个人中心
文章发布
退出
作者热门文章
- iOS/Objective-C 元类和类别
- objective-c - -1001 错误,当 NSURLSession 通过 httpproxy 和/etc/hosts
- java - 使用网络类获取 url 地址
- ios - 推送通知中不播放声音
27
4
我正在使用林架构中的 LDAP(所有服务器和我的服务器都是 Windows)。我正在使用 NTLM 身份验证绑定(bind)到 AD。
我有一个针对 LDAP 服务器执行操作的 JAVA 代码。
代码被包装为 tomcat servlet。
当直接运行 JAVA 代码时(仅将 LDAP 身份验证代码作为应用程序执行),绑定(bind)对本地域有效(本地域 = 我登录到 Windows,并使用该域的用户运行此过程)和外国域名。
当将 JAVA 代码作为 servlet 运行时,绑定(bind)可以工作并验证来自一个域的用户,但如果我试图验证来自其他域的用户则不起作用,它不会工作(只有当我'我将重新启动 tomcat)。
我遇到异常:
GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Message stream modified (41))]]
我会提到它是相同的代码,具有相同的配置和相同的 krb5 文件。
编辑:更多信息:
这是我的代码:
public void func(String realm, String kdc) {
try {
URL configURL = getClass().getResource("jaas_ntlm_configuration.txt");
System.setProperty("java.security.auth.login.config", configURL.toString());
System.setProperty("java.security.krb5.realm", realm);
System.setProperty("java.security.krb5.kdc",kdc);
// If the application is run on NT rather than Unix, use this name
String loginAppName = "MyConfig";
// Create login context
LoginContext lc = new LoginContext(loginAppName, new SampleCallbackHandler());
// Retrieve the information on the logged-in user
lc.login();
// Get the authenticated subject
Subject subject = lc.getSubject();
System.out.println(subject.toString());
Subject.doAs(subject, new JndiAction(new String[] { "" }));
}
catch (LoginException e) {
e.printStackTrace();
}
}
class JndiAction implements java.security.PrivilegedAction {
private String[] args;
public JndiAction(String[] origArgs) {
this.args = (String[])origArgs.clone();
}
public Object run() {
performJndiOperation(args);
return null;
}
private static void performJndiOperation(String[] args) {
// Set up environment for creating initial context
Hashtable env = new Hashtable(11);
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
// Must use fully qualified hostname
env.put(Context.PROVIDER_URL, "ldap://server:389");
// Request the use of the "GSSAPI" SASL mechanism
// Authenticate by using already established Kerberos credentials
env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
try {
// Create the initial context
DirContext ctx = new InitialLdapContext(env, null);
// Close the context when we're done
ctx.close();
} catch (NamingException e) {
e.printStackTrace();
}
}
}
我的 jaas_ntlm_configuration.txt 文件包含:
MyConfig { com.sun.security.auth.module.Krb5LoginModule required
useTicketCache=true
doNotPrompt=false;
};
我的 krb5.conf 文件是:
#
# All rights reserved.
#
#pragma ident @(#)krb5.conf 1.1 00/12/08
[libdefaults]
default_tkt_enctypes = des3-cbc-sha1 des-cbc-md5 des-cbc-crc
default_tgs_enctypes = des3-cbc-sha1 des-cbc-md5 des-cbc-crc
forwardable = true
renewable = true
noaddresses = true
clockskew = 300
[realms]
SUB1.DOMAIN.COM = {
kdc = DDC.SUB1.DOMAIN.COM
default_domain=DOMAIN.COM
}
SUB2.DOMAIN.COM = {
kdc = DDC.SUB.DOMAIN.COM
default_domain=DOMAIN.COM
}
SUB3.DOMAIN.COM = {
kdc = DDC.SUB3.DOMAIN.COM
default_domain=DOMAIN.COM
}
[domain_realm]
