Credentials can not be delegated - Alfresco Share
- by leftcase
I've hit a brick wall configuring Alfresco 4.0.d on Redhat 6.
I'm using Kerberos authentication, it seems to be working normally, and single sign on is working on the main alfresco app itself. I've been through the configuration steps to get the share app working, but try as I may, I keep getting this error in catalina.out each time a browser accesses http://server:8080/share along with a 'Windows Security' password box.
WARN [site.servlet.KerberosSessionSetupPrivilegedAction] credentials can not be delegated!
Here's what I've done so far:
Using AD users and computers, selected the alfrescohttp account, and selected 'trust this user for delegation to any service (Kerberos only).
Copied /opt/alfresco-4.0.d/tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml.sample to share-config-custom.xml and edited like this:
<config evaluator="string-compare" condition="Kerberos" replace="true">
<kerberos>
<password>*****</password>
<realm>MYDOMAIN.CO.UK</realm>
<endpoint-spn>HTTP/[email protected]</endpoint-spn>
<config-entry>ShareHTTP</config-entry>
</kerberos>
</config>
<config evaluator="string-compare" condition="Remote">
<remote>
<keystore>
<path>alfresco/web-extension/alfresco-system.p12</path>
<type>pkcs12</type>
<password>alfresco-system</password>
</keystore>
<connector>
<id>alfrescoCookie</id>
<name>Alfresco Connector</name>
<description>Connects to an Alfresco instance using cookie-based authentication</description>
<class>org.springframework.extensions.webscripts.connector.AlfrescoConnector</class>
</connector>
<endpoint>
<id>alfresco</id>
<name>Alfresco - user access</name>
<description>Access to Alfresco Repository WebScripts that require user authentication</description>
<connector-id>alfrescoCookie</connector-id>
<endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
<identity>user</identity>
<external-auth>true</external-auth>
</endpoint>
</remote>
</config>
Setup the /etc/krb5.conf file like this:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MYDOMAIN.CO.UK
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
forwardable = true
proxiable = true
[realms]
MYDOMAIN.CO.UK = {
kdc = mydc.mydomain.co.uk
admin_server = mydc.mydomain.co.uk
}
[domain_realm]
.mydc.mydomain.co.uk = MYDOMAIN.CO.UK
mydc.mydomain.co.uk = MYDOMAIN.CO.UK
/opt/alfresco-4.0.d/java/jre/lib/security/java.login.config is configured like this:
Alfresco {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};
AlfrescoCIFS {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
keyTab="/etc/alfrescocifs.keytab"
principal="cifs/server.mydomain.co.uk";
};
AlfrescoHTTP {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
keyTab="/etc/alfrescohttp.keytab"
principal="HTTP/server.mydomain.co.uk";
};
com.sun.net.ssl.client {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};
other {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};
ShareHTTP {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
keyTab="/etc/alfrescohttp.keytab"
principal="HTTP/server.mydomain.co.uk";
};
And finally, the following settings in alfresco-global.conf
authentication.chain=kerberos1:kerberos,alfrescoNtlm1:alfrescoNtlm
kerberos.authentication.real=MYDOMAIN.CO.UK
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.cifs.password=******
kerberos.authentication.http.password=*****
kerberos.authentication.defaultAdministratorUserNames=administrator
ntlm.authentication.sso.enabled=true
As I say, I've hit a brick wall with this and I'd really appreciate any help you can give me! This question is also posted on the Alfresco forum, but I wondered if any folk here on serverfault have come across similar implementation challenges?