问题:
异常-在使用spnego-Kerberos IWA的Kerberos数据库(6)中找不到客户端
易雅畅
spnego/kerberos身份验证出现以下错误
运行hellokeytab.java文件时出现此错误。
***Exception in thread "main" javax.security.auth.login.LoginException: Client not
found in Kerberos database (6)**
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(K
b5LoginModule.java:763)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.j
va:584)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl
java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcce
sorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:
03)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:
87)
at javax.security.auth.login.LoginContext.login(LoginContext.java:595)
at net.sourceforge.spnego.SpnegoHttpURLConnection.<init>(SpnegoHttpURLC
nnection.java:207)
at HelloKeytab.main(HelloKeytab.java:17)
Caused by: KrbException: Client not found in Kerberos database (6)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:319)
at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:364)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(K
b5LoginModule.java:735)
... 14 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:143)
at sun.security.krb5.internal.ASRep.init(ASRep.java:65)
at sun.security.krb5.internal.ASRep.<init>(ASRep.java:60)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
... 17 more*
安装程序、链接和我用于SPNEGO/Kerberos身份验证的文件。
链接-http://spnego.sourceforge.net/
tomcat服务器的域帐户
用户-xyztest
密码-****
主体-princ http/appserver1@corp.xyz.com
1)hellokeytab.java-为apache tomcat服务器生成的Test keytab
public class HelloKeytab {
public static void main(final String[] args) throws Exception {
System.setProperty("java.security.krb5.conf", "krb5.conf");
System.setProperty("sun.security.krb5.debug", "true");
System.setProperty("java.security.auth.login.config", "login.conf");
SpnegoHttpURLConnection spnego = null;
try {
System.out.println("11111111");
spnego = new SpnegoHttpURLConnection("custom-client");
spnego.connect(new URL("http://localhost:8080/DemoAuth/hello_spnego.jsp"));
System.out.println("2222222");
System.out.println("HTTP Status Code: "
+ spnego.getResponseCode());
System.out.println("HTTP Status Message: "
+ spnego.getResponseMessage());
} finally {
if (null != spnego) {
spnego.disconnect();
}
}
}
}
2)krb5.conf-Kerberos配置文件
[libdefaults]
default_tkt_enctypes = aes256-cts aes256-cts-hmac-sha1-96 aes128-cts- hmac-sha1-96 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc arcfour-hmac arcfour-hmac-md5
default_tgt_enctypes = aes256-cts aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc arcfour-hmac arcfour-hmac-md5
permitted_enctypes = aes256-cts aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc arcfour-hmac arcfour-hmac-md5
default_domain = CORP.XYZ.COM
[realms]
CORP.XYZ.COM = {
kdc = CORP.XYZ.COM
default_domain = CORP.XYZ.COM
}
[domain_realm]
CORP.XYZ.COM = CORP.XYZ.COM
3)login.conf-登录配置文件
custom-client {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
keyTab="C:/apache-tomcat-7.0.40-windows-x64/apache-tomcat-7.0.40/bin/xyztest.keytab"
principal="HTTP/APPSERVER1@corp.xyz.com";
};
spnego-client {
com.sun.security.auth.module.Krb5LoginModule required;
};
spnego-server {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
keyTab="C:/apache-tomcat-7.0.40-windows-x64/apache-tomcat-7.0.40/bin/xyztest.keytab"
principal="HTTP/APPSERVER1@corp.xyz.com";
};
4)setspn命令-注册主体
setspn -s HTTP/APPSERVER1 xyztest
Checking domain DC=corp,DC=xyz,DC=com
Registering ServicePrincipalNames for CN=xyztest,CN=Users,DC=corp,DC=xyz,DC=com
HTTP/APPSERVER1
Updated object
PS C:\Windows\system32> setspn -s HTTP/APPSERVER1.corp.xyz.com xyztest
Checking domain DC=corp,DC=xyz,DC=com
Registering ServicePrincipalNames for CN=xyztest,CN=Users,DC=corp,DC=xyz,DC=com
HTTP/APPSERVER1.corp.xyz.com
Updated object
5)ktpass命令:生成keytab文件
ktpass /princ HTTP/APPSERVER1@corp.xyz.com /mapuser xyztest /pass ***** /out xyztest.keytab /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL
Targeting domain controller: xyzDC1.corp.xyz.com
Using legacy password setting method
ktpass : Successfully mapped HTTP/APPSERVER1 to xyztest.
