Configuring the CIFS and web servers for Kerberos/AD integration

From AlfrescoWiki


Enabling Kerberos support against Active Directory in the Alfresco CIFS and web servers requires that the servers have a Kerberos service ticket.

The following instructions detail how to set up accounts under Active Directory for use by the Alfresco CIFS and web servers, allowing single sign-on for CIFS and web clients :-

1. Create a user account for the Alfresco CIFS server using the Active Directory Users and Computers application. Use the Action->New->User menu, then enter the full name as 'Alfresco CIFS' and the user logon name as 'alfrescocifs'. Click Next, enter a password, enable 'Password never expires' and disable 'User must change password at next logon'. Click Finish. Right click the new user account name, select Properties, go to the Account tab and enable the 'Use DES encryption types for this account' and 'Do not require Kerberos preauthentication' options in the Account Options section.

2. Create a user account for the Alfresco web server as in step 1 using the full name 'Alfresco HTTP' and user logon name as 'alfrescohttp'.

3. Use the ktpass utility to generate key tables for the CIFS and web servers. The ktpass utility is a free download from the Microsoft site, and is also part of the Win2003 Resource Kit. The ktpass command can only be run from the Active Directory server.

ktpass -princ cifs/<cifs-server-name>.<domain>@<realm> -pass <password> -mapuser <domain>\alfrescocifs -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -out c:\temp\alfrescocifs.keytab
ktpass -princ HTTP/<web-server-name>.<domain>@<realm> -pass <password> -mapuser <domain>\alfrescohttp -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -out c:\temp\alfrescohttp.keytab

The principal should be specified using the server name and domain in lowercase with the realm in uppercase. The service type must be cifs for the CIFS server and HTTP for the web server, e.g. cifs/server.alfresco.org@ALFRESCO.ORG.

Note: Some versions of the ktpass command can generate invalid keytab files; download the latest version of the resource kit tools from the Microsoft site to avoid any problems.

4. Create the Service Principal Names (SPN) for the Alfresco CIFS and web server using the setspn utility. The setspn utility is a free download from the Microsoft site, and is also part of the Win2003 Resource Kit.

setspn -a cifs/<cifs-server-name> alfrescocifs
setspn -a cifs/<cifs-server-name>.<domain> alfrescocifs
setspn -a http/<web-server-name> alfrescohttp
setspn -a http/<web-server-name>.<domain> alfrescohttp

<cifs-server-name> is the NetBIOS name of the Alfresco CIFS server when running on an Active Directory client, or the host name for a machine that is not an Active Directory client, i.e. not logged onto the domain.

<web-server-name> is the host name that is running the Alfresco server.

Some versions of the ktpass command will add the SPN for the principal, so you may only need to add the NetBIOS/short name versions of the SPNs. Use the setspn -l <account-name> command to check whether the ktpass command set the SPN.

You can list the SPNs for a server using :-

setspn -l <account-name>

5. Copy the key table files created in step 3 to the server where Alfresco will run. Copy the files to a protected area such as C:\etc\ or /etc.

6. Set up the Kerberos ini file; the default location is C:\WINNT\krb5.ini or /etc/krb5.conf.

[libdefaults]
 default_realm = ALFRESCO.ORG

[realms]
 ALFRESCO.ORG = {
  kdc = adsrv.alfresco.org
  admin_server = adsrv.alfresco.org
 }

[domain_realm]
 adsrv.alfresco.org = ALFRESCO.ORG
 .adsrv.alfresco.org = ALFRESCO.ORG

Note: The realm should be specified in uppercase.

7. Set up the Java login configuration file. This would usually be in the JRE\lib\security folder. Create a file named java.login.config with the following entries :-

AlfrescoCIFS {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="C:/etc/alfrescocifs.keytab"
   principal="cifs/<cifs-server-name>.<domain>";
};

AlfrescoHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="C:/etc/alfrescohttp.keytab"
   principal="HTTP/<web-server-name>.<domain>";
};

8. Enable the login config file in the main Java security configuration file, usually at JRE\lib\security\java.security. Add the following line :-

login.config.url.1=file:${java.home}/lib/security/java.login.config

9. Configure the Alfresco CIFS server to use the Kerberos authenticator in the file-servers.xml file :-

<config evaluator="string-compare" condition="Filesystem Security">
  <authenticator type="enterprise">
    <KDC>adsrv.alfresco.org</KDC>
    <Realm>ALFRESCO.ORG</Realm>
    <Password>...</Password>
    <Principal>...</Principal>
  </authenticator>
</config>

<KDC> specifies the IP address or DNS name of the Active Directory server. <Realm> is the Kerberos realm. <Password> is the account password used when creating the alfrescocifs account in step 1. <Principal> is the value used for the ktpass -princ parameter. The optional <LoginEntry> specifies the login configuration file entry name; it defaults to AlfrescoCIFS.

10. Configure the Alfresco web server to use the Kerberos authentication web filter, in the web.xml file :-

  <filter>
     <filter-name>Authentication Filter</filter-name>
     <filter-class>org.alfresco.web.app.servlet.KerberosAuthenticationFilter</filter-class>
     <init-param>
       <param-name>KDC</param-name>
       <param-value>adsrv.alfresco.org</param-value>
     </init-param>
     <init-param>
       <param-name>Realm</param-name>
       <param-value>ALFRESCO.ORG</param-value>
     </init-param>
     <init-param>
       <param-name>Password</param-name>
       <param-value>...</param-value>
     </init-param>
     <init-param>
       <param-name>Principal</param-name>
       <param-value>...</param-value>
     </init-param>
  </filter>

11. Configure the Alfresco WebDAV server to use the Kerberos authentication web filter, in the web.xml file :-

  <filter>
     <filter-name>WebDAV Authentication Filter</filter-name>
     <filter-class>org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter</filter-class>
     <init-param>
       <param-name>KDC</param-name>
       <param-value>adsrv.alfresco.org</param-value>
     </init-param>
     <init-param>
       <param-name>Realm</param-name>
       <param-value>ALFRESCO.ORG</param-value>
     </init-param>
     <init-param>
       <param-name>Password</param-name>
       <param-value>...</param-value>
     </init-param>
     <init-param>
       <param-name>Principal</param-name>
       <param-value>...</param-value>
     </init-param>
  </filter>
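Before the keytabs created in step 3 and copied in step 5 are put into service, it is worth checking that ktpass actually wrote what was intended (the note in step 3 warns that some versions produce invalid files). The following Python is an added example, not Alfresco's or Microsoft's code: it parses the MIT keytab layout that ktpass writes (0x0502 header, int32-sized records, counted strings, uint32 name type and timestamp, 8-bit kvno, enctype and key, optional 32-bit kvno) and checks each entry against the naming rules above (service type cifs or HTTP with matching case, lowercase host, uppercase realm) and against the key size the enctype requires. The sample keytab is constructed inline with dummy key bytes; the principal names and realm are taken from the page's own example. It also flags single-DES enctypes, which are disabled by default on Windows 7 / Server 2008 R2 and later domain members, so a keytab built as in step 3 only works where DES has been explicitly re-enabled.

```python
# Parse an MIT-format Kerberos keytab (the layout ktpass writes) and check entries
# against the naming rules in the steps above. Added example; sample data is constructed.
from __future__ import annotations
import struct
from dataclasses import dataclass

# Encryption type numbers (RFC 3961 / IANA registry) and their raw key sizes in bytes
ENCTYPES = {1: ("des-cbc-crc", 8), 3: ("des-cbc-md5", 8), 17: ("aes128-cts-hmac-sha1-96", 16),
            18: ("aes256-cts-hmac-sha1-96", 32), 23: ("rc4-hmac", 16)}
DES_ENCTYPES = {1, 3}
KRB5_NT_PRINCIPAL = 1   # the -ptype value used in step 3

@dataclass
class KeytabEntry:
    principal: str      # "service/host@REALM"
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes

def _counted_string(buf: bytes, off: int) -> tuple[bytes, int]:
    """Read a keytab counted_octet_string: uint16 big-endian length, then the bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data: bytes) -> list[KeytabEntry]:
    """Walk the keytab: 0x0502 header, then int32-sized records (negative size = deleted)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab (expected 0x0502 header)")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:            # deleted slot: skip its payload
            off -= size
            continue
        end = off + size
        (n_comp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted_string(data, off)
        comps = []
        for _ in range(n_comp):
            c, off = _counted_string(data, off)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, key_len = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + key_len]
        off += key_len
        kvno = vno8
        if end - off >= 4:      # optional 32-bit kvno; it wins when non-zero
            (vno32,) = struct.unpack_from(">I", data, off)
            kvno = vno32 or vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, timestamp, kvno, enctype, key))
        off = end
    return entries

def check_entry(e: KeytabEntry, service: str, host: str, realm: str) -> list[str]:
    """Return the problems found for one entry; an empty list means it matches expectations."""
    problems = []
    name, _, ent_realm = e.principal.partition("@")
    svc, _, inst = name.partition("/")
    if svc != service:
        problems.append(f"service type {svc!r} does not match {service!r} (case matters)")
    if inst != host.lower():
        problems.append(f"instance {inst!r} should be the lowercase host name {host.lower()!r}")
    if ent_realm != realm.upper():
        problems.append(f"realm {ent_realm!r} should be the uppercase realm {realm.upper()!r}")
    if e.enctype not in ENCTYPES:
        problems.append(f"unknown enctype {e.enctype}")
        return problems
    etype_name, key_len = ENCTYPES[e.enctype]
    if len(e.key) != key_len:
        problems.append(f"key is {len(e.key)} bytes, {etype_name} needs {key_len}")
    if e.enctype in DES_ENCTYPES:
        problems.append(f"{etype_name} is single DES, disabled by default on Windows 7 / "
                        "Server 2008 R2 and later domains")
    return problems

def build_keytab(entries: list[tuple]) -> bytes:
    """Write a keytab in the same layout; used here only to construct sample input."""
    out = bytearray(b"\x05\x02")
    for principal, name_type, timestamp, kvno, enctype, key in entries:
        name, realm = principal.split("@")
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

# Constructed sample: a correct CIFS entry and an HTTP entry with wrong case (dummy zero keys)
SAMPLE_KEYTAB = build_keytab([
    ("cifs/server.alfresco.org@ALFRESCO.ORG", KRB5_NT_PRINCIPAL, 0, 3, 3, bytes(8)),
    ("http/web.alfresco.org@alfresco.org", KRB5_NT_PRINCIPAL, 0, 1, 23, bytes(16)),
])

if __name__ == "__main__":
    expected = [("cifs", "server.alfresco.org"), ("HTTP", "web.alfresco.org")]
    for entry, (svc, host) in zip(parse_keytab(SAMPLE_KEYTAB), expected):
        print(entry.principal, "kvno", entry.kvno, ENCTYPES.get(entry.enctype, ("?",))[0])
        for problem in check_entry(entry, svc, host, "ALFRESCO.ORG"):
            print("  -", problem)
```

To check a real file, replace SAMPLE_KEYTAB with the bytes read from C:\etc\alfrescocifs.keytab and pass the host and realm you used on the ktpass -princ parameter. The kvno printed here should also match the account's current key version on the domain controller; a stale kvno after a password reset is a common cause of "key not found" failures at service start.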


For versions 2.2SP1 and 2.1SP5 and above, two new Enterprise CIFS authenticator configuration options have been introduced:

  1. <kerberosDebug/> Enable the Sun JGSS/Kerberos debug output.

     This sets the Java properties sun.security.jgss.debug=true and sun.security.krb5.debug=true.

  2. <disableNTLM/> Do not advertise NTLMSSP support in the SPNEGO mechTypes list.
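The mechTypes list that <disableNTLM/> trims is the SEQUENCE OF OID inside the SPNEGO NegTokenInit the server offers during negotiation. The following Python is an added example, not Alfresco's code, for confirming the effect on the wire: it decodes the GSS-API InitialContextToken (0x60 tag, SPNEGO OID 1.3.6.1.5.5.2, then [0] NegTokenInit) and reports whether the NTLMSSP OID 1.3.6.1.4.1.311.2.2.10 is still advertised. Because no capture is available offline, the sample tokens are constructed inline with the same DER layout; in practice you would feed it the bytes of the server's negotiate response taken from a packet capture. The OID constants are the standard SPNEGO, Microsoft Kerberos, Kerberos and NTLMSSP identifiers.

```python
# Decode the mechTypes list of a SPNEGO NegTokenInit and report whether NTLMSSP is advertised.
# Added example; the tokens below are constructed, not captured.
SPNEGO_OID = "1.3.6.1.5.5.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"
KRB5_OID = "1.2.840.113554.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"

def _encode_oid(dotted: str) -> bytes:
    """DER OID content: first two arcs packed into one byte, then base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(chunk)
    return bytes(body)

def _decode_oid(body: bytes) -> str:
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:           # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def _tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value with short or long-form length."""
    n = len(body)
    if n < 128:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def _read_tlv(buf: bytes, off: int) -> tuple[int, bytes, int]:
    """Return (tag, content, offset after the element)."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + n], off + n

def build_neg_token_init(mech_oids: list[str]) -> bytes:
    """Construct a minimal InitialContextToken carrying only a mechTypes list."""
    mech_list = _tlv(0x30, b"".join(_tlv(0x06, _encode_oid(o)) for o in mech_oids))
    neg_init = _tlv(0x30, _tlv(0xA0, mech_list))          # NegTokenInit ::= SEQUENCE { [0] mechTypes }
    inner = _tlv(0x06, _encode_oid(SPNEGO_OID)) + _tlv(0xA0, neg_init)
    return _tlv(0x60, inner)                                # [APPLICATION 0] InitialContextToken

def mech_types(token: bytes) -> list[str]:
    """Extract the advertised mechanism OIDs, in the order offered."""
    tag, inner, _ = _read_tlv(token, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    tag, oid, off = _read_tlv(inner, 0)
    if tag != 0x06 or _decode_oid(oid) != SPNEGO_OID:
        raise ValueError("token mechanism is not SPNEGO")
    tag, neg_init, _ = _read_tlv(inner, off)
    if tag != 0xA0:
        raise ValueError("expected [0] NegTokenInit")
    _, seq, _ = _read_tlv(neg_init, 0)
    tag, mech_list, _ = _read_tlv(seq, 0)
    if tag != 0xA0:
        raise ValueError("mechTypes is missing from NegTokenInit")
    _, items, _ = _read_tlv(mech_list, 0)
    oids, off = [], 0
    while off < len(items):
        _, body, off = _read_tlv(items, off)
        oids.append(_decode_oid(body))
    return oids

def advertises_ntlm(token: bytes) -> bool:
    return NTLMSSP_OID in mech_types(token)

# Constructed samples: the default offer (Kerberos first, NTLMSSP as fallback) and a Kerberos-only one
DEFAULT_TOKEN = build_neg_token_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID])
KERBEROS_ONLY_TOKEN = build_neg_token_init([MS_KRB5_OID, KRB5_OID])

if __name__ == "__main__":
    for label, tok in (("default", DEFAULT_TOKEN), ("disableNTLM", KERBEROS_ONLY_TOKEN)):
        print(label, mech_types(tok), "NTLM advertised:", advertises_ntlm(tok))
```

With a real capture, mech_types() applied to the server's token before and after setting <disableNTLM/> should show the NTLMSSP OID disappearing from the list while the two Kerberos OIDs remain; a client that only supports NTLMSSP will then fail negotiation rather than fall back silently.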