.DOMAIN.COM = SUB1.DOMAIN.COM
.DOMAIN.COM = SUB2.DOMAIN.COM
.DOMAIN.COM = SUB3.DOMAIN.COM
[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
kdc_rotate = {
# How often to rotate kdc.log. Logs will get rotated no more
# often than the period, and less often if the KDC is not used
# frequently.
period = 1d
# how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)
versions = 10
}
[appdefaults]
kinit = {
renewable = true
forwardable= true
}
rlogin = {
forwardable= true
}
rsh = {
forwardable= true
}
telnet = {
autologin = true
forwardable= true
}
我添加了以下作为 java 参数:
-Djavax.security.auth.useSubjectCredsOnly=false -Djava.security.krb5.conf="krb5.conf" -Dsun.security.krb5.debug=true
如果我总是使用同一个子域调用 func("SUB*.DOMAIN.COM", "DDC.SUB*.DOMAIN.COM") - 它会起作用,但是如果我先使用一个子域然后再使用另一个,第二个会失败。
更多信息:
这里是 krb5.debug=true 的输出:
java -Xmx100m -cp gssapi_test.jar -Djavax.security.auth.useSubjectCredsOnly=false -Djava.security.krb5.conf="krb5.conf" -Dsun.security.krb5.debug=true gssapitest.myTest my_config.txt
2 users provided. Performing authentication #1
Reading configuration file my_config.txt
kdc: DDC.SUB1.DOMAIN.COM, realm: SUB1.DOMAIN.COM
>>>KinitOptions cache name is C:\Users\user1\krb5cc_user1
>> Acquire default native Credentials
>>> Obtained TGT from LSA: Credentials:
client=user1@SUB1.DOMAIN.COM
server=krbtgt/SUB1.DOMAIN.COM@SUB1.DOMAIN.COM
authTime=20130422075139Z
startTime=20130422075139Z
endTime=20130422175139Z
renewTill=20130429075139Z
flags: FORWARDABLE;RENEWABLE;INITIAL;PRE-AUTHENT
EType (int): 23
Subject:
Principal: user1@SUB1.DOMAIN.COM
Private Credential: Ticket (hex) =
.....
Client Principal = user1@SUB1.DOMAIN.COM
Server Principal = krbtgt/SUB1.DOMAIN.COM@SUB1.DOMAIN.COM
Session Key = EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: 2B 8C 97 3C 8E 83 66 F1 6D 58 6C 37 20 0E 1F 53 +..<..f.mXl7 ..S
Forwardable Ticket true
Forwarded Ticket false
Proxiable Ticket false
Proxy Ticket false
Postdated Ticket false
Renewable Ticket true
Initial Ticket true
Auth Time = Mon Apr 22 15:51:39 2013
Start Time = Mon Apr 22 15:51:39 2013
End Time = Tue Apr 23 01:51:39 2013
Renew Till = Mon Apr 29 15:51:39 2013
Client Addresses Null
Connecting to LDAP
Config name: krb5.conf
Found ticket for user1@SUB1.DOMAIN.COM to go to krbtgt/SUB1.DOMAIN.COM@SUB1.DOMAIN.COM expiring on Tue Apr 23 01:51:39 2013
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
default etypes for default_tgs_enctypes: 16 3 1.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KdcAccessibility: reset
>>> KrbKdcReq send: kdc=DDC.SUB1.DOMAIN.COM UDP:88, timeout=30000, number of retries =3, #bytes=1554
>>> KDCCommunication: kdc=DDC.SUB1.DOMAIN.COM UDP:88, timeout=30000,Attempt =1, #bytes=1554
>>> KrbKdcReq send: #bytes read=107
>>> KrbKdcReq send: kdc=DDC.SUB1.DOMAIN.COM TCP:88, timeout=30000, number of retries =3, #bytes=1554
>>> KDCCommunication: kdc=DDC.SUB1.DOMAIN.COM TCP:88, timeout=30000,Attempt =1, #bytes=1554
>>>DEBUG: TCPClient reading 1497 bytes
>>> KrbKdcReq send: #bytes read=1497
>>> KdcAccessibility: remove DDC.SUB1.DOMAIN.COM
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbApReq: APOptions are 00000000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
Krb5Context setting mySeqNumber to: 1005735013
Krb5Context setting peerSeqNumber to: 0
Created InitSecContextToken:
.....
