  1. Alfresco One Platform
  2. ACE-1334

Add support for Kerberos pre-authentication to Alfresco to increase security

    Details

    • ACT Numbers:

      00138429 , 00302373, 00589599 Premier, 00860138

      Description

      Current versions of Alfresco do not support pre-authentication with Kerberos for CIFS access, and therefore this setting needs to be disabled for some users.

      This decreases the security of Kerberos authentications and makes attacks easier. In some restricted areas this cannot be disabled, which prevents the usage of this authentication mechanism.

      From Microsoft article:

      If preauthentication is enabled, a time stamp will be encrypted using the user's password hash as an encryption key. If the KDC reads a valid time when using the user's password hash (stored in the Active Directory) to decrypt the time stamp, the KDC knows that request isn't a replay of a previous request. The preauthentication feature may be disabled for specific users in order to support some applications that don't support the security feature.

      Alfresco 3.4.10, Oracle

      [Steps that show the current behaviour]

      1. Configure Alfresco to use Kerberos for CIFS authentication. If it is working, disable (untick) "Do not require Kerberos pre-authentication"
      2. Restart Alfresco and see that Kerberos authentication for CIFS will not work anymore and you will find authentication errors

      [Desired behaviour]
      Even with Kerberos pre-authentication required, Alfresco should be able to authenticate against Kerberos for CIFS usage

      [Business case]
      Alfresco, as an enterprise product, should support this very basic security feature for Kerberos so that it can also be used in restricted organisations like governments, the banking sector or anyone else who needs to have higher security standards. Other applications (from Citrix and Cisco) are also able to run with this pre-authentication enabled.
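
An added example, not part of the original issue and not Alfresco code: since the workaround described above leaves "Do not require Kerberos pre-authentication" ticked on some accounts, this script audits an LDIF export of Active Directory for accounts whose `userAccountControl` has the `DONT_REQ_PREAUTH` bit (0x400000) set. The sample export, the account names and the function names are constructed for illustration.

```python
import base64
UF_ACCOUNTDISABLE = 0x00000002        # account is disabled
UF_DONT_REQUIRE_PREAUTH = 0x00400000  # Kerberos pre-authentication not required

# Constructed sample export; every name below is hypothetical.
SAMPLE_LDIF = """\
dn: CN=alfresco-cifs,OU=Service,DC=example,DC=test
sAMAccountName: alfresco-cifs
userAccountControl: 4260352

dn: CN=jdoe,OU=Staff,DC=example,DC=test
sAMAccountName: jdoe
userAccountControl: 512

dn: CN=old-svc,OU=Service,
 DC=example,DC=test
sAMAccountName: old-svc
userAccountControl: 4194818

dn: OU=Service,DC=example,DC=test
objectClass: organizationalUnit
"""

def parse_ldif(text):
    """Yield one dict per LDIF entry; handles folded lines and base64 ('::') values."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            if value.startswith(":"):  # 'attr:: <base64>' form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry[key.strip().lower()] = value.strip()
        if entry:
            yield entry

def preauth_not_required(text):
    """Return [(account, enabled)] for entries with UF_DONT_REQUIRE_PREAUTH set."""
    findings = []
    for entry in parse_ldif(text):
        uac = entry.get("useraccountcontrol", "")  # absent on OUs, groups, etc.
        if uac.isdigit() and int(uac) & UF_DONT_REQUIRE_PREAUTH:
            name = entry.get("samaccountname", entry.get("dn", "?"))
            findings.append((name, not int(uac) & UF_ACCOUNTDISABLE))
    return findings

if __name__ == "__main__":
    for name, enabled in preauth_not_required(SAMPLE_LDIF):
        print(f"{name}: pre-auth not required ({'enabled' if enabled else 'disabled'})")
```

Enabled accounts in the output are the ones to review first; disabled ones still carry the flag and would be exposed again if re-enabled.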

                People

                • Assignee:
                  closedissues Closed Issues
                  Reporter:
                  lulrich Levin Ulrich