
I've a problem authenticating Kerberos with multiple domains. I'm using Alfresco 4.2f on Windows Server 2012 R2 and I've a forest trust (function level 2008 R2) between two domains.

My kerberos cross domain setup is like in the word document from here: https://community.alfresco.com/external-link.jspa?url=https%3A%2F%2Fissues.alfresco.com%2Fjira%2Fbrowse%2FMNT-10368

The problem is, I'm able to log in fine with users from my main domain, but not with users from my second domain.

I've traced the krb5 packages with Wireshark, and if I try to log in from the second domain I get the following package: "KRB5 Error: KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN". In this package I can see that the user from the second domain tries to authenticate with the realm from the main domain.

The problem is exactly the same as here (without answer): https://community.alfresco.com/thread/176568-kerberos-with-multiple-domains-on-share-40d

Here is my krb5.ini:

[libdefaults]
default_realm = DOMAIN1.LOC
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 2h
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac

[realms]
DOMAIN1.LOC = {
 kdc = dc01.domain1.loc:88
 admin_server = dc01.domain1.loc:749
 default_domain = domain1.loc
}
DOMAIN2.LOC = {
 kdc = dc01.domain2.loc:88
 admin_server = dc01.domain2.loc:749
 default_domain = domain2.loc
}

[domain_realm]
dc01.domain1.loc = DOMAIN1.LOC
.dc01.domain1.loc = DOMAIN1.LOC
dc01.domain2.loc = DOMAIN2.LOC
.dc01.domain2.loc = DOMAIN2.LOC

Here is my kerberos subsystem config:

ntlm.authentication.sso.enabled=true
kerberos.authentication.realm=DOMAIN1.LOC
kerberos.authentication.sso.enabled=true
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.http.password=HighSecure
kerberos.authentication.authenticateCIFS=false
kerberos.authentication.browser.ticketLogons=true

Hopefully someone can point me in the right direction.

Thanks.

Beta

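A way to check what a krb5.ini like the one in this post actually implies, as an added example that is not part of the original post and not Alfresco or MIT code: the script below is a small, hypothetical parser for the krb5.ini syntax shown above, plus two lookups that follow the documented MIT/Java rules. A principal's realm comes from its `@REALM` suffix, and a bare name falls back to `default_realm`; a host is mapped to a realm through `[domain_realm]` by exact name first, then by each parent domain with a leading dot, again falling back to `default_realm` when nothing matches. Run against the posted file, it shows that a bare username and any host that is not one of the two listed DCs both resolve to DOMAIN1.LOC, which is the kind of mismatch worth ruling out when an AS-REQ carries the wrong client realm. The host names `alfresco.domain2.loc` and the user `jdoe` are constructed for the demonstration.

```python
"""Resolve Kerberos realms from a krb5.ini the way the MIT/Java lookup rules do.

Added example: a minimal parser covering only the syntax used in the post
(sections, key = value, and { } blocks under [realms]), not a full krb5.conf parser.
"""
import re

# The krb5.ini quoted in the post, embedded verbatim as sample input.
KRB5_INI = """
[libdefaults]
default_realm = DOMAIN1.LOC
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 2h
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac

[realms]
DOMAIN1.LOC = {
 kdc = dc01.domain1.loc:88
 admin_server = dc01.domain1.loc:749
 default_domain = domain1.loc
}
DOMAIN2.LOC = {
 kdc = dc01.domain2.loc:88
 admin_server = dc01.domain2.loc:749
 default_domain = domain2.loc
}

[domain_realm]
dc01.domain1.loc = DOMAIN1.LOC
.dc01.domain1.loc = DOMAIN1.LOC
dc01.domain2.loc = DOMAIN2.LOC
.dc01.domain2.loc = DOMAIN2.LOC
"""


def parse_krb5(text):
    """Parse krb5.ini text into nested dicts: {section: {key: value | {sub: value}}}."""
    conf = {}
    stack = []  # innermost dict is stack[-1]; a '{' pushes, a '}' pops
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        section = re.match(r"^\[(\w+)\]$", line)
        if section:
            stack = [conf.setdefault(section.group(1), {})]
            continue
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))  # open a realm block
        else:
            stack[-1][key] = value
    return conf


def principal_realm(principal, conf):
    """Client realm: the '@REALM' suffix if present, otherwise default_realm."""
    if "@" in principal:
        return principal.rsplit("@", 1)[1]
    return conf["libdefaults"]["default_realm"]


def host_realm(host, conf):
    """[domain_realm] lookup for a service host.

    Returns (realm, matched_key). matched_key is None when no entry matched
    and the realm is the default_realm fallback (dns_lookup_realm is false here).
    """
    mapping = conf.get("domain_realm", {})
    host = host.lower().rstrip(".")
    if host in mapping:  # exact host name wins
        return mapping[host], host
    labels = host.split(".")
    for i in range(len(labels)):  # then '.host', '.parent.domain', '.domain', ...
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate], candidate
    return conf["libdefaults"]["default_realm"], None


def explain(conf, principals, hosts):
    """Produce one human-readable line per lookup, for reviewing a config."""
    lines = [f"{p!r} -> realm {principal_realm(p, conf)}" for p in principals]
    for h in hosts:
        realm, key = host_realm(h, conf)
        via = f"via {key!r}" if key else "via default_realm fallback (no [domain_realm] match)"
        lines.append(f"{h!r} -> realm {realm} {via}")
    return lines


if __name__ == "__main__":
    cfg = parse_krb5(KRB5_INI)
    for line in explain(cfg, ["jdoe", "jdoe@DOMAIN2.LOC"],
                        ["dc01.domain2.loc", "alfresco.domain2.loc"]):
        print(line)
```

The `explain` output makes the gap visible at a glance: only the two DC host names are mapped, so a host under `domain2.loc` that is not `dc01` falls back to DOMAIN1.LOC. Adding a `.domain2.loc = DOMAIN2.LOC` style entry to the parsed `domain_realm` dict and re-running `host_realm` shows the suffix rule picking it up, which is a quick way to test a candidate mapping before touching the live file.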