
Authenticate application users using Kerberos and WAS7

I have been struggling for a while to put things head to head and solve this issue, but with no luck. I am trying to authenticate my Java application users through AD using Kerberos. I have created the KDC configuration as below:

[libdefaults]
default_realm = X.LOCAL
default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 rc4-hmac arcfour-hmac arcfour-hmac-md5 aes128-cts-hmac-sha1-96 
default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 rc4-hmac arcfour-hmac arcfour-hmac-md5 aes128-cts-hmac-sha1-96 
permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 rc4-hmac arcfour-hmac arcfour-hmac-md5 aes128-cts-hmac-sha1-96 

[realms]
X.LOCAL = {
kdc = machine_name.X.LOCAL 
default_domain = X.LOCAL 
}

[domain_realm]
.X.LOCAL = X.LOCAL

I have defined a new realm as follows:

  • Global security > JAAS – Application logins
  • Created a new login named "client" and allocated the com.ibm.ws.security.auth.kerberos.Krb5LoginModuleWrapperClient resource.

At code level I am setting the path for the KDC: System.setProperty("java.security.krb5.conf", "KDC" path);

Trying to login:

loginContext = new LoginContext(moduleName, getUsernamePasswordHandler(userName, secret));
loginContext.login();

I am getting:

Login error: com.ibm.security.krb5.KrbException, status code: 14 message: KDC has no support for encryption type

You will say that the encryption type is not supported :) I know.

Q: 1) What am I missing? (stuck here for over 1 week) 2) What am I doing wrong?

Thank you for your time.

Before I answer your question, you have to clean up your config and retry:

  1. Omit *_enctypes and let both sides negotiate the best enctype.
  2. Do not set the property from inside the app. Pass the krb5.conf location as an env property. This gives you full flexibility.
  3. You should rather work with a ticket cache or a keytab. There is no point in requesting the credentials over again from the client. This would make Kerberos superfluous. You log in to the OS just once and use the ticket cache.
  4. Do not use DES encryption; it is unsafe and deprecated.
  5. Make sure that the TGT you have has at least RC4 (Arcfour) encryption.

Your problem is probably this:

AD is Windows Server 2008, which has DES disabled, but you allow DES to be used. This won't work. DES is disabled in 2008 for a good reason. OR your client sends the initial request with AES on top of the enctypes list, and a Windows Server 2003 is not capable of dealing with that. The most common denominator is RC4-HMAC.

Use Wireshark to inspect the traffic. This will help you tremendously to understand the issue and Kerberos in general. Write an isolated test program, which will help you as a proof of concept.
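The isolated proof-of-concept test program the answer recommends, written here as an added example (it is not code from the question, the answer, or WebSphere). It follows points 2 and 3 above: the login goes through JAAS using the OS ticket cache instead of prompting for a password, and both the krb5.conf location and the JAAS configuration are passed on the command line rather than set from inside the application. The JAAS file name `jaas.conf`, the entry name `KrbPoc`, the principal `user@X.LOCAL` and the paths are assumptions; the module class `com.sun.security.auth.module.Krb5LoginModule` is the Oracle/OpenJDK one, and on the IBM JDK that WAS 7 ships with the equivalent is `com.ibm.security.auth.module.Krb5LoginModule`.

```java
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/*
 * Assumed JAAS configuration file "jaas.conf" (constructed for this example):
 *
 *   KrbPoc {
 *       com.sun.security.auth.module.Krb5LoginModule required
 *           useTicketCache=true
 *           doNotPrompt=true;
 *   };
 *
 * Everything is supplied from outside the application, as the answer advises:
 *
 *   kinit user@X.LOCAL          # obtain a TGT into the OS ticket cache first
 *   java -Djava.security.krb5.conf=/path/to/krb5.conf \
 *        -Djava.security.auth.login.config=/path/to/jaas.conf \
 *        KerberosPoc
 */
public class KerberosPoc {
    public static void main(String[] args) {
        try {
            // "KrbPoc" must match the entry name in jaas.conf
            LoginContext lc = new LoginContext("KrbPoc");
            lc.login();                       // reads the ticket cache, no password prompt
            Subject subject = lc.getSubject();
            System.out.println("Principals: " + subject.getPrincipals());

            // Print the enctype of each ticket the login produced. This is what
            // point 5 of the answer is about: 23 = rc4-hmac, 17 = aes128-cts,
            // 18 = aes256-cts; DES types (1, 3) mean the config still allows DES.
            for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
                System.out.println("Ticket for " + t.getServer()
                        + " session-key enctype=" + t.getSessionKeyType());
            }
            lc.logout();
        } catch (LoginException e) {
            // A failed enctype negotiation surfaces here, e.g. the question's
            // "status code: 14" (KDC_ERR_ETYPE_NOSUPP).
            System.err.println("Login failed: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Pair this with the question's krb5.conf after deleting the three `*_enctypes` lines (point 1), so that client and KDC negotiate the enctype themselves; the printed enctype then shows directly whether the TGT in the cache is RC4 or AES, and a Wireshark capture of the AS-REQ/AS-REP during the run shows the same negotiation on the wire.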