At line:1 char:1
+ ktpass /princ HTTP/APPSERVER1@corp.xyz.com /mapuser xyztest /pass *****
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (Successfully ma...o xyztest.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
Key created.
Output keytab to xyztest.keytab:
Keytab version: 0x502
keysize 84 HTTP/APPSERVER1@corp.xyz.com ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x12 (AES256-SHA1) keylength 32
(0x6e6afbbefc78946121bd7ed6657524c7409917cae1708223ce938449113d9805)
Command - kinit -k -t xyztest.keytab HTTP/APPSERVER1@corp.xyz.com
Result - Exception krb_error 6 client not found in kerberos database (6)
public final class HelloKDC {
private HelloKDC() {
// default private
}
public static void main(final String[] args) throws Exception {
// Domain (pre-authentication) account
final String username = "xyztest";
// Password for the pre-auth acct.
final String password = "!Dragonfly1!";
// Name of our krb5 config file
final String krbfile = "krb5.conf";
// Name of our login config file
final String loginfile = "login.conf";
// Name of our login module
final String module = "spnego-client";
// set some system properties
System.setProperty("java.security.krb5.conf", krbfile);
System.setProperty("java.security.auth.login.config", loginfile);
//System.setProperty("sun.security.krb5.debug", true);
// assert
HelloKDC.validate(username, password, krbfile, loginfile, module);
final CallbackHandler handler =
HelloKDC.getUsernamePasswordHandler(username, password);
final LoginContext loginContext = new LoginContext(module, handler);
// attempt to login
loginContext.login();
// output some info
System.out.println("Subject=" + loginContext.getSubject());
// logout
loginContext.logout();
System.out.println("Connection test successful.");
}
private static void validate(final String username, final String password
, final String krbfile, final String loginfile, final String moduleName)
throws FileNotFoundException, NoSuchAlgorithmException {
// confirm username was provided
if (null == username || username.isEmpty()) {
throw new IllegalArgumentException("Must provide a username");
}
// confirm password was provided
if (null == password || password.isEmpty()) {
throw new IllegalArgumentException("Must provide a password");
}
// confirm krb5.conf file exists
if (null == krbfile || krbfile.isEmpty()) {
throw new IllegalArgumentException("Must provide a krb5 file");
} else {
final File file = new File(krbfile);
if (!file.exists()) {
throw new FileNotFoundException(krbfile);
}
}
// confirm loginfile
if (null == loginfile || loginfile.isEmpty()) {
throw new IllegalArgumentException("Must provide a login file");
} else {
final File file = new File(loginfile);
if (!file.exists()) {
throw new FileNotFoundException(loginfile);
}
}
// confirm that runtime loaded the login file
final Configuration config = Configuration.getConfiguration();
// confirm that the module name exists in the file
if (null == config.getAppConfigurationEntry(moduleName)) {
throw new IllegalArgumentException("The module name "
+ moduleName + " was not found in the login file");
}
}
private static CallbackHandler getUsernamePasswordHandler(
final String username, final String password) {
final CallbackHandler handler = new CallbackHandler() {
public void handle(final Callback[] callback) {
for (int i=0; i<callback.length; i++) {
if (callback[i] instanceof NameCallback) {
final NameCallback nameCallback = (NameCallback) callback[i];
nameCallback.setName(username);
