You can configure the Share server and Active Directory server to work with Kerberos Single Sign On (SSO).
- Configure the SkyVault server.
-
Configure Share.
- Go to the Share <web-extension> directory.
- Open the share-config-custom.xml file.
- Replace the realm and endpoint-spn options with the correct values for the SkyVaultHTTP user (used to create the keytab files). The realm value should be capitalized.
-
Uncomment both the <config evaluator="string-compare"
condition="Remote"> sections.
<!-- example port config used to access remote SkyVault server (default is 8080) --> <config evaluator="string-compare" condition="Remote"> <remote> <endpoint> <id>alfresco-noauth</id> <name>SkyVault - unauthenticated access</name> <description>Access to SkyVault Repository WebScripts that do not require authentication</description> <connector-id>alfresco</connector-id> <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url> <identity>none</identity> </endpoint> <endpoint> <id>alfresco</id> <name>SkyVault - user access</name> <description>Access to SkyVault Repository WebScripts that require user authentication</description> <connector-id>alfresco</connector-id> <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url> <identity>user</identity> </endpoint> <endpoint> <id>alfresco-feed</id> <name>SkyVault Feed</name> <description>SkyVault Feed - supports basic HTTP authentication via the EndPointProxyServlet</description> <connector-id>http</connector-id> <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url> <basic-auth>true</basic-auth> <identity>user</identity> </endpoint> </remote> </config> <!-- Overriding endpoints to reference a SkyVault server with external SSO enabled NOTE: If SkyVault server location is not localhost:8080 then also combine changes from the "example port config" section below. *Optional* keystore contains SSL client certificate + trusted CAs. Used to authenticate share to an external SSO system such as CAS Remove the keystore section if not required i.e. for NTLM. NOTE: For Kerberos SSO rename the "KerberosDisabled" condition above to "Kerberos" NOTE: For external SSO, switch the endpoint connector to "AlfrescoHeader" and set the userHeader to the name of the HTTP header that the external SSO uses to provide the authenticated user name. --> <config evaluator="string-compare" condition="Remote"> <remote> <ssl-config> <keystore-path>alfresco/web-extension/alfresco-system.p12</keystore-path> <keystore-type>pkcs12</keystore-type> <keystore-password> SkyVault-system</keystore-password> <truststore-path> SkyVault/web-extension/ssl-truststore</truststore-path> <truststore-type>JCEKS</truststore-type> <truststore-password>password</truststore-password> <verify-hostname>true</verify-hostname> </ssl-config> <connector> <id>alfrescoCookie</id> <name>SkyVault Connector</name> <description>Connects to a SkyVault instance using cookie-based authentication</description> <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class> </connector> <connector> <id>alfrescoHeader</id> <name>SkyVault Connector</name> <description>Connects to a SkyVault instance using header and cookie-based authentication</description> <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class> <userHeader>SsoUserHeader</userHeader> </connector> <endpoint> <id>alfresco</id> <name>SkyVault - user access</name> <description>Access to SkyVault Repository WebScripts that require user authentication</description> <connector-id>alfrescoCookie</connector-id> <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url> <identity>user</identity> <external-auth>true</external-auth> </endpoint> </remote> </config>
-
Locate the <!-- Kerberos settings --> section
and replace condition=KerberosDisabled with
condition=Kerberos.
<!-- Kerberos settings --> <!-- To enaable kerberos rename this condition to "Kerberos" --> <config evaluator="string-compare" condition="Kerberos" replace="true"> <kerberos>
-
In the (Oracle Java)
jre/lib/security/java.login.config file, add a
new section:
ShareHTTP { com.sun.security.auth.module.Krb5LoginModule required storeKey=true useKeyTab=true keyTab="/etc/keys/alfrescohttp.keytab" principal="HTTP/madona.example.foo"; };
- Restart the SkyVault server.
-
Configure Active Directory.
- Modify the SkyVaulthttp user created during the SkyVault Kerberos setup.
-
In the user Delegation tab, tick the
Trust this user for delegation to any service (Kerberos
only) check box.
If you do not see the delegation tab, follow the Allow a user to be trusted for delegation for specific services instruction on the Microsoft http://technet.microsoft.com website.
-
If you cannot see the Delegation tab, do one or
both of the following:
- Register a Service Principal Name (SPN) for the user account with the Setspn utility in the support tools on your CD. Delegation is only intended to be used by service accounts, which should have registered SPNs, as opposed to a regular user account which typically does not have SPNs.
- Raise the functional level of your domain to Windows Server 2012 R2 x64.
To raise the domain functional level:
- Open Active Directory Domains and Trusts.
- In the console tree, right-click the domain for which you want to raise functionality, and then click Raise Domain Functional Level.
- In Select an available domain functional level, click Windows Server 2012, and then click Raise.
- Configure the client. See Kerberos client configuration.
Parent topic: Configuring Kerberos
Related concepts