我似乎无法正确配置系统,也无法让浏览器向Web服务器发送kerberos票据。而是发送NTLM
令牌。
问:我该如何解决这个问题?
下面列出了所有细节和配置。
ktpass -princ HTTP/software.company.local@COMPANY.LOCAL -mapuser software@COMPANY.LOCAL -crypto ALL -ptype KRB5_NT_PRINCIPAL -pass __PassForADUserSoftware__ -out C:/winnt/krb5.keytab
Targeting domain controller: PC-I7.COMPANY.local
Failed to set property 'userPrincipalName' to 'HTTP/software.company.local@COMPANY.LOCAL' on Dn 'CN=Software SSO Kerberized WebServer,DC=COMPANY,DC=local': 0x13.
WARNING: Failed to set UPN HTTP/software.company.local@COMPANY.LOCAL on CN=Software SSO Kerberized WebServer,DC=COMPANY,DC=local.
kinits to 'HTTP/software.company.local@COMPANY.LOCAL' will fail.
Successfully mapped HTTP/software.company.local to software.
Password successfully set!
Key created.
Key created.
Key created.
Key created.
Key created.
Output keytab to C:/winnt/krb5.keytab:
Keytab version: 0x502
keysize 64 HTTP/software.company.local@COMPANY.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 8 etype 0x1 (DES-CBC-CRC) keylength 8 (0x0bf1688040abadba)
keysize 64 HTTP/software.company.local@COMPANY.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 8 etype 0x3 (DES-CBC-MD5) keylength 8 (0x0bf1688040abadba)
keysize 72 HTTP/software.company.local@COMPANY.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 8 etype 0x17 (RC4-HMAC) keylength 16 (0x737d9811dd38e108741461ba79153192)
keysize 88 HTTP/software.company.local@COMPANY.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 8 etype 0x12 (AES256-SHA1) keylength 32 (0xcc8ab2939f822f9df6904a987954e0cfaa261bc36803af6c5f8d9a98f1d4f2aa)
keysize 72 HTTP/software.company.local@COMPANY.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 8 etype 0x11 (AES128-SHA1) keylength 16 (0xd616b814dcd1b955f125ab4de5895d39)
user: Administrator
pass: ARandomPass
kinit HTTP/software.company.local@COMPANY.LOCAL
Security > Local Intranet > Sites > *.company.local
Security > Custom level > Automatic logon only in Intranet area
WARN:oejs.SpnegoLoginService:qtp506835709-28:
GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
at org.eclipse.jetty.security.SpnegoLoginService.login(SpnegoLoginService.java:138)
at org.eclipse.jetty.security.authentication.LoginAuthenticator.login(LoginAuthenticator.java:61)
at org.eclipse.jetty.security.authentication.SpnegoAuthenticator.validateRequest(SpnegoAuthenticator.java:99)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:483)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:134)
at org.eclipse.jetty.server.Server.handle(Server.java:524)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:319)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:253)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:273)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:95)
at org.eclipse.jetty.io.SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:93)
at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.executeProduceConsume(ExecuteProduceConsume.java:303)
at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceConsume(ExecuteProduceConsume.java:148)
at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:136)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:671)
at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:589)
at java.lang.Thread.run(Thread.java:748)
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt false
ticketCache is null isInitiator false
KeyTab is C:/software/inst/modules/common-config/auth/krb5.keytab refreshKrb5Config is false
principal is HTTP/software.company.local@COMPANY.LOCAL tryFirstPass is false
useFirstPass is false storePass is false clearPass is false
[libdefaults]
default_realm = COMPANY.LOCAL
permitted_enctypes = rc4-hmac,aes128-cts,aes256-cts,arcfour-hmac-md5,aes256-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes128-cts,aes256-cts,arcfour-hmac-md5,aes256-cts-hmac-sha1-96
default_tkt_enctypes = rc4-hmac,aes128-cts,aes256-cts,arcfour-hmac-md5,aes256-cts-hmac-sha1-96
default_keytab_name = FILE:C:/software/inst/modules/common-config/krb5.keytab
[domain_realm]
COMPANY.local = COMPANY.LOCAL
.company.local = COMPANY.LOCAL
[realms]
COMPANY.LOCAL = {
admin_server = PC-I7.COMPANY.local
