GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)

Question (votes: 0, answers: 1)

We are having a problem setting up SSO with Wildfly 26.1.3 (Kerberos5, kdc, Spnego). When we try to authenticate we get the following error in the logs. We need your help to resolve the issue.

{
  "timestamp": "2024-02-23T08:01:00.237+01:00",
  "sequence": 13749,
  "loggerClassName": "org.jboss.logging.DelegatingBasicLogger",
  "loggerName": "org.wildfly.security.http.spnego",
  "level": "TRACE",
  "message": "Call to acceptSecContext failed.",
  "threadName": "default task-1",
  "threadId": 171,
  "mdc": {},
  "ndc": "",
  "hostName": "txxxxxxx-web-7bd785664-fzvn5",
  "processName": "jboss-modules.jar",
  "processId": 215,
  "stackTrace": ": GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)\n\tat sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:858)\n\tat sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)\n\tat sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)\n\tat sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:909)\n\tat sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:559)\n\tat sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)\n\tat sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)\n\tat org.wildfly.security.http.spnego.SpnegoAuthenticationMechanism.lambda$evaluateRequest$0(SpnegoAuthenticationMechanism.java:245)\n\tat java.security.AccessController.doPrivileged(Native Method)\n\tat javax.security.auth.Subject.doAs(Subject.java:422)\n\tat org.wildfly.security.http.spnego.SpnegoAuthenticationMechanism.evaluateRequest(SpnegoAuthenticationMechanism.java:245)\n\tat org.wildfly.security.http.util.SetMechanismInformationMechanismFactory$1.evaluateRequest(SetMechanismInformationMechanismFactory.java:119)\n\tat org.wildfly.security.http.util.SocketAddressCallbackServerMechanismFactory$1.evaluateRequest(SocketAddressCallbackServerMechanismFactory.java:82)\n\tat org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:85)\n\tat org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:325)\n\tat org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.access$800(HttpAuthenticator.java:300)\n\tat org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:94)\n\tat org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:107)\n\tat org.wildfly.elytron.web.undertow.server.servlet.ServletSecurityContextImpl.authenticate(ServletSecurityContextImpl.java:115)\n\tat io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)\n\tat io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)\n\tat io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)\n\tat io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)\n\tat io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)\n\tat io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)\n\tat io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)\n\tat io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)\n\tat org.wildfly.elytron.web.undertow.server.servlet.CleanUpHandler.handleRequest(CleanUpHandler.java:38)\n\tat io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)\n\tat org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)\n\tat io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)\n\tat org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)\n\tat io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52)\n\tat io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)\n\tat io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:275)\n\tat io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:79)\n\tat io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:134)\n\tat io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:131)\n\tat io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)\n\tat io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)\n\tat org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544)\n\tat org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544)\n\tat org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544)\n\tat org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544)\n\tat io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:255)\n\tat io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:79)\n\tat io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:100)\n\tat io.undertow.server.Connectors.executeRootHandler(Connectors.java:387)\n\tat io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:852)\n\tat org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)\n\tat org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)\n\tat org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)\n\tat org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)\n\tat org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1282)\n\tat java.lang.Thread.run(Thread.java:750)\nCaused by: KrbException: Checksum failed\n\tat sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:102)\n\tat sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:94)\n\tat sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:175)\n\tat sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:281)\n\tat sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149)\n\tat sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:140)\n\tat sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:831)\n\t... 54 more\nCaused by: java.security.GeneralSecurityException: Checksum failed\n\tat sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCrypto.java:408)\n\tat sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(ArcFourHmac.java:91)\n\tat sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:100)\n\t... 60 more\n",
  "label": "value"
}

In krb5.conf we have the following [libdefaults] settings:

[libdefaults]

      default_realm = ABCD.XYZ
      dns_lookup_kdc = true
      dns_lookup_realm = true
      default_tkt_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96 des3-cbc-sha1 rc4-hmac des-cbc-md5 des3-cbc-sha1-kd rc4-hmac-md5
      default_tgs_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96 des3-cbc-sha1 rc4-hmac des-cbc-md5 des3-cbc-sha1-kd rc4-hmac-md5
      permitted_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96 des3-cbc-sha1 rc4-hmac des-cbc-md5 des3-cbc-sha1-kd rc4-hmac-md5

      allow_weak_crypto = true
      udp_preference_limit = 1
      ticket_lifetime = 24h  
      renew_lifetime = 7d  
      forwardable = true  
      rdns = false  
      pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt  
      default_ccache_name = KEYRING:persistent:%{uid} 

We also tried enabling the following:

kdc_req_checksum_type = 1
safe_checksum_type = 1
ap_req_checksum_type = 1
Tags: active-directory, single-sign-on, kerberos, spnego

1 answer (0 votes)

The exception in the trace refers to the arcfour-hmac-md5 algorithm, but your application configuration does not include this algorithm. Could you add arcfour-hmac-md5 to the encryption algorithms in the configuration file? Reference: https://developer.jboss.org/thread/44032

Also, for Windows Server operating systems the hostname in the event log is very long. Normally the host part of the FQDN does not exceed 15 characters. https://en.wikipedia.org/wiki/NetBIOS

In addition, the Kerberos MaxTicketAge and MaxServiceAge default to 10 hours in Windows, while you have specified a ticket renewal time of 24 hours, which does not match the Windows default. If this has been changed in Active Directory, your configuration should reflect the same value.

Reference: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpsb/0fce5b92-bcc1-4b96-9c2b-56397c3f144f
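An audit of the [libdefaults] section shown in the question, as an added example (not code from the question, the answer or WildFly): it parses the enctype lists, canonicalises MIT krb5 alias names (rc4-hmac and rc4-hmac-md5 both resolve to arcfour-hmac-md5, the RC4 type the trace's ArcFourHmacEType refers to) and flags DES/RC4 entries and allow_weak_crypto = true. The embedded sample is the questioner's snippet, trimmed to one enctype list.

```python
"""Weak-enctype audit for the [libdefaults] section of a krb5.conf.
Added example; not code from the question, the answer or WildFly."""
import re

# MIT krb5 alias -> (canonical name, strength); RC4 is what JGSS calls ArcFourHmac.
ENCTYPES = {
    "aes256-cts-hmac-sha1-96": ("aes256-cts-hmac-sha1-96", "strong"),
    "aes128-cts-hmac-sha1-96": ("aes128-cts-hmac-sha1-96", "strong"),
    "rc4-hmac": ("arcfour-hmac-md5", "weak"),
    "rc4-hmac-md5": ("arcfour-hmac-md5", "weak"),
    "arcfour-hmac-md5": ("arcfour-hmac-md5", "weak"),
    "des3-cbc-sha1": ("des3-cbc-sha1", "deprecated"),
    "des3-cbc-sha1-kd": ("des3-cbc-sha1", "deprecated"),
    "des-cbc-md5": ("des-cbc-md5", "weak"),
}

def parse_section(text, section):
    """Return {key: value} for one [section] of an MIT-style krb5.conf."""
    values, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and indentation
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            current = m.group(1)
        elif current == section and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip()] = val.strip()
    return values

def audit_libdefaults(text):
    """List (key, name, canonical, strength) for every non-strong enctype and flag."""
    ld = parse_section(text, "libdefaults")
    findings = []
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        for name in ld.get(key, "").lower().split():
            canon, strength = ENCTYPES.get(name, (name, "unknown"))
            if strength != "strong":
                findings.append((key, name, canon, strength))
    if ld.get("allow_weak_crypto", "false").lower() == "true":
        findings.append(("allow_weak_crypto", "true", "true", "weak"))
    return findings

# Constructed sample: the questioner's permitted_enctypes line and weak-crypto flag.
SAMPLE = """[libdefaults]
    permitted_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96 des3-cbc-sha1 rc4-hmac des-cbc-md5 des3-cbc-sha1-kd rc4-hmac-md5
    allow_weak_crypto = true
"""
if __name__ == "__main__":
    for f in audit_libdefaults(SAMPLE):
        print("%s: %s -> %s (%s)" % f)
```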
