Hi,
I'm trying to set up my Alfresco services to authenticate users against our AD (MS 2008R2SP1 domain controller).
The AD service account is configured this way:
dn: CN=AlfrescoHTTP,OU=USERS,OU=COMMON,DC=MYDOMAIN,DC=LOCAL
changetype: add
userAccountControl: 4784640
sAMAccountName: AlfrescoHTTP
userPrincipalName: HTTP/alfrescoserver.mydomain.local@MYDOMAIN.LOCAL
servicePrincipalName: HTTP/alfrescoserver.mydomain.local
servicePrincipalName: HTTP/alfrescoserver
From the Alfresco server, I'm testing authentication using the kinit tool:
> kinit -V HTTP/alfrescoserver.mydomain.local
I got the following error: "Client not found in Kerberos database while getting initial credentials"
(authentication using kinit is working fine for a regular MSAD account)
I made network captures and saw that a Kerberos AS-REQ is sent to the domain controller with the following parameters:
Client Name (Principal): HTTP/alfrescoserver.mydomain.local
Name-type: Principal (1)
Name: HTTP
Name: alfrescoserver.mydomain.local
Realm: MYDOMAIN.LOCAL
Server Name (Service and Instance): krbtgt/MYDOMAIN.LOCAL
Name-type: Service and Instance (2)
Name: krbtgt
Name: MYDOMAIN.LOCAL
Server response is:
Kerberos KRB-ERROR
Pvno: 5
MSG Type: KRB-ERROR (30)
error_code: KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN (6)
But the client principal name matches the UPN of the service account...
Please help.
Thanks,
Vincent
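As an added example (not part of the original post, and not Alfresco's or Microsoft's code), the following script parses the LDIF from the post, decodes the userAccountControl value, and compares the client name that kinit sent against the account's sAMAccountName, userPrincipalName and servicePrincipalName values. The LDIF and the name-type/error-code tables are reproduced from the post and RFC 4120; the helper names (`parse_ldif`, `decode_uac`, `audit`) are this example's own. It only states what the attributes contain; it does not model how the AD KDC resolves a client name.

```python
"""Decode the service-account attributes and the AS-REQ/KRB-ERROR from the post."""

# userAccountControl bits (MS-SAMR); only the ones that matter for this account
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

# Flags a reviewer would object to on a service account, and why
RISKY_FLAGS = {
    "DONT_REQ_PREAUTH": "no pre-authentication: anyone can request an AS-REP "
                        "for this account and crack it offline (AS-REP roasting)",
    "TRUSTED_FOR_DELEGATION": "unconstrained delegation: the service can reuse "
                              "the TGT of any user who authenticates to it",
}

# RFC 4120 PrincipalName name-types and the KRB-ERROR codes seen in such traces
KRB_NAME_TYPES = {0: "NT-UNKNOWN", 1: "NT-PRINCIPAL", 2: "NT-SRV-INST",
                  3: "NT-SRV-HST", 10: "NT-ENTERPRISE"}
KRB_ERRORS = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
              24: "KDC_ERR_PREAUTH_FAILED", 25: "KDC_ERR_PREAUTH_REQUIRED"}

# The LDIF exactly as given in the post (constructed input for this example)
SERVICE_ACCOUNT_LDIF = """dn: CN=AlfrescoHTTP,OU=USERS,OU=COMMON,DC=MYDOMAIN,DC=LOCAL
changetype: add
userAccountControl: 4784640
sAMAccountName: AlfrescoHTTP
userPrincipalName: HTTP/alfrescoserver.mydomain.local@MYDOMAIN.LOCAL
servicePrincipalName: HTTP/alfrescoserver.mydomain.local
servicePrincipalName: HTTP/alfrescoserver
"""


def parse_ldif(text):
    """Minimal LDIF reader: attribute -> list of values (no base64 '::' support)."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def decode_uac(value):
    """Return the flag names set in a userAccountControl integer, lowest bit first."""
    value = int(value)
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:x})")
    return names


def parse_principal(text):
    """Split 'a/b@REALM' into (['a', 'b'], 'REALM'); realm is None if absent."""
    name, sep, realm = text.rpartition("@")
    if not sep:
        name, realm = text, None
    return name.split("/"), realm


def audit(ldif_text, requested_client, kdc_error_code):
    """Compare the client name kinit used against the account's naming attributes."""
    entry = parse_ldif(ldif_text)
    flags = decode_uac(entry["userAccountControl"][0])
    client_comps, _ = parse_principal(requested_client)
    client_name = "/".join(client_comps)
    upn_comps, upn_realm = parse_principal(entry["userPrincipalName"][0])
    sam = entry["sAMAccountName"][0]
    return {
        "flags": flags,
        "risky": [f for f in flags if f in RISKY_FLAGS],
        "client_matches_sam": client_name == sam,
        "client_matches_upn": client_comps == upn_comps,
        "client_is_spn": client_name in entry.get("servicePrincipalName", []),
        # the logon name kinit is normally tested with for an AD account
        "suggested_kinit": f"kinit {sam}@{upn_realm}",
        "kdc_error": KRB_ERRORS.get(kdc_error_code, f"error {kdc_error_code}"),
    }


if __name__ == "__main__":
    report = audit(SERVICE_ACCOUNT_LDIF, "HTTP/alfrescoserver.mydomain.local", 6)
    print("cname name-type 1 =", KRB_NAME_TYPES[1], "| KDC replied", report["kdc_error"])
    for key, val in report.items():
        print(f"{key:20} {val}")
    for flag in report["risky"]:
        print("WARNING:", flag, "-", RISKY_FLAGS[flag])
```

Run as-is it reports that the requested name equals the UPN prefix and one of the SPNs but not the sAMAccountName, and that the account carries both DONT_REQ_PREAUTH and TRUSTED_FOR_DELEGATION, neither of which an HTTP service account needs.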