We cannot get a Spring web application to authenticate with Kerberos/AD; I think the problem is related to the encryption type of the Kerberos tickets and the Active Directory domain functional level.
The basic setup is:
I have an environment where the Active Directory domain functional level is Windows Server 2003 and everything works: if the client is logged on to the domain, the client is authenticated as expected. Checking the tickets in this environment with kerbtray, I can see that they all have ticket encryption type and key encryption type "RSADSI RC4-HMAC".
I have a new domain with functional level Windows Server 2008, and this is where authentication does not work. The application error returned when trying to validate the ticket is:
Kerberos validation not successful...
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source)
at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:146)
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:136)
... 34 more
Caused by: KrbException: Checksum failed
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(Unknown Source)
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(Unknown …

I am building a web application with SSO based on the Windows domain logon, and for that I chose to validate Kerberos tickets. But now I have run into a problem for which I cannot find a solution. I manage to validate a ticket without any exception, but when I try to get the userName a NullPointerException is thrown because the user name is null, and I do not know where the problem is.
If no exception occurs during validation, why is the user name null?
How I get the userName:
String clientName = gssContext.getSrcName().toString();
I created my client based on this:
http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/single-signon.html
Update 1:
How I set things up, simply copy-pasted from /sf/answers/1781560371/:
final Oid spnegoOid = new Oid("1.3.6.1.5.5.2");
GSSManager gssmgr = GSSManager.getInstance();
// tell the GSSManager the Kerberos name of the service
GSSName serviceName = gssmgr.createName(this.servicePrincipal, GSSName.NT_USER_NAME);
// get the service's credentials. note that this run() method was called by Subject.doAs(),
// so the service's credentials (Service Principal Name and password) are already
// available in the Subject
GSSCredential serviceCredentials = gssmgr.createCredential(serviceName,
GSSCredential.INDEFINITE_LIFETIME, …
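An added example (my code, not from either post above and not Spring Security Kerberos' own code) covering the two checks a practitioner would want here. For the first question: a checksum failure inside ArcFourHmacEType.decrypt means the RC4-HMAC key the validator loaded is not the key the KDC encrypted the ticket with (wrong password or salt when the keytab was generated, a stale kvno after a password reset, or a keytab for a different account), so the first thing to verify is which keys the keytab really holds for the SPN; keytabHasKey lists them through the public javax.security.auth.kerberos.KeyTab API. For the second question: in the JDK's SPNEGO implementation GSSContext.getSrcName() returns null rather than throwing while no mechanism context has been established, so acceptAndGetClient checks isEstablished() and logs the negotiated mechanism before touching the name. The keytab path, the SPN and the GSSCredential argument are assumed to come from the same Subject.doAs setup as the posted snippet; the class and method names are my own.

```java
import java.io.File;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KeyTab;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/**
 * Added example, not code from the posts above. Uses only public JDK APIs
 * (org.ietf.jgss and javax.security.auth.kerberos). Keytab path and SPN are
 * placeholders supplied by the caller.
 */
public class SpnegoDiagnostics {

    // Standard mechanism OIDs, so a log line can say what SPNEGO actually negotiated.
    private static final String KRB5_OID    = "1.2.840.113554.1.2.2";
    private static final String MS_KRB5_OID = "1.2.840.48018.1.2.2";
    private static final String NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10";

    // Encryption type numbers from RFC 3961, RFC 4757 and RFC 8009.
    static String etypeName(int etype) {
        switch (etype) {
            case 1:  return "des-cbc-crc";
            case 3:  return "des-cbc-md5";
            case 17: return "aes128-cts-hmac-sha1-96";
            case 18: return "aes256-cts-hmac-sha1-96";
            case 19: return "aes128-cts-hmac-sha256-128";
            case 20: return "aes256-cts-hmac-sha384-192";
            case 23: return "rc4-hmac";
            case 24: return "rc4-hmac-exp";
            default: return "etype " + etype;
        }
    }

    /**
     * First question: the ticket was encrypted with RC4-HMAC (etype 23), so the
     * keytab must hold an rc4-hmac key for the SPN with the kvno the KDC currently
     * uses. Prints every key found and returns whether one of the wanted etype exists.
     */
    static boolean keytabHasKey(String keytabPath, String spn, int wantedEtype) {
        KeyTab kt = KeyTab.getInstance(new File(keytabPath));
        if (!kt.exists()) {
            System.out.println("keytab not readable: " + keytabPath);
            return false;
        }
        // spn must include the realm, e.g. HTTP/www.example.com@EXAMPLE.COM;
        // without it the default realm from krb5.conf is appended.
        KerberosKey[] keys = kt.getKeys(new KerberosPrincipal(spn));
        boolean found = false;
        for (KerberosKey k : keys) {
            System.out.printf("%s kvno=%d %s%n", spn, k.getVersionNumber(), etypeName(k.getKeyType()));
            found |= k.getKeyType() == wantedEtype;
        }
        if (keys.length == 0) {
            System.out.println("no keys for " + spn + " (wrong SPN or wrong realm?)");
        }
        return found;
    }

    /**
     * Second question: only read the source name once the context is established;
     * getSrcName() can be null before that, which is what makes toString() throw.
     * Returns the client principal, or null with a diagnostic line if the token
     * did not establish a context.
     */
    static String acceptAndGetClient(GSSCredential serviceCredentials, byte[] token) throws GSSException {
        GSSManager mgr = GSSManager.getInstance();
        GSSContext ctx = mgr.createContext(serviceCredentials);
        try {
            // Kerberos normally completes in one round; if the mechanism wants
            // another token, reply must be sent back and this method called again.
            byte[] reply = ctx.acceptSecContext(token, 0, token.length);
            if (!ctx.isEstablished()) {
                System.out.println("context not established, mech=" + describe(ctx.getMech())
                        + (reply != null ? ", " + reply.length + " bytes to send back" : ""));
                return null;
            }
            GSSName src = ctx.getSrcName();
            if (src == null) {
                System.out.println("established but no source name, mech=" + describe(ctx.getMech()));
                return null;
            }
            return src.toString(); // e.g. user@EXAMPLE.COM
        } finally {
            ctx.dispose();
        }
    }

    static String describe(Oid mech) {
        if (mech == null) return "none";
        String s = mech.toString();
        if (s.equals(KRB5_OID)) return "Kerberos V5";
        if (s.equals(MS_KRB5_OID)) return "MS Kerberos (legacy OID)";
        if (s.equals(NTLMSSP_OID)) return "NTLMSSP (not supported by JGSS SPNEGO)";
        return s;
    }
}
```

Run keytabHasKey(path, "HTTP/host@REALM", 23) once at startup and refuse to serve if it returns false; for the acceptor, call acceptAndGetClient from inside the same Subject.doAs block that holds the service credential, and treat a null return as "not authenticated" rather than an empty user name.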