The Java login files need to be updated with details of the Kerberos configuration and the share-config-custom.xml file edited to enable SSO using Kerberos.
- Configure or create the Java login configuration file java.login.config, located in /java/conf/security. The following is an example of a java.login.config file. The important properties to set are keyTab and principal:
  - keyTab is the location of the keytab file copied to the ACS server
  - principal is in the format HTTP/<host>.<domain>

      Alfresco {
          com.sun.security.auth.module.Krb5LoginModule sufficient;
      };
      ShareHTTP {
          com.sun.security.auth.module.Krb5LoginModule required
          storeKey=true
          useKeyTab=true
          doNotPrompt=true
          keyTab="/etc/kerberos.keytab"
          principal="HTTP/alfresco.example.com";
      };
      com.sun.net.ssl.client {
          com.sun.security.auth.module.Krb5LoginModule sufficient;
      };
      other {
          com.sun.security.auth.module.Krb5LoginModule sufficient;
      };
Note: If Alfresco Share is hosted on the same server as Alfresco Content Services, the contents of java.login.config can be merged into a single file.
- Edit the following line in the Java security configuration file java.security, by default located in java/conf/security/, so that it points to the java.login.config file using the full file path:

      login.config.url.1=file:<installLocation>/java/conf/security/java.login.config
- Open the share-config-custom.xml file and make the following changes:
  - Update the <realm> property with the realm name, for example <realm>EXAMPLE.COM</realm>.
  - Update the <endpoint-spn> property with the SPN value, for example <endpoint-spn>HTTP/alfresco@EXAMPLE.COM</endpoint-spn>.
  - Uncomment the two sections that begin with <config evaluator="string-compare" condition="Remote">.
  - Navigate to the <!--- Kerberos settings ---> section and replace condition="KerberosDisabled" with condition="Kerberos".

Note: For Kerberos to work with user names that contain non-ASCII characters, add the following option to JAVA_OPTS for the Share JVM: -Dsun.security.krb5.msinterop.kstring=true
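The settings above live in two files that must agree with each other, and a mismatch only shows up as a failed SSO login after the JVM restart. The following checker is an added example (not Alfresco code): it parses the ShareHTTP entry of java.login.config and the <realm> and <endpoint-spn> values of share-config-custom.xml and reports inconsistencies. The sample inputs are constructed from the page's example values; the wrapping <alfresco-config> root element and the comparison of the short host label of principal and SPN are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed java.login.config, using the page's example values.
LOGIN_CONFIG = """Alfresco { com.sun.security.auth.module.Krb5LoginModule sufficient; };
ShareHTTP { com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true useKeyTab=true doNotPrompt=true
    keyTab="/etc/kerberos.keytab" principal="HTTP/alfresco.example.com"; };
other { com.sun.security.auth.module.Krb5LoginModule sufficient; };"""

# Constructed share-config-custom.xml fragment; the root element name is assumed.
SHARE_CONFIG = """<alfresco-config>
  <config evaluator="string-compare" condition="Kerberos">
    <realm>EXAMPLE.COM</realm>
    <endpoint-spn>HTTP/alfresco@EXAMPLE.COM</endpoint-spn>
  </config>
</alfresco-config>"""

PRINCIPAL_RE = re.compile(r"^HTTP/([^/@\s]+\.[^/@\s]+)$")  # HTTP/<host>.<domain>
SPN_RE = re.compile(r"^HTTP/([^/@\s]+)@([^/@\s]+)$")       # HTTP/<host>@<REALM>

def parse_jaas_entry(text, name):
    """Return the key=value options of one JAAS login entry as a dict."""
    m = re.search(rf"\b{name}\s*\{{(.*?)\}}\s*;", text, re.S)
    if not m:
        raise ValueError(f"no JAAS entry named {name}")
    return dict(re.findall(r'(\w+)\s*=\s*"?([^"\s;]+)"?', m.group(1)))

def check_kerberos_sso(login_config, share_config_xml):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    opts = parse_jaas_entry(login_config, "ShareHTTP")
    if not opts.get("keyTab", "").startswith("/"):
        findings.append("ShareHTTP: keyTab should be the absolute path of the copied keytab")
    pm = PRINCIPAL_RE.match(opts.get("principal", ""))
    if not pm:
        findings.append("ShareHTTP: principal must be HTTP/<host>.<domain> (no realm suffix)")
    block = ET.fromstring(share_config_xml).find(".//config[@condition='Kerberos']")
    if block is None:  # section still carries condition="KerberosDisabled"
        return findings + ['share-config-custom.xml: no <config condition="Kerberos"> section']
    realm = (block.findtext(".//realm") or "").strip()
    sm = SPN_RE.match((block.findtext(".//endpoint-spn") or "").strip())
    if not sm:
        findings.append("<endpoint-spn> must be HTTP/<host>@<REALM>")
    elif sm.group(2) != realm:
        findings.append(f"<endpoint-spn> realm {sm.group(2)} differs from <realm> {realm}")
    # Heuristic of this example: the short host label of both names should agree.
    if pm and sm and pm.group(1).split(".")[0] != sm.group(1).split(".")[0]:
        findings.append("host in principal and <endpoint-spn> differ")
    return findings
```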