The Java login files need to be updated with details of the Kerberos configuration and the alfresco-global.properties updated to enable SSO using Kerberos.
- Configure or create the Java configuration file java.login.config located in /java/conf/security. The following is an example of a java.login.config file. The important properties to set are keyTab and principal:
  - keyTab is the location of the keytab file (see Configure Kerberos files) copied to the ACS server
  - principal is in the format HTTP/<host>.<domain>

      Alfresco {
          com.sun.security.auth.module.Krb5LoginModule sufficient;
      };

      AlfrescoHTTP {
          com.sun.security.auth.module.Krb5LoginModule required
              storeKey=true
              useKeyTab=true
              doNotPrompt=true
              keyTab="/etc/kerberos.keytab"
              principal="HTTP/alfresco.example.com";
      };

      com.sun.net.ssl.client {
          com.sun.security.auth.module.Krb5LoginModule sufficient;
      };

      other {
          com.sun.security.auth.module.Krb5LoginModule sufficient;
      };
- Edit the following line in the Java security configuration file java.security (by default located in java/conf/security/) to point to the java.login.config file using the full file path:

      login.config.url.1=file:<installLocation>/java/conf/security/java.login.config
- Use the following configuration parameters in an alfresco-global.properties file:
  - authentication.chain: The authentication chain needs to be set for Kerberos, for example kerberos,alfrescoNtlm1:alfrescoNtlm.
  - kerberos.authentication.realm: The Kerberos realm to authenticate against. The realm name is the domain name in uppercase, for example EXAMPLE.COM.
  - kerberos.authentication.sso.enabled: Sets whether authentication using Kerberos is enabled or not.
  - kerberos.authentication.sso.fallback.enabled: Sets whether a fallback authentication mechanism such as database credentials is used.
  - kerberos.authentication.user.configEntryName: The name of the entry in the Java Authentication and Authorization Service (JAAS) file used for password-based authentication. The default value of Alfresco is recommended.
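The three files above have to agree with each other: the AlfrescoHTTP entry in java.login.config must carry a keytab and an HTTP/<host>.<domain> principal, the entry named by kerberos.authentication.user.configEntryName must exist, the realm must be uppercase, and the authentication chain must actually contain a kerberos subsystem. The following pre-deployment checker is an added example and not Alfresco's own code; it parses both files with a minimal JAAS and .properties reader and lists the mismatches. The sample file contents, the `file_exists` hook (so the keytab check can run offline) and all function names are constructed for this example.

```python
"""Sanity-check an Alfresco Kerberos SSO configuration before deployment.

Added example, not Alfresco's own code. Parses java.login.config (JAAS) and
alfresco-global.properties and reports the mistakes that most often break
Kerberos SSO. Sample contents and helper names are constructed for the example.
"""
import os
import re
from typing import Callable, Dict, List, Tuple

JaasModule = Tuple[str, str, Dict[str, str]]  # (module class, control flag, options)

# JAAS grammar used here: Name { module.Class flag opt=value ...; [more modules;] };
_ENTRY_RE = re.compile(r'([\w.]+)\s*\{(.*?)\}\s*;', re.S)
_MODULE_RE = re.compile(r'([\w.]+)\s+(required|requisite|sufficient|optional)\b(.*?);', re.S)
_OPTION_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|(\S+))')
# Service principal for HTTP SSO: HTTP/<host>.<domain>, optionally @REALM
_PRINCIPAL_RE = re.compile(r'^HTTP/(?P<host>[^/@\s]+)(?:@(?P<realm>\S+))?$')

# Constructed sample java.login.config (mirrors the layout shown in the text)
SAMPLE_LOGIN_CONFIG = """
Alfresco { com.sun.security.auth.module.Krb5LoginModule sufficient; };
AlfrescoHTTP {
    com.sun.security.auth.module.Krb5LoginModule required
        storeKey=true useKeyTab=true doNotPrompt=true
        keyTab="/etc/kerberos.keytab" principal="HTTP/alfresco.example.com";
};
com.sun.net.ssl.client { com.sun.security.auth.module.Krb5LoginModule sufficient; };
other { com.sun.security.auth.module.Krb5LoginModule sufficient; };
"""

# Constructed sample alfresco-global.properties fragment
SAMPLE_GLOBAL_PROPERTIES = """
authentication.chain=kerberos1:kerberos,alfrescoNtlm1:alfrescoNtlm
kerberos.authentication.realm=EXAMPLE.COM
kerberos.authentication.sso.enabled=true
kerberos.authentication.sso.fallback.enabled=false
kerberos.authentication.user.configEntryName=Alfresco
"""


def parse_jaas(text: str) -> Dict[str, List[JaasModule]]:
    """Return {entry name: [(module class, control flag, options), ...]}."""
    entries: Dict[str, List[JaasModule]] = {}
    for name, body in _ENTRY_RE.findall(text):
        modules: List[JaasModule] = []
        for cls, flag, opt_text in _MODULE_RE.findall(body):
            opts = {k: (quoted or bare) for k, quoted, bare in _OPTION_RE.findall(opt_text)}
            modules.append((cls, flag, opts))
        entries[name] = modules
    return entries


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments, no escapes."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(('#', '!')):
            continue
        key, sep, value = line.partition('=')
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_kerberos_config(login_config: str, global_props: str,
                          file_exists: Callable[[str], bool] = os.path.isfile) -> List[str]:
    """Return a list of findings; an empty list means the two files are consistent."""
    findings: List[str] = []
    jaas = parse_jaas(login_config)
    props = parse_properties(global_props)
    realm = props.get('kerberos.authentication.realm', '')

    http = jaas.get('AlfrescoHTTP', [])
    krb = [m for m in http if m[0].endswith('Krb5LoginModule')]
    if not krb:
        findings.append('java.login.config: AlfrescoHTTP entry with Krb5LoginModule is missing')
    else:
        _cls, flag, opts = krb[0]
        if flag != 'required':
            findings.append(f'AlfrescoHTTP: Krb5LoginModule flag is {flag!r}, expected required')
        for key in ('useKeyTab', 'storeKey', 'doNotPrompt'):
            if opts.get(key) != 'true':  # SSO must not prompt and must keep the keytab key
                findings.append(f'AlfrescoHTTP: {key} should be true')
        keytab = opts.get('keyTab')
        if not keytab:
            findings.append('AlfrescoHTTP: keyTab is not set')
        elif not file_exists(keytab):
            findings.append(f'AlfrescoHTTP: keyTab {keytab} does not exist on this host')
        principal = opts.get('principal', '')
        m = _PRINCIPAL_RE.match(principal)
        if not m or '.' not in m.group('host'):
            findings.append(f'AlfrescoHTTP: principal {principal!r} is not HTTP/<host>.<domain>')
        elif m.group('realm') and m.group('realm') != realm:
            findings.append(f'AlfrescoHTTP: principal realm {m.group("realm")} differs from {realm!r}')

    entry = props.get('kerberos.authentication.user.configEntryName', 'Alfresco')
    if entry not in jaas:
        findings.append(f'java.login.config: entry {entry!r} for password-based login is missing')
    if not realm:
        findings.append('kerberos.authentication.realm is not set')
    elif realm != realm.upper():
        findings.append(f'kerberos.authentication.realm {realm!r} must be uppercase')
    # authentication.chain is "id:type,id:type"; a bare "kerberos" item is accepted too
    chain_types = [item.strip().rpartition(':')[2]
                   for item in props.get('authentication.chain', '').split(',') if item.strip()]
    if 'kerberos' not in chain_types:
        findings.append('authentication.chain contains no kerberos subsystem')
    if props.get('kerberos.authentication.sso.enabled') != 'true':
        findings.append('kerberos.authentication.sso.enabled is not true')
    return findings


def login_config_url_line(install_location: str) -> str:
    """Build the java.security line that points at java.login.config."""
    return f'login.config.url.1=file:{install_location}/java/conf/security/java.login.config'


if __name__ == '__main__':
    print(login_config_url_line('/opt/alfresco'))  # install path is a constructed value
    for finding in check_kerberos_config(SAMPLE_LOGIN_CONFIG, SAMPLE_GLOBAL_PROPERTIES) or ['OK']:
        print(finding)
```

Run against the real files by reading them from disk and passing the text in; with the default `file_exists` the keytab check hits the local filesystem, so run it on the ACS host itself. A principal without a realm suffix is accepted because Krb5LoginModule takes the realm from krb5.conf; with a suffix, it must match kerberos.authentication.realm.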