If the Active Directory instance is in a separate domain, the keytab and krb5.conf files described in "Configure a realm and client" need to be edited.
- The keytab file can be configured to refer to an Active Directory instance in a separate domain if necessary. For example:
ktpass -princ HTTP/alfresco.example.com@AD-SSO.EXAMPLE.COM -pass PASSWORD -mapuser ad-sso\httpsalfresco -crypto all -ptype KRB5_NT_PRINCIPAL -out c:\temp\httpalfresco.keytab -kvno 0
Where alfresco.example.com is the load balancer address, AD-SSO.EXAMPLE.COM is the domain of the Active Directory instance, and ad-sso is the NetBIOS domain name (domainnetbios) of the Active Directory instance.
- The krb5.conf uses the internal IP address of the Active Directory container. For example:
[libdefaults]
default_realm = AD-SSO.EXAMPLE.COM
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac

[realms]
AD-SSO.EXAMPLE.COM = {
    kdc = ec2amaz-5gk9lmd.ad-sso.example.com
}

[domain_realm]
ec2amaz-5gk9lmd.ad-sso.example.com = AD-SSO.EXAMPLE.COM
.ec2amaz-5gk9lmd.ad-sso.example.com = AD-SSO.EXAMPLE.COM
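A check worth running on a krb5.conf like the one above before deploying it, as an added example (not Alfresco's code): it flags enctypes deprecated for Kerberos, such as the `rc4-hmac` pinned in the sample, and realms that are referenced without a `[realms]` entry. The names `parse_krb5`, `lint_krb5`, `WEAK` and `SAMPLE` are hypothetical, and the parser assumes one level of `{ }` nesting.

```python
# Enctypes deprecated by RFC 6649 (DES) and RFC 8429 (RC4, 3DES).
WEAK = {"rc4-hmac", "arcfour-hmac", "des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1"}

# Constructed sample mirroring the krb5.conf shown above.
SAMPLE = """\
[libdefaults]
default_realm = AD-SSO.EXAMPLE.COM
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
[realms]
AD-SSO.EXAMPLE.COM = {
    kdc = ec2amaz-5gk9lmd.ad-sso.example.com
}
[domain_realm]
ec2amaz-5gk9lmd.ad-sso.example.com = AD-SSO.EXAMPLE.COM
.ec2amaz-5gk9lmd.ad-sso.example.com = AD-SSO.EXAMPLE.COM
"""

def parse_krb5(text):
    """Parse sections, key = value pairs and one level of { } blocks."""
    conf, section, block = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1].strip(), {}), None
        elif line == "}":
            block = None
        elif "=" in line and section is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (section if block is None else block)[key] = value
    return conf

def lint_krb5(text):
    """Return findings: deprecated enctypes and realms that are not defined."""
    conf, findings = parse_krb5(text), []
    lib, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    for key in filter(lambda k: k.endswith("enctypes"), lib):
        weak = [e for e in lib[key].lower().replace(",", " ").split() if e in WEAK]
        findings += [f"{key}: deprecated enctype {e}" for e in weak]
    mapped = {lib.get("default_realm"), *conf.get("domain_realm", {}).values()}
    for realm in sorted(r for r in mapped if r and r not in realms):
        findings.append(f"realm {realm} is referenced but has no [realms] entry")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_krb5(SAMPLE)) or "no findings")
```

Switching the two enctype lines to `aes256-cts-hmac-sha1-96` clears the findings, provided the keytab and the mapped Active Directory account also carry AES keys.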