To enable full Kerberos support in Content Services and the SSO authentication filters, each need a Kerberos service ticket.
The Kerberos subsystem supports the following properties:
Property | Description |
---|---|
kerberos.authentication.realm | The Kerberos realm with which to authenticate. The realm should be the domain name in upper case; for example, if the domain is alfresco.org then the realm should be ALFRESCO.ORG. |
kerberos.authentication.sso.enabled | A value of true enables SPNEGO/Kerberos based Single Sign On (SSO) functionality in the web client. If the value is false and no other members of the authentication chain support SSO, password-based login is used. |
kerberos.authentication.sso.fallback.enabled | If SSO fails, a fallback authentication mechanism is used. The default value is true. |
kerberos.authentication.user.configEntryName | The name of the entry in the JAAS configuration file that is used for password-based authentication. The default value Alfresco is recommended. |
kerberos.authentication.http.configEntryName | The name of the entry in the JAAS configuration file that is used for web-based Single-Sign On (SSO). The default value AlfrescoHTTP is recommended. |
kerberos.authentication.defaultAdministratorUserNames | A comma separated list of user names that are treated as administrators by default. |
kerberos.authentication.browser.ticketLogons | Authentication using a ticket parameter in the request URL. The default value is true. Note that WebDAV URLs always accept ticket parameters. |
kerberos.authentication.stripUsernameSuffix | A value of true strips the @domain suffix from Kerberos authenticated user names in SPP, WebDAV and the Web Client. A value of false enables a multi-domain customer to use the @domain suffix. |
For Kerberos to work with user names that contain non-ASCII characters, add the following option to JAVA_OPTS for the Share JVM: -Dsun.security.krb5.msinterop.kstring=true