Related questions (0)

Checksum failed: Kerberos/Spring/Active Directory (2008)

We are unable to get a Spring web application working with Kerberos/AD authentication, and I believe the problem is related to the encryption type of the Kerberos tickets and the Active Directory domain functional level.

The basic setup is:

I have an environment where the Active Directory domain functional level is Windows Server 2003 and everything works fine: if the client is logged into the domain, the client is authenticated as expected. Examining the tickets in this environment with kerbtray, I can see that they all have a ticket encryption type and key encryption type of "RSADSI RC4-HMAC".

I have a new domain whose functional level is Windows Server 2008, and this is where authentication does not work. The application error returned when trying to validate the ticket is:

Kerberos validation not successful...

Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source)
    at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:146)
    at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:136)
    ... 34 more
Caused by: KrbException: Checksum failed
    at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(Unknown Source)
    at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(Unknown …

java kerberos active-directory spnego

9 votes | 2 answers | 20k views

Kerberos aes-256 encryption does not work properly

The server is RHEL7 and the Kerberos KDC is AD (Windows). I am only a client of the KDC.

Arcfour-hmac works fine, but when I change the encryption type to aes-256 and set up a new keytab, kinit still works but kvno does not. Even though the user appears to have a valid ticket (in klist), he can no longer start the service.

I don't have access to the Kerberos AD, but it seems to be correctly configured to use aes-256, since end users (on Windows machines) are already requesting tickets with this encryption type.

My krb5.conf:

[libdefaults]
default_realm = TOTO.NET
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_tkt_enctypes = aes256-cts aes128-cts des-cbc-md5 des-cbc-crc
default_tgs_enctypes = aes256-cts aes128-cts des-cbc-md5 des-cbc-crc
permitted_enctypes = aes256-cts aes128-cts des-cbc-md5 des-cbc-crc

[realms]
TOTO.NET = {
  kdc = kdc1.toto.net
  kdc = kdc2.toto.net
  admin_server = kdc1.toto.net
}

[domain_realm]
.toto.net = TOTO.NET
toto.net = TOTO.NET

Here is the error I get when I try to obtain a ticket with kvno:

[2477332] 1493147723.961912: Getting credentials myuser@TOTO.NET -> nn/myserver@TOTO.NET using ccache FILE:/tmp/krb5cc_0 
[2477332] 1493147723.962055: Retrieving myuser@TOTO.NET -> nn/myserver@TOTO.NET …

authentication encryption kerberos rhel aes

4 votes | 2 answers | 2251 views