I am trying to run an OpenWebStart application that shows a login dialog and performs the login over Kerberos. I get a "Checksum failed" exception (see below). I run the KDC in a VM (CentOS 7), and in the Kerberos log I can see that the TGT is created successfully:

Kerberos.kalna.ch krb5kdc[1132](Information): AS_REQ (6 etypes {18 17 16 23 1 3} 192.168.56.1: ISSUE authtime 1583736176 , etypes {rep=18 tkt=18 ses=18}, kada@KALNA.CH for krbtgt/KALNA.CH@KALNA.CH

The Kerberos configuration is as follows (kdc.conf):
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
KALNA.CH = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}

The client configuration is as follows (krb5.conf):
[libdefaults]
forwardable = true
default_realm = KALNA.CH
udp_preference_limit = 1
kdc_timeout = 2000
allow_weak_crypto = true
[realms]
KALNA.CH = {
kdc = Kerberos.kalna.ch
default_domain = kalna.ch
}
[domain_realm]
.kalna.ch = KALNA.CH
kalna.ch = KALNA.CH

Through debugging I can see that the TGT is received fine, but then the checksum is computed and fails. I have tried the unlimited strength policy, but that did not help. Do you know why the checksum fails?
Any help is much appreciated. Below is the OpenWebStart log:
Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is true principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Refreshing Kerberos configuration
[Krb5LoginModule] user entered username: kada@KALNA.CH
Mon Mar 09 07:42:56 CET 2020 [DEBUG ] com.openwebstart.proxy.direct.DirectProxyProvider: Using NO_PROXY
[Krb5LoginModule] authentication failed Checksum failed
javax.security.auth.login.LoginException: Checksum failed
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:808)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:618)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at net.sourceforge.jnlp.Launcher.launchApplication(Launcher.java:400)
at net.sourceforge.jnlp.Launcher.access$200(Launcher.java:69)
at net.sourceforge.jnlp.Launcher$TgThread.run(Launcher.java:650)
Caused by: KrbException: Checksum failed
at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:102)
at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:94)
at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:175)
at sun.security.krb5.KrbAsRep.decrypt(KrbAsRep.java:150)
at sun.security.krb5.KrbAsRep.decryptUsingPassword(KrbAsRep.java:139)
at sun.security.krb5.KrbAsReqBuilder.resolve(KrbAsReqBuilder.java:310)
at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:447)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:770)
... 23 more
Caused by: java.security.GeneralSecurityException: Checksum failed
at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:451)
at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(AesDkCrypto.java:272)
at sun.security.krb5.internal.crypto.Aes256.decrypt(Aes256.java:76)
at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:100)
... 30 more

Posted on 2020-03-10 17:28:01
I have debugged KrbAsRep.java, and you are right, the KDC sends the pAData below. The salt is then computed from this data. But I cannot see a reason why it fails.
0 = {PAData@4691} ">>>Pre-Authentication Data:\n\t PA-DATA type = 19\n\t PA-ETYPE-INFO2 etype = 23, salt = KALNA.CHkada, s2kparams = null\n"
1 = {PAData@4692} ">>>Pre-Authentication Data:\n\t PA-DATA type = 3\n"
2 = {PAData@4693} ">>>Pre-Authentication Data:\n\t PA-DATA type = 11\n\t PA-ETYPE-INFO etype = 23, salt = KALNA.CHkada\n"

https://stackoverflow.com/questions/60595975
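The post turns on how the client turns the password and the salt from PA-ETYPE-INFO2 into the key that decrypts the AS-REP. The following is an added example, not code from the question or from the JDK: it writes out the RFC 3962 string-to-key derivation for aes256-cts-hmac-sha1-96 (etype 18, the reply type in the KDC log) using only the JCE primitives, checks it against the published RFC 3962 Appendix B test vector, and then shows that the same password with two different salts yields two unrelated keys. That is the mechanism behind a "Checksum failed" on KrbAsRep.decrypt: the AES-CTS ciphertext is authenticated with an HMAC under the derived key, so a key derived from the wrong salt, iteration count or password fails the integrity check before any plaintext is produced. Note that for etype 23 (rc4-hmac, the type named in the PA-ETYPE-INFO2 above) the salt is not used at all, while for AES it is a direct input to PBKDF2. The realm and principal in the second part (EXAMPLE.COM, alice) are constructed for the demonstration; the 4096 iteration count is the RFC 3962 default that applies when the KDC sends no s2kparams, as in the post's PA-ETYPE-INFO2 entry.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/** RFC 3962 string-to-key for aes256-cts-hmac-sha1-96, written out step by step (illustration, not the JDK's code). */
public class Aes256StringToKey {

    /** Iteration count used when the KDC sends no s2kparams (s2kparams = null in the question's PA-ETYPE-INFO2). */
    static final int DEFAULT_ITERATIONS = 4096;

    static int gcd(int a, int b) { return b == 0 ? a : gcd(b, a % b); }

    /** Rotate a byte string right by nBits (building block of the RFC 3961 n-fold). */
    static byte[] rotateRight(byte[] in, int nBits) {
        int n = in.length, byteShift = (nBits / 8) % n, bitShift = nBits % 8;
        byte[] out = new byte[n];
        for (int i = 0; i < n; i++) {
            int src = Math.floorMod(i - byteShift, n), prev = Math.floorMod(i - byteShift - 1, n);
            out[i] = (byte) (((in[src] & 0xff) >>> bitShift) | (((in[prev] & 0xff) << (8 - bitShift)) & 0xff));
        }
        return out;
    }

    /** Byte-wise ones-complement addition with end-around carry (the last byte's carry wraps to the first). */
    static byte[] addOnesComplement(byte[] a, byte[] b) {
        int n = a.length;
        int[] v = new int[n];
        for (int i = 0; i < n; i++) v[i] = (a[i] & 0xff) + (b[i] & 0xff);
        boolean carry = true;
        while (carry) {
            int[] next = new int[n];
            for (int i = 0; i < n; i++) next[i] = (v[i] & 0xff) + (v[(i + 1) % n] >> 8);
            v = next;
            carry = false;
            for (int x : v) carry |= x > 0xff;
        }
        byte[] out = new byte[n];
        for (int i = 0; i < n; i++) out[i] = (byte) v[i];
        return out;
    }

    /** RFC 3961 section 5.1 n-fold: stretch or compress a string to outLen bytes. */
    static byte[] nFold(byte[] in, int outLen) {
        int inLen = in.length, lcm = inLen / gcd(inLen, outLen) * outLen;
        byte[] big = new byte[lcm];
        for (int c = 0; c < lcm / inLen; c++)
            System.arraycopy(rotateRight(in, 13 * c), 0, big, c * inLen, inLen);
        byte[] acc = Arrays.copyOfRange(big, 0, outLen);
        for (int p = outLen; p < lcm; p += outLen)
            acc = addOnesComplement(acc, Arrays.copyOfRange(big, p, p + outLen));
        return acc;
    }

    /** password + salt -> 32-byte AES-256 Kerberos key (RFC 3962 section 4). */
    static byte[] stringToKey(String password, String salt, int iterations) throws GeneralSecurityException {
        // Step 1: tkey = PBKDF2-HMAC-SHA1(UTF-8 password, UTF-8 salt, iterations, 256 bits).
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
        byte[] tkey = f.generateSecret(new PBEKeySpec(password.toCharArray(),
                salt.getBytes(StandardCharsets.UTF_8), iterations, 256)).getEncoded();
        // Step 2: key = DK(tkey, "kerberos"). DR encrypts the 128-bit n-fold of the constant under tkey and
        // chains the output until 32 bytes exist; random-to-key is the identity for AES.
        Cipher aes = Cipher.getInstance("AES/ECB/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(tkey, "AES"));
        byte[] k1 = aes.doFinal(nFold("kerberos".getBytes(StandardCharsets.US_ASCII), 16));
        byte[] k2 = aes.doFinal(k1);
        byte[] key = Arrays.copyOf(k1, 32);
        System.arraycopy(k2, 0, key, 16, 16);
        return key;
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Published RFC 3962 Appendix B vector: iteration count 1, password "password", salt "ATHENA.MIT.EDUraeburn".
        byte[] key = stringToKey("password", "ATHENA.MIT.EDUraeburn", 1);
        System.out.println("RFC 3962 key:   " + hex(key));
        System.out.println("matches vector: " + hex(key).equals(
                "fe697b52bc0d3ce14432ba036a92e65bbb52280990a2fa27883998d72af30161"));

        // Same password, different salts (realm + principal, constructed here): the keys are unrelated, so an
        // AS-REP encrypted under one fails the HMAC check under the other; the JDK reports that as "Checksum failed".
        byte[] kdcSaltKey = stringToKey("password", "EXAMPLE.COMalice", DEFAULT_ITERATIONS);
        byte[] otherSaltKey = stringToKey("password", "example.comalice", DEFAULT_ITERATIONS);
        System.out.println("salt EXAMPLE.COMalice -> " + hex(kdcSaltKey));
        System.out.println("salt example.comalice -> " + hex(otherSaltKey));
        System.out.println("keys equal: " + Arrays.equals(kdcSaltKey, otherSaltKey));
    }
}
```

Compile and run with `javac Aes256StringToKey.java && java Aes256StringToKey`; the first line should report `matches vector: true`. On JDK 8 builds older than 8u161, AES-256 keys require the unlimited-strength jurisdiction policy files (from 8u161 on, unlimited is the default), which is the same constraint that applies to the Aes256CtsHmacSha1EType path in the stack trace. When debugging a derivation mismatch, the three inputs worth comparing between the KDC's database entry and what the client computes are exactly the three arguments of stringToKey: the password, the salt string (realm concatenated with the principal components, unless the KDC sends a different one), and the iteration count from s2kparams.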