我正在尝试使用http://docs.spring.io/spring-security-kerberos/docs/1.0.1.RELEASE/reference/htmlsingle/#samples-sec-server-win-auth中所述的带有Active Directory凭据的Spring Security Kerberos。我想说的是,我已经掌握了大多数东西(SPN,键表等)。现在我的校验和失败。假设我更改了主体名称,则会收到AES加密错误。
我在带有Oracle Java 1.8 + JCE的RHEL 6上使用Spring Boot[https://github.com/spring-projects/spring-security-kerberos/tree/master/spring-security-kerberos-samples/sec-server-win-auth]中的样本
这是运行罐子时得到的信息
调试为真storeKey为trueuseTicketCache为falseuseKeyTab是doNotPrompt trueticketCache为nullisInitiator为假KeyTab是/home/boss/webdev125-3.keytabrefreshKrb5Config为false主体是http/[email protected]为假useFirstPass为假storePass为假clearPass为假
主要是http/[email protected]将使用keytab提交成功
....
2015-11-25 11:29:09.631调试5559 --- [nio-8080-exec-3] .a.KerberosServiceAuthenticationProvider:尝试验证Kerberos令牌2015-11-25 11:29:10.003警告5559 --- [nio-8080-exec-3] w.a.SpnegoAuthenticationProcessingFilter:协商标题无效:
...
org.springframework.security.authentication.BadCredentialsException:Kerberos验证不成功在org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:71)上在org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:64)在org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
...
由:org.ietf.jgss.GSSException引起:在GSS-API级别未指定失败(机制级别:校验和失败)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:856) at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342) at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285) at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:906) at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:556) at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342) at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285) at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:170) at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:153) ... 48 common frames omitted
原因:sun.security.krb5.KrbCryptoException:校验和失败
at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:102) at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:94) at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:175) at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:281) at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149) at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108) at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829) ... 56 common frames omitted
原因:java.security.GeneralSecurityException:校验和失败
at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:451) at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(AesDkCrypto.java:272) at sun.security.krb5.internal.crypto.Aes256.decrypt(Aes256.java:76) at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:100) ... 62 common frames omitted
其他一些细节:
我正在尝试使用Active Directory凭据执行Spring Security Kerberos,如http://docs.spring.io/spring-security-kerberos/docs/1.0.1.RELEASE/reference/htmlsingle/#samples- sec-server -...
似乎我与现有的服务主体映射有冲突。清理完毕后,错误停止发生。该链接帮助我找到了解决方法-https://developer.jboss.org/wiki/ConfiguringJBossNegotiationInAnAllWindowsDomain?_sscc=t
我最近遇到这个问题。