The Java login configuration files need to be updated with the details of the Kerberos configuration, and activiti-ldap.properties needs to be updated to enable SSO using Kerberos.
- Configure or create the Java configuration file java.login.config located in /java/conf/security. The following is an example of a java.login.config file. The important properties to set are keyTab and principal.
  - keyTab is the location of the keytab file (see Configure Kerberos files) copied to the ACS server. The keytab holds the long-term key of the HTTP service principal, so restrict it to the account the application server runs as (for example, owner-only permissions such as 0600 on Linux).
  - principal is in the format HTTP/<host>.<domain>

    Alfresco {
        com.sun.security.auth.module.Krb5LoginModule sufficient;
    };

    AlfrescoHTTP {
        com.sun.security.auth.module.Krb5LoginModule required
        storeKey=true
        useKeyTab=true
        doNotPrompt=true
        keyTab="/etc/kerberos.keytab"
        principal="HTTP/alfresco.example.com";
    };

    com.sun.net.ssl.client {
        com.sun.security.auth.module.Krb5LoginModule sufficient;
    };

    other {
        com.sun.security.auth.module.Krb5LoginModule sufficient;
    };
- Edit the following line in the Java security configuration file java.security, by default located in java/conf/security/, so that it points to the java.login.config file using the full file path:

    login.config.url.1=file:<installLocation>/java/conf/security/java.login.config
- Use the following configuration parameters in the activiti-ldap.properties file:
  - kerberos.authentication.enabled: Sets whether authentication via Kerberos is enabled. This needs to be set to true to set up SSO using Kerberos, for example true.
  - kerberos.authentication.principal: The Service Principal Name (SPN) to authenticate against, for example HTTP/alfresco.example.com. This must be the same principal as in the AlfrescoHTTP entry of java.login.config.
  - kerberos.authentication.keytab: The location of the key table file, for example C:/alfresco/alfrescohttp.keytab.
  - kerberos.authentication.krb5.conf: The location of the Kerberos ini file, for example C:/Windows/krb5.ini.
  - kerberos.allow.ldap.authentication.fallback: Sets whether to allow sign-in from unsupported browsers using LDAP credentials, for example false.
  - kerberos.allow.database.authentication.fallback: Sets whether to allow sign-in from unsupported browsers using database credentials, for example true. Note that any fallback keeps a password-based login reachable from clients that do not negotiate Kerberos, so enable it only where it is actually needed.
  - kerberos.allow.samAccountName.authentication: Sets whether authentication can use the short form, such as username rather than username@domain.com, for example true.
  - security.authentication.use-externalid: A setting that enables authentication through Kerberos, for example true.
  - ldap.authentication.enabled: Sets whether LDAP authentication is enabled. This setting needs to be set to true for SSO to work with Kerberos, for example true.
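The three steps above leave the Kerberos details spread over two files that must agree, and a mismatch usually shows up only as a failed login at runtime. The following checker is an added example (not part of Alfresco Process Services or its documentation): it parses a java.login.config entry and an activiti-ldap.properties file, verifies the settings the steps above call for (Krb5LoginModule with storeKey/useKeyTab/doNotPrompt, a principal of the form HTTP/<host>.<domain>, the three properties that must be true, and the SPN matching between the files), warns about enabled password fallbacks, and checks that the keytab is owner-only. The regular expressions, the severity labels and the two sample files are assumptions of this example.

```python
"""Consistency checks for the Kerberos SSO configuration described above.

Added example, not part of Alfresco Process Services: it reads a
java.login.config (JAAS) file and an activiti-ldap.properties file and reports
the mismatches that most often break Kerberos SSO. The regular expressions,
the sample files and the severity labels are assumptions of this example.
"""
import os
import re
import stat
import tempfile

# JAAS entry:  Name { module flag [option=value ...]; };
ENTRY_RE = re.compile(r'([\w.]+)\s*\{(.*?)\};', re.S)
MODULE_RE = re.compile(r'([\w.]+)\s+(required|requisite|sufficient|optional)\s*(.*?);', re.S)
OPTION_RE = re.compile(r'(\w+)\s*=\s*"?([^"\s;]+)"?')
PRINCIPAL_RE = re.compile(r'^HTTP/[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$')  # HTTP/<host>.<domain>
KRB5_MODULE = 'com.sun.security.auth.module.Krb5LoginModule'


def parse_jaas(text):
    """Return {entry_name: [(module, flag, {option: value}), ...]}."""
    entries = {}
    for name, body in ENTRY_RE.findall(text):
        entries[name] = [(module, flag, dict(OPTION_RE.findall(opts)))
                         for module, flag, opts in MODULE_RE.findall(body)]
    return entries


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(('#', '!')):
            key, sep, value = line.partition('=')
            if sep:
                props[key.strip()] = value.strip()
    return props


def keytab_findings(path):
    """The keytab holds the service's long-term key: it must exist and be owner-only."""
    if not os.path.isfile(path):
        return [('error', f'keytab {path} does not exist')]
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [('error', f'keytab {path} is group/world accessible (mode {mode:04o}); use 0600')]
    return []


def check_config(jaas_text, props_text, check_files=False):
    """Return [(severity, message)]; no 'error' entries means the two files agree."""
    findings = []
    jaas = parse_jaas(jaas_text)
    props = parse_properties(props_text)

    opts = {}
    http = jaas.get('AlfrescoHTTP')
    if not http:
        findings.append(('error', 'java.login.config has no AlfrescoHTTP entry'))
    else:
        module, _flag, opts = http[0]
        if module != KRB5_MODULE:
            findings.append(('error', f'AlfrescoHTTP must use {KRB5_MODULE}'))
        for opt in ('storeKey', 'useKeyTab', 'doNotPrompt'):
            if opts.get(opt) != 'true':
                findings.append(('error', f'AlfrescoHTTP: {opt}=true is missing'))
        if 'keyTab' not in opts:
            findings.append(('error', 'AlfrescoHTTP: keyTab is not set'))
        elif check_files:
            findings.extend(keytab_findings(opts['keyTab']))
        if not PRINCIPAL_RE.match(opts.get('principal', '')):
            findings.append(('error', 'AlfrescoHTTP: principal must be HTTP/<host>.<domain>'))

    # Kerberos SSO needs all three of these switched on.
    for key in ('kerberos.authentication.enabled', 'ldap.authentication.enabled',
                'security.authentication.use-externalid'):
        if props.get(key) != 'true':
            findings.append(('error', f'{key} must be true for Kerberos SSO'))
    for key in ('kerberos.authentication.keytab', 'kerberos.authentication.krb5.conf'):
        if not props.get(key):
            findings.append(('error', f'{key} is not set'))
    if props.get('kerberos.authentication.principal') != opts.get('principal'):
        findings.append(('error', 'kerberos.authentication.principal differs from the JAAS principal'))

    # A fallback keeps password login reachable for clients that do not negotiate Kerberos.
    for key in ('kerberos.allow.ldap.authentication.fallback',
                'kerberos.allow.database.authentication.fallback'):
        if props.get(key) == 'true':
            findings.append(('warning', f'{key}=true: password login stays reachable'))
    return findings


def keytab_permission_demo():
    """Create a throwaway keytab and check it at mode 0644, then at 0600."""
    with tempfile.NamedTemporaryFile(suffix='.keytab', delete=False) as tmp:
        path = tmp.name
    try:
        os.chmod(path, 0o644)
        loose = keytab_findings(path)
        os.chmod(path, 0o600)
        strict = keytab_findings(path)
    finally:
        os.remove(path)
    return loose, strict


# Constructed sample files mirroring the examples in the steps above (Linux paths assumed).
SAMPLE_JAAS = '''
Alfresco { com.sun.security.auth.module.Krb5LoginModule sufficient; };
AlfrescoHTTP {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true useKeyTab=true doNotPrompt=true
    keyTab="/etc/kerberos.keytab" principal="HTTP/alfresco.example.com";
};
com.sun.net.ssl.client { com.sun.security.auth.module.Krb5LoginModule sufficient; };
other { com.sun.security.auth.module.Krb5LoginModule sufficient; };
'''

SAMPLE_PROPS = '''
kerberos.authentication.enabled=true
kerberos.authentication.principal=HTTP/alfresco.example.com
kerberos.authentication.keytab=/etc/kerberos.keytab
kerberos.authentication.krb5.conf=/etc/krb5.conf
kerberos.allow.ldap.authentication.fallback=false
kerberos.allow.database.authentication.fallback=true
kerberos.allow.samAccountName.authentication=true
security.authentication.use-externalid=true
ldap.authentication.enabled=true
'''

if __name__ == '__main__':
    for severity, message in check_config(SAMPLE_JAAS, SAMPLE_PROPS, check_files=True):
        print(f'{severity}: {message}')
```

Run against real files by reading them into check_config with check_files=True; on the sample above the only output is the warning about the database fallback, plus a keytab error if /etc/kerberos.keytab is absent or readable by others on the machine where it runs.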