使用SPNEGO的CAS总是回到NTLM
使用SPNEGO的CAS总是回到NTLM
提问于 2019-12-04 15:17:24
我们已经使用CAS在我们的“内部”网络与Kerberos在一个网站,它是没有问题的工作。
我们现在想配置第二个站点(我们自己的站点),但配置方式略有不同(DNS名称/SPN)。
我试着解释..。首先是非工作配置,然后是工作配置,稍微做了一些修改。
我们尝试使用SPNEGO运行CAS。
我们可以将kinit (linux命令)与cas.keytab一起使用,并从kdc of REALM2.DE获得有效的Kerberos票证,但它不适用于cas.keytab。CAS总是回到NTLM。我们需要做些什么,这样才能奏效?也许他从keytab中使用了错误的SPN条目?我搞不懂。
server)
- acme.de
- Ubuntu 16 LTS和Ubuntu 18 LTS
- CAS : 5.2.7
- REALM1 = Windows Active Directory (有用户)
- REALM2 = MIT Linux领域(
- =官方SSL
- REALM1 =
- REALM1=Windows Active Directory(有用户))
- REALM2=MIT领域(在REALM1和REALM2之间有
- =因特网信任。
F 216
对不工作配置的说明:
SPN就像HTTP/cas.acme.de@REALM2.DE
/etc/krb5.conf:
[libdefaults]
default_keytab_name = /etc/cas/cas.keytab
[realms]
REALM1.DE = {
kdc = ad1.realm1.de
kdc = ad2.realm1.de
kdc = ad3.realm1.de
}
REALM2.DE = {
kdc = kerberos.realm2.de
kdc = kerberos-1.realm2.de
kdc = kerberos-2.realm2.de
admin_server = kadmin.realm2.de
}cas.properties:
cas.server.name=https://cas.acme.de:8443
cas.server.prefix=https://cas.acme.de:8443/cas
cas.authn.attributeRepository.defaultAttributesToRelease=cn,givenName,uid,mail
# KERBEROS / SPNEGO
cas.authn.spnego.kerberosConf=/etc/krb5.conf
# cas.authn.spnego.mixedModeAuthentication=false
cas.authn.spnego.mixedModeAuthentication=true
cas.authn.spnego.cachePolicy=600
cas.authn.spnego.timeout=300000
cas.authn.spnego.jcifsServicePrincipal=HTTP/cas.acme.de@REALM2.DE
cas.authn.spnego.jcifsNetbiosWins=
cas.authn.spnego.loginConf=/etc/cas/login.conf
cas.authn.spnego.ntlmAllowed=true
cas.authn.spnego.hostNamePatternString=.+
cas.authn.spnego.jcifsUsername=
cas.authn.spnego.useSubjectCredsOnly=false
cas.authn.spnego.supportedBrowsers=MSIE,Trident,Firefox,AppleWebKit
cas.authn.spnego.jcifsDomainController=
cas.authn.spnego.dnsTimeout=2000
cas.authn.spnego.hostNameClientActionStrategy=hostnameSpnegoClientAction
cas.authn.spnego.kerberosKdc=192.169.1.3
cas.authn.spnego.alternativeRemoteHostAttribute=alternateRemoteHeader
cas.authn.spnego.jcifsDomain=
cas.authn.spnego.ipsToCheckPattern=
cas.authn.spnego.kerberosDebug=
cas.authn.spnego.send401OnAuthenticationFailure=true
cas.authn.spnego.kerberosRealm=REALM2.DE
cas.authn.spnego.ntlm=false
cas.authn.spnego.principalWithDomainName=true
cas.authn.spnego.jcifsServicePassword=
cas.authn.spnego.jcifsPassword=
cas.authn.spnego.spnegoAttributeName=userPrincipalName
cas.authn.spnego.name=/etc/cas/login.conf:
jcifs.spnego.initiate {
com.sun.security.auth.module.Krb5LoginModule required storeKey=true useKeyTab=true keyTab="/etc/cas/cas.keytab";
};
jcifs.spnego.accept {
com.sun.security.auth.module.Krb5LoginModule required storeKey=true useKeyTab=true keyTab="/etc/cas/cas.keytab";
};cas.keytab:
root@cas:/etc/cas# klist -k /etc/cas/cas.keytab -e -t
Keytab name: FILE:/etc/cas/cas.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
2 17.05.2019 11:38:56 HTTP/cas.realm2.de@REALM2.DE (aes256-cts-hmac-sha1-96)
2 17.05.2019 11:38:56 HTTP/cas.realm2.de@REALM2.DE (aes128-cts-hmac-sha1-96)
2 17.05.2019 11:38:56 HTTP/cas.realm2.de@REALM2.DE (arcfour-hmac)
2 17.05.2019 11:39:03 HTTP/cas.acme.de@REALM2.DE (aes256-cts-hmac-sha1-96)
2 17.05.2019 11:39:03 HTTP/cas.acme.de@REALM2.DE (aes128-cts-hmac-sha1-96)
2 17.05.2019 11:39:03 HTTP/cas.acme.de@REALM2.DE (arcfour-hmac)kinit HTTP/cas.acme.de@REALM2.DE -k -t /etc/cas/cas.keytab
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/cas.acme.de@REALM2.DE
Valid starting Expires Service principal
04.12.2019 12:54:18 05.12.2019 12:54:18 krbtgt/REALM2.DE@REALM2.DEroot@cas:/etc/cas# nslookup cas.acme.d
Server: 192.169.1.1
Address: 192.169.1.1#53
Name: cas.acme.de
