堆棧內存溢出
  簡體   English   中英

使用 Kerberos SPNEGO 配置 Tomcat SSO

[英]Configuring Tomcat SSO using Kerberos SPNEGO

 原文  2020-05-08 06:01:22       java/ tomcat/ single-sign-on/ kerberos/ spnego

問題描述

我正在嘗試使用 Kerberos 在 Tomcat 9(使用 SDK 8)中配置 SSO。 我的環境都在 Windows Server 2016 VMs 中:-

  • server2016.forestgump.internal 192.168.44.130 - 活動目錄
  • windowstomcat.forestgump.internal 192.168.44.135 - Tomcat v9,SDK 8
  • WIN-MN3G5OM9U4Q.forestgump.internal 192.168.44.140 - 只是客戶端

我經歷了許多教程(都略有不同),但我仍然無法獲得我的 web 頁面,401 一直在等我。

AD 中的域是“FORESTGUMP.INTERNAL”(是的.. 用單個“R”拼寫森林沒有錯誤,只是凌晨 2 點的虛構名稱)。 我在這個域中創建了 2 個用戶

  • tomcat(技術用戶,用於登錄windowstomcat.forestgump.internal tomcat服務器)。 此用戶有一些附加配置:密碼永不過期 = true,用戶無法更改密碼 = true,他的帳戶支持 Kerberos AES128,此帳戶支持 Kerberos AES256,信任此用戶以委托任何服務(僅限 Kerberos)
  • mario(在客戶端機器上登錄域的用戶)

我將 SPN 映射到 tomcat 用戶:

setspn -l forestgump.internal\tomcat
        Registered ServicePrincipalNames for CN=tomcat,CN=Users,DC=forestgump,DC=internal:
        HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
        HTTP/windowstomcat@FORESTGUMP.INTERNAL
        HTTP/windowstomcat
        HTTP/windowstomcat.forestgump.internal

然后我生成了一個 keytab 文件:

ktpass /out c:\tomcat.keytab /mapuser TOMCAT@FORESTGUMP.INTERNAL /princ HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL /pass Passw0rd! /kvno 0 -crypto ALL -ptype KRB5_NT_PRINCIPAL

And copied this tomcat.keytab the Tomcat server./tomcat-9/conf and added spnego-r9.jar in c.\tomcat-9\lib

在 tomcat 服務器中,我創建了文件。/tomcat-9/conf/krb5.ini

    [libdefaults]
default_realm = FORESTGUMP.INTERNAL
default_keytab_name = "C:\opt\tomcat-9\conf\tomcat.keytab"
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable=true

[realms]
forestgump.internal = {
        kdc = server2016.forestgump.internal:88
}

[domain_realm]
forestgump.internal= FORESTGUMP.INTERNAL
.forestgump.internal= FORESTGUMP.INTERNAL

我創建了文件。/tomcat-9/conf/jass.conf

com.sun.security.jgss.krb5.initiate {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal="HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL"
keyTab="c:/opt/tomcat-9/conf/tomcat.keytab"
useKeyTab=true
storeKey=true;
debug=true;
};
com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal="HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL"
keyTab="c:/opt/tomcat-9/conf/tomcat.keytab"
useKeyTab=true
storeKey=true;
debug=true;
};

到目前為止,我發現的所有教程都非常一致。 從現在開始,遙遠的西部和我對 tomcat 和 java 開發的了解對我沒有幫助。 我更改了默認的 tomcat-9/conf/server.xml 為 AD LDAP 添加了 Realm

      <Realm className="org.apache.catalina.realm.LockOutRealm">
      <!-- This Realm uses the UserDatabase configured in the global JNDI
         resources under the key "UserDatabase".  Any edits
         that are performed against this UserDatabase are immediately
         available for use by the Realm.  -->
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase" />

      <Realm className="org.apache.catalina.realm.JNDIRealm" connectionURL="ldap://server2016.forestgump.internal:389" authentication="simple" referrals="follow" connectionName="CN=tomcat,CN=Users,DC=forestgump,DC=internal" connectionPassword="Passw0rd!" userSearch="(sAMAccountName={0})" userBase="CN=Users,DC=forestgump,DC=internal" userSubtree="true" roleSearch="(member={0})" roleName="cn" roleSubtree="true" roleBase="cn=Builtin,DC=forestgump,DC=internal" />
      </Realm>

我用 Jxplorer 測試了 LDAP 配置,我可以連接到我的 AD。 不確定這是否有必要,我發現的教程中只有 20% 提到了這一點。

然后我創建了一個簡單的 webapp 來測試配置。 web 應用程序具有以下結構:

  • TomcatHelloWorld
    • 索引.jsp
    • 網絡信息
      • web.xml
    • 元信息
      • 上下文.xml

這里文件的內容

索引.jsp

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>AUTH test</title>
</head>
<body>
<h1>Hello World!</h1>
<p>auth type: <%=request.getAuthType()%> </p>
<p>remote user: <%=request.getRemoteUser() %> </p>
<p>principal: <%=request.getUserPrincipal() %></p>
<p>name: <%= (request.getUserPrincipal()!=null)?request.getUserPrincipal().getName():"NO PRINCIPAL" %></p>
</body>
</html>

web.xml

<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
    version="4.0"
    metadata-complete="true">

    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Web Resource - Allow GET method</web-resource-name>

            <url-pattern>/*</url-pattern>

            <http-method>GET</http-method>
        </web-resource-collection>

        <auth-constraint>
            <role-name>CN=Users,DC=forestgump,DC=internal</role-name>
        </auth-constraint>
    </security-constraint>

    <security-role>
        <role-name>CN=Users,DC=forestgump,DC=internal</role-name>
    </security-role>

    <login-config>
        <auth-method>SPNEGO</auth-method>
        <realm-name>FORESTGUMP.INTERNAL</realm-name>
    </login-config>
</web-app>

上下文.xml

<?xml version="1.0" encoding="UTF-8"?>
<Context antiJARLocking="true" path="/spnego">
<!-- valve will be explicitly created when SPNEGO is used,
 this is to declare additional attributes -->
  <Valve className="org.apache.catalina.authenticator.SpnegoAuthenticator" 
  alwaysUseSession="true" cache="true"  />
</Context>

在客戶端虛擬機中,我使用了 IE,Firefox(配置了 network.negotiate-auth.delegation-uris = windowstomcat.forestgump.internal 和 network.negotiate-auth.gsslib = windowstomcat.forestgump.internal)和一個 Kerberos 身份驗證客戶端( Z80791B3AE7002CB88F8C246/AFA /blog.michelbarneveld.nl/michel/archive/2009/12/05/kerberos-authentication-tester.aspx

結果總是來自瀏覽器的 401 和來自 Kerberos 測試器的 500。

真正令人沮喪的是,我在 tomcat 或 AD 中看不到任何錯誤。 在 tomcat 中,我什至在啟動時添加了調試語句(設置 CATALINA_OPTS= -Dsun.security.krb5.debug=true -Dsun.security.jgss.debug=true -Dsun.security.spnego.debug=true)。

catalina.log 是超級干凈的 localhost.log 有幾個例外(當我使用 Kerberos 客戶端測試並獲得 500 時)

08-May-2020 14:51:46.294 SEVERE [http-nio-8080-exec-4] org.apache.catalina.core.StandardHostValve.invoke Exception Processing /TomcatHelloWorld/
    java.lang.SecurityException: java.io.IOException: Configuration Error:
    Line 8: expected [controlFlag]
        at sun.security.provider.ConfigFile$Spi.<init>(ConfigFile.java:137)
        at sun.security.provider.ConfigFile.<init>(ConfigFile.java:102)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
        at java.lang.Class.newInstance(Class.java:442)
        at javax.security.auth.login.Configuration$2.run(Configuration.java:255)
        at javax.security.auth.login.Configuration$2.run(Configuration.java:247)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.Configuration.getConfiguration(Configuration.java:246)
        at javax.security.auth.login.LoginContext$1.run(LoginContext.java:245)
        at javax.security.auth.login.LoginContext$1.run(LoginContext.java:243)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.init(LoginContext.java:243)
        at javax.security.auth.login.LoginContext.<init>(LoginContext.java:348)
        at org.apache.catalina.authenticator.SpnegoAuthenticator.doAuthenticate(SpnegoAuthenticator.java:196)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:631)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:373)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1590)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:748)
    Caused by: java.io.IOException: Configuration Error:
    Line 8: expected [controlFlag]
        at sun.security.provider.ConfigFile$Spi.ioException(ConfigFile.java:666)
        at sun.security.provider.ConfigFile$Spi.match(ConfigFile.java:572)
        at sun.security.provider.ConfigFile$Spi.parseLoginEntry(ConfigFile.java:454)
        at sun.security.provider.ConfigFile$Spi.readConfig(ConfigFile.java:427)
        at sun.security.provider.ConfigFile$Spi.init(ConfigFile.java:329)
        at sun.security.provider.ConfigFile$Spi.init(ConfigFile.java:271)
        at sun.security.provider.ConfigFile$Spi.<init>(ConfigFile.java:135)
        ... 31 more

