那些遇到过的问题

Spring Security Kerberos Windows 身份验证错误

Ale*_*eiP 5 security active-directory spring-security spnego spring-security-kerberos

我正在尝试在我们的环境中设置基于 Spring 的安全 Web 应用程序。如http://docs.spring.io/spring-security-kerberos/docs/1.0.1.RELEASE/reference/htmlsingle/#setupwinkerberos中所述

为了确认一切设置正确,我尝试运行 Spring Boot Security 示例应用程序(按照此处所述构建:http ://docs.spring.io/spring-security-kerberos/docs/1.0.1.RELEASE/reference /htmlsingle/#samples-sec-server-win-auth

这是我们在 TEST 域下的测试环境:

Active Directory(称为 AD 服务器)域控制器,Windows 2008 R2 64 位
计算机名称:adjavatest1
计算机完整名称:adjavatest1.test.company.info
用户:TEST\administrator

客户端 PC,Windows 7
计算机名称:adjavatest2
计算机完整名称: adjavatest2.test.company.info
用户:TEST\administrator

应用程序服务器(称为 Web 服务器)
计算机名称:kpiq-dev
完整计算机名称:kpiq-dev.test.company.info
用户:TEST\administrator

到目前为止,我已执行以下步骤来配置环境和应用程序

1)在AD服务器上设置SPN

setspn -A HTTP/adjavatest1.test.company.info TEST\administrator
Run Code Online (Sandbox Code Playgroud)

(许多来源建议创建 SPN“HTTP/adjavatest1”和“HOST/adjavatest1” - 我已经尝试过,没有任何区别。)

2) 验证AD服务器上的SPN

>setspn -L TEST\administrator
Registered ServicePrincipalNames for CN=Administrator,CN=Users,DC=test,DC=company,DC=info:
HTTP/adjavatest1.test.company.info
Run Code Online (Sandbox Code Playgroud)

3) 在AD Server上映射用户/服务并生成keytab文件

>ktpass -princ HTTP/adjavatest1.test.company.info@TEST.COMPANY.INFO -pass pswd123 -mapuser TEST\Administrator -out .\ adjavatest1.HTTP.keytab -ptype KRB5_NT_PRINCIPAL -crypto All
Targeting domain controller:  adjavatest1.test.company.info
Using legacy password setting method
Successfully mapped HTTP/adjavatest1.test.company.info to Administrator.
Key created.
Key created.
Key created.
Key created.
Key created.
Output keytab to .\ adjavatest1.HTTP.keytab:
Keytab version: 0x502
keysize 85 HTTP/adjavatest1.test.company.info@TEST.COMPANY.INFO ptype 1 (KRB5_NT_PRINCIPAL) vno 5 etype 0x1 (DES-CBC-CRC) keylength 8 (0x6da81379831f37ad)
keysize 85 HTTP/adjavatest1.test.company.info@TEST.COMPANY.INFO ptype 1 (KRB5_NT_PRINCIPAL) vno 5 etype 0x3 (DES-CBC-MD5) keylength 8 (0x6da81379831f37ad)
keysize 93 HTTP/adjavatest1.test.company.info@TEST.COMPANY.INFO ptype 1 (KRB5_NT_PRINCIPAL) vno 5 etype 0x17 (RC4-HMAC ) keylength 16 (0xe32edb70a8df744e3b0f87ea7ff515f7)
keysize 109 HTTP/adjavatest1.test.company.info@TEST.COMPANY.INFO ptype 1 (KRB5_NT_PRINCIPAL) vno 5 etype 0x12 (AES256-SHA1) keylength 32 (0xf744e212c2e48e34c815364c0b5290a68b37b6c65a7cd0befcbcc2625e3e6c79)
keysize 93 HTTP/adjavatest1.test.company.info@TEST.COMPANY.INFO ptype 1 (KRB5_NT_PRINCIPAL) vno 5 etype 0x11 (AES128-SHA1) keylength 16 (0x20f3474a818d4d326136449a8a660e2c)
Run Code Online (Sandbox Code Playgroud)

4) 将 keytab 文件复制到 Web Server 的 C;\SpringSSO 目录中


5)使用 MIT kerberos 工具 c:\SpringSSO>kinit -V -k -t adjavatest1.HTTP.keytab HTTP/adjavatest1.test.company.info@TEST.COMPANY.INFO 中的 kinit验证 Web 服务器上的密钥表使用现有缓存:初始默认 ccache 使用主体:HTTP/adjavatest1.test.company.info@TEST.COMPANY.INFO 使用 keytab:adjavatest1.HTTP.keytab 通过 Kerberos v5 进行身份验证 使用 jdk c:\SpringSSO>kinit -k -t adjavatest1.HTTP 中的 kinit。 keytab HTTP/adjavatest1.test.company.info@TEST.COMPANY.INFO 新票证存储在缓存文件 C:\Users\administrator.TEST\krb5cc_administrator 中

