Centos
憑證不能被委派 - Alfresco Share
我在 Redhat 6 上配置 Alfresco 4.0.d 時遇到了困難。
我正在使用 Kerberos 身份驗證,它似乎工作正常,並且單點登錄正在主 alfresco 應用程序本身上工作。我已經完成了配置步驟以使共享應用程序正常工作,但盡我所能,每次瀏覽器訪問時,我都會在 catalina.out 中收到此錯誤
http://server:8080/share
以及“Windows 安全”密碼框。WARN [site.servlet.KerberosSessionSetupPrivilegedAction] credentials can not be delegated!
這是我到目前為止所做的:
使用 AD 使用者和電腦,選擇
alfrescohttp
帳戶,然後選擇“信任此使用者以委託任何服務(僅限 Kerberos)。共享配置-custom.xml
複製
/opt/alfresco-4.0.d/tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml.sample
並share-config-custom.xml
編輯如下:<config evaluator="string-compare" condition="Kerberos" replace="true"> <kerberos> <password>*****</password> <realm>MYDOMAIN.CO.UK</realm> <endpoint-spn>HTTP/server.mydomain.co.uk@MYDOMAIN.CO.UK</endpoint-spn> <config-entry>ShareHTTP</config-entry> </kerberos> </config> <config evaluator="string-compare" condition="Remote"> <remote> <keystore> <path>alfresco/web-extension/alfresco-system.p12</path> <type>pkcs12</type> <password>alfresco-system</password> </keystore> <connector> <id>alfrescoCookie</id> <name>Alfresco Connector</name> <description>Connects to an Alfresco instance using cookie-based authentication</description> <class>org.springframework.extensions.webscripts.connector.AlfrescoConnector</class> </connector> <endpoint> <id>alfresco</id> <name>Alfresco - user access</name> <description>Access to Alfresco Repository WebScripts that require user authentication</description> <connector-id>alfrescoCookie</connector-id> <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url> <identity>user</identity> <external-auth>true</external-auth> </endpoint> </remote> </config>
krb5.conf
像這樣設置
/etc/krb5.conf
文件:[logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = MYDOMAIN.CO.UK default_tkt_enctypes = rc4-hmac default_tgs_enctypes = rc4-hmac forwardable = true proxiable = true [realms] MYDOMAIN.CO.UK = { kdc = mydc.mydomain.co.uk admin_server = mydc.mydomain.co.uk } [domain_realm] .mydc.mydomain.co.uk = MYDOMAIN.CO.UK mydc.mydomain.co.uk = MYDOMAIN.CO.UK
java.login.config
/opt/alfresco-4.0.d/java/jre/lib/security/java.login.config
配置如下:Alfresco { com.sun.security.auth.module.Krb5LoginModule sufficient; }; AlfrescoCIFS { com.sun.security.auth.module.Krb5LoginModule required storeKey=true useKeyTab=true keyTab="/etc/alfrescocifs.keytab" principal="cifs/server.mydomain.co.uk"; }; AlfrescoHTTP { com.sun.security.auth.module.Krb5LoginModule required storeKey=true useKeyTab=true keyTab="/etc/alfrescohttp.keytab" principal="HTTP/server.mydomain.co.uk"; }; com.sun.net.ssl.client { com.sun.security.auth.module.Krb5LoginModule sufficient; }; other { com.sun.security.auth.module.Krb5LoginModule sufficient; }; ShareHTTP { com.sun.security.auth.module.Krb5LoginModule required storeKey=true useKeyTab=true keyTab="/etc/alfrescohttp.keytab" principal="HTTP/server.mydomain.co.uk"; };
alfresco-global.conf
最後,以下設置
alfresco-global.conf
authentication.chain=kerberos1:kerberos,alfrescoNtlm1:alfrescoNtlm kerberos.authentication.real=MYDOMAIN.CO.UK kerberos.authentication.user.configEntryName=Alfresco kerberos.authentication.cifs.configEntryName=AlfrescoCIFS kerberos.authentication.http.configEntryName=AlfrescoHTTP kerberos.authentication.cifs.password=****** kerberos.authentication.http.password=***** kerberos.authentication.defaultAdministratorUserNames=administrator ntlm.authentication.sso.enabled=true
正如我所說,我已經為此碰壁了,我非常感謝你能給我的任何幫助!這個問題也發佈在 Alfresco 論壇上,但我想知道 serverfault 上是否有人遇到過類似的實施挑戰?
從 krb5.conf 中刪除以下行解決了該問題。
forwardable = true proxiable = true