KDC 不支持加密类型 (14)
问题描述 投票:0回答:5
我正在尝试使用 spring-security-kerberos 扩展通过 kerberos 实现 SSO。
我创建了一个 keytab 文件,但在尝试访问我的 web 应用程序时收到以下错误:
GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
我尝试根据这篇文章测试我的密钥表。
密钥表是使用以下命令创建的:
ktpass /out http-web.keytab /mapuser [email protected] /princ HTTP/[email protected] /pass myPass /ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT /kvno 0
我的krb5.conf如下
[libdefaults]
default_realm = MYDOMAIN.COM
permitted_enctypes = aes256-cts arcfour-hmac-md5 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
default_tgs_enctypes = aes256-cts arcfour-hmac-md5 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
default_tkt_enctypes = aes256-cts arcfour-hmac-md5 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
[realms]
MYDOMAIN.COM = {
kdc = controller1.mydomain.com:88
kdc = controler2.mydomain.com:88
kdc = controller3.mydomain.com:88
admin_server = controller3.mydomain.com
default_domain = MYDOMAIN.COM
}
[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM
[login]
krb4_convert = true
krb4_get_tickets = false
我收到以下错误:
KDC has no support for encryption type (14)
我尝试为 SPN 帐户启用 DES、AES-128 和 AES-256,但没有解决问题。
我在这里缺少什么?
谢谢, 利奥尔
5个回答
8
投票
投票
连续几天都在不断地对 KrbException“KDC 不支持加密类型(14)”进行猛击。我访问过很多地方,包括一些深入的 MSDN 博客文章(来自 Hongwei Sun、Sebastian Canevari),由于缺乏声誉,我无法参考。
谢谢您提到 kvno 0 和 dsiabling DES,它现在也适用于我这边。
最后归结为我的用户帐户设置为
userAccountControl:0d66048 或 0x10200 与 0b10000001000000000 匹配 或 ADS_UF_DONT_EXPIRE_PASSWD (0x00010000) 和 ADS_UF_NORMAL_ACCOUNT (0x00000200),但未设置 UF_USE_DES_KEY_ONLY (0x200000)
和
msDS-SupportedEncryptionTypes:0d16 或 0x10 与 0b10000 或 AES256-CTS-HMAC-SHA1-96 (0x10) 匹配,但未设置 RC4-HMAC (0x04)。
ldapsearch -h masterdc.localnet.org -D 'spn_hostname' -w '*password*' -b 'ou=Accounts,dc=localnet,dc=org' -s sub 'userPrincipalName=HTTP/[email protected]' distinguishedName servicePrincipalName userPrincipalName msDS-SupportedEncryptionTypes userAccountControl
# extended LDIF
#
# LDAPv3
# base <ou=Accounts,dc=localnet,dc=org> with scope subtree
# filter: userPrincipalName=HTTP/[email protected]
# requesting: distinguishedName servicePrincipalName userPrincipalName msDS-SupportedEncryptionTypes userAccountControl
#
# spn_hostname, DokSvc, Services, Accounts, localnet.org
dn: CN=spn_hostname,OU=DokSvc,OU=Services,OU=Accounts,DC=localnet,DC=org
distinguishedName: CN=spn_hostname,OU=DokSvc,OU=Services,OU=Accounts,DC=localnet,DC=org
userAccountControl: 66048
userPrincipalName: HTTP/[email protected]
servicePrincipalName: HTTP/hostname.localnet.org
servicePrincipalName: HTTP/[email protected]
msDS-SupportedEncryptionTypes: 16
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
通过我的 /etc/krb5.conf 中的此内容和以下内容,当从 default_tkt_enctypes 中删除 rc4-hmac 时,我可以重复地引发“KrbException KDC 不支持加密类型 (14)”。
/etc/krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = LOCALNET.DE
default_tkt_enctypes = aes256-cts
default_tgs_enctypes = aes256-cts
permitted_enctypes = aes256-cts
[realms]
LOCALNET.ORG = {
kdc = masterdc.localnet.org:88
admin_server = masterdc.localnet.org
default_domain = LOCALNET.ORG
}
[domain_realm]
.localnet.org = LOCALNET.ORG
localnet.org = LOCALNET.ORG
[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true
但是,如果将其更改为default_tkt_enctypes = aes256-cts rc4-hmac,它将成功。
请注意,您也可以省略在 /etc/krb5.conf 中指定 default_tkt_enctypes 指令,以使其正常工作。
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23.
