问题:
Kerberos Java问题,kdc和/或消息流修改(41)错误
朱起运
首先,我对Kerberos非常陌生,而且我对所有领域的知识都很有限,但我必须连接到我们的SharePoint服务器并使用其搜索api,因为这将在unix服务器上运行,我必须通过Kerberos和用户名密码进行验证。以下是我所做的:
我的Java代码
public class MyExmapleService {
public MyExmapleService () {
connectDefault();
}
private void connectDefault() {
try {
Authenticator.setDefault(new SbHttpAuthenticator());
System.setProperty("java.security.krb5.conf", "C:/ext/AFP-2.4.13/config/krb5.conf");
System.setProperty("java.security.auth.useSubjectCredsOnly", "false");
System.setProperty("http.auth.preference", "kerberos");
System.setProperty("sun.security.krb5.debug", "true");
System.setProperty("java.security.auth.login.config", "C:/ext/AFP-2.4.13/lgt_config/login.conf");
URL url = new URL("https://something.mySharePoint.com/_api/search/query?");
URLConnection conn = url.openConnection();
InputStream ins = conn.getInputStream();
BufferedReader reader = new BufferedReader(new InputStreamReader(ins));
String str;
while((str = reader.readLine()) != null) {
System.out.println("blup: " + str);
}
} catch (java.io.IOException e) {
e.printStackTrace();
}
}
public static void main(String[] args) throws Exception {
new SbMyLgtService();
}
}
public class SbHttpAuthenticator extends Authenticator {
public PasswordAuthentication getPasswordAuthentication() {
try {
String kUser = "someUser";
String kPassword = "somePassword";
System.err.println("Feeding username and password for " + getRequestingScheme() + " " + kUser + " " + kPassword);
return (new PasswordAuthentication(kUser, kPassword.toCharArray()));
} catch (IOException e) {
e.printStackTrace();
}
return null;
}
}
krb5.conf
[libdefaults]
default_realm = XX.LOC
dns_lookup = false
[realms]
XX.LOC = {
kdc = xxxxxxxx2110.xx.loc
}
[domain_realm]
.XX.loc = XX.LOC
XX.loc = XX.LOC
Login.conf
com.sun.security.jgss.krb5.initiate {
com.sun.security.auth.module.Krb5LoginModule
required
doNotPrompt=false
useTicketCache=false
allow_weak_crypto=true;
};
我遇到的第一个问题是a2.loc返回20个服务器,因此并不总是使用正确的服务器,在krb5.conf中使用dns\u lookup\u kdc=false参数,这就解决了。
因此,如果我运行这个程序,这个Java异常:“KrbException:Message-stream-modified(41)”来纠正Stackoverflow,建议使用大写版本和域域条目。奇怪的是,我们的王国似乎在XX。loc那么一个混合的大小写名称…有什么方法可以配置它吗?以下是错误输出:
Loaded from Java config
>>> KdcAccessibility: reset
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23.
>>> KrbAsReq creating message
Feeding username and password for Negotiate someUser somePassword
>>> KrbKdcReq send: kdc=xxxxx2110.xx.loc UDP:88, timeout=30000, number of retries =3, #bytes=140
>>> KDCCommunication: kdc=xxxxxx2110.xx.loc UDP:88, timeout=30000,Attempt =1, #bytes=140
>>> KrbKdcReq send: #bytes read=179
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 17, salt = XX.LOCSA-XX-LLLL-htavro, s2kparams = null
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
>>> KdcAccessibility: remove xxxxxx2110.xx.loc
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Tue Feb 23 18:07:16 CET 2016 1456247236000
suSec is 874332
error code is 25
error Message is Additional pre-authentication required
sname is krbtgt/xx.loc@xx.loc
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 17, salt = XX.LOCSA-XX-LLLL-htavro, s2kparams = null
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23.
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23.
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=xxxxxx2110.xx.loc UDP:88, timeout=30000, number of retries =3, #bytes=222
>>> KDCCommunication: kdc=xxxxxx2110.xx.loc UDP:88, timeout=30000,Attempt =1, #bytes=222
>>> KrbKdcReq send: #bytes read=1401
>>> KdcAccessibility: remove xxxxxx2110.xx.loc
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
Negotiate support not initiated, will fallback to other scheme if allowed. Reason:
GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))
at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Krb5InitCredential.java:343)
at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:145)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:122)
at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:187)
at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:224)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:212)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
at sun.net.www.protocol.http.spnego.NegotiatorImpl.init(NegotiatorImpl.java:108)
at sun.net.www.protocol.http.spnego.NegotiatorImpl.<init>(NegotiatorImpl.java:117)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
at sun.net.www.protocol.http.Negotiator.getNegotiator(Negotiator.java:63)
at sun.net.www.protocol.http.NegotiateAuthentication.firstToken(NegotiateAuthentication.java:209)
at sun.net.www.protocol.http.NegotiateAuthentication.setHeaders(NegotiateAuthentication.java:183)
at sun.net.www.protocol.http.HttpURLConnection.getServerAuthentication(HttpURLConnection.java:2467)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1682)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1440)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
at com.lgt.sb.service.fininfo.mylgt.SbMyLgtService.connectDefault(SbMyLgtService.java:49)
at com.lgt.sb.service.fininfo.mylgt.SbMyLgtService.<init>(SbMyLgtService.java:27)
at com.lgt.sb.service.fininfo.mylgt.SbMyLgtService.main(SbMyLgtService.java:86)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:134)
Caused by: javax.security.auth.login.LoginException: Message stream modified (41)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
at sun.security.jgss.GSSUtil.login(GSSUtil.java:258)
at sun.security.jgss.krb5.Krb5Util.getTicket(Krb5Util.java:158)
at sun.security.jgss.krb5.Krb5InitCredential$1.run(Krb5InitCredential.java:335)
at sun.security.jgss.krb5.Krb5InitCredential$1.run(Krb5InitCredential.java:331)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Krb5InitCredential.java:330)
... 27 more
Caused by: KrbException: Message stream modified (41)
at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:45)
at sun.security.krb5.KrbAsRep.decrypt(KrbAsRep.java:158)
at sun.security.krb5.KrbAsRep.decryptUsingPassword(KrbAsRep.java:139)
at sun.security.krb5.KrbAsReqBuilder.resolve(KrbAsReqBuilder.java:287)
at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:766)
... 45 more
java.io.IOException: Server returned HTTP response code: 401 for URL: https://something.mySharePoint.com/_api/search/query?
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1839)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1440)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
at com.xxx.MyExampleService.connectDefault(SbMyLgtService.java:49)
at com.xxx.MyExampleService.<init>(SbMyLgtService.java:27)
at com.xxx.MyExampleService.main(SbMyLgtService.java:86)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
共有1个答案
仲孙华奥
如果有对Krb5 config的更新,但它被缓存在您的系统中,则可能会发生这种情况,请尝试将以下属性添加到您的jaasConfig中
put("refreshKrb5Config", "true");
类似资料:
-
问题内容: 在类下运行以下代码时 我收到以下错误: 我也试过搬家 走出do-while循环但徒劳无功。 问题答案: 问题 问题是,按照javadoc的说明,您执行了该操作,将关闭流 并释放与之关联的所有系统资源 。 为了快速验证,请注释掉: 您可以随时随地回答,没有任何例外。 一个办法 一种解决方案是在所有读取终止后关闭缓冲区读取器:
-
我得到这个错误(我激活了wp-debug)当我试图激活一个主题或当我试图保存后: 警告:无法修改标题信息-标题已由/mnt/webv/b3/13/56920413/htdocs/WordPress_02/wp content/themes/BackpackFamily/functions.php:58中的/mnt/webv/b3/13/56920413/htdocs/WordPress_02/wp
-
我想创建一个程序,允许用户删除员工与指定的工资单号码。 java(在其名为的包中) 当我输入工资单号码时,我的程序只识别第一个工作人员。任何其他工作人员都不会被‘发现’。我在哪里出了问题?如何从数组中删除特定的工资单号码并向用户请求另一个输入(直到数组为“空”)。
-
我遇到了一个奇怪的问题,使用FCM向Android发送推送通知。 目标:-发送推送通知时出错 下面是一个场景,我确实有向Android发送推送通知的功能 所以问题是当我发送单个通知时,它可以正常工作,但当我发送多个通知时,我每次都出错 当我们调试代码时,我们的数据库中确实有设备令牌,没有停止发送推送通知的防火墙。 每次调用上述函数,我都会得到
-
我遇到一个问题,message.channel.send哪个消息没有定义。我尝试了很多方法,但我仍然很困惑。你能帮我一下吗?谢谢!
-
我正在尝试删除邮件标签。我能够成功地阅读邮件,但当我试图修改邮件标签时,我遇到了一个问题 出现错误:Google。API。请求。RequestError权限不足[403]错误消息[权限不足]位置[-]原因[权限不足]域[全局] 我不得不尝试从json创建一个服务,但它有一个相同的问题。这是我的密码 然后我调用api修改消息中未读的标签