Configuring the CIFS and web servers for Kerberos/AD integration
From AlfrescoWiki
Enabling Kerberos support against Active Directory in the Alfresco CIFS and web servers requires that the servers have a Kerberos service ticket.
The following instructions detail how to set up accounts under Active Directory for use by the Alfresco CIFS and web servers, to allow single sign-on for CIFS and web clients :-
1. Create a user account for the Alfresco CIFS server using the Active Directory Users and Computers application. Use the Action->New->User menu, then enter the full name as 'Alfresco CIFS' and the user logon name as 'alfrescocifs'. Click Next, enter a password, enable 'Password never expires' and disable 'User must change password at next logon'. Click Finish.
2. Create a user account for the Alfresco web server as in step 1 using the full name 'Alfresco HTTP' and user logon name as 'alfrescohttp'.
3. Create the Service Principal Names (SPNs) for the Alfresco CIFS and web servers using the setspn utility. The setspn utility is a free download from the Microsoft site, and is also part of the Win2003 Resource Kit.
setspn -a cifs/<cifs-server-name> alfrescocifs
setspn -a cifs/<cifs-server-name>.<domain> alfrescocifs
setspn -a http/<web-server-name> alfrescohttp
setspn -a http/<web-server-name>.<domain> alfrescohttp
<cifs-server-name> is the NetBIOS name of the Alfresco CIFS server when it is running on an Active Directory client, or the host name when the client is not an Active Directory client, i.e. is not logged onto the domain.
<web-server-name> is the host name that is running the Alfresco server.
You can list the SPNs for a server using :-
setspn -l <account-name>
4. Use the ktpass utility to generate key tables for the CIFS and web servers. The ktpass utility is a free download from the Microsoft site, and is also part of the Win2003 Resource Kit. The ktpass command can only be run from the Active Directory server.
ktpass -princ cifs/<cifs-server-name>.<domain>@<realm> -pass <password> -mapuser alfrescocifs -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -out c:\temp\alfrescocifs.keytab
ktpass -princ HTTP/<web-server-name>.<domain>@<realm> -pass <password> -mapuser alfrescohttp -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -out c:\temp\alfrescohttp.keytab
Note: Some versions of the ktpass command can generate invalid keytab files; download the latest version of the resource kit tools from the Microsoft site to avoid problems.
5. Copy the key table files created in step 4 to the server where Alfresco will run. Copy the files to a protected area such as C:\etc\ or /etc.
6. Set up the Kerberos ini file; the default location is C:\WINNT\krb5.ini or /etc/krb5.conf.
[libdefaults]
default_realm = ALFRESCO.ORG

[realms]
ALFRESCO.ORG = {
  kdc = adsrv.alfresco.org
  admin_server = adsrv.alfresco.org
}

[domain_realm]
adsrv.alfresco.org = ALFRESCO.ORG
.adsrv.alfresco.org = ALFRESCO.ORG
Note: The realm should be specified in uppercase.
7. Set up the Java login configuration file. This would usually be in the JRE\lib\security folder. Create a file named java.login.config with the following entries :-
AlfrescoCIFS {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
keyTab="C:/etc/alfrescocifs.keytab"
principal="cifs/<cifs-server-name>";
};
AlfrescoHTTP {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
keyTab="C:/etc/alfrescohttp.keytab"
principal="HTTP/<web-server-name>";
};
8. Enable the login config file in the main Java security configuration file, usually at JRE\lib\security\java.security. Add the following line :-
login.config.url.1=file:${java.home}/lib/security/java.login.config
9. Configure the Alfresco CIFS server to use the Kerberos authenticator in the file-servers.xml file :-
<config evaluator="string-compare" condition="Filesystem Security">
<authenticator type="enterprise">
<KDC>adsrv.alfresco.org</KDC>
<Realm>ALFRESCO.ORG</Realm>
<Password>...</Password>
</authenticator>
</config>
<KDC> specifies the IP address or DNS name of the Active Directory server. <Realm> is the Kerberos realm. <Password> is the account password used when creating the alfrescocifs account in step 1. The optional <LoginEntry> specifies the login configuration file entry name; it defaults to AlfrescoCIFS.
10. Configure the Alfresco web server to use the Kerberos authentication web filter, in the web.xml file :-
<filter>
<filter-name>Authentication Filter</filter-name>
<filter-class>org.alfresco.web.app.servlet.KerberosAuthenticationFilter</filter-class>
<init-param>
<param-name>KDC</param-name>
<param-value>adsrv.alfresco.org</param-value>
</init-param>
<init-param>
<param-name>Realm</param-name>
<param-value>ALFRESCO.ORG</param-value>
</init-param>
<init-param>
<param-name>Password</param-name>
<param-value>...</param-value>
</init-param>
</filter>
11. Configure the Alfresco WebDAV server to use the Kerberos authentication web filter, in the web.xml file :-
<filter>
<filter-name>WebDAV Authentication Filter</filter-name>
<filter-class>org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter</filter-class>
<init-param>
<param-name>KDC</param-name>
<param-value>adsrv.alfresco.org</param-value>
</init-param>
<init-param>
<param-name>Realm</param-name>
<param-value>ALFRESCO.ORG</param-value>
</init-param>
<init-param>
<param-name>Password</param-name>
<param-value>...</param-value>
</init-param>
</filter>
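Before copying a keytab to the Alfresco server in step 5, it is worth checking what ktpass actually wrote (step 4 notes that some versions produce invalid files) and that the principal inside matches the SPN ktpass was given. The Python below is an added example, not part of this wiki page or of Alfresco: it parses the version 5.2 keytab layout that ktpass writes and the Krb5LoginModule reads, reports principal, kvno and enctype for each entry, and flags the DES-CBC-MD5 enctype used in step 4 as deprecated. The sample keytab is constructed inline; the host name alfresco.alfresco.org, the kvno and the key bytes are assumptions.

```python
import struct
WEAK_ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac"}  # deprecated single-DES and RC4

def _cstr(buf, pos):
    # Counted octet string: uint16 big-endian length followed by the bytes
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Parse a version 0x0502 keytab, the layout ktpass writes and Krb5LoginModule reads."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 5.2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos, end = pos + 4, pos + 4 + abs(size)
        if size < 0:                       # negative size marks a deleted slot
            pos = end
            continue
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _cstr(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _cstr(data, pos)
            comps.append(c.decode())
        name_type, _stamp, kvno, enctype, klen = struct.unpack_from(">IIBHH", data, pos)
        key, pos = data[pos + 13:pos + 13 + klen], pos + 13 + klen
        if end - pos >= 4:                 # optional 32-bit kvno overrides vno8 when nonzero
            kvno = struct.unpack_from(">I", data, pos)[0] or kvno
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "kvno": kvno, "enctype": enctype, "key": key})
    return entries

def check_keytab(data, expected_principal):
    """Problems that would stop the AlfrescoCIFS/AlfrescoHTTP login entry from authenticating."""
    entries = parse_keytab(data)
    problems = [] if entries else ["keytab has no entries"]
    for e in entries:
        if e["principal"] != expected_principal:
            problems.append("principal %s does not match %s" % (e["principal"], expected_principal))
        if e["enctype"] in WEAK_ENCTYPES:
            problems.append("%s uses deprecated enctype %s" % (e["principal"], WEAK_ENCTYPES[e["enctype"]]))
    return problems

_c = lambda s: struct.pack(">H", len(s)) + s   # counted-octet-string encoder for the constructed sample
_body = (struct.pack(">H", 2) + _c(b"ALFRESCO.ORG") + _c(b"cifs") + _c(b"alfresco.alfresco.org")
         + struct.pack(">IIBHH", 1, 0, 2, 3, 8) + b"\x01" * 8)  # KRB5_NT_PRINCIPAL, kvno 2, enctype 3
SAMPLE_KEYTAB = b"\x05\x02" + struct.pack(">i", len(_body)) + _body  # constructed, not ktpass output
```

Run check_keytab on the real file with the principal from the ktpass -princ argument; an empty list means the keytab is well formed, names the expected principal and uses no deprecated enctype.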