Configure Kerberos files - Alfresco Content Services 23.4

A user account and a keytab file are required for Alfresco Content Services (ACS), Alfresco Share and Alfresco Process Services (APS), and a krb5.conf file that gives the location of the authentication server must be present on each server. The files can also be configured against a load balancer.

The following table explains the values used to generate the keytab and krb5.conf files:

Variable        Description
host            A server host or load balancer name without a domain suffix, for example alfresco.
domain          The Domain Name System (DNS) domain, for example example.com.
domainnetbios   The Windows domain NetBIOS name, for example example.
REALM           The DNS domain in uppercase, for example EXAMPLE.COM.

  1. Create a user account in Active Directory for the SSO authentication filters:
    1. Enter a full name such as HTTP alfresco.
    2. Enter a login name such as httpalfresco.
    3. Enable the setting Do not require Kerberos pre-authentication.
  2. Use the ktpass command to generate a key table for the user account created in the previous step:

     ktpass -princ HTTP/<host>.<domain>@<REALM> -pass <password> -mapuser <domainnetbios>\http<host> -crypto all -ptype KRB5_NT_PRINCIPAL -out c:\temp\http<host>.keytab -kvno 0

    For example:

     ktpass -princ HTTP/alfresco.example.com@EXAMPLE.COM -pass <password> -mapuser example\httpalfresco -crypto all -ptype KRB5_NT_PRINCIPAL -out c:\temp\httpalfresco.keytab -kvno 0

  3. Use the setspn command to create Service Principal Names (SPNs) for the user account created in the first step:
     setspn -a HTTP/<host> http<host>
     setspn -a HTTP/<host>.<domain> http<host>
    

    For example:

     setspn -a HTTP/alfresco httpalfresco
     setspn -a HTTP/alfresco.example.com httpalfresco
    
  4. In the Delegation tab of the Properties of the user account created in the first step, tick the Trust this user for delegation to any service (Kerberos only) checkbox.
  5. Copy the key table (keytab) file you created to a protected area on each server, such as C:\etc.
    Note: The servers to copy the key table file to are Alfresco Content Services, Alfresco Share and Alfresco Process Services.
  6. Configure a krb5.conf file that contains details of the authentication server:

     [libdefaults]
     default_realm = <REALM>
     default_tkt_enctypes = rc4-hmac
     default_tgs_enctypes = rc4-hmac

     [realms]
     <REALM> = {
         kdc = <host>.<domain>
         admin_server = <host>.<domain>
     }

     [domain_realm]
     <host>.<domain> = <REALM>
     .<host>.<domain> = <REALM>

    The following is an example krb5.conf file:

     [libdefaults]
     default_realm = EXAMPLE.COM
     default_tkt_enctypes = rc4-hmac
     default_tgs_enctypes = rc4-hmac

     [realms]
     EXAMPLE.COM = {
         kdc = ldap.example.com
         admin_server = ldap.example.com
     }

     [domain_realm]
     ldap.example.com = EXAMPLE.COM
     .ldap.example.com = EXAMPLE.COM

  7. Copy the krb5.conf file to the servers running Alfresco Content Services, Alfresco Share and Alfresco Process Services. By default it is read from $WINDIR\krb5.conf, where $WINDIR is the Windows directory, for example C:\Windows\krb5.conf.
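As an added consistency check for the files produced by steps 2 and 6 (example code written for this page, not part of the Alfresco documentation), the following Python script parses a krb5.conf and verifies that it agrees with the HTTP/<host>.<domain>@<REALM> principal passed to ktpass: default_realm, the [realms] kdc entry and both [domain_realm] mappings. It also reports the rc4-hmac enctypes the template selects, which RFC 8429 deprecates; the sample configuration is constructed here and the function names are my own.

```python
# Constructed sample krb5.conf following the template on this page (not Alfresco's file).
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = EXAMPLE.COM
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
[realms]
EXAMPLE.COM = {
    kdc = ldap.example.com
}
[domain_realm]
alfresco.example.com = EXAMPLE.COM
.alfresco.example.com = EXAMPLE.COM
"""

def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value}}; 'NAME = { ... }' blocks become nested dicts."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line: continue
        if line.startswith("[") and line.endswith("]"):
            section, sub = line[1:-1], None
            conf[section] = {}
        elif line == "}":
            sub = None  # end of a realm block
        elif line.endswith("{"):
            sub = line[:-1].strip(" =")  # e.g. 'EXAMPLE.COM = {' -> 'EXAMPLE.COM'
            conf[section][sub] = {}
        else:
            key, _, value = line.partition("=")
            (conf[section][sub] if sub else conf[section])[key.strip()] = value.strip()
    return conf

def check_kerberos_files(conf_text, principal):
    """Compare krb5.conf with the HTTP/<host>.<domain>@<REALM> principal given to ktpass; return findings."""
    fqdn, realm = principal.removeprefix("HTTP/").split("@", 1)
    conf = parse_krb5_conf(conf_text)
    libdefaults, findings = conf.get("libdefaults", {}), []
    if libdefaults.get("default_realm") != realm:
        findings.append("default_realm does not match the keytab principal's realm")
    if "kdc" not in conf.get("realms", {}).get(realm, {}):
        findings.append(f"[realms] has no kdc entry for {realm}")
    for name in (fqdn, "." + fqdn):  # both mappings written in step 6
        if conf.get("domain_realm", {}).get(name) != realm:
            findings.append(f"[domain_realm] does not map {name} to {realm}")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        if "rc4-hmac" in libdefaults.get(key, ""):
            findings.append(f"{key} allows rc4-hmac, which RFC 8429 deprecates")
    return findings
```

Run it against the krb5.conf actually deployed in $WINDIR and the principal used with ktpass; an empty list means the files agree.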