Kerberos difficulties

Kerberos difficulties

Hi,
I have been trying to get Kerberos and LDAP chaining to work using the instructions at
http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems

In Share, I can log in through the login screen and authenticate against Kerberos users; LDAP synchronization is also working.
However, I can't log in to the Alfresco backend web application. I get (on screen)

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authenticationFilter' defined in file [/opt/alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/kerberos/kerberos-filter-context.xml]: Invocation of init method failed; nested exception is javax.servlet.ServletException: Failed to login HTTP server service
caused by:
javax.servlet.ServletException: Failed to login HTTP server service

I don't see why this happens as I thought the HTTP server service was only used when SSO was enabled, and I have set kerberos.authentication.sso.enabled to false.

Investigating, I created a HTTP principal for the service, but this also failed with the same message and the logs:

17:29:36,557  ERROR [app.servlet.KerberosAuthenticationFilter] HTTP Kerberos web filter error
javax.security.auth.login.LoginException: Integrity check on decrypted field failed (31)
	at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:659)
[snip]
Caused by: KrbException: Integrity check on decrypted field failed (31)
	at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:154)
	at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:125)
	at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:167)
	at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:87)
	at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:486)
	at sun.security.krb5.Credentials.sendASRequest(Credentials.java:406)
	at sun.security.krb5.Credentials.acquireTGT(Credentials.java:356)
	at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:629)
	... 64 more

I didn't initially supply a kerberos.authentication.http.password because I'm using a keytab file in java.login.config and am not responsible for the password.
When I switched to using an explicit password (kinit.java working fine for the principal) I still got this error.
Our Kerberos server (not AD) supports DES3-CBC-SHA1-KD key type only and I haven't knowingly told JAAS to use a particular one (maybe I should ?)

My questions then:
1. Should I worry about kerberos.authentication.http.password ?
2. Anyone have any hints about why the encryption is failing ? Is it the key type ?
3. Why is the Alfresco web client trying to authenticate this way at all, given that I have supposedly disabled the HTTP SSO service ?

Re: Kerberos difficulties

1. I think you have exposed a problem with the Kerberos authentication subsystem. The http.password indeed should only be relevant when kerberos.authentication.sso.enabled=true but it is trying to validate everything at startup. For now, you will have to work around this by creating the HTTP principal anyway (as you have done). I have logged

https://issues.alfresco.com/jira/browse/ETHREEOH-2617

2. Does any of this help:

http://forums.sun.com/thread.jspa?threadID=5250326
http://jhelvoort.wordpress.com/2009/01/02/integrity-check-on-decrypted-field-failed-31/
http://mailman.mit.edu/pipermail/kerberos/2006-November/010849.html

?

3. Good question. It shouldn't and soon won't.

Re: Kerberos difficulties

dward wrote:
1. I think you have exposed a problem with the Kerberos authentication subsystem. The http.password indeed should only be relevant when kerberos.authentication.sso.enabled=true but it is trying to validate everything at startup. For now, you will have to work around this by creating the HTTP principal anyway (as you have done)

OK, good - FYI the same is true of the CIFS principal - I needed to create it even with kerberos.authentication.authenticateCIFS set to false.

1. No, realm is already in uppercase.
2. This poster gets the message from kinit, but I have no problems logging in with kinit (including java kinit)
3. I think this poster had problems with the enctype - I suppose this may be possible, but I haven't found out how I can force JAAS to use a particular one, and surely that would also impact kinit.java ?

I tried switching from keytab to password and providing this password in the properties file (and the principal in java.login.config). kinit and kinit.java were fine, but no luck with Alfresco.
Finally, I get the 'integrity check' message from kinit.java if I supply the wrong password, so I'm now wondering if the keytab file is being misread somehow

Re: Kerberos difficulties

To follow up...

I changed the java.login.config to use my own principal instead of HTTP/server.x.y.z , supplying my password in the properties file, and this worked[1], so I guess it's something on the kerberos side. The only thing I can think of is that for some reason Alfresco needs a user principal not a host principal, but I'm not clear on the difference.

[1] Well, it allowed me to access the Alfresco web client with SSO disabled, at least.

Re: Kerberos difficulties

FYI a fix has been checked in to HEAD, revision 15729. Here's the change comment:

ETHREEOH-2617: When SSO is disabled in a subsystem, disable initialization of its filters 
- Do not validate filter configuration parameters in NTLM and Kerberos authentication filters when the filter is disabled

FYI there did not appear to be a problem with the CIFS authenticators, which already suppress their initialization when disabled.

Re: Kerberos difficulties

I am able to login with accounts in my Active Directory in the Share webapp, but I can not access the Alfresco webapp:

Screenshot: http://imgur.com/U4Jn7.png

11:40:57,528 ERROR [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] HTTP Kerberos web filter error
 
javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)

Re: Kerberos difficulties

Please let me know if I am not clear. I am not an expert :/

Also, though I have Cifs.enabled = false everywhere I can find, I still get the following error when I log in via Kerberos on the Share app:

14:59:41,586 ERROR [org.alfresco.web.scripts.AbstractRuntime] Exception from executeScript - redirecting to status template error: Error creating bean with name 'cifsAuthenticator' defined in file [C:\Alfresco\tomcat\webapps\alfresco\WEB-INF\classes\alfresco\subsystems\Authentication\kerberos\kerberos-authentication-context.xml]: Invocation of init method failed; nested exception is org.alfresco.jlan.server.config.InvalidConfigurationException: Failed to login CIFS server service
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'cifsAuthenticator' defined in file [C:\Alfresco\tomcat\webapps\alfresco\WEB-INF\classes\alfresco\subsystems\Authentication\kerberos\kerberos-authentication-context.xml]: Invocation of init method failed; nested exception is org.alfresco.jlan.server.config.InvalidConfigurationException: Failed to login CIFS server service
Caused by: org.alfresco.jlan.server.config.InvalidConfigurationException: Failed to login CIFS server service

I thought it wasn't supposed to try Cifs authentication if it is disabled in kerberos-authentication.xml. I have file server disabled as well.

Re: Kerberos difficulties

Did you include this in alfresco-global.properties ?

kerberos.authentication.authenticateCIFS=false

Re: Kerberos difficulties

dward wrote:
Did you include this in alfresco-global.properties ?

kerberos.authentication.authenticateCIFS=false

Thanks for the reply!

I already had 'kerberos.authentication.authenticateCIFS=false' in my kerberos authentication properties file, but to humor the point I added it to alfresco global properties as well.

I still get the same error:

10:39:32,347 ERROR [org.alfresco.web.scripts.AbstractRuntime] Exception from executeScript - redirecting to status template error: Error creating bean with name 'cifsAuthenticator' defined in file [C:\Alfresco\tomcat\webapps\alfresco\WEB-INF\classes\alfresco\subsystems\Authentication\kerberos\kerberos-authentication-context.xml]: Invocation of init method failed; nested exception is org.alfresco.jlan.server.config.InvalidConfigurationException: Failed to login CIFS server service

Regardless, I am more concerned about not being able to log in to the alfresco webapp when kerberos authentication is enabled, as you can see from my screenshot 3 posts up.

Re: Kerberos difficulties

You need to understand how to control subsystem properties rather than randomly editing different files.

I've just double-checked the configuration and think I have found the problem. I will re-open the bug and ensure that it is fixed in HEAD.

It's this line in network-protocol-context.xml

<!-- CIFS authentication -->
<bean id="cifsAuthenticatorBase" abstract="true" init-method="initialize">
...

Even though CifsAuthenticatorBase implements InitializingBean, initialize() has been declared as the init-method. This means that the logic that only calls initialize() when the active flag is set will be bypassed.

A workaround is to put the following in $TOMCAT_HOME/shared/classes/alfresco/extension/temp-context.xml

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>
 
<beans>
 
    <!-- Fix initialization of CIFS authenticators -->
    <bean id="cifsAuthenticatorBase" abstract="true">
        <property name="config">
            <ref bean="fileServerConfiguration" />
        </property>
        <property name="authenticationService">
            <ref bean="authenticationService" />
        </property>
        <property name="authenticationComponent">
            <ref bean="authenticationComponent" />
        </property>
        <property name="nodeService">
            <ref bean="NodeService" />
        </property>
        <property name="personService">
            <ref bean="personService" />
        </property>
        <property name="transactionService">
            <ref bean="transactionService" />
        </property>
        <property name="authorityService">
            <ref bean="authorityService" />
        </property>
        <property name="diskInterface">
            <ref bean="contentDiskDriver" />
        </property>
    </bean>
 
</beans>

Re: Kerberos difficulties

This is now fixed in HEAD.

Re: Kerberos difficulties

Thank you for your time and patience. I will confess that after changing the kerberos authentication properties and the error persisting, I declared war on all things cifs in /alfresco.

I followed your instructions but there was a "The processing instruction target matching "[xX][mM][lL]" error when importing the file. It had to do with whitespace in the file, I think it was a formatting problem when copying it over. Anyways, deleted the whitespace and it imported and ran fine.

I no longer get the "Failed to login CIFS server service" error each time I log in with an AD account. Good catch!

I still receive the following error when trying to access the Alfresco webapp. The problem in the screenshot I posted a while back still happens.

11:40:57,528 ERROR [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] HTTP Kerberos web filter error
 
javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)

Does this mean that I am doing something wrong? Did I setup my keytab incorrectly or something? However, I am able to login with AD accounts just fine...

Re: Kerberos difficulties

I don't understand. The screenshot is of the HTTP service login problem, which was fixed by

https://issues.alfresco.com/jira/browse/ETHREEOH-2617

Aren't you running with a recent 3.3 build?

As for the other error, what do you mean by "I am able to login with AD accounts just fine". What are you trying to log in with then?

If you are trying to log in as an internal Alfresco user, such as admin, you will need alfrescoNtlm in your authentication chain.

If this explains the problem, but you are still getting a nasty exception on your screen when you enter an invalid password, there is still a bug somewhere.

I'm hoping to set up a Kerberos system soon so that I can investigate properly.

Re: Kerberos difficulties

Sorry for being unclear.

I am running Alfresco 3.2 but will download the latest build now.

I am able to login to the Share webapp with Active Directory user-names. The user is then auto-created inside of Alfresco.

Now, when I try to access the Alfresco webapp, the screenshot error occurs. I never see the login screen... nothing except for that screenshot.

So it probably is this SSO bug, I will try it out on the new build.

Edit: Tried it in 3.3 and the same error occurs. I really think it might be I misconfigured kerberos, though I can use the Share webapp just fine.

Re: Kerberos difficulties

Did you build from HEAD? It does work, I promise!

I've managed to set up Kerberos on a VM and I think I've resolved the problem with the CIFS and HTTP service principals.

See this bug comment https://issues.alfresco.com/jira/browse/ETHREEOH-425?focusedCommentId=29595&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#action_29595

It seems that if you did change the accounts to use DES encryption, you would have to reset the passwords, as otherwise they are not cached with DES encryption.

And for Java 6, you can use RC4-HMAC-NT encryption instead. So the new ktpass commands are the following (after deselecting the use DES encryption option and resetting the password on both accounts). I've updated the wiki.

ktpass -princ cifs/.@ -pass -mapuser \alfrescocifs -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out c:\temp\alfrescocifs.keytab
ktpass -princ HTTP/.@ -pass -mapuser \alfrescohttp -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out c:\temp\alfrescohttp.keytab
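Both the first poster's worry that "the keytab file is being misread" and the ktpass commands above come down to what the keytab actually contains, so here is an added example (not from the thread, Alfresco or ktpass) that parses an MIT-format keytab (version 0x0502) and lists each principal with its enctype and kvno. The sample keytab is constructed inside the code, and server.example.com / EXAMPLE.COM are placeholder names.

```python
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1-kd",   # RFC 3961 numbers
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _cstr(buf, off):            # counted_octet_string: uint16 length + bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Parse MIT keytab bytes (version 0x0502) into (principal, enctype name, kvno) tuples."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version: %r" % data[:2])
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                  # a negative size marks a deleted slot; skip it
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _cstr(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _cstr(data, off)
            comps.append(c.decode())
        kvno = data[off + 8]          # uint8 vno follows uint32 name_type and uint32 timestamp
        enctype, klen = struct.unpack_from(">HH", data, off + 9)
        off += 13 + klen              # step over the key material; it is never printed
        if end - off >= 4:            # a 32-bit kvno, when present, overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, off)
        principal = "/".join(comps) + "@" + realm.decode()
        entries.append((principal, ENCTYPES.get(enctype, "enctype %d" % enctype), kvno))
        off = end
    return entries

def build_entry(principal, enctype, key, kvno):  # constructed test data: inverse of parse_keytab
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key  # KRB5_NT_PRINCIPAL
    return struct.pack(">i", len(body + struct.pack(">I", kvno))) + body + struct.pack(">I", kvno)

# Constructed sample: a DES3 HTTP service key (enctype 16) and an RC4 cifs key (enctype 23).
SAMPLE_KEYTAB = b"\x05\x02" + build_entry("HTTP/server.example.com@EXAMPLE.COM", 16, b"\x11" * 24, 2) \
    + build_entry("cifs/server.example.com@EXAMPLE.COM", 23, b"\x22" * 16, 3)
```

If the kvno or enctype listed here does not match what the KDC currently holds for that principal, the AS-REP cannot be decrypted, which is exactly the "Integrity check on decrypted field failed (31)" symptom quoted earlier in the thread.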
