Weblogic + Kerberos + SSO

Question

我正在尝试使用weblogic和Kerberos配置单点登录。

所以，但是我还是有登录页面，也许你可以告诉我这个日志有什么问题：

Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is /oracle/product12/user_projects/domains/test/krb/test.keytab refreshKrb5Config is false principal is kinp@TEST.ORG tryFirstPass is false useFirstPass is false storePass is false clearPass is false
KeyTab instance already exists
Added key: 23version: 19
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 3.
0: EncryptionKey: keyType=23 kvno=19 keyValue (hex dump)=
0000: C3 CB 19 1C 64 6E F9 7F   6A C9 31 FB EE 69 E7 35  ....dn..j.1..i.5


principal's key obtained from the keytab
Acquire TGT using AS Exchange
default etypes for default_tkt_enctypes: 23 3.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=192.168.0.100 UDP:88, timeout=30000, number of retries =3, #bytes=137
>>> KDCCommunication: kdc=192.168.0.100 UDP:88, timeout=30000,Attempt =1, #bytes=137
>>> KrbKdcReq send: #bytes read=181
>>> KrbKdcReq send: #bytes read=181
>>> KdcAccessibility: remove 192.168.0.100
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
     sTime is Tue Jan 20 10:46:05 EET 2015 1421743565000
     suSec is 576578
     error code is 25
     error Message is Additional pre-authentication required
     realm is TEST.ORG
     sname is krbtgt/TEST.ORG
     eData provided.
     msgType is 30
>>>Pre-Authentication Data:
     PA-DATA type = 11
     PA-ETYPE-INFO etype = 23
     PA-ETYPE-INFO salt = 
>>>Pre-Authentication Data:
     PA-DATA type = 19
     PA-ETYPE-INFO2 etype = 23
     PA-ETYPE-INFO2 salt = null
>>>Pre-Authentication Data:
     PA-DATA type = 2
     PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
     PA-DATA type = 16
>>>Pre-Authentication Data:
     PA-DATA type = 15
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
>>>KrbAsReq salt is TEST.ORGdev
default etypes for default_tkt_enctypes: 23 3.
Pre-Authenticaton: find key for etype = 23
AS-REQ: Add PA_ENC_TIMESTAMP now
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=192.168.0.100 UDP:88, timeout=30000, number of retries =3, #bytes=220
>>> KDCCommunication: kdc=192.168.0.100 UDP:88, timeout=30000,Attempt =1, #bytes=220
>>> KrbKdcReq send: #bytes read=1408
>>> KrbKdcReq send: #bytes read=1408
>>> KdcAccessibility: remove 192.168.0.100
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply dev
principal is dev@TEST.ORG
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: C3 CB 19 1C 64 6E F9 7F   6A C9 31 FB EE 69 E7 35  ....dn..j.1..i.5

Added server's keyKerberos Principal dev@TEST.ORGKey Version 19key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: C3 CB 19 1C 64 6E F9 7F   6A C9 31 FB EE 69 E7 35  ....dn..j.1..i.5


        [Krb5LoginModule] added Krb5Principal  dev@TEST.ORG to Subject
Commit Succeeded 

Found key for dev@TEST.ORG(23)
Entered Krb5Context.acceptSecContext with state=STATE_NEW

当我试图访问登录页面时，我得到了这个日志。

错误异常：

com.bea.security.utils.kerberos.KerberosException: Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))
    at com.bea.security.utils.kerberos.KerberosTokenHandler.acceptGssInitContextTokenInDoAs(KerberosTokenHandler.java:334)
    at com.bea.security.utils.kerberos.KerberosTokenHandler.access$000(KerberosTokenHandler.java:41)
    at com.bea.security.utils.kerberos.KerberosTokenHandler$1.run(KerberosTokenHandler.java:226)
...
Caused By: GSSException: Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
...
Caused By: KrbException: Specified version of key is not available (44)
    at sun.security.krb5.EncryptionKey.findKey(EncryptionKey.java:516)
    at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:260)
    at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
...

谢谢!

Answer 1

不能张贴评论，张贴这作为一个答复。您需要启用Weblogic的身份验证日志：

1. 在Weblogic中，单击左上角的“Lock&Edit”按钮。
2. 在左侧的Domain portlet中选择Environment - Servers。
3. 在“服务器摘要”页面上选择您的服务器。
4. 选择“Debug”选项卡。
5. 深入到weblogic -安全- atn。
6. 选中word DebugSecurityAtn左侧的复选框。
7. 单击页面顶部或底部的“启用”按钮。
8. 再次转到您的服务器，单击Logging选项卡，
9. 向下滚动并单击“高级”
10. 在“消息目的地-日志文件”中，将严重性级别更改为Debug
11. 点击页面顶部或底部的“保存”按钮。
12. 单击左上角的“激活更改”。

再次登录之后，您将在日志中获得更多的信息。