当前位置: 首页 > 知识库问答 >
问题:

异常-在使用spnego-Kerberos IWA的Kerberos数据库(6)中找不到客户端

易雅畅
2023-03-14

spnego/kerberos身份验证出现以下错误

运行hellokeytab.java文件时出现此错误。

***Exception in thread "main" javax.security.auth.login.LoginException: Client not
found in Kerberos database (6)**
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(K
b5LoginModule.java:763)
        at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.j
va:584)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl
java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcce
sorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:
03)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:
87)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:595)
        at net.sourceforge.spnego.SpnegoHttpURLConnection.<init>(SpnegoHttpURLC
nnection.java:207)
        at HelloKeytab.main(HelloKeytab.java:17)
Caused by: KrbException: Client not found in Kerberos database (6)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
        at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:319)
        at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:364)
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(K
b5LoginModule.java:735)
        ... 14 more
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(KDCRep.java:143)
        at sun.security.krb5.internal.ASRep.init(ASRep.java:65)
        at sun.security.krb5.internal.ASRep.<init>(ASRep.java:60)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
        ... 17 more*



安装程序、链接和我用于SPNEGO/Kerberos身份验证的文件。
链接-http://spnego.sourceforge.net/
tomcat服务器的域帐户
用户-xyztest
密码-****
主体-princ http/appserver1@corp.xyz.com
1)hellokeytab.java-为apache tomcat服务器生成的Test keytab

    public class HelloKeytab {

    public static void main(final String[] args) throws Exception {
        System.setProperty("java.security.krb5.conf", "krb5.conf");
        System.setProperty("sun.security.krb5.debug", "true");
        System.setProperty("java.security.auth.login.config", "login.conf");

        SpnegoHttpURLConnection spnego = null;

        try {
           System.out.println("11111111");
            spnego = new SpnegoHttpURLConnection("custom-client");
            spnego.connect(new URL("http://localhost:8080/DemoAuth/hello_spnego.jsp"));
            System.out.println("2222222");   
            System.out.println("HTTP Status Code: " 
                    + spnego.getResponseCode());

            System.out.println("HTTP Status Message: "
                    + spnego.getResponseMessage());

        } finally {
            if (null != spnego) {
                spnego.disconnect();
            }
        }
    }
}

2)krb5.conf-Kerberos配置文件

 [libdefaults]
        default_tkt_enctypes = aes256-cts aes256-cts-hmac-sha1-96 aes128-cts-    hmac-sha1-96 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc arcfour-hmac arcfour-hmac-md5 
        default_tgt_enctypes = aes256-cts aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc arcfour-hmac arcfour-hmac-md5 
       permitted_enctypes = aes256-cts aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc arcfour-hmac arcfour-hmac-md5
       default_domain = CORP.XYZ.COM

    [realms]
         CORP.XYZ.COM  = {
               kdc = CORP.XYZ.COM
               default_domain = CORP.XYZ.COM 
    }

    [domain_realm]
         CORP.XYZ.COM = CORP.XYZ.COM

3)login.conf-登录配置文件

    custom-client {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    useKeyTab=true
    keyTab="C:/apache-tomcat-7.0.40-windows-x64/apache-tomcat-7.0.40/bin/xyztest.keytab"
    principal="HTTP/APPSERVER1@corp.xyz.com";
};
spnego-client {
     com.sun.security.auth.module.Krb5LoginModule required;
};
spnego-server {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    useKeyTab=true
    keyTab="C:/apache-tomcat-7.0.40-windows-x64/apache-tomcat-7.0.40/bin/xyztest.keytab"
    principal="HTTP/APPSERVER1@corp.xyz.com";
};

4)setspn命令-注册主体

setspn -s HTTP/APPSERVER1 xyztest
Checking domain DC=corp,DC=xyz,DC=com

Registering ServicePrincipalNames for CN=xyztest,CN=Users,DC=corp,DC=xyz,DC=com
       HTTP/APPSERVER1
Updated object

PS C:\Windows\system32> setspn -s HTTP/APPSERVER1.corp.xyz.com xyztest
Checking domain DC=corp,DC=xyz,DC=com

Registering ServicePrincipalNames for CN=xyztest,CN=Users,DC=corp,DC=xyz,DC=com
       HTTP/APPSERVER1.corp.xyz.com
Updated object