Krb5Context.unwrap: token=[60 33 06 09 2a 86 48 86 f7 12 01 02 02 02 01 00 00 ff ff ff ff 94 52 14 5b f6 02 28 1c a4 3c c5 8f 03 9c a2 d6 e5 f6 f1 18 ed 6f 16 ab 07 a0 00 00 04 04 04 04 ]
Krb5Context.unwrap: data=[07 a0 00 00 ]
Krb5Context.wrap: data=[01 01 00 00 ]
Krb5Context.wrap: token=[60 33 06 09 2a 86 48 86 f7 12 01 02 02 02 01 00 00 ff ff ff ff 2d b6 92 0d d9 51 da aa ef 41 67 33 5c de b3 e6 ce 9a 46 31 a0 a8 0e 27 01 01 00 00 04 04 04 04 ]
Connected
Disconnected
#1: Done
Performing authentication #2
Reading configuration file my_config.txt
kdc: DDC.SUB2.DOMAIN.COM, realm: SUB2.DOMAIN.COM
>>>KinitOptions cache name is C:\Users\user1\krb5cc_user1
>> Acquire default native Credentials
>>> Obtained TGT from LSA: Credentials:
client=user1@SUB1.DOMAIN.COM
server=krbtgt/SUB1.DOMAIN.COM@SUB1.DOMAIN.COM
authTime=20130422075139Z
startTime=20130422075139Z
endTime=20130422175139Z
renewTill=20130429075139Z
flags: FORWARDABLE;RENEWABLE;INITIAL;PRE-AUTHENT
EType (int): 23
Subject:
Principal: user1@SUB1.DOMAIN.COM
Private Credential: Ticket (hex) =
.....
Client Principal = user1@SUB1.DOMAIN.COM
Server Principal = krbtgt/SUB1.DOMAIN.COM@SUB1.DOMAIN.COM
Session Key = EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: 2B 8C 97 3C 8E 83 66 F1 6D 58 6C 37 20 0E 1F 53 +..<..f.mXl7 ..S
Forwardable Ticket true
Forwarded Ticket false
Proxiable Ticket false
Proxy Ticket false
Postdated Ticket false
Renewable Ticket true
Initial Ticket true
Auth Time = Mon Apr 22 15:51:39 2013
Start Time = Mon Apr 22 15:51:39 2013
End Time = Tue Apr 23 01:51:39 2013
Renew Till = Mon Apr 29 15:51:39 2013
Client Addresses Null
Connecting to LDAP
Found ticket for user1@SUB1.DOMAIN.COM to go to krbtgt/SUB1.DOMAIN.COM@SUB1.DOMAIN.COM expiring on Tue Apr 23 01:51:39 2013
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
default etypes for default_tgs_enctypes: 16 3 1.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbKdcReq send: kdc=DDC.SUB1.DOMAIN.COM UDP:88, timeout=30000, number of retries =3, #bytes=1554
>>> KDCCommunication: kdc=DDC.SUB1.DOMAIN.COM UDP:88, timeout=30000,Attempt =1, #bytes=1554
>>> KrbKdcReq send: #bytes read=107
>>> KrbKdcReq send: kdc=DDC.SUB1.DOMAIN.COM TCP:88, timeout=30000, number of retries =3, #bytes=1554
>>> KDCCommunication: kdc=DDC.SUB1.DOMAIN.COM TCP:88, timeout=30000,Attempt =1, #bytes=1554
>>>DEBUG: TCPClient reading 1482 bytes
>>> KrbKdcReq send: #bytes read=1482
>>> KdcAccessibility: remove DDC.SUB1.DOMAIN.COM
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbException: Message stream modified (41)
at sun.security.krb5.KrbKdcRep.check(Unknown Source)
at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
at sun.security.krb5.KrbTgsReq.sendAndGetCreds(Unknown Source)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source)
at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
at javax.naming.InitialContext.init(Unknown Source)
at javax.naming.ldap.InitialLdapContext.<init>(Unknown Source)
at gssapitest.JndiAction.performJndiOperation(myTest.java:603)
at gssapitest.JndiAction.run(myTest.java:577)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Unknown Source)
at gssapitest.myTest.Do(myTest.java:59)
at gssapitest.myTest.main(myTest.java:513)
javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Message stream modified (41))]]
at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source)
at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
at javax.naming.InitialContext.init(Unknown Source)
at javax.naming.ldap.InitialLdapContext.<init>(Unknown Source)
at gssapitest.JndiAction.performJndiOperation(myTest.java:603)
at gssapitest.JndiAction.run(myTest.java:577)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Unknown Source)
at gssapitest.myTest.Do(myTest.java:59)
at gssapitest.myTest.main(myTest.java:513)
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Message stream modified (41))]
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
... 18 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Message stream modified (41))
at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
... 19 more
Caused by: KrbException: Message stream modified (41)
at sun.security.krb5.KrbKdcRep.check(Unknown Source)
at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
at sun.security.krb5.KrbTgsReq.sendAndGetCreds(Unknown Source)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
... 22 more
FAILED
我能做什么?我做错了什么吗?
