The Java Authentication and Authorization Service (JAAS) is used within the Kerberos subsystem to support Kerberos authentication of user names and passwords. You can choose to use Kerberos against an Active Directory server in preference to LDAP or alfrescoNtlm as it provides strong encryption without using SSL. It would still be possible to export user registry information using a chained LDAP subsystem.
Use this information to enable Kerberos with SSO.
If you want to enable Kerberos without SSO, you’ll be authenticated using LDAP AD and the password will be sent to the LDAP AD in clear text.
This information assumes that your LDAP AD server is active and available; Alfresco uses it for two purposes.
- For importing users - Active Directory is used for importing the users in Alfresco.
- For communicating with the Key Distribution Center (KDC) - In most cases, KDC runs on the Active Directory server, so it needs to be accessible by Alfresco. When Alfresco receives a Kerberos authentication request, it uses Active Directory to import all the users that you’re authenticating against into Alfresco.
Active Directory is not used for LDAP authentication; it is used for Kerberos authentication.
Enable Kerberos authentication
Use this information to enable and configure Kerberos authentication.
Kerberos configuration requires the following main tasks.
- Step 1. Configure Kerberos with Active Directory
- Step 2. Configure Kerberos on Alfresco server
- Step 3. Configure Alfresco Share Kerberos SSO
- Step 4. Kerberos client configuration
How Kerberos sits in the overall authentication chain
If you use Kerberos for authentication and LDAP AD for synchronizing the user accounts into Alfresco, you must disable LDAP authentication. If you’re using SSO and do not disable LDAP authentication, Kerberos authentication will fail.
In order to use all the benefits of Kerberos SSO, enable Kerberos using Directory Management in the Admin Console.
- In the Repo Admin Console, click Directory Management under Directories. You see the Directory Management page.
- Under Authentication Chain, specify a name and set the type to Kerberos.
  Note: When you add the authentication types, make sure they’re in the following order: Kerberos, LDAP AD, and alfrescoNtlm.
- Click Add, and then Save to add the new Kerberos type element in the authentication chain list.
- Select Kerberos from Browser Based Automatic Login.
- To configure Kerberos using the configuration properties in the Admin Console, see Configure Kerberos.
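As an added check, not part of the Alfresco documentation or product, the following Python script reads an alfresco-global.properties snippet and flags the two misconfigurations described above: a chain that is not ordered Kerberos, LDAP AD, alfrescoNtlm, and LDAP authentication left active alongside Kerberos SSO. The property names `authentication.chain`, `kerberos.authentication.sso.enabled`, `ldap.authentication.active` and `ldap.synchronization.active` are assumed to match Alfresco's property file, and both snippets are constructed.

```python
# Added example, not Alfresco's own code: checks an alfresco-global.properties
# snippet against the Kerberos SSO rules above. Property names are assumed to
# match Alfresco's; both snippets are constructed.
REQUIRED_ORDER = ["kerberos", "ldap-ad", "alfrescoNtlm"]  # order the page requires

# Constructed: LDAP AD listed first and still authenticating -> Kerberos SSO fails.
BAD_PROPS = """
authentication.chain=ldap1:ldap-ad,kerberos1:kerberos,alfrescoNtlm1:alfrescoNtlm
kerberos.authentication.sso.enabled=true
ldap.authentication.active=true
"""
# Constructed: Kerberos first, LDAP AD kept only for user synchronization.
GOOD_PROPS = """
authentication.chain=kerberos1:kerberos,ldap1:ldap-ad,alfrescoNtlm1:alfrescoNtlm
kerberos.authentication.sso.enabled=true
ldap.authentication.active=false
ldap.synchronization.active=true
"""

def parse_properties(text):
    """Minimal Java .properties parser: key=value lines, '#' comments, blanks."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def chain_types(chain):
    """'kerberos1:kerberos,ldap1:ldap-ad' -> ['kerberos', 'ldap-ad'] (instance ids dropped)."""
    return [entry.split(":", 1)[1] for entry in chain.split(",") if ":" in entry]

def check_kerberos_chain(props):
    """Return rule violations for the chain; an empty list means it follows the page's rules."""
    problems = []
    types = chain_types(props.get("authentication.chain", ""))
    if "kerberos" not in types:
        problems.append("no kerberos subsystem in authentication.chain")
    # Relative order of the three types must match REQUIRED_ORDER.
    present = [t for t in types if t in REQUIRED_ORDER]
    expected = [t for t in REQUIRED_ORDER if t in present]
    if present != expected:
        problems.append(f"chain order {present} should be {expected}")
    # With SSO on, an active LDAP AD authenticator makes Kerberos fail (see above).
    sso = props.get("kerberos.authentication.sso.enabled", "false") == "true"
    ldap_auth = props.get("ldap.authentication.active", "true") == "true"  # assumed default
    if sso and ldap_auth and "ldap-ad" in types:
        problems.append("ldap.authentication.active must be false when Kerberos SSO is enabled")
    return problems
```

Run `check_kerberos_chain(parse_properties(BAD_PROPS))` to see both violations reported; the GOOD_PROPS snippet returns an empty list.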