6) 在两个位置的 Web 服务器上的 jre/lib/security 中安装“Kerberos 和无限强度策略”:

c:\Program Files\Java\jre1.8.0_65\lib\security\
c:\Program Files\Java\jdk1.8.0_65\jre\lib\security\
Run Code Online (Sandbox Code Playgroud)

7) 检查 Web 服务器上的 Windows 注册表:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\
Value Name: allowtgtsessionkey
Value: 0x1
Run Code Online (Sandbox Code Playgroud)

8) 构建 spring-security-kerberos-samples\sec-server-win-auth 应用程序,取自https://github.com/spring-projects/spring-security-kerberos/tree/master/spring-security-kerberos-samples 在 application.yml 中使用配置属性

server:
    port: 80
app:
    ad-domain: TEST.COMPANY.INFO
    ad-server: ldap://ADJAVATEST1.TEST.COMPANY.INFO/
    service-principal: HTTP/adjavatest1.test.company.info@TEST.COMPANY.INFO
    keytab-location:  adjavatest1.HTTP.keytab
    ldap-search-base: DC=TEST,DC=COMPANY,DC=INFO
    ldap-search-filter: "(| (userPrincipalName={0}) (sAMAccountName={0}))"
Run Code Online (Sandbox Code Playgroud)

9) 将 Spring boot 应用程序部署到 C:\SpringSSO 目录中的 Web Server

10) 在 Web 服务器上启动 Web 应用程序 c:\SpringSSO>java -Dsun.security.krb5.debug=true -Djava.security.krb5.conf=.\krb5.conf -jar sec-server-win-auth-1.0。 2.构建快照.jar

krb5.conf 中的 Kerberos 配置(我尝试了不同的 enctypes,“arcfour-hmac-md5”只是最后一个实验)

[libdefaults]
 default_realm = TEST.COMPANY.INFO
 permitted_enctypes = arcfour-hmac-md5 rc4-hmac aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
 default_tgs_enctypes = arcfour-hmac-md5 rc4-hmac aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
 default_tkt_enctypes = arcfour-hmac-md5 rc4-hmac aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
 dns_lookup_kdc = true
 dns_lookup_realm = false

[realms]
 TEST.COMPANY.INFO = {
     kdc =  ADJAVATEST1.TEST.COMPANY.INFO
     admin_server =  ADJAVATEST1.TEST.COMPANY.INFO
     master_kdc =  ADJAVATEST1.TEST.COMPANY.INFO
     default_domain = TEST.COMPANY.INFO
 }

[domain_realm]
 .TEST.COMPANY.INFO = TEST.COMPANY.INFO
 TEST.COMPANY.INFO = TEST.COMPANY.INFO
Run Code Online (Sandbox Code Playgroud)

11) 在客户端的IE浏览器中将路径*.test.company.info添加到IE浏览器作为内网模式点浏览器到http://kpiq-dev.test.company.info/hello

12) 将浏览器指向 http://kpiq-dev.test.company.info/hello

13) 检查Web服务器上的日志表明服务器无法编码

2015-12-17 08:55:35.893 DEBUG 1876 --- [p-nio-80-exec-3] w.a.SpnegoAuthenticationProcessingFilter : Received Negotiate Header for request http:// kpiq-dev.test.company.info/hello: Negotiate YIIH ...trucated... H4qgvsM
2015-12-17 08:55:35.893 DEBUG 1876 --- [p-nio-80-exec-3] o.s.s.authentication.ProviderManager     : Authentication attempt using org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider
2015-12-17 08:55:35.893 DEBUG 1876 --- [p-nio-80-exec-3] .a.KerberosServiceAuthenticationProvider : Try to validate Kerberos Token
Found KeyTab c:\SpringSSO\ adjavatest1.HTTP.keytab for HTTP/adjavatest1.test.company.info@TEST.COMPANY.INFO
Found KeyTab c:\SpringSSO\ adjavatest1.HTTP.keytab for HTTP/adjavatest1.test.company.info@TEST.COMPANY.INFO
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Java config name: .\krb5.conf
Loaded from Java config
>>> KeyTabInputStream, readName(): TEST.COMPANY.INFO
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName():  adjavatest1.test.company.info
>>> KeyTab: load() entry length: 85; type: 1
>>> KeyTabInputStream, readName(): TEST.COMPANY.INFO
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName():  adjavatest1.test.company.info
>>> KeyTab: load() entry length: 85; type: 3
>>> KeyTabInputStream, readName(): TEST.COMPANY.INFO
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName():  adjavatest1.test.company.info
>>> KeyTab: load() entry length: 93; type: 23
>>> KeyTabInputStream, readName(): TEST.COMPANY.INFO
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName():  adjavatest1.test.company.info
>>> KeyTab: load() entry length: 109; type: 18
>>> KeyTabInputStream, readName(): TEST.COMPANY.INFO
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName():  adjavatest1.test.company.info
>>> KeyTab: load() entry length: 93; type: 17
Looking for keys for: HTTP/adjavatest1.test.company.info@TEST.COMPANY.INFO
Added key: 17version: 5
Added key: 18version: 5
Added key: 23version: 5
Found unsupported keytype (3) for HTTP/adjavatest1.test.company.info@TEST.COMPANY.INFO
Found unsupported keytype (1) for HTTP/adjavatest1.test.company.info@TEST.COMPANY.INFO
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
2015-12-17 08:55:36.236  WARN 1876 --- [p-nio-80-exec-3] w.a.SpnegoAuthenticationProcessingFilter : Negotiate Header was invalid: Negotiate YIIHNAYGKwYBBQU ...trucated... dH4qgvsM