5)ktpass命令:生成keytab文件

    ktpass /princ HTTP/APPSERVER1@corp.xyz.com /mapuser xyztest /pass ***** /out xyztest.keytab /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL
Targeting domain controller: xyzDC1.corp.xyz.com
Using legacy password setting method
ktpass : Successfully mapped HTTP/APPSERVER1 to xyztest.
At line:1 char:1
+ ktpass /princ HTTP/APPSERVER1@corp.xyz.com /mapuser xyztest /pass *****
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (Successfully ma...o xyztest.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

Key created.
Output keytab to xyztest.keytab:
Keytab version: 0x502
keysize 84 HTTP/APPSERVER1@corp.xyz.com ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x12 (AES256-SHA1) keylength 32 
(0x6e6afbbefc78946121bd7ed6657524c7409917cae1708223ce938449113d9805)
    Command - kinit -k -t xyztest.keytab HTTP/APPSERVER1@corp.xyz.com
Result - Exception krb_error 6 client not found in kerberos database (6)
    public final class HelloKDC {

    private HelloKDC() {
        // default private
    }

    public static void main(final String[] args) throws Exception {

        // Domain (pre-authentication) account
        final String username = "xyztest";

        // Password for the pre-auth acct.
        final String password = "!Dragonfly1!";

        // Name of our krb5 config file
        final String krbfile = "krb5.conf";

        // Name of our login config file
        final String loginfile = "login.conf";

        // Name of our login module
        final String module = "spnego-client";

        // set some system properties
        System.setProperty("java.security.krb5.conf", krbfile);
        System.setProperty("java.security.auth.login.config", loginfile);
        //System.setProperty("sun.security.krb5.debug", true);

        // assert 
        HelloKDC.validate(username, password, krbfile, loginfile, module);

        final CallbackHandler handler = 
            HelloKDC.getUsernamePasswordHandler(username, password);

        final LoginContext loginContext = new LoginContext(module, handler);

        // attempt to login
        loginContext.login();

        // output some info
        System.out.println("Subject=" + loginContext.getSubject());

        // logout
        loginContext.logout();

        System.out.println("Connection test successful.");
    }

    private static void validate(final String username, final String password
        , final String krbfile, final String loginfile, final String moduleName) 
        throws FileNotFoundException, NoSuchAlgorithmException {

        // confirm username was provided
        if (null == username || username.isEmpty()) {
            throw new IllegalArgumentException("Must provide a username");
        }

        // confirm password was provided
        if (null == password || password.isEmpty()) {
            throw new IllegalArgumentException("Must provide a password");
        }

        // confirm krb5.conf file exists
        if (null == krbfile || krbfile.isEmpty()) {
            throw new IllegalArgumentException("Must provide a krb5 file");
        } else {
            final File file = new File(krbfile);
            if (!file.exists()) {
                throw new FileNotFoundException(krbfile);
            }
        }

        // confirm loginfile
        if (null == loginfile || loginfile.isEmpty()) {
            throw new IllegalArgumentException("Must provide a login file");
        } else {
            final File file = new File(loginfile);
            if (!file.exists()) {
                throw new FileNotFoundException(loginfile);
            }
        }

        // confirm that runtime loaded the login file
        final Configuration config = Configuration.getConfiguration();

        // confirm that the module name exists in the file
        if (null == config.getAppConfigurationEntry(moduleName)) {
            throw new IllegalArgumentException("The module name " 
                    + moduleName + " was not found in the login file");
        }        
    }

    private static CallbackHandler getUsernamePasswordHandler(
        final String username, final String password) {

        final CallbackHandler handler = new CallbackHandler() {
            public void handle(final Callback[] callback) {
                for (int i=0; i<callback.length; i++) {
                    if (callback[i] instanceof NameCallback) {
                        final NameCallback nameCallback = (NameCallback) callback[i];
                        nameCallback.setName(username);
                    } else if (callback[i] instanceof PasswordCallback) {
                        final PasswordCallback passCallback = (PasswordCallback) callback[i];
                        passCallback.setPassword(password.toCharArray());
                    } else {
                        System.err.println("Unsupported Callback: " 
                                + callback[i].getClass().getName());
                    }
                }
            }
        };

        return handler;
    }
}
    #0>     Client: xyztest @ CORP.XYZ.COM
        Server: krbtgt/CORP.XYZ.COM @ CORP.XYZ.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x60a10000 -> forwardable forwarded renewable pre_authent n
ame_canonicalize
        Start Time: 3/8/2017 10:01:14 (local)
        End Time:   3/8/2017 20:01:14 (local)
        Renew Time: 3/15/2017 10:01:14 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x2 -> DELEGATION
        Kdc Called: xyzDC1.corp.xyz.com

