This section describes how to configure the Share server and Active Directory server to work with Kerberos Single Sign On (SSO).
- Configure the SkyVault server.
-
Configure Share.
- Open the Share <web-extension> directory.
- Copy or rename the share-config-custom.xml.sample file to be called share-config-custom.xml.
- Replace the password, realm, and endpoint-spn option with the correct values with the correct values for the SkyVaultHTTP user (used to create the keytab files). The realm value should be capitalized.
-
Uncomment both the <config evaluator="string-compare"
condition="Remote"> sections.
<!-- example port config used to access remote SkyVault server (default is 8080) --> <config evaluator="string-compare" condition="Remote"> <remote> <endpoint> <id>alfresco-noauth</id> <name>SkyVault - unauthenticated access</name> <description>Access to SkyVault Repository WebScripts that do not require authentication</description> <connector-id>alfresco</connector-id> <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url> <identity>none</identity> </endpoint> <endpoint> <id>alfresco</id> <name>SkyVault - user access</name> <description>Access to SkyVault Repository WebScripts that require user authentication</description> <connector-id>alfresco</connector-id> <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url> <identity>user</identity> </endpoint> <endpoint> <id>alfresco-feed</id> <name>SkyVault Feed</name> <description>SkyVault Feed - supports basic HTTP authentication via the EndPointProxyServlet</description> <connector-id>http</connector-id> <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url> <basic-auth>true</basic-auth> <identity>user</identity> </endpoint> <endpoint> <id>activiti-admin</id> <name>Activiti Admin UI - user access</name> <description>Access to Activiti Admin UI, that requires user authentication</description> <connector-id>activiti-admin-connector</connector-id> <endpoint-url>http://localhost:8080/alfresco/activiti-admin</endpoint-url> <identity>user</identity> </endpoint> </remote> </config> <!-- Overriding endpoints to reference a SkyVault server with external SSO enabled NOTE: If utilising a load balancer between web-tier and repository cluster, the "sticky sessions" feature of your load balancer must be used. NOTE: If SkyVault server location is not localhost:8080 then also combine changes from the "example port config" section below. *Optional* keystore contains SSL client certificate + trusted CAs. Used to authenticate share to an external SSO system such as CAS Remove the keystore section if not required i.e. for NTLM. NOTE: For Kerberos SSO rename the "KerberosDisabled" condition above to "Kerberos" NOTE: For external SSO, switch the endpoint connector to "AlfrescoHeader" and set the userHeader to the name of the HTTP header that the external SSO uses to provide the authenticated user name. --> <config evaluator="string-compare" condition="Remote"> <remote> <keystore> <path>alfresco/web-extension/alfresco-system.p12</path> <type>pkcs12</type> <password>alfresco-system</password> </keystore> <connector> <id>alfrescoCookie</id> <name>SkyVault Connector</name> <description>Connects to a SkyVault instance using cookie-based authentication</description> <class>org.springframework.extensions.webscripts.connector.AlfrescoConnector</class> </connector> <connector> <id>alfrescoHeader</id> <name>SkyVault Connector</name> <description>Connects to a SkyVault instance using header and cookie-based authentication</description> <class>org.springframework.extensions.webscripts.connector.AlfrescoConnector</class> <userHeader>SsoUserHeader</userHeader> </connector> <endpoint> <id>alfresco</id> <name>SkyVault - user access</name> <description>Access to SkyVault Repository WebScripts that require user authentication</description> <connector-id>alfrescoCookie</connector-id> <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url> <identity>user</identity> <external-auth>true</external-auth> </endpoint> </remote> </config>
-
Locate the <!-- Kerberos settings --> section
and replace condition=KerberosDisabled with
condition=Kerberos.
<!-- Kerberos settings --> <!-- To enaable kerberos rename this condition to "Kerberos" --> <config evaluator="string-compare" condition="Kerberos" replace="true"> <kerberos>
-
In the (Sun Java)
jre/lib/security/java.login.config file, add a
new section:
ShareHTTP { com.sun.security.auth.module.Krb5LoginModule required storeKey=true useKeyTab=true keyTab="/etc/keys/alfrescohttp.keytab" principal="HTTP/madona.example.foo"; };
- Restart the SkyVault server.
-
Configure Active Directory.
- Modify the SkyVaulthttp user created during the SkyVault Kerberos setup.
-
In the user Delegation tab, tick the
Trust this user for delegation to any service (Kerberos
only) check box.
If you do not see the delegation tab, follow the Allow a user to be trusted for delegation for specific services instruction on the Microsoft http://technet.microsoft.com website.
-
If you cannot see the Delegation tab, do one or
both of the following:
- Register a Service Principal Name (SPN) for the user account with the Setspn utility in the support tools on your CD. Delegation is only intended to be used by service accounts, which should have registered SPNs, as opposed to a regular user account which typically does not have SPNs.
- Raise the functional level of your domain to Windows Server 2003.
To raise the domain functional level:
- Open Active Directory Domains and Trusts.
- In the console tree, right-click the domain for which you want to raise functionality, and then click Raise Domain Functional Level.
- In Select an available domain functional
level, do one of the following:
- To raise the domain functional level to Windows 2000 native, click Windows 2000 native, and then click Raise.
- To raise domain functional level to Windows Server 2003, click Windows Server 2003, and then click Raise.
-
Configure the client.
- For Windows client configuration, Internet Explorer configured as described in Kerberos client configuration should work without modifications.
-
To ensure that Firefox works with Windows on the share URL with
Kerberos SSO, modify the following variables in the about:config special
URL:
network.negotiate-auth.delegation-uris network.negotiate-auth.trusted-uris network.negotiate-auth.using-native-gsslib
For example:
Parent topic: Configuring Kerberos
Related tasks