
Spring Security Kerberos + AD, Checksum Fail

I'm trying to do a Spring Security Kerberos with Active Directory credentials as stated in http://docs.spring.io/spring-security-kerberos/docs/1.0.1.RELEASE/reference/htmlsingle/#samples-sec-server-win-auth . I'd like to say that I've got most of the things down (SPN, keytabs, etc.). Now I've got a checksum fail. Supposing I change my principal name, I get an AES encryption error.

I'm using Spring Boot on RHEL 6 with Oracle Java 1.8 + JCE. Sample from https://github.com/spring-projects/spring-security-kerberos/tree/master/spring-security-kerberos-samples/sec-server-win-auth

Here is what I get when I run the jar:


Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is /home/boss/webdev125-3.keytab refreshKrb5Config is false principal is http/webdev@EXAMPLE.ORG tryFirstPass is false useFirstPass is false storePass is false clearPass is false

principal is http/webdev@EXAMPLE.ORG Will use keytab Commit Succeeded

....

2015-11-25 11:29:09.631 DEBUG 5559 --- [nio-8080-exec-3] .a.KerberosServiceAuthenticationProvider : Try to validate Kerberos Token
2015-11-25 11:29:10.003  WARN 5559 --- [nio-8080-exec-3] waSpnegoAuthenticationProcessingFilter : Negotiate Header was invalid:

...

org.springframework.security.authentication.BadCredentialsException: Kerberos validation not successful
    at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:71)
    at org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:64)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)

...

Caused by: org.ietf.jgss.GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)

    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:856)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
    at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:906)
    at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:556)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
    at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:170)
    at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:153)
    ... 48 common frames omitted

Caused by: sun.security.krb5.KrbCryptoException: Checksum failed

    at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:102)
    at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:94)
    at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:175)
    at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:281)
    at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149)
    at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829)
    ... 56 common frames omitted

Caused by: java.security.GeneralSecurityException: Checksum failed

    at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:451)
    at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(AesDkCrypto.java:272)
    at sun.security.krb5.internal.crypto.Aes256.decrypt(Aes256.java:76)
    at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:100)
    ... 62 common frames omitted

Some other details:

  • /etc/krb5.conf does have default_tgs_enctypes, default_tkt_enctypes to include aes256-cts-hmac-sha1-96
  • default keytab location is matching between the application and krb5.conf
  • keytabs are being generated on a Windows server, then copied to RHEL

It seems that I had conflicts with existing Service Principal Mappings. Once I cleaned it up, the error stopped happening. This link helped me find the solution - https://developer.jboss.org/wiki/ConfiguringJBossNegotiationInAnAllWindowsDomain?_sscc=t

I hit this issue recently.

The DNS of the service must match the service principal name. The principal name must start with HTTP/

Example: Service DNS: www.ala-bala.com Principal name must be: HTTP/ala-bala.com@REALM

The realm doesn't have to match the DNS.

If running locally, the DNS obviously will not match the principal.

You can work around it by adding a line to /etc/hosts: 127.0.0.1 ala-bala.com

You can also use a client which allows you to override the Kerberos host/principal name, like requests_kerberos in Python.
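Both answers above come down to the same check: the key in the keytab must be the one the KDC used to encrypt the service ticket (a "Checksum failed" from Aes256CtsHmacSha1EType.decrypt is what a wrong key, wrong enctype or stale key version looks like), and the principal in the keytab must be spelled exactly as the application's configuration expects, since Kerberos principal names are case-sensitive (HTTP/ and http/ are different names). The following is an added example, not code from the question, the answers or the Spring project: a small Python parser for the MIT keytab file format (version 0x0502) that lists each entry's principal, encryption type and key version number, and a check that reports whether the expected principal has an aes256-cts-hmac-sha1-96 key. The sample keytab is constructed inside the script; its principal, realm and key bytes are made up, and `build_keytab` exists only to produce that sample (it is not an official tool; use `ktpass`/`ktutil` for real keytabs).

```python
import struct

# Kerberos encryption type numbers (RFC 3961, RFC 3962, RFC 4757).
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
AES256 = 18


def _counted(buf, pos):
    """Read a uint16-length-prefixed octet string at pos; return (bytes, next_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n], pos + n


def parse_keytab(data):
    """Parse an MIT keytab (file format 0x0502) into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version: %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)   # signed: negative = deleted slot
        pos += 4
        if size == 0:
            break
        if size < 0:
            pos += -size
            continue
        entry = data[pos:pos + size]
        pos += size
        p = 0
        (ncomp,) = struct.unpack_from(">H", entry, p); p += 2
        realm, p = _counted(entry, p)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(entry, p)
            comps.append(c.decode("utf-8"))
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", entry, p); p += 9
        (enctype,) = struct.unpack_from(">H", entry, p); p += 2
        key, p = _counted(entry, p)
        kvno = vno8
        if p + 4 <= len(entry):           # optional 32-bit kvno overrides the 8-bit field
            (vno32,) = struct.unpack_from(">I", entry, p)
            if vno32:
                kvno = vno32
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode("utf-8"),
            "name_type": name_type, "timestamp": timestamp,
            "enctype": enctype, "kvno": kvno, "key_len": len(key),
        })
    return entries


def build_keytab(entries):
    """Serialise (principal, enctype, kvno, key) tuples into keytab bytes (sample data only)."""
    out = bytearray(b"\x05\x02")
    for principal, enctype, kvno, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode("utf-8")
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode("utf-8")
        # name_type 1 = NT-PRINCIPAL; timestamp is an arbitrary constructed value
        body += struct.pack(">IIB", 1, 1448400000, kvno & 0xFF)
        body += struct.pack(">H", enctype) + struct.pack(">H", len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_keytab(data, expected_principal, required_enctype=AES256):
    """Return a list of findings; an empty list means the keytab looks usable."""
    entries = parse_keytab(data)
    findings = []
    matching = [e for e in entries if e["principal"] == expected_principal]
    if not matching:
        same_ci = sorted({e["principal"] for e in entries
                          if e["principal"].lower() == expected_principal.lower()})
        if same_ci:   # exact-case comparison, because principal names are case-sensitive
            findings.append("principal case mismatch: keytab has %s, configuration asks for %s"
                            % (same_ci, expected_principal))
        else:
            findings.append("no entry for %s (found: %s)"
                            % (expected_principal, sorted({e["principal"] for e in entries})))
        return findings
    present = [ENCTYPE_NAMES.get(e["enctype"], e["enctype"]) for e in matching]
    if not any(e["enctype"] == required_enctype for e in matching):
        findings.append("no %s key for %s (present: %s)"
                        % (ENCTYPE_NAMES.get(required_enctype, required_enctype), expected_principal, present))
    kvnos = sorted({e["kvno"] for e in matching})
    if len(kvnos) > 1:   # several key versions: the one matching the account's current kvno must be there
        findings.append("multiple kvnos %s for %s; confirm the account's current kvno is among them"
                        % (kvnos, expected_principal))
    return findings


# Constructed sample: one AES256 and one RC4 key for the same (made-up) service principal.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/webdev.example.org@EXAMPLE.ORG", AES256, 3, bytes(range(32))),
    ("HTTP/webdev.example.org@EXAMPLE.ORG", 23, 3, bytes(range(16))),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%-40s kvno=%d %s" % (e["principal"], e["kvno"], ENCTYPE_NAMES.get(e["enctype"], e["enctype"])))
    print(check_keytab(SAMPLE_KEYTAB, "http/webdev.example.org@EXAMPLE.ORG"))
```

Run `parse_keytab` over the real file the application points at (`/home/boss/webdev125-3.keytab` in the question) and pass the configured principal to `check_keytab`; a case mismatch, a missing aes256-cts-hmac-sha1-96 entry, or a key version older than the one the domain controller now uses are the three keytab-side causes that produce exactly the checksum failure shown in the stack trace.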
