Kerberos Java問題,修改了kdc和/或消息流(41)錯誤
[英]Kerberos Java problems with kdc and/or Message stream modified (41) error
問題描述
首先,我對Kerberos真的很陌生,而且我對所有Domain知識只有有限的了解,但是我必須連接到我們的SharePoint Server並使用它的搜索api,因為它將在unix服務器上運行,我必須通過Kerberos進行身份驗證和用戶名密碼。 所以這是我的工作:
我的Java代碼
public class MyExmapleService {
public MyExmapleService () {
connectDefault();
}
private void connectDefault() {
try {
Authenticator.setDefault(new SbHttpAuthenticator());
System.setProperty("java.security.krb5.conf", "C:/ext/AFP-2.4.13/config/krb5.conf");
System.setProperty("java.security.auth.useSubjectCredsOnly", "false");
System.setProperty("http.auth.preference", "kerberos");
System.setProperty("sun.security.krb5.debug", "true");
System.setProperty("java.security.auth.login.config", "C:/ext/AFP-2.4.13/lgt_config/login.conf");
URL url = new URL("https://something.mySharePoint.com/_api/search/query?");
URLConnection conn = url.openConnection();
InputStream ins = conn.getInputStream();
BufferedReader reader = new BufferedReader(new InputStreamReader(ins));
String str;
while((str = reader.readLine()) != null) {
System.out.println("blup: " + str);
}
} catch (java.io.IOException e) {
e.printStackTrace();
}
}
public static void main(String[] args) throws Exception {
new SbMyLgtService();
}
}
public class SbHttpAuthenticator extends Authenticator {
public PasswordAuthentication getPasswordAuthentication() {
try {
String kUser = "someUser";
String kPassword = "somePassword";
System.err.println("Feeding username and password for " + getRequestingScheme() + " " + kUser + " " + kPassword);
return (new PasswordAuthentication(kUser, kPassword.toCharArray()));
} catch (IOException e) {
e.printStackTrace();
}
return null;
}
}
的krb5.conf
[libdefaults]
default_realm = XX.LOC
dns_lookup = false
[realms]
XX.LOC = {
kdc = xxxxxxxx2110.xx.loc
}
[domain_realm]
.XX.loc = XX.LOC
XX.loc = XX.LOC
login.conf的
com.sun.security.jgss.krb5.initiate {
com.sun.security.auth.module.Krb5LoginModule
required
doNotPrompt=false
useTicketCache=false
allow_weak_crypto=true;
};
我遇到的第一個問題是a2.loc返回20台服務器,因此並非總是使用正確的服務器,而dns_lookup_kdc = false krb5.conf中的參數已解決。
因此,如果我運行此程序,則會出現以下Java異常:'KrbException:消息流已修改(41)'若要更正Stackoverflow並建議使用大寫版本和域域條目。 奇怪的是,我們的Realm似乎在XX.loc上,所以大小寫混合了Name ...有沒有辦法配置它? 這是錯誤輸出:
Loaded from Java config
>>> KdcAccessibility: reset
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23.
>>> KrbAsReq creating message
Feeding username and password for Negotiate someUser somePassword
>>> KrbKdcReq send: kdc=xxxxx2110.xx.loc UDP:88, timeout=30000, number of retries =3, #bytes=140
>>> KDCCommunication: kdc=xxxxxx2110.xx.loc UDP:88, timeout=30000,Attempt =1, #bytes=140
>>> KrbKdcReq send: #bytes read=179
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 17, salt = XX.LOCSA-XX-LLLL-htavro, s2kparams = null
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
>>> KdcAccessibility: remove xxxxxx2110.xx.loc
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Tue Feb 23 18:07:16 CET 2016 1456247236000
suSec is 874332
error code is 25
error Message is Additional pre-authentication required
sname is krbtgt/xx.loc@xx.loc
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 17, salt = XX.LOCSA-XX-LLLL-htavro, s2kparams = null
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23.
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23.