因此看起来 Windows Server 2008 SP2 Active Directory 在预身份验证阶段明确需要 RC4-HMAC:
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
我已更新 JDK 的 jre/lib/security 文件夹中的 JCE 1.8.0 策略文件,以便支持 AES256。
亲切的问候, 斯特凡
enctypes 在下指定
Kerberos 参数 http://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml
etype encryption type Reference
1 des-cbc-crc [RFC3961]
3 des-cbc-md5 [RFC3961]
17 aes128-cts-hmac-sha1-96 [RFC3962]
18 aes256-cts-hmac-sha1-96 [RFC3962]
23 rc4-hmac [RFC4757]
失败:
java -cp /somepath/krb5.jar -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit -k -t /somepath/spn_hostname.keytab HTTP/[email protected]
>>>KinitOptions cache name is /tmp/krb5cc_723
Principal is HTTP/[email protected]
>>> Kinit using keytab
>>> Kinit keytab file name: /somepath/spn_hostname.keytab
Java config name: null
LSA: Found Ticket
LSA: Made NewWeakGlobalRef
LSA: Found PrincipalName
LSA: Made NewWeakGlobalRef
LSA: Found DerValue
LSA: Made NewWeakGlobalRef
LSA: Found EncryptionKey
LSA: Made NewWeakGlobalRef
LSA: Found TicketFlags
LSA: Made NewWeakGlobalRef
LSA: Found KerberosTime
LSA: Made NewWeakGlobalRef
LSA: Found String
LSA: Made NewWeakGlobalRef
LSA: Found DerValue constructor
LSA: Found Ticket constructor
LSA: Found PrincipalName constructor
LSA: Found EncryptionKey constructor
LSA: Found TicketFlags constructor
LSA: Found KerberosTime constructor
LSA: Finished OnLoad processing
Native config name: C:\Windows\krb5.ini
Loaded from native config
>>> Kinit realm name is LOCALNET.ORG
>>> Creating KrbAsReq
>>> KrbKdcReq local addresses for hostname.localnet.org are:
hostname.localnet.org/192.168.1.2
IPv4 address
>>> KdcAccessibility: reset
>>> KeyTabInputStream, readName(): LOCALNET.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): hostname.localnet.org
>>> KeyTab: load() entry length: 64; type: 1
>>> KeyTabInputStream, readName(): LOCALNET.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): hostname.localnet.org
>>> KeyTab: load() entry length: 64; type: 3
>>> KeyTabInputStream, readName(): LOCALNET.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): hostname.localnet.org
>>> KeyTab: load() entry length: 72; type: 23
>>> KeyTabInputStream, readName(): LOCALNET.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): hostname.localnet.org
>>> KeyTab: load() entry length: 88; type: 18
>>> KeyTabInputStream, readName(): LOCALNET.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): hostname.localnet.org
>>> KeyTab: load() entry length: 72; type: 17
Looking for keys for: HTTP/[email protected]
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/[email protected]
Found unsupported keytype (1) for HTTP/[email protected]
default etypes for default_tkt_enctypes: 18.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=masterdc.localnet.org UDP:88, timeout=30000, number of retries =3, #bytes=216
>>> KDCCommunication: kdc=masterdc.localnet.org UDP:88, timeout=30000,Attempt =1, #bytes=216
>>> KrbKdcReq send: #bytes read=194
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 18, salt = LOCALNET.ORGHTTPhostname.localnet.org, s2kparams = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
>>> KdcAccessibility: remove masterdc.localnet.org:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Tue Jan 17 18:49:14 CET 2017 1484675354000
suSec is 822386
error code is 25
error Message is Additional pre-authentication required
sname is krbtgt/[email protected]
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 18, salt = LOCALNET.ORGHTTPhostname.localnet.org, s2kparams = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 18.
