You are here

Configuring Share Kerberos SSO

This section describes how to configure the Share server and Active Directory server to work with Kerberos Single Sign On (SSO).

  1. Configure the Alfresco server.
  2. Configure Share.
    1. Open the Share <web-extension> directory.
    2. Copy or rename the share-config-custom.xml.sample file to be called share-config-custom.xml.
    3. Replace the password, realm, and endpoint-spn option with the correct values with the correct values for the AlfrescoHTTP user (used to create the keytab files). The realm value should be capitalized.
    4. Uncomment both the <config evaluator="string-compare" condition="Remote"> sections.

         <!-- example port config used to access remote Alfresco server (default is 8080) -->
         
         <config evaluator="string-compare" condition="Remote">
            <remote>
               <endpoint>
                  <id>alfresco-noauth</id>
                  <name>Alfresco - unauthenticated access</name>
                  <description>Access to Alfresco Repository WebScripts that do not require authentication</description>
                  <connector-id>alfresco</connector-id>
                  <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
                  <identity>none</identity>
               </endpoint>
      
               <endpoint>
                  <id>alfresco</id>
                  <name>Alfresco - user access</name>
                  <description>Access to Alfresco Repository WebScripts that require user authentication</description>
                  <connector-id>alfresco</connector-id>
                  <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
                  <identity>user</identity>
               </endpoint>
      
               <endpoint>
                  <id>alfresco-feed</id>
                  <name>Alfresco Feed</name>
                  <description>Alfresco Feed - supports basic HTTP authentication via the EndPointProxyServlet</description>
                  <connector-id>http</connector-id>
                  <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
                  <basic-auth>true</basic-auth>
                  <identity>user</identity>
               </endpoint>
               
               <endpoint>
                  <id>activiti-admin</id>
                  <name>Activiti Admin UI - user access</name>
                  <description>Access to Activiti Admin UI, that requires user authentication</description>
                  <connector-id>activiti-admin-connector</connector-id>
                  <endpoint-url>http://localhost:8080/alfresco/activiti-admin</endpoint-url>
                  <identity>user</identity>
               </endpoint>
            </remote>
         </config>
       
      
         <!-- 
              Overriding endpoints to reference an Alfresco server with external SSO enabled
              NOTE: If utilising a load balancer between web-tier and repository cluster, the "sticky
                    sessions" feature of your load balancer must be used.
              NOTE: If alfresco server location is not localhost:8080 then also combine changes from the
                    "example port config" section below.
              *Optional* keystore contains SSL client certificate + trusted CAs.
              Used to authenticate share to an external SSO system such as CAS
              Remove the keystore section if not required i.e. for NTLM.
              
              NOTE: For Kerberos SSO rename the "KerberosDisabled" condition above to "Kerberos"
              
              NOTE: For external SSO, switch the endpoint connector to "AlfrescoHeader" and set
                    the userHeader to the name of the HTTP header that the external SSO
                    uses to provide the authenticated user name.
         -->
         
         <config evaluator="string-compare" condition="Remote">
            <remote>
               <keystore>
                   <path>alfresco/web-extension/alfresco-system.p12</path>
                   <type>pkcs12</type>
                   <password>alfresco-system</password>
               </keystore>
               
               <connector>
                  <id>alfrescoCookie</id>
                  <name>Alfresco Connector</name>
                  <description>Connects to an Alfresco instance using cookie-based authentication</description>
                  <class>org.springframework.extensions.webscripts.connector.AlfrescoConnector</class>
               </connector>
               
               <connector>
                  <id>alfrescoHeader</id>
                  <name>Alfresco Connector</name>
                  <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
                  <class>org.springframework.extensions.webscripts.connector.AlfrescoConnector</class>
                  <userHeader>SsoUserHeader</userHeader>
               </connector>
      
               <endpoint>
                  <id>alfresco</id>
                  <name>Alfresco - user access</name>
                  <description>Access to Alfresco Repository WebScripts that require user authentication</description>
                  <connector-id>alfrescoCookie</connector-id>
                  <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
                  <identity>user</identity>
                  <external-auth>true</external-auth>
               </endpoint>
            </remote>
         </config>
         
                                  
    5. Locate the <!-- Kerberos settings --> section and replace condition=KerberosDisabled with condition=Kerberos.

      <!-- Kerberos settings -->
         <!-- To enaable kerberos rename this condition to "Kerberos" -->
         <config evaluator="string-compare" condition="Kerberos" replace="true">
            <kerberos>
    6. In the (Sun Java) jre/lib/security/java.login.config file, add a new section:

      ShareHTTP {
         com.sun.security.auth.module.Krb5LoginModule required
         storeKey=true
         useKeyTab=true
         keyTab="/etc/keys/alfrescohttp.keytab"
         principal="HTTP/madona.example.foo";
      };
    7. Restart the Alfresco server.
  3. Configure Active Directory.
    1. Modify the alfrescohttp user created during the Alfresco Kerberos setup.
    2. In the user Delegation tab, tick the Trust this user for delegation to any service (Kerberos only) check box.

      If you do not see the delegation tab, follow the Allow a user to be trusted for delegation for specific services instruction on the Microsoft http://technet.microsoft.com website.

    3. If you cannot see the Delegation tab, do one or both of the following:

      • Register a Service Principal Name (SPN) for the user account with the Setspn utility in the support tools on your CD. Delegation is only intended to be used by service accounts, which should have registered SPNs, as opposed to a regular user account which typically does not have SPNs.
      • Raise the functional level of your domain to Windows Server 2003.

      To raise the domain functional level:

      1. Open Active Directory Domains and Trusts.
      2. In the console tree, right-click the domain for which you want to raise functionality, and then click Raise Domain Functional Level.
      3. In Select an available domain functional level, do one of the following:
        • To raise the domain functional level to Windows 2000 native, click Windows 2000 native, and then click Raise.
        • To raise domain functional level to Windows Server 2003, click Windows Server 2003, and then click Raise.
  4. Configure the client.
    1. For Windows client configuration, Internet Explorer configured as described in Kerberos client configuration should work without modifications.
    2. To ensure that Firefox works with Windows on the share URL with Kerberos SSO, modify the following variables in the about:config special URL:

      network.negotiate-auth.delegation-uris
      network.negotiate-auth.trusted-uris
      network.negotiate-auth.using-native-gsslib

      For example: