![\"\"](\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/2e1ax_default_entry_MIT-Kerberos.jpg\")
<\/p>\n<\/p>\n
In the previous blog, I described How to install and manage a Kerberos Server<\/a> but that’s useless if there are no clients and if no application have been kerberized! That’s why in this blog I will explain in the first part how to install a kerberos client in linux. The second part will be dedicated to the configuration of a browser to use Kerberos tickets and the last part will explain how to configure a popular application to use the newly created Kerberos MIT KDC. This application is Alfresco (leader in Open Source solutions for Electronic Content Management).<\/p>\n For this blog, let’s define the following properties\/variables:<\/p>\n All configurations below have been tested on our infrastructure.<\/p>\n On this part, I will only present how to install a Linux Client. I think the Mac release is available as part of the Mac OS X since version 10.3 (the current release is Mavericks: 10.9) and so there is nothing to do to install a Kerberos client but this installation isn’t configured. The Windows installation is quite easy if you use the installer but this isn’t a perfect solution. I think the best solution for windows would be to use the Windows implementation of Kerberos to configure the connection to a Linux KDC but this is a little bit more complex and I personally have troubles to configure that…<\/p>\n So, all steps to install a Linux client are quite the same as those to install a Kerberos Server. Indeed, there is no specific source code for the client and so the basic installation is the same but it’s not the case for the configuration.<\/p>\n Obviously, the first thing to do is to download the current release of the MIT Kerberos distribution for the target operating system. This could be done at the following URL: http:\/\/web.mit.edu\/kerberos\/dist\/index.html.<\/a> The current Linux release is krb5-1.12.1-signed.tar:<\/p>\n As you can see, this file is signed and you could (should) verify the integrity and identity of the software. This can be done, for example, using GNU Privacy Guard:<\/p>\n After that, just extract the MIT Kerberos source code:<\/p>\n <\/p>\n At this step, Kerberos should be installed properly and the binaries, libraries and the documentation should be under \/usr\/local. The default location is sufficient for a client installation:<\/p>\n To set up a linux client, there is only one step remaining: tell Kerberos where to find a KDC. This is done through a configuration file named krb5.conf. In the following configuration, I’ve included two lines (forwardable and proxiable) that are important for Alfresco SSO using Kerberos to work properly. These two lines aren’t mandatory for other kerberized applications:<\/p>\n That should be enough to obtain a ticket for the test user (“kinit mpatou” OR “kinit mpatou@EXAMPLE.COM”) and delete this ticket:<\/p>\n Now the client should be able to acquire the first ticket (TGT) but that’s not enough! The next step is to configure the Browser to use tickets. Indeed, if the client tries to access to a kerberized application, the browser has to present a ticket for that application to be logged in automatically.<\/p>\n Open a new window\/tab in Mozilla Firefox:<\/p>\n i. Mac<\/strong><\/p>\n Modify the Google Chrome application with:<\/p>\n <\/p>\n ii. Linux<\/strong><\/p>\n Modify Google Chrome with:<\/p>\n iii. Windows<\/strong><\/p>\n Modify the Google Chrome shortcut with:<\/p>\n Open a new window\/tab in Internet Explorer and:<\/p>\n If everything works fine, then the client should be able to access to kerberized applications. If it’s not the case, a good start to debug the kerberos installation is to use a network analyzer like WireShark.<\/p>\n Actual test configuration:<\/p>\n So let’s begin the configuration of a Kerberized application with Alfresco. The first thing to know about Alfresco is that Alfresco uses two main Web Clients: Alfresco Explorer and Alfresco Share. The first one is the core of Alfresco and the second one is the new interface (mainly oriented on collaboration) that uses a proxy to ask Explorer to do the job. The configuration of Alfresco Explorer is quite easy but to get Alfresco Share working it’s not the same as Share add a new layer above Explorer.<\/p>\n If nothing is specified, all modifications below should be done on alf01.example.com, the Alfresco host server.<\/p>\n For Kerberos to work properly, the maxHttpHeaderSize must be increased:<\/p>\n Then the authentication chain must allow Kerberos tickets to be used to authenticate a user:<\/p>\n After that, the Kerberos subsystem must be configured:<\/p>\n <\/p>\n Once this is done, the KDC must be configured to recognize Alfresco as a Kerberized application. For that purpose, enter in the KDC kadmin interface. Caution, this requires the installation of a Kerberos Server on kdc01oel.example.com as described in the previous blog (the important part is that kadmin must be available from a remote computer) and the installation of a Kerberos Client on alf01.example.com. If your kadmin doesn’t work from a remote location, you will have to use the kadmin.local interface on the KDC host server.<\/p>\n This will create 2 files named ‘krb5cifs.keytab’ and ‘krb5http.keytab’ on the host where the kadmin was run. That means that if you used the kadmin from alf01.example.com, then there is nothing more to do but if you used the kadmin or kadmin.local from kdc01oel.example.com, then those 2 files must be moved to alf01.example.com:<\/p>\n Create or update the config file for the Java Security. Be careful that this is the Java used by Alfresco:<\/p>\n Configure the default Java Security to use our custom configuration by adding a line at the end of the file:<\/p>\n Finally, update the share-config-custom.xml file to contain the Kerberos configuration (the three images are in a unique file attached in this blog -> share-config-custom.zip<\/a>):<\/p>\n That could be enough to get the Kerberos SSO working for Alfresco Explorer and Alfresco Share. I think there are some additional steps to get the Alfresco CIFS working too but I’m not sure. Moreover, it’s possible that you get some strange exceptions that prevent Alfresco to authenticate your Kerberos Ticket. That probably comes from the Java Cryptography Extension that is missing on your Alfresco server. For that purpose, download the JCE corresponding to the Java version used by Alfresco (JCE6 or JCE7) and deploy it (I assume below that the JCE7 is under \/opt):<\/p>\n I hope I was clear enough in my explanations and I hope I was able to share (a little bit?) my passion for open source solutions! In the previous blog, I described How to install and manage a Kerberos Server but that’s useless if there are no clients and if no application have been kerberized! That’s why in this blog I will explain in the first part how to install a kerberos client in linux. The second part will be dedicated […]<\/p>\n","protected":false},"author":20,"featured_media":2166,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[197],"tags":[3169,101,444,370,445],"type_dbi":[],"class_list":["post-3814","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-application-integration-middleware","tag-alfresco","tag-installation","tag-kerberos","tag-open-source","tag-sso"],"acf":[],"yoast_head":"\n\n
1. Install MIT Kerberos Client<\/h3>\n
# wget\u00a0 http:\/\/web.mit.edu\/kerberos\/dist\/krb5\/1.12\/krb5-1.12.1-signed.tar\n\u00a0\u00a0\u00a0 --2014-04-01 14:00:28--\u00a0 http:\/\/web.mit.edu\/kerberos\/dist\/krb5\/1.12\/krb5-1.12.1-signed.tar\n\u00a0\u00a0\u00a0 Resolving web.mit.edu... 23.58.214.151\n\u00a0\u00a0\u00a0 Connecting to web.mit.edu|23.58.214.151|:80... connected.\n\u00a0\u00a0\u00a0 HTTP request sent, awaiting response... 200 OK\n\u00a0\u00a0\u00a0 Length: 11950080 (11M) [application\/x-tar]\n\u00a0\u00a0\u00a0 Saving to: \u201ckrb5-1.12.1-signed.tar\u201d\n\u00a0\u00a0\u00a0 100%[===============================================>] 11,950,080\u00a0 1.52M\/s\u00a0\u00a0 in 7.3s\n\u00a0\u00a0\u00a0 2014-04-01 14:00:38 (1.56 MB\/s) - \u201ckrb5-1.12.1-signed.tar\u201d saved [11950080\/11950080]\n# tar\u00a0 -xvf krb5-1.12.1-signed.tar \n\u00a0\u00a0\u00a0 krb5-1.12.1.tar.gz\n\u00a0\u00a0\u00a0 krb5-1.12.1.tar.gz.asc<\/pre>\n
# gpg\u00a0 --verify\u00a0 krb5-1.12.1.tar.gz.asc<\/pre>\n
# tar\u00a0 -zxf\u00a0 krb5-1.12.1.tar.gz\n# cd\u00a0 krb5-1.12.1\/src\/\n# .