谢谢。
最佳答案
谢谢!仅供引用,领域的大写(即领域应 100% 正确且为大写)对于避免“异常:krb_error 41 消息流已修改 (41)”非常重要。
下面是正确记法的例子:
[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
kdc = domaincontroller.example.com
admin_server = domaincontroller.example.com
default_domain = EXAMPLE.COM
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
问候,
尼卡。
关于java - GSS 异常 : Message stream modified (41),我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/15932361/
27
4
0
由于我的应用程序变大了,我决定应用程序的每个“模块”都有自己的资源文件、样式文件和 GSS 文件。此外,例如按钮的样式将位于不同的全局 GSS 文件中,因为它更像是一种应用程序样式,在整个应用程序中使
关闭。这个问题需要多问focused 。目前不接受答案。 想要改进此问题吗?更新问题,使其仅关注一个问题 editing this post . 已关闭 9 年前。 Improve this ques
尝试做一些像这里解释的事情: http://blog.arcbees.com/2015/04/28/managing-your-css-files-with-variables-and-a-theme
我正在尝试解决一个不寻常的问题。我在 Mac 上开发。我正在编写一些使用 jdbc 连接到数据库的代码。我无法直接访问数据库服务器 - 要访问它,我必须在 ssh 上设置端口转发,该端口转发到数据库服
我已经使用GSS-API创建了2个演示Kerberos客户端。 一个在Python3中,第二个在Java中。 这两个客户端似乎大致相同,并且两者都“起作用”,因为我得到了我的Java GSS-API服
我正在使用 jTDS 连接到 SQLServer。 jTDS 在内部使用 GSS 获取 kerberos 的服务票证并建立安全上下文。由于我的应用程序生命周期很长并且我的连接一直保持 Activity
我正在运行以下教程: http://download.oracle.com/javase/6/docs/technotes/guides/security/jgss/tutorials/BasicCl
我正在使用 Kerberos 实现 Windows -> Linux 透明身份验证。在 Windows 端,我使用 SSPI。我成功地在 Windows 客户端和 Windows 服务器之间建立了上下
我有以下问题。 操作系统:CentOS 6.6 PHP:5.5 Curl: 7.43 编译 当我执行“curl -V”时,我得到以下信息: curl 7.43.0 (x86_64-unknown-li
有没有人找到支持 MSSQL 的 GSS-API 的 JDBC 驱动程序。我需要使用 Windows 身份验证连接到 SQL Server。有趣的是,用户是通过 JAAS 登录到应用程序的,而不是应用
我正在尝试使用 Kerberos 连接到数据库,除了两个问题之外一切正常。首先,当我执行代码时,系统会要求我输入两次密码,而不是一次。然后我的查询被发送到我的数据库并返回结果。 上述问题源于我认为的根
我正在尝试运行 java 教程 Secure Authentication Using SPNEGO Java GSS Mechanism 中的示例 GssSpNegoClient.java由于一行,
如何将以下 GWT CSS 部分转换为 GWT GSS? @if (test.mobile.client.Parameter.getWindowWidth() >= 414) { .previewB
我尝试通过 ssh 连接到服务器并收到此错误: “未指定的 GSS 故障。次要代码可能会提供更多信息 没有可用的 Kerberos 凭据” 我不太确定这意味着什么。 (仍然尝试谷歌它) ; ssh -
我正在尝试实现为我的应用程序请求 TGT 的编程逻辑,因此在通过 GSSAPI 和 GSS 对 LDAP 服务器进行身份验证之前,无需从命令行调用 kinit SPNEGO机制。 我创建一个内存中 c
windows-xp 将授权 header 中的 SPNEGO token 发送到我们理解 kerberos 协议(protocol)的服务器。服务器应用程序是使用java提供的gss-api实现的。
使用本指南:http://www.gwtproject.org/articles/gss_migration.html我将所有 CSS 文件都转换为 GSS。我的 2 个 CSS 是通过入口点 HTM
我想制作一个程序来使用 gss-api/kerberos 进行流量授权。到目前为止,我可以联系 SSOS 并获得服务单。如果用户没有 TGT,我将在我的代码中执行类似于 kinit 的操作。 我的代码
我的测试程序运行良好。我可以创建一个客户端和一个服务器并让它们相互运行。我可以设置 KRB5_CONFIG 环境变量并使用本地配置进行测试。 出于某种原因,当我将代码放入我们的生产软件时,它失败了。即
我使用 GSS API 通过 Kerberos 身份验证(gss_init_sec_context 调用)向 SMB 2.0 服务器验证我自己。我知道我可以使用 kinit -R 命令更新 TGT。但
我是一名优秀的程序员,十分优秀!