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=xxxxxx2110.xx.loc UDP:88, timeout=30000, number of retries =3, #bytes=222
>>> KDCCommunication: kdc=xxxxxx2110.xx.loc UDP:88, timeout=30000,Attempt =1, #bytes=222
>>> KrbKdcReq send: #bytes read=1401
>>> KdcAccessibility: remove xxxxxx2110.xx.loc
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
Negotiate support not initiated, will fallback to other scheme if allowed. Reason:
GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))
at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Krb5InitCredential.java:343)
at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:145)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:122)
at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:187)
at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:224)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:212)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
at sun.net.www.protocol.http.spnego.NegotiatorImpl.init(NegotiatorImpl.java:108)
at sun.net.www.protocol.http.spnego.NegotiatorImpl.<init>(NegotiatorImpl.java:117)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
at sun.net.www.protocol.http.Negotiator.getNegotiator(Negotiator.java:63)
at sun.net.www.protocol.http.NegotiateAuthentication.firstToken(NegotiateAuthentication.java:209)
at sun.net.www.protocol.http.NegotiateAuthentication.setHeaders(NegotiateAuthentication.java:183)
at sun.net.www.protocol.http.HttpURLConnection.getServerAuthentication(HttpURLConnection.java:2467)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1682)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1440)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
at com.lgt.sb.service.fininfo.mylgt.SbMyLgtService.connectDefault(SbMyLgtService.java:49)
at com.lgt.sb.service.fininfo.mylgt.SbMyLgtService.<init>(SbMyLgtService.java:27)
at com.lgt.sb.service.fininfo.mylgt.SbMyLgtService.main(SbMyLgtService.java:86)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:134)
Caused by: javax.security.auth.login.LoginException: Message stream modified (41)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
at sun.security.jgss.GSSUtil.login(GSSUtil.java:258)
at sun.security.jgss.krb5.Krb5Util.getTicket(Krb5Util.java:158)
at sun.security.jgss.krb5.Krb5InitCredential$1.run(Krb5InitCredential.java:335)
at sun.security.jgss.krb5.Krb5InitCredential$1.run(Krb5InitCredential.java:331)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Krb5InitCredential.java:330)
... 27 more
Caused by: KrbException: Message stream modified (41)
at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:45)
at sun.security.krb5.KrbAsRep.decrypt(KrbAsRep.java:158)
at sun.security.krb5.KrbAsRep.decryptUsingPassword(KrbAsRep.java:139)
at sun.security.krb5.KrbAsReqBuilder.resolve(KrbAsReqBuilder.java:287)
at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:766)
... 45 more
java.io.IOException: Server returned HTTP response code: 401 for URL: https://something.mySharePoint.com/_api/search/query?
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1839)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1440)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
at com.xxx.MyExampleService.connectDefault(SbMyLgtService.java:49)
at com.xxx.MyExampleService.<init>(SbMyLgtService.java:27)
at com.xxx.MyExampleService.main(SbMyLgtService.java:86)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
1 個解決方案
解決方案1
0 2016-05-05 15:47:21
如果對Krb5 config進行了更新,但已緩存在您的系統中,則可能會發生這種情況,請嘗試將以下屬性添加到jaasConfig
put("refreshKrb5Config", "true");
使用 Kerberos 連接到 SMB 共享時出現 KrbException “Message Stream Modified (41)”
[英]KrbException “Message Stream Modified (41)” when connecting to SMB share using Kerberos
在同一Java應用程序中使用不同的Kerberos KDC進行身份驗證
[英]Authenticating with different Kerberos KDC in the same Java application
如何使用 Java GSS-API 和 Kerberos 5 從單個 Java 客戶端程序與兩個不同的 KDC 服務器進行通信?
[英]How to communicate with two different KDC servers from single Java client program using Java GSS-API and Kerberos 5?
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.
相關問題
GSSException:修改了消息流(41)
使用 Kerberos 連接到 SMB 共享時出現 KrbException “Message Stream Modified (41)”
在同一Java應用程序中使用不同的Kerberos KDC進行身份驗證
使用JAAS的Keytab和KDC中的Kerberos用戶主體
用於單元測試的ApacheDS Embedded Kerberos KDC
如何使用 Java GSS-API 和 Kerberos 5 從單個 Java 客戶端程序與兩個不同的 KDC 服務器進行通信?
Java Kerberos預身份驗證錯誤
簡化 java stream 返回錯誤信息
Java中的錯誤消息(流和Lambda理解)
來自修改集合的Java 8流
相關標簽