\/configure\n\u00a0\u00a0\u00a0 ......\n# yum\u00a0 install\u00a0 *yacc*\n\u00a0\u00a0\u00a0 ......\n# make\n\u00a0\u00a0\u00a0 ......\n# make\u00a0 install<\/pre>\n
# krb5-config\u00a0 --all\n\u00a0\u00a0\u00a0 Version:\u00a0\u00a0\u00a0\u00a0 Kerberos 5 release 1.12.1\n\u00a0\u00a0\u00a0 Vendor:\u00a0\u00a0\u00a0\u00a0\u00a0 Massachusetts Institute of Technology\n\u00a0\u00a0\u00a0 Prefix:\u00a0\u00a0\u00a0\u00a0\u00a0 \/usr\/local\n\u00a0\u00a0\u00a0 Exec_prefix: \/usr\/local<\/pre>\n
# vi\u00a0 \/etc\/krb5.conf\n\u00a0\u00a0\u00a0 [libdefaults]\n\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 default_realm = EXAMPLE.COM\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 forwardable = true\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0 \u00a0 \u00a0 \u00a0\u00a0 {Line only important for Alfresco}\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 proxiable = true\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0\u00a0 \u00a0\u00a0\u00a0\u00a0 {Line only important for Alfresco}\n\u00a0\u00a0\u00a0 [realms]\n\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 EXAMPLE.COM = {\n\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 kdc = kdc01oel.example.com:88\n\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 admin_server = kdc01oel.example.com:749\n\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 default_domain = example.com\n\u00a0\u00a0\u00a0 \u00a0 }\n\u00a0\u00a0\u00a0 [domain_realm]\n\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 .example.com = EXAMPLE.COM\n\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 example.com = EXAMPLE.COM<\/pre>\n# klist\n\u00a0\u00a0\u00a0 klist: Credentials cache file '\/tmp\/krb5cc_0' not found\n# kinit\u00a0 mpatou\n\u00a0\u00a0\u00a0 Password for mpatou@EXAMPLE.COM:\n# klist\n\u00a0\u00a0\u00a0 Ticket cache: FILE:\/tmp\/krb5cc_0\n\u00a0\u00a0\u00a0 Default principal: mpatou@EXAMPLE.COM\n\u00a0\u00a0\u00a0 Valid starting\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0 \u00a0 \u00a0\u00a0 Expires\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0 \u00a0 \u00a0 \u00a0\u00a0 Service principal\n\u00a0\u00a0\u00a0 05\/20\/2014 10:54:48 \u00a0 \u00a0 05\/20\/2014 20:54:48 \u00a0 \u00a0 krbtgt\/mpatou@EXAMPLE.COM\n\u00a0\u00a0\u00a0 renew until 05\/21\/2014 10:54:47\n# kdestroy\n# klist\n\u00a0\u00a0\u00a0 klist: Credentials cache file '\/tmp\/krb5cc_0' not found<\/pre>\n
2. Configure the Browser<\/h3>\n
a. Mozilla Firefox (Window\/Linux\/Mac)<\/h4>\n
\n
b. Google Chrome<\/h4>\n
open 'Google Chrome.app' --args --auth-schemes=\"basic,digest,ntlm,negotiate\" --auth-server-whitelist=\"*EXAMPLE.COM\" --auth-negotiate-delegate-whitelist=\"*EXAMPLE.COM\"<\/pre>\n
google-chrome --enable-plugins --args --auth-server-whitelist=\"*EXAMPLE.COM\" --auth-negotiate-delegate-whitelist=\"*EXAMPLE.COM\" --auth-schemes=\"basic,digest,ntlm,negotiate\"<\/pre>\n
chrome.exe --auth-schemes=\"basic,digest,ntlm,negotiate\" --auth-server-whitelist=\"*EXAMPLE.COM\" --auth-negotiate-delegate-whitelist=\"*EXAMPLE.COM\"<\/pre>\n
c. Internet Explorer<\/h4>\n
\n
3. Configure Alfresco to use Kerberos SSO<\/h3>\n
\n
# vi\u00a0 \/opt\/alfresco\/alfresco-4.2.c\/tomcat\/conf\/server.xml\n\u00a0\u00a0\u00a0Connector port=\"8080\" URIEncoding=\"UTF-8\" protocol=\"HTTP\/1.1\" connectionTimeout=\"20000\" redirectPort=\"8443\" maxHttpHeaderSize=\"32768\"<\/pre>\n
# vi\u00a0 \/opt\/alfresco\/alfresco-4.2.c\/tomcat\/shared\/classes\/alfresco-global.properties:\n\u00a0\u00a0\u00a0 authentication.chain=kerberos1:kerberos,alfrescoNtlm1:alfrescoNtlm<\/pre>\n
# cd\u00a0 \/opt\/alfresco\/alfresco-4.2.c\/tomcat\/shared\/classes\/alfresco\/extension\/subsystems\n# vi\u00a0 Authentication\/kerberos\/kerberos1\/kerberos-authentication.properties\n\u00a0\u00a0\u00a0 kerberos.authentication.realm=EXAMPLE.COM\n\u00a0\u00a0\u00a0 kerberos.authentication.sso.enabled=true\n\u00a0\u00a0\u00a0 kerberos.authentication.authenticateCIFS=false\n\u00a0\u00a0\u00a0 kerberos.authentication.user.configEntryName=Alfresco\n\u00a0\u00a0\u00a0 kerberos.authentication.cifs.password=ChangeMe\n\u00a0\u00a0\u00a0 kerberos.authentication.cifs.configEntryName=AlfrescoCIFS\n\u00a0\u00a0\u00a0 kerberos.authentication.stripUsernameSuffix=true\n\u00a0\u00a0\u00a0 