You are here

SkyVault 2.0 » Configuring » Setting up authentication and security » Configuring authentication subsystems » Configuring Kerberos

Configuring Share Kerberos SSO

You can configure the Share server and Active Directory server to work with Kerberos Single Sign On (SSO).

  1. Configure the SkyVault server.
  2. Configure Share.
    1. Go to the Share <web-extension> directory.
    2. Open the share-config-custom.xml file.
    3. Replace the realm and endpoint-spn options with the correct values for the SkyVaultHTTP user (used to create the keytab files). The realm value should be capitalized.
    4. Uncomment both the <config evaluator="string-compare" condition="Remote"> sections. 

         <!-- example port config used to access remote SkyVault server (default is 8080) -->
   
   <config evaluator="string-compare" condition="Remote">
      <remote>
         <endpoint>
            <id>alfresco-noauth</id>
            <name>SkyVault - unauthenticated access</name>
            <description>Access to SkyVault Repository WebScripts that do not require authentication</description>
            <connector-id>alfresco</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
            <identity>none</identity>
         </endpoint>

         <endpoint>
            <id>alfresco</id>
            <name>SkyVault - user access</name>
            <description>Access to SkyVault Repository WebScripts that require user authentication</description>
            <connector-id>alfresco</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
            <identity>user</identity>
         </endpoint>

         <endpoint>
            <id>alfresco-feed</id>
            <name>SkyVault Feed</name>
            <description>SkyVault Feed - supports basic HTTP authentication via the EndPointProxyServlet</description>
            <connector-id>http</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
            <basic-auth>true</basic-auth>
            <identity>user</identity>
         </endpoint> 
            
        <endpoint>
           <id>alfresco-api</id>
           <parent-id>alfresco</parent-id>
           <name>SkyVault Public API - user access</name>
           <description>Access to SkyVault Repository Public API that require user authentication.
             This makes use of the authentication that is provided by parent 'alfresco' endpoint.</description>
           <connector-id>alfresco</connector-id>
           <endpoint-url>http://localhost:8080/alfresco/api</endpoint-url>
           <identity>user</identity>
        </endpoint>
      </remote>
   </config>
 

   <!-- 
        Overriding endpoints to reference a SkyVault server with external SSO enabled
         
        NOTE: If SkyVault server location is not localhost:8080 then also combine changes from the
              "example port config" section below.
        *Optional* keystore contains SSL client certificate + trusted CAs.
        Used to authenticate share to an external SSO system such as CAS
        Remove the keystore section if not required i.e. for NTLM.
        
        NOTE: For Kerberos SSO rename the "KerberosDisabled" condition above to "Kerberos"
        
        NOTE: For external SSO, switch the endpoint connector to "AlfrescoHeader" and set
              the userHeader to the name of the HTTP header that the external SSO
              uses to provide the authenticated user name.
   -->
   
   <config evaluator="string-compare" condition="Remote">
      <remote>
         <ssl-config>
             <keystore-path>alfresco/web-extension/alfresco-system.p12</keystore-path>
             <keystore-type>pkcs12</keystore-type>
             <keystore-password> SkyVault-system</keystore-password>

             <truststore-path> SkyVault/web-extension/ssl-truststore</truststore-path>
             <truststore-type>JCEKS</truststore-type>
             <truststore-password>password</truststore-password>

             <verify-hostname>true</verify-hostname>
         </ssl-config>
         
         <connector>
            <id>alfrescoCookie</id>
            <name>SkyVault Connector</name>
            <description>Connects to a SkyVault instance using cookie-based authentication</description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
         </connector>
         
         <connector>
            <id>alfrescoHeader</id>
            <name>SkyVault Connector</name>
            <description>Connects to a SkyVault instance using header and cookie-based authentication</description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
            <userHeader>SsoUserHeader</userHeader>
         </connector>

         <endpoint>
            <id>alfresco</id>
            <name>SkyVault - user access</name>
            <description>Access to SkyVault Repository WebScripts that require user authentication</description>
            <connector-id>alfrescoCookie</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
            
         <endpoint>
            <id>alfresco-api</id>
            <parent-id>alfresco</parent-id>
            <name>SkyVault Public API - user access</name>
            <description>Access to SkyVault Repository Public API that require user authentication.
              This makes use of the authentication that is provided by parent 'alfresco' endpoint.</description>
            <connector-id>alfresco</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/api</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint> 
      </remote>
   </config>
  
    5. Locate the <!-- Kerberos settings --> section and replace condition=KerberosDisabled with condition=Kerberos. 

      <!-- Kerberos settings -->
   <!-- To enaable kerberos rename this condition to "Kerberos" -->
   <config evaluator="string-compare" condition="Kerberos" replace="true">
      <kerberos>
    6. In the (Oracle Java) jre/lib/security/java.login.config file, add a new section: 

      ShareHTTP {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/keys/alfrescohttp.keytab"
   principal="HTTP/madona.example.foo";
};
    7. Restart the SkyVault server.
  3. Configure Active Directory.
    1. Modify the SkyVaulthttp user created during the SkyVault Kerberos setup.
    2. In the user Delegation tab, tick the Trust this user for delegation to any service (Kerberos only) check box.

      If you do not see the delegation tab, follow the Allow a user to be trusted for delegation for specific services instruction on the Microsoft http://technet.microsoft.com website.

    3. If you cannot see the Delegation tab, do one or both of the following:

      • Register a Service Principal Name (SPN) for the user account with the Setspn utility in the support tools on your CD. Delegation is only intended to be used by service accounts, which should have registered SPNs, as opposed to a regular user account which typically does not have SPNs.
      • Raise the functional level of your domain to Windows Server 2012 R2 x64.

      To raise the domain functional level:

      1. Open Active Directory Domains and Trusts.
      2. In the console tree, right-click the domain for which you want to raise functionality, and then click Raise Domain Functional Level.
      3. In Select an available domain functional level, click Windows Server 2012, and then click Raise.
  4. Configure the client. See Kerberos client configuration.
Parent topic: Configuring Kerberos
Related concepts

© 2017 TBS-LLC. All Rights Reserved.