Looking for keys for: HTTP/[email protected]
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/[email protected]
Found unsupported keytype (1) for HTTP/[email protected]
Looking for keys for: HTTP/[email protected]
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/[email protected]
Found unsupported keytype (1) for HTTP/[email protected]
default etypes for default_tkt_enctypes: 18.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=masterdc.localnet.org UDP:88, timeout=30000, number of retries =3, #bytes=305
>>> KDCCommunication: kdc=masterdc.localnet.org UDP:88, timeout=30000,Attempt =1, #bytes=305
>>> KrbKdcReq send: #bytes read=93
>>> KdcAccessibility: remove masterdc.localnet.org:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Tue Jan 17 18:49:14 CET 2017 1484675354000
suSec is 25186
error code is 14
error Message is KDC has no support for encryption type
sname is krbtgt/[email protected]
msgType is 30
Exception: krb_error 14 KDC has no support for encryption type (14) KDC has no support for encryption type
KrbException: KDC has no support for encryption type (14)
at sun.security.krb5.KrbAsRep.<init>(Unknown Source)
at sun.security.krb5.KrbAsReqBuilder.send(Unknown Source)
at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
at sun.security.krb5.internal.tools.Kinit.<init>(Unknown Source)
at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(Unknown Source)
at sun.security.krb5.internal.ASRep.init(Unknown Source)
at sun.security.krb5.internal.ASRep.<init>(Unknown Source)
... 5 more
成功:
java -cp /home/wls0/webdav/krb5.jar -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit -k -t /somepath/spn_hostname.keytab HTTP/[email protected]
>>>KinitOptions cache name is /tmp/krb5cc_723
Principal is HTTP/[email protected]
>>> Kinit using keytab
>>> Kinit keytab file name: /somepath/spn_hostname.keytab
Java config name: null
Native config name: /etc/krb5.conf
Loaded from native config
>>> Kinit realm name is LOCALNET.ORG
>>> Creating KrbAsReq
>>> KrbKdcReq local addresses for hostname.localnet.org are:
hostname.localnet.org/192.168.1.2
IPv4 address
>>> KdcAccessibility: reset
>>> KeyTabInputStream, readName(): LOCALNET.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): hostname.localnet.org
>>> KeyTab: load() entry length: 64; type: 1
>>> KeyTabInputStream, readName(): LOCALNET.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): hostname.localnet.org
>>> KeyTab: load() entry length: 64; type: 3
>>> KeyTabInputStream, readName(): LOCALNET.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): hostname.localnet.org
>>> KeyTab: load() entry length: 72; type: 23
>>> KeyTabInputStream, readName(): LOCALNET.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): hostname.localnet.org
>>> KeyTab: load() entry length: 88; type: 18
>>> KeyTabInputStream, readName(): LOCALNET.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): hostname.localnet.org
>>> KeyTab: load() entry length: 72; type: 17
Looking for keys for: HTTP/[email protected]
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/[email protected]
Found unsupported keytype (1) for HTTP/[email protected]
default etypes for default_tkt_enctypes: 23 18.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=masterdc.localnet.org UDP:88, timeout=30000, number of retries =3, #bytes=180
>>> KDCCommunication: kdc=masterdc.localnet.org UDP:88, timeout=30000,Attempt =1, #bytes=180
>>> KrbKdcReq send: #bytes read=201
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 18, salt = LOCALNET.ORGHTTPhostname.localnet.org, s2kparams = null
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
>>> KdcAccessibility: remove masterdc.localnet.org
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Tue Jan 17 19:11:56 CET 2017 1484676716000
suSec is 116308
error code is 25
error Message is Additional pre-authentication required
sname is krbtgt/[email protected]
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 18, salt = LOCALNET.ORGHTTPhostname.localnet.org, s2kparams = null
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18.