} else if (callback[i] instanceof PasswordCallback) {
final PasswordCallback passCallback = (PasswordCallback) callback[i];
passCallback.setPassword(password.toCharArray());
} else {
System.err.println("Unsupported Callback: "
+ callback[i].getClass().getName());
}
}
}
};
return handler;
}
}
#0> Client: xyztest @ CORP.XYZ.COM
Server: krbtgt/CORP.XYZ.COM @ CORP.XYZ.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x60a10000 -> forwardable forwarded renewable pre_authent n
ame_canonicalize
Start Time: 3/8/2017 10:01:14 (local)
End Time: 3/8/2017 20:01:14 (local)
Renew Time: 3/15/2017 10:01:14 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x2 -> DELEGATION
Kdc Called: xyzDC1.corp.xyz.com
#1> Client: xyztest @ CORP.XYZ.COM
Server: krbtgt/CORP.XYZ.COM @ CORP.XYZ.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent nam
e_canonicalize
Start Time: 3/8/2017 10:01:14 (local)
End Time: 3/8/2017 20:01:14 (local)
Renew Time: 3/15/2017 10:01:14 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x1 -> PRIMARY
Kdc Called: xyzDC1.corp.xyz.com
#2> Client: xyztest @ CORP.XYZ.COM
Server: ldap/xyzDC1.corp.xyz.com @ CORP.XYZ.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_deleg
ate name_canonicalize
Start Time: 3/8/2017 10:01:16 (local)
End Time: 3/8/2017 20:01:14 (local)
Renew Time: 3/15/2017 10:01:14 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: xyzDC1.corp.xyz.com
#3> Client: xyztest @ CORP.XYZ.COM
Server: LDAP/xyzDC1.corp.xyz.com/corp.xyz.com @ CORP.ADAP
TIVE.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_deleg
ate name_canonicalize
Start Time: 3/8/2017 10:01:15 (local)
End Time: 3/8/2017 20:01:14 (local)
Renew Time: 3/15/2017 10:01:14 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: xyzDC1.corp.xyz.com
#4> Client: xyztest @ CORP.XYZ.COM
Server: cifs/xyzDC1.corp.xyz.com @ CORP.XYZ.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_deleg
ate name_canonicalize
Start Time: 3/8/2017 10:01:14 (local)
End Time: 3/8/2017 20:01:14 (local)
Renew Time: 3/15/2017 10:01:14 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: xyzDC1.corp.xyz.com
共有1个答案
翟柏
在Kerberos环境下工作时,请记住以下事项
>
对于SPNEGO身份验证,每个服务器主机都应该映射为web身份验证用户的HTTP/Hostname。例如,
setspn-s http/主机名xyztest
kinit principal password
kinit -k -t keytab principal
set krb5ccname=newticketfilelocation
klist
类似资料:
-
我在W12服务器上运行了以下命令:- setspn-A HTTP/krbspn ktpass/princ HTTP/@/crypto ALL/ptype krb5\u nt\u principal/mapuser krbspn c:\ticket\krbspn。按键-kvno 0/pass Pa$$w0rd kinit-krbspn给出了正确的结果,但kinit-HTTP/返回:- KrbExce
-
我使用CAS和Spnego支持,KDC是192.168.1.244,我的领域是示例。COM我测试了我的本地Windows域环境,我可以从示例中获得票证。com我用“kinit”命令测试它,但在CAS spnego环境中,在Kerberos数据库中找不到异常客户端,我已经在C:\windows\krb5.ini中创建了它,内容如下 krb5.ini 异常报告如下: 但为什么在kerberos数据库中
-
我正在obiee11.1.1.7.14中配置SSO,其中我在配置krb5.conf和执行kinit命令时遇到了问题。 关于Active Directory的几点注意事项 我们有多个域控制器,为了平衡请求,我们使用端口3269维护负载均衡器。 obiee和MSAD之间的集成成功完成,负载均衡器名称为主机,端口为3269。 并且在demotrust.jks和ovd存储中添加了一些证书,并且在新提供程序
-
尝试在Tomcat 7(windows Server 2012)上归档集成的windows身份验证,以便Intranet用户在访问我的web应用程序时不需要输入他们的凭据。遵循tomcat手册:https://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html#Built-in\u Tomcat\u支持 在运行tomcat的计算机上。检
-
问题内容: 我正在使用spnego(http://spnego.sourceforge.net)在JBoss下进行kerberos身份验证。 我需要解密kerberos票证才能访问包含PAC数据的授权数据。需要PAC数据来决定要授予用户哪些角色。 如何访问和解密kerberos票?我在网上搜索了示例,但没有任何努力。 问题答案: 这些家伙具有完整的PAC解码实现: http://jaasloung
-
我的Grails应用程序在开发模式下使用h2数据库(Grails应用程序的默认行为)。中的DB连接设置是 我正在尝试使用IntelliJ IDEA的数据库客户端工具为此数据库建立连接。我开始这样创建连接 然后在下面的对话框中,输入JDBC URL 并选择“模式”上的所有可用数据库 “Test Connection”(测试连接)按钮表示成功,但从红色圆圈中可以看到,没有找到任何表格。似乎我已经正确地