Sunday, September 11, 2016

Kerberos authentication is not working; now what?



Debugging Kerberos authentication should be approached in two steps. The first is to make sure the Active Directory Kerberos users are properly created and Kerberos is configured correctly; you will use the “klist” and “kinit” commands to verify the Kerberos setup. The second is to log in to your Alfresco instance with Kerberos set as the only authentication option in your Authentication Chain; if the login fails, turn on Kerberos debugging. This splits the debugging into two separate phases: #1) the Kerberos install/configuration on your Active Directory server, and #2) your Alfresco configuration and edited configuration files.

Phase #1:

Verify that the Kerberos users are properly created and Kerberos is configured correctly.

cd /etc

klist -k httpredhat.keytab

Keytab name: FILE:httpredhat.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   0 HTTP/redhat.formtek.local@FORMTEK.LOCAL

klist -k cifsredhat.keytab

Keytab name: FILE:cifsredhat.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   0 CIFS/redhat.formtek.local@FORMTEK.LOCAL

kinit -k -V -t /etc/keys/cifsredhat.keytab "CIFS/redhat.formtek.local"

Authenticated to Kerberos v5 

kinit -k -V -t /etc/keys/httpredhat.keytab "HTTP/redhat.formtek.local"

Authenticated to Kerberos v5

Phase #2:

If Phase #1 is verified and returns the proper values but your Alfresco authentication login still fails, you can now debug Kerberos issues by enabling debug logging in the log4j properties; the debug output is written to alfresco.log. The properties file is located in ‘<Alfresco_Home>/tomcat/webapps/alfresco/WEB-INF/classes’ and is named ‘log4j.properties’.

log4j.logger.org.alfresco.web.app.servlet.KerberosAuthenticationFilter=debug
log4j.logger.org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter=debug
 
NOTE: Add these two lines at the end of the file, and verify that each appears only once (with duplicate keys, the last entry in the file wins).

The following is a sample login output:

16:16:17,818 DEBUG [app.servlet.KerberosAuthenticationFilter] New Kerberos auth request from 192.168.1.90 (192.168.1.90:22350)
16:16:18,036 DEBUG [app.servlet.KerberosAuthenticationFilter] User user1 logged on via Kerberos
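The two phases above can be checked from a script. The following is an added example, not code from the original post or from Alfresco: it parses the KVNO/Principal table that “klist -k” prints and reports whether the full principal (including the realm) that kinit will be asked for is present, catching the case-mismatch that makes kinit fail; it then pairs the “New Kerberos auth request” and “logged on via Kerberos” lines from alfresco.log so that requests which never reached a logon stand out. The sample klist output and log lines are constructed in the format shown on this page.

```python
import re

# Constructed samples in the formats shown on this page (not captured from a real host)
KLIST_SAMPLE = """Keytab name: FILE:httpredhat.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   0 HTTP/redhat.formtek.local@FORMTEK.LOCAL
"""
LOG_SAMPLE = """16:16:17,818 DEBUG [app.servlet.KerberosAuthenticationFilter] New Kerberos auth request from 192.168.1.90 (192.168.1.90:22350)
16:16:18,036 DEBUG [app.servlet.KerberosAuthenticationFilter] User user1 logged on via Kerberos
16:20:02,101 DEBUG [app.servlet.KerberosAuthenticationFilter] New Kerberos auth request from 192.168.1.91 (192.168.1.91:40211)
"""

KEYTAB_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s*$")

def parse_klist(output):
    """Return [(kvno, principal)] from the KVNO/Principal table printed by `klist -k`."""
    matches = (KEYTAB_ENTRY.match(line) for line in output.splitlines())
    return [(int(m.group(1)), m.group(2)) for m in matches if m]

def check_keytab(output, principal):
    """Phase #1 check: does the keytab hold exactly the principal kinit will be asked for?"""
    entries = parse_klist(output)
    if not entries:
        return ["keytab has no entries (wrong file, or klist could not read it)"]
    names = [p for _, p in entries]
    if principal in names:
        return []
    # Principal names and realms are case-sensitive; a near miss is the usual culprit
    near = [p for p in names if p.lower() == principal.lower()]
    if near:
        return [f"case mismatch: keytab has {near[0]!r}, expected {principal!r}"]
    return [f"{principal!r} not in keytab; found {names}"]

FILTER_LINE = re.compile(r"^\S+ DEBUG \[app\.servlet\.KerberosAuthenticationFilter\] (.*)$")
REQUEST = re.compile(r"New Kerberos auth request from (\S+)")
LOGON = re.compile(r"User (\S+) logged on via Kerberos")

def summarize_log(text):
    """Phase #2 check: pair 'New Kerberos auth request' lines with 'logged on' lines."""
    requests, logons = [], []
    for m in filter(None, map(FILTER_LINE.match, text.splitlines())):
        if r := REQUEST.search(m.group(1)):
            requests.append(r.group(1))
        elif l := LOGON.search(m.group(1)):
            logons.append(l.group(1))
    # Requests that never reach a logon line are the attempts worth inspecting
    return {"requests": requests, "logons": logons, "unfinished": max(len(requests) - len(logons), 0)}
```

Feed it the real output of “klist -k <keytab>” and the KerberosAuthenticationFilter lines from alfresco.log; a client address listed under requests but with no matching logon is where to start reading the surrounding log lines.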
