文档建议反馈控制台
首页
学习
活动
专区
圈层
工具
MCP广场
文章/答案/技术大牛
发布
社区首页 >问答首页 >Tomcat Kerberos Spnego授权无效

Tomcat Kerberos Spnego授权无效
EN

Stack Overflow用户
提问于 2016-12-20 19:37:09
回答 1查看 3.1K关注 0票数 1

我尝试使用Kerberos上的内置SPNEGO身份验证器为Tomcat 7.0.69配置WebSSO。当我访问应用程序时,会弹出一个HTTP,并在BasicAuth中写入一个调试条目(见下文)。

我的keytab文件sso.keytab包含一个在我的AD上注册的主体(通过ktpass.exe & setspn.exe)。

我为Kerberos打开了调试模式,但找不到问题。只要输入退出,它就会在某个时刻停止。您是否知道,在哪一步停止身份验证,这可能是什么原因?任何帮助都是非常感谢的!

catalina.out

代码语言:javascript
复制
Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is /path/to/tomcat/apache-tomcat-7.0.69/conf/sso.keytab refreshKrb5Config is false principal is HTTP/my.host.com@MY.DOMAIN tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Looking for keys for: HTTP/my.host.com@MY.DOMAIN
Added key: 23version: 0
Looking for keys for: HTTP/my.host.com@MY.DOMAIN
Added key: 23version: 0
default etypes for default_tkt_enctypes: 23 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=server001.my.domain UDP:88, timeout=30000, number of retries =3, #bytes=171
>>> KDCCommunication: kdc=server001.my.domain UDP:88, timeout=30000,Attempt =1, #bytes=171
>>> KrbKdcReq send: #bytes read=189
>>>Pre-Authentication Data:
     PA-DATA type = 11
     PA-ETYPE-INFO etype = 23, salt = 

>>>Pre-Authentication Data:
     PA-DATA type = 19
     PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
     PA-DATA type = 2
     PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
     PA-DATA type = 16

>>>Pre-Authentication Data:
     PA-DATA type = 15

>>> KdcAccessibility: remove server001.my.domain
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
     sTime is Thu Dec 15 15:35:42 CET 2016 1481812542000
     suSec is 830454
     error code is 25
     error Message is Additional pre-authentication required
     sname is krbtgt/MY.DOMAIN@MY.DOMAIN
     eData provided.
     msgType is 30
>>>Pre-Authentication Data:
     PA-DATA type = 11
     PA-ETYPE-INFO etype = 23, salt = 

>>>Pre-Authentication Data:
     PA-DATA type = 19
     PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
     PA-DATA type = 2
     PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
     PA-DATA type = 16

>>>Pre-Authentication Data:
     PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 17.
Looking for keys for: HTTP/my.host.com@MY.DOMAIN
Added key: 23version: 0
Looking for keys for: HTTP/my.host.com@MY.DOMAIN
Added key: 23version: 0
default etypes for default_tkt_enctypes: 23 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=server001.my.domain UDP:88, timeout=30000, number of retries =3, #bytes=254
>>> KDCCommunication: kdc=server001.my.domain UDP:88, timeout=30000,Attempt =1, #bytes=254
>>> KrbKdcReq send: #bytes read=104
>>> KrbKdcReq send: kdc=server001.my.domain TCP:88, timeout=30000, number of retries =3, #bytes=254
>>> KDCCommunication: kdc=server001.my.domain TCP:88, timeout=30000,Attempt =1, #bytes=254
>>>DEBUG: TCPClient reading 1666 bytes
>>> KrbKdcReq send: #bytes read=1666
>>> KdcAccessibility: remove server001.my.domain
Looking for keys for: HTTP/my.host.com@MY.DOMAIN
Added key: 23version: 0
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/my.host.com
principal is HTTP/my.host.com@MY.DOMAIN
Will use keytab
    [LoginContext]: login success
Commit Succeeded 

    [LoginContext]: commit success
Found KeyTab /path/to/tomcat/apache-tomcat-7.0.69/conf/sso.keytab for HTTP/my.host.com@MY.DOMAIN
Found KeyTab /path/to/tomcat/apache-tomcat-7.0.69/conf/sso.keytab for HTTP/my.host.com@MY.DOMAIN
Found ticket for HTTP/my.host.com@MY.DOMAIN to go to krbtgt/MY.DOMAIN@MY.DOMAIN expiring on Fri Dec 16 01:35:42 CET 2016
Entered SpNegoContext.acceptSecContext with state=STATE_NEW
SpNegoContext.acceptSecContext: receiving token = a0 82 13 79 30 82 13 75 a0 30 30 2e 06 09 2a 86 48 86 f7 12 01 02 02 
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.113554.1.2.2
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.48018.1.2.2
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.30
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.10
SpNegoToken NegTokenInit: reading Mech Token
SpNegoContext.acceptSecContext: received token of type = SPNEGO NegTokenInit
SpNegoContext: negotiated mechanism = 1.2.840.113554.1.2.2
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Looking for keys for: HTTP/my.host.com@MY.DOMAIN
Added key: 23version: 0
        [Krb5LoginModule]: Entering logout
        [Krb5LoginModule]: logged out Subject
    [LoginContext]: logout success

回收信要长得多,我把它缩短了

krb5.ini

代码语言:javascript
复制
[libdefaults]
    default_realm = MY.DOMAIN
    default_keytab_name = FILE:/path/to/tomcat/apache-tomcat-7.0.69/conf/sso.keytab
    default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    permitted_enctypes   = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96

[realms]
    MY.DOMAIN  = {
        kdc = server001.my.domain
        admin_server = server001.my.domain
        default_domain = MY.DOMAIN
}

[domain_realm]
    .my.domain = MY.DOMAIN
    my.domain = MY.DOMAIN

jaas.conf

代码语言:javascript
复制
spnego-client {
    com.sun.security.auth.module.Krb5LoginModule required;
};

spnego-server {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    useKeyTab=true
    keyTab="/path/to/tomcat/apache-tomcat-7.0.69/conf/sso.keytab"
    principal="HTTP/my.host.com@MY.DOMAIN"
    debug=true;
};

web.xml

代码语言:javascript
复制
<login-config>
  <auth-method>SPNEGO</auth-method>
</login-config>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>SSO Login</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>

Architecture

  • AD Server Windows Server 2016
  • 应用程序-服务器Unix-Redhat6与Oracle JVM和Tomcat 7.0.69
  • 带有11的客户端Windows 10
tomcat
single-sign-on
kerberos
web.xml
spnego
EN

回答 1

Stack Overflow用户

回答已采纳

发布于 2017-01-04 14:43:58

多亏了T-Heron,我找到了解决方案。keytab文件是用错误的加密类型生成的。对于Windows7 7/10,在我的环境中,必须显式地将其设置为erc256-SHA1

正确的ktpass调用:

代码语言:javascript
复制
ktpass -out D:\TEMP\sso.keytab -mapuser MYUSER -princ HTTP/my.host.com@MY.DOMAIN -ptype KRB5_NT_PRINCIPAL -kvno 0 -crypto AES256-SHA1 -pass ****

非常感谢您的支持!

票数 0
EN
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:

https://stackoverflow.com/questions/41250010

复制
相关文章

相似问题

领券

腾讯云开发者

扫码关注腾讯云开发者

扫码关注腾讯云开发者

领取腾讯云代金券

热门产品

热门推荐

更多推荐

Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有 

深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 粤公网安备44030502008569号

腾讯云计算(北京)有限责任公司 京ICP证150476号 |  京ICP备11018762号

问题归档专栏文章快讯文章归档关键词归档开发者手册归档开发者手册 Section 归档