kerberos.authentication.http.password=ChangeMe\n\u00a0\u00a0\u00a0 kerberos.authentication.http.configEntryName=AlfrescoHTTP\n\u00a0\u00a0\u00a0 kerberos.authentication.defaultAdministratorUserNames=admin,xxx,yyy\n\u00a0\u00a0\u00a0 kerberos.authentication.browser.ticketLogons=true<\/pre>\n
# \/usr\/local\/bin\/kadmin\n\u00a0\u00a0\u00a0 addprinc\u00a0 cifs\/alf01.example.com@EXAMPLE.COM\n\u00a0\u00a0\u00a0 addprinc\u00a0 HTTP\/alf01.example.com@EXAMPLE.COM\n\u00a0\u00a0\u00a0 ktadd\u00a0 -k\u00a0 \/etc\/krb5cifs.keytab\u00a0 cifs\/alf01.example.com@EXAMPLE.COM\n\u00a0\u00a0\u00a0 ktadd\u00a0 -k\u00a0 \/etc\/krb5http.keytab\u00a0 HTTP\/alf01.example.com@EXAMPLE.COM
<\/code><\/pre>\n# cd\u00a0 \/etc\n# scp\u00a0 krb5cifs.keytab\u00a0 root@alf01.example.com:\/etc\nenter password:\n# scp\u00a0 krb5http.keytab\u00a0 root@alf01.example.com:\/etc\nenter password:<\/pre>\n
# vi\u00a0 \/opt\/alfresco\/alfresco-4.2.c\/java\/jre\/lib\/security\/java.login.config:\n\u00a0\u00a0\u00a0 Alfresco {\n\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 com.sun.security.auth.module.Krb5LoginModule sufficient;\n\u00a0\u00a0\u00a0 };<\/pre>\n\u00a0\u00a0\u00a0 AlfrescoCIFS {\n\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 com.sun.security.auth.module.Krb5LoginModule required\n\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 storeKey=true\n\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 useKeyTab=true\n\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 keyTab=\"\/etc\/krb5cifs.keytab\"\n\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 principal=\"cifs\/alf01.example.com\";\n\u00a0\u00a0\u00a0 };\n\u00a0\u00a0\u00a0 AlfrescoHTTP {\n\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 com.sun.security.auth.module.Krb5LoginModule required\n\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 storeKey=true\n\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 useKeyTab=true\n\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 keyTab=\"\/etc\/krb5http.keytab\"\n\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 principal=\"HTTP\/alf01.example.com\";\n\u00a0\u00a0\u00a0 };\n\u00a0\u00a0\u00a0 ShareHTTP {\n\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 com.sun.security.auth.module.Krb5LoginModule required\n\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 storeKey=true\n\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 useKeyTab=true\n\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 keyTab=\"\/etc\/krb5http.keytab\"\n\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 principal=\"HTTP\/alf01.example.com\";\n\u00a0\u00a0\u00a0 };\n\u00a0\u00a0\u00a0 com.sun.net.ssl.client {\n\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 com.sun.security.auth.module.Krb5LoginModule sufficient;\n\u00a0\u00a0\u00a0 };\n\u00a0\u00a0\u00a0 other {\n\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 com.sun.security.auth.module.Krb5LoginModule sufficient;\n\u00a0\u00a0\u00a0 };<\/pre>\n# vi\u00a0 \/opt\/alfresco\/alfresco-4.2.c\/java\/jre\/lib\/security\/java.security:\n\u00a0\u00a0\u00a0 login.config.url.1=file:${java.home}\/lib\/security\/java.login.config<\/pre>\n# vi \/opt\/alfresco\/alfresco-4.2.c\/tomcat\/shared\/classes\/alfresco\/web-extension\/share-config-custom.xml<\/pre>\n
![\"ShareCustom1.png\"](\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/ShareCustom1.png\" "\\"ShareCustom1.png\\"")
<\/a>![\"ShareCustom2.png\"](\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/ShareCustom2.png\" "\\"ShareCustom2.png\\"")
<\/a>![\"ShareCustom3.png\"](\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/ShareCustom3.png\" "\\"ShareCustom3.png\\"")
<\/a><\/p>\n# unzip\u00a0 \/opt\/UnlimitedJCEPolicyJDK7.zip\n# cd\u00a0 \/opt\/alfresco\/alfresco-4.2.c\/java\/jre\/lib\/security\n# cp\u00a0 local_policy.jar\u00a0 local_policy.jar.orig\n# cp\u00a0 US_export_policy.jar\u00a0 US_export_policy.jar.orig\n# cd\u00a0 \/opt\/UnlimitedJCEPolicy\n# cp\u00a0 local_policy.jar\u00a0 \/opt\/alfresco\/alfresco-4.2.c\/java\/jre\/lib\/security\/\n# cp\u00a0 US_export_policy.jar\u00a0 \/opt\/alfresco\/alfresco-4.2.c\/java\/jre\/lib\/security\/<\/pre>\n
\nGood luck with Kerberos and Alfresco!<\/p>\n","protected":false},"excerpt":{"rendered":"