#1>     Client: xyztest @ CORP.XYZ.COM
        Server: krbtgt/CORP.XYZ.COM @ CORP.XYZ.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent nam
e_canonicalize
       Start Time: 3/8/2017 10:01:14 (local)
        End Time:   3/8/2017 20:01:14 (local)
        Renew Time: 3/15/2017 10:01:14 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: xyzDC1.corp.xyz.com

#2>     Client: xyztest @ CORP.XYZ.COM
        Server: ldap/xyzDC1.corp.xyz.com @ CORP.XYZ.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_deleg
ate name_canonicalize
        Start Time: 3/8/2017 10:01:16 (local)
        End Time:   3/8/2017 20:01:14 (local)
        Renew Time: 3/15/2017 10:01:14 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called: xyzDC1.corp.xyz.com

#3>     Client: xyztest @ CORP.XYZ.COM
        Server: LDAP/xyzDC1.corp.xyz.com/corp.xyz.com @ CORP.ADAP
TIVE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_deleg
ate name_canonicalize
        Start Time: 3/8/2017 10:01:15 (local)
        End Time:   3/8/2017 20:01:14 (local)
        Renew Time: 3/15/2017 10:01:14 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called: xyzDC1.corp.xyz.com

#4>     Client: xyztest @ CORP.XYZ.COM
        Server: cifs/xyzDC1.corp.xyz.com @ CORP.XYZ.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_deleg
ate name_canonicalize
        Start Time: 3/8/2017 10:01:14 (local)
        End Time:   3/8/2017 20:01:14 (local)
        Renew Time: 3/15/2017 10:01:14 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called: xyzDC1.corp.xyz.com

共有1个答案

翟柏
2023-03-14

在Kerberos环境下工作时,请记住以下事项

>

  • realm(域名)在创建keytab文件时以及在使用realm的任何地方都应该用大写
  • 对于SPNEGO身份验证,每个服务器主机都应该映射为web身份验证用户的HTTP/Hostname。例如,

    setspn-s http/主机名xyztest

    kinit principal password
    
    kinit -k -t keytab principal
    
    set krb5ccname=newticketfilelocation
    
    klist
    

  •  类似资料:
    • 我在W12服务器上运行了以下命令:- setspn-A HTTP/krbspn ktpass/princ HTTP/@/crypto ALL/ptype krb5\u nt\u principal/mapuser krbspn c:\ticket\krbspn。按键-kvno 0/pass Pa$$w0rd kinit-krbspn给出了正确的结果,但kinit-HTTP/返回:- KrbExce

    • 我使用CAS和Spnego支持,KDC是192.168.1.244,我的领域是示例。COM我测试了我的本地Windows域环境,我可以从示例中获得票证。com我用“kinit”命令测试它,但在CAS spnego环境中,在Kerberos数据库中找不到异常客户端,我已经在C:\windows\krb5.ini中创建了它,内容如下 krb5.ini 异常报告如下: 但为什么在kerberos数据库中

    • 我正在obiee11.1.1.7.14中配置SSO,其中我在配置krb5.conf和执行kinit命令时遇到了问题。 关于Active Directory的几点注意事项 我们有多个域控制器,为了平衡请求,我们使用端口3269维护负载均衡器。 obiee和MSAD之间的集成成功完成,负载均衡器名称为主机,端口为3269。 并且在demotrust.jks和ovd存储中添加了一些证书,并且在新提供程序

    • 尝试在Tomcat 7(windows Server 2012)上归档集成的windows身份验证,以便Intranet用户在访问我的web应用程序时不需要输入他们的凭据。遵循tomcat手册:https://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html#Built-in\u Tomcat\u支持 在运行tomcat的计算机上。检

    • 问题内容: 我正在使用spnego(http://spnego.sourceforge.net)在JBoss下进行kerberos身份验证。 我需要解密kerberos票证才能访问包含PAC数据的授权数据。需要PAC数据来决定要授予用户哪些角色。 如何访问和解密kerberos票?我在网上搜索了示例,但没有任何努力。 问题答案: 这些家伙具有完整的PAC解码实现: http://jaasloung

    • 我的Grails应用程序在开发模式下使用h2数据库(Grails应用程序的默认行为)。中的DB连接设置是 我正在尝试使用IntelliJ IDEA的数据库客户端工具为此数据库建立连接。我开始这样创建连接 然后在下面的对话框中,输入JDBC URL 并选择“模式”上的所有可用数据库 “Test Connection”(测试连接)按钮表示成功,但从红色圆圈中可以看到,没有找到任何表格。似乎我已经正确地