kdc = PC-I7.COMPANY.local:88
}
com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required
principal = "HTTP/software.company.local@COMPANY.LOCAL"
keyTab = "C:/software/inst/modules/common-config/auth/krb5.keytab"
useKeyTab = true
storeKey = true
debug = true
isInitiator = false;
};
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required
principal = "HTTP/software.company.local@COMPANY.LOCAL"
useKeyTab = true
keyTab = "C:/software/inst/modules/common-config/auth/krb5.keytab"
storeKey=true
debug=true
isInitiator=false;
};
targetName = HTTP/software.company.local
<Get name="securityHandler">
<Set name="loginService">
<New class="org.eclipse.jetty.security.SpnegoLoginService">
<Set name="name">Company Realm</Set>
<Set name="config">
<SystemProperty name="jetty.home" default="."/>/modules/common-config/auth/spnego.properties</Set>
</New>
</Set>
<Set name="checkWelcomeFiles">true</Set>
</Get>
这就是我在Java
中以编程方式注册SPNEGO
配置的方式:
private SecurityHandler wrapEnableSSOAuthHandlers(final Handler collection) {
// ini file
System.setProperty(
"java.security.krb5.conf",
_config.getString("authentication.win_sso.spnego.krb5") // the krb5.ini file
);
System.setProperty(
"java.security.auth.login.config",
_config.getString("authentication.win_sso.spnego.login") // the spnego.conf file
);
System.setProperty(
"javax.security.auth.useSubjectCredsOnly",
"false"
);
final Constraint spnegoConstraint = new Constraint();
spnegoConstraint.setName(Constraint.__SPNEGO_AUTH);
final String domainRealm = _config.getString("authentication.win_sso.domain.realm"); // resolves to COMPANY.LOCAL
spnegoConstraint.setRoles(new String[]{domainRealm});
spnegoConstraint.setAuthenticate(true);
final ConstraintMapping mapping = new ConstraintMapping();
mapping.setConstraint(spnegoConstraint);
mapping.setPathSpec("/*");
final String spnegoProperties = _config.getString("authentication.win_sso.spnego.properties"); // the spnego.properties file
final SpnegoLoginService loginService = new SpnegoLoginService();
loginService.setConfig(spnegoProperties);
loginService.setName(domainRealm);
final ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
securityHandler.setLoginService(loginService);
securityHandler.setConstraintMappings(new ConstraintMapping[]{mapping});
securityHandler.setRealmName(domainRealm);
securityHandler.setAuthenticator(new SpnegoAuthenticator());
securityHandler.setHandler(collection);
return securityHandler;
}
和
// here I disable the TRACE method for all calls
Handler wrappedSecurityHandler = wrapDisableTraceHandlers(handlers);
wrappedSecurityHandler = wrapEnableSSOAuthHandlers(wrappedSecurityHandler);
_server.setHandler(wrappedSecurityHandler);
编辑1:附加信息
我已经下载了Kerberos Authentication Tester工具,当从KDC
服务器(192.168.0.5
)运行它并对http://software.company.local:8998
进行测试时,它显示了正确的Kerberos
身份验证。
当从192.168.0.10
服务器(浏览器所在)运行它时,它表示:
意外授权标头
我想这可能是DNS
问题,或者是它们是同一服务器上的两个VM
。
显然,客户机和服务器位于两个不同的虚拟机上(位于同一物理服务器上!)会导致NTLM
令牌。
我认为VM
可以避免客户机和服务器在同一台机器上的问题。
所以,如果你
我有一个让我发疯的问题。我试图在windows Server2012作为active directory服务器、Ubuntu12.04和apache作为webserver以及windows 7笔记本电脑作为客户端的组合上实现单点登录(所有3个都在同一个本地网络上)。我想我已经把一切都安排好了: > 我已经在广告服务器上创建了一个keytab文件,当从webserver上的kinit命令中使用该文件
由于每次登录时都有大量文件下载,我正试图修复一个网络应用程序的性能。为此,我希望启用条件浏览器缓存,即,如果ETag发生变化,从服务器提供新的副本,否则使用浏览器缓存。 通过java过滤器从服务器发送的响应标头: 浏览器下次调用时,发送的请求标头为: 浏览器没有发送 If-None-Match 标头,因此用于验证 ETag 并发回 304 响应代码的服务器端代码失败,并且服务器始终将新副本发送到客
我遇到了一些困难Kerberking一个主机,T.P.No。我正在浏览http://grolmsnet.de/kerbtut,它已经为其他用户提供了一个没有添加到windows域的主机。 环境: OS是CentOS 5.9, Kerberos、Apache和mod_auth_kerb随YUM安装: T.P.NO是反向解析为T.P.NO的ip地址的A记录解析 这是我的虚拟主机配置,它是一个简单的乘客
当我使用自己的客户端id在浏览器中转到以下URL时: https://account-d.docusign.com/oauth/auth?response_type=token 我需要登录,然后我被重定向到:http://localhost:8888/auth#access_token=myAccessToken 现在我有一个节点。在js应用程序中,我想使用我的访问令牌进行API调用,直到现在,我
我知道访问令牌是短期的,因为它们是在不访问数据库的情况下进行验证的,而刷新令牌是长期的,并且是针对数据库进行验证的。 我不明白的是,为什么最初通过发送授权授予获取访问令牌与后来通过发送刷新令牌获取访问令牌之间存在差异。 查看RFC 6749中的这个图,为什么客户端不在步骤(G)中简单地重新发送授权授权?为什么需要刷新令牌?
我在使用Owin cookie身份验证时遇到了一个奇怪的问题。 当我启动IIS服务器时,身份验证在IE/Firefox和Chrome上运行得非常好。 我开始在不同的平台上进行身份验证和登录测试,发现了一个奇怪的错误。Owin框架/IIS偶尔不会向浏览器发送任何cookie。我会输入正确的用户名和密码,代码运行时不会将cookie发送到浏览器。如果我重新启动服务器,它就会开始工作,然后在某个时候我会