Address: 192.169.1.140
root@cas:/etc/cas# nslookup 192.169.1.140
140.1.169.192.in-addr.arpa name = cas.realm2.de.工作配置说明:
只更改了SPN和Internet DNS名称
SPN就像HTTP/cast.realm2.de@REALM2.DE
/etc/krb5.conf:
[libdefaults]
default_keytab_name = /etc/cas/cast.keytab
[realms]
REALM1.DE = {
kdc = ad1.realm1.de
kdc = ad2.realm1.de
kdc = ad3.realm1.de
}
REALM2.DE = {
kdc = kerberos.realm2.de
kdc = kerberos-1.realm2.de
kdc = kerberos-2.realm2.de
admin_server = kadmin.realm2.de
}cas.properties:
cas.server.name=https://cast.realm2.de:8443
cas.server.prefix=https://cast.realm2.de:8443/cas
# KERBEROS / SPNEGO
cas.authn.spnego.kerberosConf=/etc/krb5.conf
#cas.authn.spnego.mixedModeAuthentication=false
cas.authn.spnego.mixedModeAuthentication=true
cas.authn.spnego.cachePolicy=600
cas.authn.spnego.timeout=300000
cas.authn.spnego.jcifsServicePrincipal=HTTP/cast.realm2.de@REALM2.DE
cas.authn.spnego.jcifsNetbiosWins=
cas.authn.spnego.loginConf=/etc/cas/login.conf
cas.authn.spnego.ntlmAllowed=true
cas.authn.spnego.hostNamePatternString=.+
cas.authn.spnego.jcifsUsername=
cas.authn.spnego.useSubjectCredsOnly=false
cas.authn.spnego.supportedBrowsers=MSIE,Trident,Firefox,AppleWebKit
cas.authn.spnego.jcifsDomainController=
cas.authn.spnego.dnsTimeout=2000
cas.authn.spnego.hostNameClientActionStrategy=hostnameSpnegoClientAction
cas.authn.spnego.kerberosKdc=192.169.1.3
cas.authn.spnego.alternativeRemoteHostAttribute=alternateRemoteHeader
cas.authn.spnego.jcifsDomain=
cas.authn.spnego.ipsToCheckPattern=
cas.authn.spnego.kerberosDebug=
cas.authn.spnego.send401OnAuthenticationFailure=true
cas.authn.spnego.kerberosRealm=REALM2.DE
cas.authn.spnego.ntlm=false
cas.authn.spnego.principalWithDomainName=true
cas.authn.spnego.jcifsServicePassword=
cas.authn.spnego.jcifsPassword=
cas.authn.spnego.spnego/etc/cas/login.conf:
jcifs.spnego.initiate {
com.sun.security.auth.module.Krb5LoginModule required storeKey=true useKeyTab=true keyTab="/etc/cas/cas-t.keytab";
};
jcifs.spnego.accept {
com.sun.security.auth.module.Krb5LoginModule required storeKey=true useKeyTab=true keyTab="/etc/cas/cas-t.keytab";
}; cast.keytab:
klist -k cas-t.keytab -e -t
Keytab name: FILE:cas-t.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
2 04.10.2018 11:17:39 HTTP/cas-t.realm2.de@REALM2.DE (aes256-cts-hmac-sha1-96)
2 04.10.2018 11:17:39 HTTP/cas-t.realm2.de@REALM2.DE (aes128-cts-hmac-sha1-96)
2 04.10.2018 11:17:39 HTTP/cas-t.realm2.de@REALM2.DE (arcfour-hmac)
2 04.10.2018 11:17:42 HTTP/cast.realm2.de@REALM2.DE (aes256-cts-hmac-sha1-96)
2 04.10.2018 11:17:43 HTTP/cast.realm2.de@REALM2.DE (aes128-cts-hmac-sha1-96)
2 04.10.2018 11:17:43 HTTP/cast.realm2.de@REALM2.DE (arcfour-hmac)kinit HTTP/cast.realm2@REALM2.DE -k -t ./cas-t.keytab
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/cas-t.realm2.de@REALM2.DE
Valid starting Expires Service principal
04.12.2019 12:33:51 05.12.2019 12:33:51 krbtgt/REALM2.DE@REALM2.DEroot@cas:/etc/cas# nslookup cast.realm2.de
Server: 192.169.1.1
Address: 192.169.1.1#53
Name: cast.realm2.de
Address: 192.169.1.65
root@cas:/etc/cas# nslookup 192.169.1.65
65.1.169.192.in-addr.arpa name = cast.realm2.de.我们已经试着自己调试了,但是我们无法得到它..
我们希望有人能帮我们解决这个问题。
请告诉我们,如果你需要更多的信息,
,谢谢!
回答 1
Stack Overflow用户
发布于 2019-12-10 10:11:22
在深入挖掘Wireshark之后,我们可以解决这个问题。事实上,这不是CAS问题,而是KDC-领域问题。
客户端通过访问cas服务器导出了错误的领域。客户端浏览器试图询问windows-kdc,但无法检索给定SPN的服务票证。
使用后:
ksetup /AddHostToRealmMap <host name of CAS> <realm>为了迫使客户端请求正确的linux,成功地请求了一张服务票证,CAS-身份验证工作进行得很好。
感谢@Steve为"b)它正在进行正确的领域转换“.
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/59179207
复制相关文章
相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号