option to JAVA_OPTS for the Share JVM: