Kerberos configuration files - Alfresco Content Services - 23.4

In "Configure a realm and client", the keytab and krb5.conf files need to be edited if the Active Directory instance is in a separate domain.

  1. The keytab file can be configured to refer to an Active Directory instance in a separate domain if necessary.

    For example:

     ktpass -princ HTTP/alfresco.example.com@AD-SSO.EXAMPLE.COM -pass PASSWORD -mapuser ad-sso\httpsalfresco -crypto all -ptype KRB5_NT_PRINCIPAL -out c:\temp\httpalfresco.keytab -kvno 0
    

    Where alfresco.example.com is the load balancer address, AD-SSO.EXAMPLE.COM is the domain of the Active Directory instance, and ad-sso is the NetBIOS domain name (domainnetbios) of the Active Directory instance.

  2. The krb5.conf uses the internal IP address of the Active Directory container.

    For example:

     [libdefaults]
     default_realm = AD-SSO.EXAMPLE.COM
     default_tkt_enctypes = rc4-hmac
     default_tgs_enctypes = rc4-hmac
    
     [realms]
     AD-SSO.EXAMPLE.COM = {
         kdc = ec2amaz-5gk9lmd.ad-sso.example.com
     }
    
     [domain_realm]
     ec2amaz-5gk9lmd.ad-sso.example.com = AD-SSO.EXAMPLE.COM
     .ec2amaz-5gk9lmd.ad-sso.example.com = AD-SSO.EXAMPLE.COM
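
A check for the krb5.conf shown in step 2, as an added example that is not part of the Alfresco documentation: it flags enctypes deprecated by RFC 6649 and RFC 8429 (the rc4-hmac values above among them) and realm names in [libdefaults] and [domain_realm] that have no matching [realms] entry. The function names and the minimal parser are this example's own; the parser handles only the sections and one-level brace blocks used on this page.

```python
import re

# Enctype names deprecated by RFC 6649 (DES) and RFC 8429 (3DES, RC4).
WEAK = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des3-cbc-sha1",
        "des3-hmac-sha1", "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5"}

# The krb5.conf from step 2 of this page, embedded so the check runs offline.
PAGE_CONF = """
[libdefaults]
default_realm = AD-SSO.EXAMPLE.COM
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
[realms]
AD-SSO.EXAMPLE.COM = {
    kdc = ec2amaz-5gk9lmd.ad-sso.example.com
}
[domain_realm]
ec2amaz-5gk9lmd.ad-sso.example.com = AD-SSO.EXAMPLE.COM
.ec2amaz-5gk9lmd.ad-sso.example.com = AD-SSO.EXAMPLE.COM
"""

def parse_krb5_conf(text):
    """Return {section: {key: value}}; a 'NAME = {' block is recorded as key NAME."""
    conf, section, depth = {}, None, 0
    for line in (raw.strip() for raw in text.splitlines()):
        if header := re.fullmatch(r"\[(\w+)\]", line):
            section, depth = conf.setdefault(header.group(1), {}), 0
        elif line == "}":
            depth -= 1
        elif "=" in line and line[0] not in "#;" and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if depth == 0:
                section.setdefault(key, value)
            depth += value == "{"  # entering a sub-block such as a realm body
    return conf

def audit(text):
    """Return findings: deprecated enctypes and realm names missing from [realms]."""
    conf, findings = parse_krb5_conf(text), []
    lib, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        weak = WEAK & set(lib.get(key, "").lower().replace(",", " ").split())
        if weak:
            findings.append(f"{key}: deprecated enctype {', '.join(sorted(weak))}")
    named = {"default_realm": lib.get("default_realm", ""), **conf.get("domain_realm", {})}
    for source, realm in named.items():
        if realm not in realms:
            findings.append(f"{source} -> {realm!r}: realm not defined in [realms]")
    return findings
```

An enctype change in krb5.conf only takes effect if the keytab from step 1 contains a key of that type for the service principal.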