Authenticate application users using Kerberos and WAS7
I have been struggling for a while to put things head to head and solve this issue, but with no luck. I am trying to authenticate my Java application users through AD using Kerberos. I have created the KDC as below:
[libdefaults]
default_realm = X.LOCAL
default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 rc4-hmac arcfour-hmac arcfour-hmac-md5 aes128-cts-hmac-sha1-96
default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 rc4-hmac arcfour-hmac arcfour-hmac-md5 aes128-cts-hmac-sha1-96
permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 rc4-hmac arcfour-hmac arcfour-hmac-md5 aes128-cts-hmac-sha1-96
[realms]
X.LOCAL = {
kdc = machine_name.X.LOCAL
default_domain = X.LOCAL
}
[domain_realm]
.X.LOCAL = X.LOCAL
I have defined a new realm as follows:
• Global security > JAAS – Application logins
• Created a new login named “client” and allocated the com.ibm.ws.security.auth.kerberos.Krb5LoginModuleWrapperClient resource.
At code level I am setting the path for the KDC:
System.setProperty("java.security.krb5.conf", "<KDC path>");
Trying to login:
loginContext = new LoginContext(moduleName, getUsernamePasswordHandler(userName, secret));
loginContext.login();
I am getting:
Login error: com.ibm.security.krb5.KrbException, status code: 14 message: KDC has no support for encryption type
You will say that the encryption type is not supported :) I know.
Q: 1) What am I missing? (stuck here for over 1 week) 2) What am I doing wrong?
Thank you for your time.
Before I answer your question, you have to clean up your config and retry again:
krb5.conf location and an env property. This gives you full flexibility. Your problem is probably this:
AD is Windows Server 2008, which has DES disabled, but you allow the use of DES. This won't work. DES is disabled in 2008 for a good reason, OR your client sends the initial request with AES on top of the enctypes list. A Windows Server 2003 is not capable of dealing with that. The most common denominator is RC4-HMAC.
Use Wireshark to inspect the traffic. This will help you tremendously to understand the issue and Kerberos in general. Write an isolated test program which will help you as a proof of concept.
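The isolated test program the answer recommends, as an added example that is not part of the original question or answer: a stand-alone JAAS password login against the KDC with a programmatic Configuration, so the login module, its options and the krb5.conf path are all under the test's control rather than the WAS JAAS registry. It assumes an OpenJDK/Oracle JVM (the module class com.sun.security.auth.module.Krb5LoginModule and the sun.security.krb5.debug property are Sun-specific; the IBM JDK that WAS 7 runs on ships its own Krb5LoginModule under a different class name), and the krb5.conf path and user principal are placeholders read from the command line.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;

public class KrbLoginPoc {

    /** Programmatic JAAS configuration: one entry, password-based Kerberos login. */
    static final class Krb5Config extends Configuration {
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            Map<String, String> opts = new HashMap<String, String>();
            opts.put("useTicketCache", "false");   // always ask the KDC, so enctype problems surface
            opts.put("refreshKrb5Config", "true");  // re-read krb5.conf on every login attempt
            return new AppConfigurationEntry[] { new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",   // IBM JDK: different class name
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
        }
    }

    /** Supplies the user name and password to the login module's callbacks. */
    static CallbackHandler handler(final String user, final char[] password) {
        return new CallbackHandler() {
            public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                    else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                    else throw new UnsupportedCallbackException(cb);
                }
            }
        };
    }

    public static void main(String[] args) throws LoginException {
        // args[0]: path to krb5.conf, args[1]: user principal (placeholders supplied at run time)
        System.setProperty("java.security.krb5.conf", args[0]);
        System.setProperty("sun.security.krb5.debug", "true"); // prints enctypes offered and returned
        Configuration.setConfiguration(new Krb5Config());
        char[] pw = System.console().readPassword("Password for %s: ", args[1]); // needs a real console
        LoginContext lc = new LoginContext("krb5-poc", handler(args[1], pw));
        lc.login(); // a KDC enctype mismatch (e.g. KrbException status code 14) surfaces here
        java.util.Arrays.fill(pw, '\0'); // clear the password once the login module has used it
        System.out.println("Authenticated: " + lc.getSubject().getPrincipals());
        lc.logout();
    }
}
```

Run it against a krb5.conf that lists only rc4-hmac (or the AES types the KDC accepts) in the enctype settings; with the debug property on, the enctypes sent in the initial request and the KDC's reply are printed, which is the same exchange the answer suggests inspecting in Wireshark.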