我们无法使用Kerberos/AD身份验证来使用Spring Web应用程序,我认为该问题与Kerberos票证和Active Directory域功能级别的加密类型有关.
基本设置是:
我有一个环境,其中Active Directory域功能级别是Windows Server 2003,一切正常,如果客户端登录到域,则客户端按预期进行身份验证.使用kerbtray检查此环境中的票证我可以看到它们都具有票证加密类型和密钥加密类型"RSADSI RC4-HMAC".
我有一个功能级别为Windows Server 2008的新域,这是身份验证不起作用的地方.尝试验证票证时返回的应用程序错误是:
Kerberos validation not successful...
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source)
at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:146)
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:136)
... 34 more
Caused by: KrbException: Checksum failed
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(Unknown Source)
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(Unknown …