I have been trying to get Kerberos and LDAP chaining to work using the instructions at
In Share, I can log in through the login screen and authenticate against Kerberos users; LDAP synchronization is also working.
However, I can't log in to the Alfresco backend web application. I get (on screen):
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authenticationFilter' defined in file [/opt/alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/kerberos/kerberos-filter-context.xml]: Invocation of init method failed; nested exception is javax.servlet.ServletException: Failed to login HTTP server service caused by: javax.servlet.ServletException: Failed to login HTTP server service
I don't see why this happens as I thought the HTTP server service was only used when SSO was enabled, and I have set kerberos.authentication.sso.enabled to false.
Investigating, I created an HTTP principal for the service, but this also failed with the same message and the logs:
17:29:36,557 ERROR [app.servlet.KerberosAuthenticationFilter] HTTP Kerberos web filter error
javax.security.auth.login.LoginException: Integrity check on decrypted field failed (31)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:659)
[snip]
Caused by: KrbException: Integrity check on decrypted field failed (31)
    at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:154)
    at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:125)
    at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:167)
    at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:87)
    at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:486)
    at sun.security.krb5.Credentials.sendASRequest(Credentials.java:406)
    at sun.security.krb5.Credentials.acquireTGT(Credentials.java:356)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:629)
    ... 64 more
I didn't initially supply a kerberos.authentication.http.password because I'm using a keytab file in java.login.config and am not responsible for the password.
When I switched to using an explicit password (kinit.java working fine for the principal), I still got this error.
Our Kerberos server (not AD) supports DES3-CBC-SHA1-KD key type only and I haven't knowingly told JAAS to use a particular one (maybe I should?).
My questions then:
1. Should I worry about kerberos.authentication.http.password?
2. Anyone have any hints about why the encryption is failing? Is it the key type?
3. Why is the Alfresco web client trying to authenticate this way at all, given that I have supposedly disabled the HTTP SSO service?