這肯定與我的 webapp 有關,但我無法確定導致錯誤的原因。

任何幫助都會極大地幫助我保持清醒。 干杯。

在建議刪除配置文件中的分號之后,我繼續前進,現在得到了一些有趣的異常:

11-May-2020 14:38:55.976 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [897] milliseconds
Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is c:/opt/tomcat-9/conf/tomcat.keytab refreshKrb5Config is false principal is HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>> KeyTabInputStream, readName(): FORESTGUMP.INTERNAL
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): windowstomcat.forestgump.internal
>>> KeyTab: load() entry length: 85; type: 1
>>> KeyTabInputStream, readName(): FORESTGUMP.INTERNAL
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): windowstomcat.forestgump.internal
>>> KeyTab: load() entry length: 85; type: 3
>>> KeyTabInputStream, readName(): FORESTGUMP.INTERNAL
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): windowstomcat.forestgump.internal
>>> KeyTab: load() entry length: 93; type: 23
>>> KeyTabInputStream, readName(): FORESTGUMP.INTERNAL
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): windowstomcat.forestgump.internal
>>> KeyTab: load() entry length: 109; type: 18
>>> KeyTabInputStream, readName(): FORESTGUMP.INTERNAL
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): windowstomcat.forestgump.internal
>>> KeyTab: load() entry length: 93; type: 17
Looking for keys for: HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Java config name: C:\opt\tomcat-9\conf\krb5.ini
Loaded from Java config
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Found unsupported keytype (1) for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
>>> KdcAccessibility: reset
Looking for keys for: HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Found unsupported keytype (1) for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq creating message
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=server2016.forestgump.internal. UDP:88, timeout=30000, number of retries =3, #bytes=190
>>> KDCCommunication: kdc=server2016.forestgump.internal. UDP:88, timeout=30000,Attempt =1, #bytes=190
>>> KrbKdcReq send: #bytes read=238
>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 18, salt = FORESTGUMP.INTERNALHTTPwindowstomcat.forestgump.internal, s2kparams = null
         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16

>>>Pre-Authentication Data:
         PA-DATA type = 15

>>> KdcAccessibility: remove server2016.forestgump.internal.:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Mon May 11 14:39:04 NZST 2020 1589164744000
         suSec is 480933
         error code is 25
         error Message is Additional pre-authentication required
         sname is krbtgt/FORESTGUMP.INTERNAL@FORESTGUMP.INTERNAL
         eData provided.
         msgType is 30
>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 18, salt = FORESTGUMP.INTERNALHTTPwindowstomcat.forestgump.internal, s2kparams = null
         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16

>>>Pre-Authentication Data:
         PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Looking for keys for: HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Found unsupported keytype (1) for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Looking for keys for: HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Found unsupported keytype (1) for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq creating message
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=server2016.forestgump.internal. UDP:88, timeout=30000, number of retries =3, #bytes=279
>>> KDCCommunication: kdc=server2016.forestgump.internal. UDP:88, timeout=30000,Attempt =1, #bytes=279
>>> KrbKdcReq send: #bytes read=110
>>> KrbKdcReq send: kdc=server2016.forestgump.internal. TCP:88, timeout=30000, number of retries =3, #bytes=279
>>> KDCCommunication: kdc=server2016.forestgump.internal. TCP:88, timeout=30000,Attempt =1, #bytes=279
>>>DEBUG: TCPClient reading 1694 bytes
>>> KrbKdcReq send: #bytes read=1694
>>> KdcAccessibility: remove server2016.forestgump.internal.:88
Looking for keys for: HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Found unsupported keytype (1) for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/windowstomcat.forestgump.internal
principal is HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Will use keytab
Commit Succeeded

Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab c:\opt\tomcat-9\conf\tomcat.keytab for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Found KeyTab c:\opt\tomcat-9\conf\tomcat.keytab for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Found ticket for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL to go to krbtgt/FORESTGUMP.INTERNAL@FORESTGUMP.INTERNAL expiring on Tue May 12 00:39:04 NZST 2020
Entered SpNegoContext.acceptSecContext with state=STATE_NEW
SpNegoContext.acceptSecContext: receiving token = a0 8..
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.113554.1.2.2
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.48018.1.2.2
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.30
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.10
SpNegoToken NegTokenInit: reading Mech Token
SpNegoContext.acceptSecContext: received token of type = SPNEGO NegTokenInit
SpNegoContext: negotiated mechanism = 1.2.840.113554.1.2.2
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Looking for keys for: HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Found unsupported keytype (1) for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 18 17 16 23.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
MemoryCache: add 1589164744/000073/52EB3DFA8A4B8EADDCE4B0019A0968EE/Administrator@FORESTGUMP.INTERNAL to Administrator@FORESTGUMP.INTERNAL|HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
>>> KrbApReq: authenticate succeed.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>>Delegated Creds have pname=Administrator@FORESTGUMP.INTERNAL sname=krbtgt/FORESTGUMP.INTERNAL@FORESTGUMP.INTERNAL authtime=null starttime=20200511023904Z endtime=20200511123904ZrenewTill=20200518023904Z
Krb5Context setting peerSeqNumber to: 1464367068
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Krb5Context setting mySeqNumber to: 206741889
...
Search Subject for Kerberos V5 INIT cred (<<DEF>>, sun.security.jgss.krb5.Krb5InitCredential)
Found ticket for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL to go to krbtgt/FORESTGUMP.INTERNAL@FORESTGUMP.INTERNAL expiring on Tue May 12 00:39:04 NZST 2020
Entered Krb5Context.initSecContext with state=STATE_NEW
Found ticket for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL to go to krbtgt/FORESTGUMP.INTERNAL@FORESTGUMP.INTERNAL expiring on Tue May 12 00:39:04 NZST 2020
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
default etypes for default_tgs_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> CksumType: sun.security.krb5.internal.crypto.HmacMd5ArcFourCksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=server2016.forestgump.internal. TCP:88, timeout=30000, number of retries =3, #bytes=1622
>>> KDCCommunication: kdc=server2016.forestgump.internal. TCP:88, timeout=30000,Attempt =1, #bytes=1622
>>>DEBUG: TCPClient reading 1598 bytes
>>> KrbKdcReq send: #bytes read=1598
>>> KdcAccessibility: remove server2016.forestgump.internal.:88
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbApReq: APOptions are 00100000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Krb5Context setting mySeqNumber to: 905416011
Created InitSecContextToken:
0000: 01 00 6E 82 05 DF 30 82   05 DB A0 03 02 01 05 A1  ..n...0.........
.....
05D0: BE 28 08 00 6F FC 45 DC   0D 90 93 E9 60 46 CC 81  .(..o.E.....`F..
05E0: 51 D8 99 06 16                                     Q....

Entered Krb5Context.initSecContext with state=STATE_IN_PROCESS
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Krb5Context setting peerSeqNumber to: 1474518462
                [Krb5LoginModule]: Entering logout
                [Krb5LoginModule]: logged out Subject

我在 Kerberos Server 中添加了 256 支持:

ksetup /setenctypeattr FQDN>forestgump.internal RC4-HMAC-MD5 AES128-CTS-HMAC-SHA1-96 AES256-CTS-HMAC-SHA1-96

並且用戶帳戶(tomcat 和 mario)支持 Kerberos 128/256 位加密。

無法查明配置錯誤

1 個解決方案

解決方案1
 1 已采納  2020-05-10 10:53:14

問題似乎是您的jaas.conf中的分號:

com.sun.security.jgss.krb5.initiate {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal="HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL"
keyTab="c:/opt/tomcat-9/conf/tomcat.keytab"
useKeyTab=true
storeKey=true;
debug=true;
};
com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal="HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL"
keyTab="c:/opt/tomcat-9/conf/tomcat.keytab"
useKeyTab=true
storeKey=true;
debug=true;
};

刪除storeKey=true后的分號。 結果, debug=true; 被解釋為它自己的條目,它不是 - 它只是一個屬性。

暫無
暫無

聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.

相關問題 使用Spnego解密kerberos票 帶有SPNEGO SSO的Tomcat 6仍提示輸入登錄名和密碼 使用SPNEGO Web SSO自動登錄 Waffle Kerberos SSO-模擬更改tomcat用戶 Spnego / Kerberos支持與粗麻布 如何使用Spring Rest模板訪問經過kerberos SPNEGO認證的資源 帶廣告的CAS SSO(SPNEGO) 使用sourceforge spnego對活動目錄進行SSO身份驗證 在 graal 中將 spnego 和 kerberos 與 gss 一起使用 使用jsp在tomcat中開發kerberos
相關標簽
 
粵ICP備18138465號  © 2020-2024 STACKOOM.COM