Looking for keys for: HTTP/[email protected]
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/[email protected]
Found unsupported keytype (1) for HTTP/[email protected]
Looking for keys for: HTTP/[email protected]
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/[email protected]
Found unsupported keytype (1) for HTTP/[email protected]
default etypes for default_tkt_enctypes: 23 18.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=masterdc.localnet.org UDP:88, timeout=30000, number of retries =3, #bytes=269
>>> KDCCommunication: kdc=masterdc.localnet.org UDP:88, timeout=30000,Attempt =1, #bytes=269
>>> KrbKdcReq send: #bytes read=94
>>> KrbKdcReq send: kdc=masterdc.localnet.org TCP:88, timeout=30000, number of retries =3, #bytes=269
>>> KDCCommunication: kdc=masterdc.localnet.org TCP:88, timeout=30000,Attempt =1, #bytes=269
>>>DEBUG: TCPClient reading 1615 bytes
>>> KrbKdcReq send: #bytes read=1615
>>> KdcAccessibility: remove masterdc.localnet.org
Looking for keys for: HTTP/[email protected]
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/[email protected]
Found unsupported keytype (1) for HTTP/[email protected]
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/hostname.localnet.org
New ticket is stored in cache file /tmp/krb5cc_723
PS:您可能想要从 Windows JDK 中提取 Kerberos 5 工具,因为 Oracle 已从 JDK 1.6 开始将其删除。这可以通过参数 (-Dsun.security.krb5.debug=true) 在 Linux 平台上为您提供额外的调试输出。
mkdir sun.security.krb5
cd sun.security.krb5
"C:\Oracle\Java\jdk1.8.0_112\bin\jar.exe" -xf C:\Oracle\Java\jre1.8.0_112\lib\rt.jar sun\security\krb5
"C:\Oracle\Java\jdk1.8.0_112\bin\jar.exe" -cf krb5.jar sun\security\krb5
dir
这适用于 JDK-6910497:缺少 Kinit 类 http://bugs.java.com/bugdatabase/view_bug.do?bug_id=6910497
4
投票
投票
终于开始工作了: 在为 Oracle JDK 6 实现 kerberos 身份验证时,应使用 RC4-HMAC 加密,因此应为用户帐户禁用 DES 和 AES 支持。
我为什么要检查它们是另一个故事......
2
投票
投票
我的解决方案是通过帐户选项卡上的 Active Directory 用户和计算机工具检查 AD 用户的这两个选项:
0
投票
投票
对我的情况有帮助的是开关
ktpass ... -crypto all ...
我在 krb5.conf 中评论了所有这些:
# default_tkt_enctypes = ...
# default_tgs_enctypes = ...
# permitted_enctypes = ...
我猜这是最兼容的 rc4-hmac 编码的默认设置。
我的 SPN 帐户的 Active Directory 中不需要进行特殊设置。
Windows Server 2008、Weblogic 10.3.6、Oracle JDK 1.7
0
投票
投票
几天后我设法解决了这个问题。根本原因是 Java >= 11.0.17 禁用了 RC4-HMAC 和其他“弱”加密算法。
一种解决方案是降级 Java 版本,但有时这是不可能的。另一个解决方案是在 AD 中进行必要的更改(为帐户启用 AES 加密)(如果您可以更改这些值)。
由于我没有任何选择,我可以使用以下配置解决它:
在您的
条目中另外添加rc4-hmac
到您的其他加密算法之后的*_enctypes
(例如krb.conf
)。它也可能与aes256-...
而不是arcfour-hmac
一起使用。 (如果您使用的是 Java,该错误现在应该消失了 < 11.0.17.)rc4-hmac在您的
中添加allow_weak_crypto = true
(现在 Java >= 11.0.17 将允许使用禁用的算法。)krb.conf
最新问题
- seaborn图形中如何防止输出指数数?
- QTreeView 禁用某些行的选择
- 我一直在尝试将流畅的 ui 北极星中的图标添加到流畅的 ui 下拉列表中。没有可用的适当文档
- PostgreSql 函数中的保存点
- TypeScript 使用泛型类型推断出 AbstractControl 的错误类型
- System.Net.HttpStatusCode 和 Microsoft.AspNetCore.Http.StatusCodes 有什么区别? [已关闭]
- 处理 Highcharts 中具有动态 x 轴范围的无数据模块
- 灯具的灯具:我是否导入其他灯具所依赖的灯具?
- 无法运行程序,因为模拟器中的加载设备未在 Android Studio 上运行
- 第 3 方应用程序的护照授权 - 从前端应用程序使用基于令牌的用户访问 /oauth/authorize
- 用 svg 建造房子
- 如何更改Material Ui中循环进度的路径颜色?
- 当我在板条箱中使用 Rust 工作区时,Vec 会清除
- WPF - 在 XAML 中动画网格长度
- 哪些值可以从 aws_launch_template / tag_specations 获取 Resource_type 属性
- 将多个函数参数映射到静态模板参数
- 使用 NWPathMonitor 与 Swift 现代并发 (AsyncStream) 对比 GCD (DispatchQueue)
- 管理 2 个 git 用户 gpg 密钥并为每个用户选择 gpg 签名
- 我该如何解决`“CSSStyleDeclaration”类型上不存在属性“zoom”。`
- mongo --ssl 命令默认连接到错误的数据库
© www.soinside.com 2019 - 2024. All rights reserved.