- html - 出于某种原因,IE8 对我的 Sass 文件中继承的 html5 CSS 不友好?
- JMeter 在响应断言中使用 span 标签的问题
- html - 在 :hover and :active? 上具有不同效果的 CSS 动画
- html - 相对于居中的 html 内容固定的 CSS 重复背景?
我尝试使用基于 Kerberos 的内置 SPNEGO 身份验证器为 Tomcat 7.0.69 配置 WebSSO。当我访问该应用程序时,会弹出一个 HTTP BasicAuth 对话框,并在 catalina.out 中写入一个调试条目(见下文)。
我的 key 表文件 sso.keytab 包含一个在我的 AD 服务器上注册的主体(通过 ktpass.exe 和 setspn.exe)。
我打开了 Kerberos 的 Debug模式,但我找不到问题所在。它只是在 Entering logout 的某个时刻停止。您是否知道身份验证在哪一步停止,可能是什么原因?感谢您的帮助!
catalina.out
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is /path/to/tomcat/apache-tomcat-7.0.69/conf/sso.keytab refreshKrb5Config is false principal is HTTP/my.host.com@MY.DOMAIN tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Looking for keys for: HTTP/my.host.com@MY.DOMAIN
Added key: 23version: 0
Looking for keys for: HTTP/my.host.com@MY.DOMAIN
Added key: 23version: 0
default etypes for default_tkt_enctypes: 23 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=server001.my.domain UDP:88, timeout=30000, number of retries =3, #bytes=171
>>> KDCCommunication: kdc=server001.my.domain UDP:88, timeout=30000,Attempt =1, #bytes=171
>>> KrbKdcReq send: #bytes read=189
>>>Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 23, salt =
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
>>> KdcAccessibility: remove server001.my.domain
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Thu Dec 15 15:35:42 CET 2016 1481812542000
suSec is 830454
error code is 25
error Message is Additional pre-authentication required
sname is krbtgt/MY.DOMAIN@MY.DOMAIN
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 23, salt =
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 17.
Looking for keys for: HTTP/my.host.com@MY.DOMAIN
Added key: 23version: 0
Looking for keys for: HTTP/my.host.com@MY.DOMAIN
Added key: 23version: 0
default etypes for default_tkt_enctypes: 23 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=server001.my.domain UDP:88, timeout=30000, number of retries =3, #bytes=254
>>> KDCCommunication: kdc=server001.my.domain UDP:88, timeout=30000,Attempt =1, #bytes=254
>>> KrbKdcReq send: #bytes read=104
>>> KrbKdcReq send: kdc=server001.my.domain TCP:88, timeout=30000, number of retries =3, #bytes=254
>>> KDCCommunication: kdc=server001.my.domain TCP:88, timeout=30000,Attempt =1, #bytes=254
>>>DEBUG: TCPClient reading 1666 bytes
>>> KrbKdcReq send: #bytes read=1666
>>> KdcAccessibility: remove server001.my.domain
Looking for keys for: HTTP/my.host.com@MY.DOMAIN
Added key: 23version: 0
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/my.host.com
principal is HTTP/my.host.com@MY.DOMAIN
Will use keytab
[LoginContext]: login success
Commit Succeeded
[LoginContext]: commit success
Found KeyTab /path/to/tomcat/apache-tomcat-7.0.69/conf/sso.keytab for HTTP/my.host.com@MY.DOMAIN
Found KeyTab /path/to/tomcat/apache-tomcat-7.0.69/conf/sso.keytab for HTTP/my.host.com@MY.DOMAIN
Found ticket for HTTP/my.host.com@MY.DOMAIN to go to krbtgt/MY.DOMAIN@MY.DOMAIN expiring on Fri Dec 16 01:35:42 CET 2016
Entered SpNegoContext.acceptSecContext with state=STATE_NEW
SpNegoContext.acceptSecContext: receiving token = a0 82 13 79 30 82 13 75 a0 30 30 2e 06 09 2a 86 48 86 f7 12 01 02 02
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.113554.1.2.2
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.48018.1.2.2
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.30
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.10
SpNegoToken NegTokenInit: reading Mech Token
SpNegoContext.acceptSecContext: received token of type = SPNEGO NegTokenInit
SpNegoContext: negotiated mechanism = 1.2.840.113554.1.2.2
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Looking for keys for: HTTP/my.host.com@MY.DOMAIN
Added key: 23version: 0
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject
[LoginContext]: logout success
收到的 token 长了很多,我把它缩短了
krb5.ini
[libdefaults]
default_realm = MY.DOMAIN
default_keytab_name = FILE:/path/to/tomcat/apache-tomcat-7.0.69/conf/sso.keytab
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
permitted_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
[realms]
MY.DOMAIN = {
kdc = server001.my.domain
admin_server = server001.my.domain
default_domain = MY.DOMAIN
}
[domain_realm]
.my.domain = MY.DOMAIN
my.domain = MY.DOMAIN
jaas.conf
spnego-client {
com.sun.security.auth.module.Krb5LoginModule required;
};
spnego-server {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
keyTab="/path/to/tomcat/apache-tomcat-7.0.69/conf/sso.keytab"
principal="HTTP/my.host.com@MY.DOMAIN"
debug=true;
};
web.xml
<login-config>
<auth-method>SPNEGO</auth-method>
</login-config>
<security-constraint>
<web-resource-collection>
<web-resource-name>SSO Login</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
架构
最佳答案
感谢T-Heron ,我能够找到解决方案。 keytab 文件是用错误的加密类型生成的。对于 Windows7/10 和我的环境,它必须明确设置为 AES256-SHA1
正确的 ktpass 调用:
ktpass -out D:\TEMP\sso.keytab -mapuser MYUSER -princ HTTP/my.host.com@MY.DOMAIN -ptype KRB5_NT_PRINCIPAL -kvno 0 -crypto AES256-SHA1 -pass ****
非常感谢您的支持!!!
关于Tomcat Kerberos Spnego 授权不起作用,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/41250010/
今天有小伙伴给我留言问到,try{...}catch(){...}是什么意思?它用来干什么? 简单的说 他们是用来捕获异常的 下面我们通过一个例子来详细讲解下
我正在努力提高网站的可访问性,但我不知道如何在页脚中标记社交媒体链接列表。这些链接指向我在 facecook、twitter 等上的帐户。我不想用 role="navigation" 标记这些链接,因
说现在是 6 点,我有一个 Timer 并在 10 点安排了一个 TimerTask。之后,System DateTime 被其他服务(例如 ntp)调整为 9 点钟。我仍然希望我的 TimerTas
就目前而言,这个问题不适合我们的问答形式。我们希望答案得到事实、引用资料或专业知识的支持,但这个问题可能会引发辩论、争论、投票或扩展讨论。如果您觉得这个问题可以改进并可能重新打开,visit the
我就废话不多说了,大家还是直接看代码吧~ ? 1
Maven系列1 1.什么是Maven? Maven是一个项目管理工具,它包含了一个对象模型。一组标准集合,一个依赖管理系统。和用来运行定义在生命周期阶段中插件目标和逻辑。 核心功能 Mav
我是一名优秀的程序员,十分优秀!