org.springframework.security.authentication.BadCredentialsException: Kerberos validation not successful
            at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:71)
            at org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:64)
            at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
            at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:177)
            at org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter$AuthenticationManagerDelegator.authenticate(WebSecurityConfigurerAdapter.java:446)
            at org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:145)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
...trucated...
            at java.lang.Thread.run(Unknown Source)
Caused by: java.security.PrivilegedActionException: null
            at java.security.AccessController.doPrivileged(Native Method)
            at javax.security.auth.Subject.doAs(Unknown Source)
            at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:68)
            ... 45 common frames omitted
Caused by: org.ietf.jgss.GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
            at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
            at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
            at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
            at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source)
            at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source)
            at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
            at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
            at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:170)
            at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:153)
            ... 48 common frames omitted
Caused by: sun.security.krb5.KrbCryptoException: Checksum failed
            at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Unknown Source)
            at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Unknown Source)
            at sun.security.krb5.EncryptedData.decrypt(Unknown Source)
            at sun.security.krb5.KrbApReq.authenticate(Unknown Source)
            at sun.security.krb5.KrbApReq.<init>(Unknown Source)
            at sun.security.jgss.krb5.InitSecContextToken.<init>(Unknown Source)
            ... 57 common frames omitted
Caused by: java.security.GeneralSecurityException: Checksum failed
            at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(Unknown Source)
            at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(Unknown Source)
            at sun.security.krb5.internal.crypto.Aes256.decrypt(Unknown Source)
            ... 63 common frames omitted
Run Code Online (Sandbox Code Playgroud)

为什么安全性尝试加密 Aes256CtsHmacSha1EType,而不是 rc4-hmac?
有什么建议我下一步可以尝试吗?

先感谢您。

小智 0

两个可能的错误:

1) krb5.conf 未正确加载

2) 服务主体配置不正确

第一个的解决方案:

  • 在第8点)在application.yaml中添加应用程序: kerberos-conf:/home/xyz/krb5.conf

  • 在 Spring Security 项目中创建附加类

        @Configuration
    public class KerberosGlobalConfig {

        @Value("${app.kerberos-conf}")
        private String kerberosGlobalConfPath;

        @Bean
        public GlobalSunJaasKerberosConfig globalSunJaasKerberosConfig() {
            GlobalSunJaasKerberosConfig globalSunJaasKerberosConfig = new 
            GlobalSunJaasKerberosConfig();
            //TODO remove hardcoding
            globalSunJaasKerberosConfig.setDebug(true);
            globalSunJaasKerberosConfig.setKrbConfLocation(kerberosGlobalConfPath);
            return globalSunJaasKerberosConfig;
        }

    }
    Run Code Online (Sandbox Code Playgroud)

归档时间:

查看次数:

8002 次

最近记录:

6 年,11 月 前
相关归档
如何设置Active Directory环境测试? 13
更新更改时出错:不安全的存储库...由其他人拥有 10
重点加强.我做得对吗? 5
n方公钥密码学 5
在创建 OU 之前检查它是否存在 4
Spring Security OAuth2:如何添加多个ResourceServerConfigurer类型的安全过滤器链? 4
鉴于我的代码是开源的,而且我在服务器上运行,而且我接受几乎原始的代码,那可能发生在我身上的最糟糕的是什么? 3
在Yaml中将debug设置为true而不是@EnableWebSecurity(debug = true) 3
.NET FileSystemWatcher检测NTFS安全性更改 2
SpringBoot2 + Webflux - WebTestClient 总是返回“401 UNAUTHORIZED” 2
难疑归档
如何从异步调用返回响应? 5208
在CSS中设置cellpadding和cellspacing? 3210
显式关键字是什么意思? 2753
如何用JavaScript更改元素的类? 2650
如何逐行读取文件到列表中? 2028
在JavaScript中定义枚举的首选语法是什么? 1982
Java内部类和静态嵌套类 1691
你什么时候应该使用escape而不是encodeURI/encodeURIComponent? 1371
如何列出使用ATTACH打开的SQLite数据库文件中的表? 1151
用于Python的IDE是什么? 1028