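I'm trying to set up Keycloak with the LDAP adapter for Active Directory and SPNEGO support. This is a test setup where everything runs on the same virtual machine, with Windows Server 2016 as the operating system. The LDAP adapter with Kerberos integration appears to be configured correctly: user synchronization and Kerberos authentication are working.
However, when trying to use Windows Integrated Authentication (SPNEGO) with Chrome, the browser shows the login page.
To get this working, I would like to better understand the following log messages I get in Keycloak. Of course, any other suggestions about what the core problem might be are also much appreciated!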
16:50:06,194 INFO [stdout] (default task-5) Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is C:\keycloak\standalone\configuration\keycloak.keytab refreshKrb5Config is false principal is HTTP/keycloak.local@KEYCLOAK.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
16:50:06,210 INFO [stdout] (default task-5) principal is HTTP/keycloak.local@KEYCLOAK.LOCAL
16:50:06,210 INFO [stdout] (default task-5) Will use keytab
16:50:06,210 INFO [stdout] (default task-5) Commit Succeeded
16:50:06,210 INFO [stdout] (default task-5)
16:50:06,225 INFO [stdout] (default task-5) Found KeyTab C:\keycloak\standalone\configuration\keycloak.keytab for HTTP/keycloak.local@KEYCLOAK.LOCAL
16:50:06,225 INFO [stdout] (default task-5) Found KeyTab C:\keycloak\standalone\configuration\keycloak.keytab for HTTP/keycloak.local@KEYCLOAK.LOCAL
16:50:06,225 INFO [stdout] (default task-5) Found KeyTab C:\keycloak\standalone\configuration\keycloak.keytab for HTTP/keycloak.local@KEYCLOAK.LOCAL
16:50:06,225 INFO [stdout] (default task-5) Found KeyTab C:\keycloak\standalone\configuration\keycloak.keytab for HTTP/keycloak.local@KEYCLOAK.LOCAL
16:50:06,225 INFO [stdout] (default task-5) Entered SpNegoContext.acceptSecContext with state=STATE_NEW
16:50:06,225 INFO [stdout] (default task-5) SpNegoContext.acceptSecContext: receiving token = a0 75 30 73 a0 30 30 2e 06 0a 2b 06 01 04 01 82 37 02 02 0a 06 09 2a 86 48 82 f7 12 01 02 02 06 09 2a 86 48 86 f7 12 01 02 02 06 0a 2b 06 01 04 01 82 37 02 02 1e a2 3f 04 3d 4e 54 4c 4d 53 53 50 00 01 00 00 00 97 b2 08 e2 08 00 08 00 35 00 00 00 0d 00 0d 00 28 00 00 00 0a 00 39 38 00 00 00 0f 50 50 4b 45 59 43 4c 4f 41 4b 32 32 30 4b 45 59 43 4c 4f 41 4b
16:50:06,225 INFO [stdout] (default task-5) SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.10
16:50:06,225 INFO [stdout] (default task-5) SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.48018.1.2.2
16:50:06,225 INFO [stdout] (default task-5) SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.113554.1.2.2
16:50:06,225 INFO [stdout] (default task-5) SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.30
16:50:06,225 INFO [stdout] (default task-5) SpNegoToken NegTokenInit: reading Mech Token
16:50:06,225 INFO [stdout] (default task-5) SpNegoContext.acceptSecContext: received token of type = SPNEGO NegTokenInit
16:50:06,225 INFO [stdout] (default task-5) SpNegoContext: negotiated mechanism = 1.2.840.113554.1.2.2
16:50:06,225 INFO [stdout] (default task-5) The underlying mechanism context has not been initialized
16:50:06,225 INFO [stdout] (default task-5) SpNegoContext.acceptSecContext: mechanism wanted = 1.2.840.113554.1.2.2
16:50:06,225 INFO [stdout] (default task-5) SpNegoContext.acceptSecContext: negotiated result = ACCEPT_INCOMPLETE
16:50:06,225 INFO [stdout] (default task-5) SpNegoContext.acceptSecContext: sending token of type = SPNEGO NegTokenTarg
16:50:06,225 INFO [stdout] (default task-5) SpNegoContext.acceptSecContext: sending token = a1 14 30 12 a0 03 0a 01 01 a1 0b 06 09 2a 86 48 86 f7 12 01 02 02
16:50:06,225 INFO [stdout] (default task-5) The underlying mechanism context has not been initialized
16:50:06,225 INFO [stdout] (default task-5) The underlying mechanism context has not been initialized
16:50:06,225 INFO [stdout] (default task-5) [Krb5LoginModule]: Entering logout
16:50:06,225 INFO [stdout] (default task-5) [Krb5LoginModule]: logged out Subject
My interpretation so far is:
>
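What does "The underlying mechanism context has not been initialized" mean? Does it indicate that some configuration is missing?
What does "SpNegoContext.acceptSecContext: negotiated result = ACCEPT_INCOMPLETE" mean? Does it mean that the negotiation failed, or that more information is required?
Additional information:
The log above is what I get when I access Keycloak via localhost. When I use the IP address or the fully qualified hostname, I get an exception: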
16:44:08,698 INFO [stdout] (default task-2) Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is C:\keycloak\standalone\configuration\keycloak.keytab refreshKrb5Config is false principal is HTTP/keycloak.local@KEYCLOAK.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
16:44:08,704 INFO [stdout] (default task-2) principal is HTTP/keycloak.local@KEYCLOAK.LOCAL
16:44:08,705 INFO [stdout] (default task-2) Will use keytab
16:44:08,705 INFO [stdout] (default task-2) Commit Succeeded
16:44:08,705 INFO [stdout] (default task-2)
16:44:08,706 INFO [stdout] (default task-2) Found KeyTab C:\keycloak\standalone\configuration\keycloak.keytab for HTTP/keycloak.local@KEYCLOAK.LOCAL
16:44:08,707 INFO [stdout] (default task-2) Found KeyTab C:\keycloak\standalone\configuration\keycloak.keytab for HTTP/keycloak.local@KEYCLOAK.LOCAL
16:44:08,709 INFO [stdout] (default task-2) Found KeyTab C:\keycloak\standalone\configuration\keycloak.keytab for HTTP/keycloak.local@KEYCLOAK.LOCAL
16:44:08,711 INFO [stdout] (default task-2) Found KeyTab C:\keycloak\standalone\configuration\keycloak.keytab for HTTP/keycloak.local@KEYCLOAK.LOCAL
16:44:08,712 WARN [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (default task-2) SPNEGO login failed: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Unknown Source)
at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:68)
at org.keycloak.storage.ldap.LDAPStorageProvider.authenticate(LDAPStorageProvider.java:692)
[...]
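Following: https://community.cloudera.com/t5/community-articles/user-authentication-from-windows-workstation-to-hdp-realm/ta-p/245957
I realized that switching "SSPI" to false works for Firefox, but I guess this only addresses the symptoms and is a workaround, since Chrome and IE still have the same problem.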
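Added example, not part of the original post and not Keycloak code: a minimal DER walk over the `receiving token` hex dump from the localhost log above, listing the mechanism OIDs the browser offered and checking whether the embedded mech token is an NTLMSSP message. The token bytes are copied from that log line; the function names and the labels in `MECH_NAMES` are chosen for this example.

```python
# Token bytes copied from the "receiving token" log line of the localhost request.
TOKEN_HEX = (
    "a0 75 30 73 a0 30 30 2e 06 0a 2b 06 01 04 01 82 37 02 02 0a 06 09 2a 86 48 82 f7 12 "
    "01 02 02 06 09 2a 86 48 86 f7 12 01 02 02 06 0a 2b 06 01 04 01 82 37 02 02 1e a2 3f "
    "04 3d 4e 54 4c 4d 53 53 50 00 01 00 00 00 97 b2 08 e2 08 00 08 00 35 00 00 00 0d 00 "
    "0d 00 28 00 00 00 0a 00 39 38 00 00 00 0f 50 50 4b 45 59 43 4c 4f 41 4b 32 32 30 4b "
    "45 59 43 4c 4f 41 4b"
)
MECH_NAMES = {  # labels for the OIDs that appear in the log
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    "1.2.840.48018.1.2.2": "MS Kerberos 5 (legacy OID)",
    "1.2.840.113554.1.2.2": "Kerberos 5",
    "1.3.6.1.4.1.311.2.2.30": "NegoEx",
}

def tlvs(buf):
    """Yield (tag, value) for each DER element found back to back in buf."""
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("truncated DER element")
        yield tag, buf[pos:pos + length]
        pos += length

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:  # base-128 digits, high bit set means more bytes follow
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_neg_token_init(token):
    tag, body = next(tlvs(token))
    if tag == 0x60:  # GSS-API wrapper: [SPNEGO OID, NegTokenInit]
        tag, body = list(tlvs(body))[1]
    if tag != 0xA0:
        raise ValueError("not a SPNEGO NegTokenInit")
    _, seq = next(tlvs(body))
    fields = {ctx: next(tlvs(val))[1] for ctx, val in tlvs(seq)}
    mechs = [decode_oid(oid) for _, oid in tlvs(fields.get(0xA0, b""))]
    return mechs, fields.get(0xA2, b"")  # 0xA0 = mechTypes, 0xA2 = mechToken

def describe(token_hex):
    mechs, mech_token = parse_neg_token_init(bytes.fromhex(token_hex))
    kind = "NTLM" if mech_token.startswith(b"NTLMSSP\x00") else "not NTLM"
    return [MECH_NAMES.get(m, m) for m in mechs], kind
```

For the token in the log, `describe(TOKEN_HEX)` lists NTLMSSP first among the four offered mechanisms and reports the mech token as NTLM.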