Chrome shows ERR_UNEXPECTED when SPNEGO Kerberos authentication failed

I followed this guide to integrate my system with Windows AD. So when someone logs on as a Windows domain user, he can log in to CAS automatically. If the user doesn't use a domain user, I want the system to return the normal HTML login page.

Now I have a problem: when I use a domain user, it works fine. But when I use a non-domain user, Chrome returns an ERR_UNEXPECTED error page to me. You can see in the TCP dump that the system already returns 401 and the login page HTML, but Chrome shows an error.

Can anyone give me some suggestions?

JVM: 1.8.0_111

cas-server-core: 3.3

cas-server-support-spnego: 3.3

Chrome: 55

TCP dump stream by Wireshark (non-domain user)

GET /cas/login?service=http%3A%2F%2Fserver.ictsm.com%3A8080%2Fapp%2F&_validateRequest_=7RBrB6AIqjijhw5c4LjTBvc1vjpHJHWafif1MXGmMr8ZyI22thbzCtqTYkCUfKOn HTTP/1.1
Host: server.ictsm.com:8080
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
DNT: 1
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=3A632B243F57094E9468F972D2BE2E04A48835CCEE575DC9F8B2527FA81E23AD6D48BBF69A6D35623080096949F1FB8092F4

HTTP/1.1 401 Unauthorized
Server: nginx
Date: Mon, 16 Jan 2017 07:19:00 GMT
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
WWW-Authenticate: NTLM
WWW-Authenticate: Negotiate
Content-Language: zh-CN

my login page html

GET /cas/login?service=http%3A%2F%2Fserver.ictsm.com%3A8080%2Fapp%2F&_validateRequest_=7RBrB6AIqjijhw5c4LjTBvc1vjpHJHWafif1MXGmMr8ZyI22thbzCtqTYkCUfKOn HTTP/1.1
Host: server.ictsm.com:8080
Connection: keep-alive
Cache-Control: max-age=0
Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
DNT: 1
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=3A632B243F57094E9468F972D2BE2E04A48835CCEE575DC9F8B2527FA81E23AD6D48BBF69A6D35623080096949F1FB8092F4

HTTP/1.1 401 Unauthorized
Server: nginx
Date: Mon, 16 Jan 2017 07:19:00 GMT
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
WWW-Authenticate: Negotiate TlRMTVNTUAACAAAAEgASADAAAAAFAoEAAAAAAAAAAAAAAAAAAAAAADoAOgBCAAAAaQBjAHQAcwBtAC4AYwBvAG0AAgASAGkAYwB0AHMAbQAuAGMAbwBtAAEAHABKAEMASQBGAFMAMQAzAF8AMQA3ADQAXwA2AEMAAAAAAA==
Content-Language: zh-CN

my login page html

Get rid of WWW-Authenticate: NTLM and only use WWW-Authenticate: Negotiate in the HTTP header. NTLM was deprecated by Microsoft many years ago in favor of Kerberos. Really, nobody should be using NTLM anymore, and it is doubtful that any of your clients are. This line in your network trace meant that the Chrome client was using NTLM:

Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
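
The check the answer makes by eye on that Authorization line, written out as an added example (not part of the original question or answer): it base64-decodes a Negotiate or NTLM header value and reports whether it carries a raw NTLMSSP message or a GSS-API/SPNEGO token. The function name, the result labels and the Kerberos sample are assumptions made for the illustration; the GSS-API branch only scans for known mechanism OIDs and is not a full ASN.1 parser.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
# DER-encoded mechanism OIDs that a GSS-API/SPNEGO token can carry.
MECH_OIDS = {
    bytes.fromhex("06092a864886f712010202"): "Kerberos V5",
    bytes.fromhex("06092a864882f712010202"): "Kerberos V5 (legacy Microsoft OID)",
    bytes.fromhex("060a2b06010401823702020a"): "NTLMSSP",
}
# Header values copied from the trace on this page (request, then response).
PAGE_REQUEST = "Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="
PAGE_RESPONSE = "Negotiate TlRMTVNTUAACAAAAEgASADAAAAAFAoEAAAAAAAAAAAAAAAAAAAAAADoAOgBCAAAAaQBjAHQAcwBtAC4AYwBvAG0AAgASAGkAYwB0AHMAbQAuAGMAbwBtAAEAHABKAEMASQBGAFMAMQAzAF8AMQA3ADQAXwA2AEMAAAAAAA=="
# Constructed sample: a SPNEGO NegTokenInit whose mechTypes list offers only Kerberos V5.
CONSTRUCTED_KERBEROS = "Negotiate " + base64.b64encode(bytes.fromhex(
    "601b06062b0601050502a011300fa00d300b06092a864886f712010202")).decode()


def classify_negotiate(header_value):
    """Return (kind, detail) for an Authorization or WWW-Authenticate value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return ("other", scheme)
    if not b64.strip():
        return ("offer", scheme)  # bare server offer, no token attached yet
    try:
        raw = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return ("invalid", "token is not valid base64")
    if raw.startswith(NTLMSSP_SIG) and len(raw) >= 12:
        # Raw NTLMSSP message: 8-byte signature, then a little-endian message type.
        (msg_type,) = struct.unpack_from("<I", raw, 8)
        return ("raw-ntlm", NTLM_TYPES.get(msg_type, "type %d" % msg_type))
    if raw[:1] in (b"\x60", b"\xa0", b"\xa1"):
        # GSS-API InitialContextToken or SPNEGO NegTokenInit/NegTokenResp framing.
        found = sorted((raw.find(oid), name) for oid, name in MECH_OIDS.items() if oid in raw)
        return ("gssapi", [name for _, name in found])
    return ("unknown", raw[:8].hex())


if __name__ == "__main__":
    for value in (PAGE_REQUEST, PAGE_RESPONSE, CONSTRUCTED_KERBEROS, "NTLM"):
        print(classify_negotiate(value))
```

A token whose base64 starts with `TlRMTVNTUAAB` always lands in the raw-ntlm branch, because those characters encode the `NTLMSSP\0` signature followed by message type 1.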
