Logging in to an OpenWebStart application with Kerberos: Checksum failed

Problem description (votes: 0, answers: 1)

I am trying to run an OpenWebStart application that shows a login dialog, and the Kerberos login does not work. I get a "Checksum failed" exception (shown below). I run the KDC in a VM (CentOS 7), and in the Kerberos log I can see that the TGT is created successfully:

Kerberos.kalna.ch krb5kdc[1132](Information): AS_REQ (6 etypes {18 17 16 23 1 3} 192.168.56.1: ISSUE authtime 1583736176 , etypes {rep=18 tkt=18 ses=18}, [email protected] for krbtgt/[email protected]

Here is the Kerberos configuration (kdc.conf):

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 KALNA.CH = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }

And on the client side the following configuration (krb5.conf):

[libdefaults]
forwardable = true
default_realm = KALNA.CH
udp_preference_limit = 1
kdc_timeout = 2000
allow_weak_crypto = true

[realms]
KALNA.CH = {
    kdc = Kerberos.kalna.ch
    default_domain = kalna.ch
}

[domain_realm]
 .kalna.ch = KALNA.CH
 kalna.ch = KALNA.CH

While debugging I can see that the TGT reply is received fine, but then a checksum check is performed and it fails. I tried the unlimited strength policy, but that did not help. Any idea why the checksum fails?

Many thanks for your help. Here is the OpenWebStart log:

        [Krb5LoginModule] user entered username: [email protected]

Mon Mar 09 07:42:56 CET 2020 [DEBUG  ] com.openwebstart.proxy.direct.DirectProxyProvider: Using NO_PROXY
        [Krb5LoginModule] authentication failed Checksum failed
javax.security.auth.login.LoginException: Checksum failed
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:808)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:618)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at net.sourceforge.jnlp.Launcher.launchApplication(Launcher.java:400)
    at net.sourceforge.jnlp.Launcher.access$200(Launcher.java:69)
    at net.sourceforge.jnlp.Launcher$TgThread.run(Launcher.java:650)
Caused by: KrbException: Checksum failed
    at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:102)
    at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:94)
    at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:175)
    at sun.security.krb5.KrbAsRep.decrypt(KrbAsRep.java:150)
    at sun.security.krb5.KrbAsRep.decryptUsingPassword(KrbAsRep.java:139)
    at sun.security.krb5.KrbAsReqBuilder.resolve(KrbAsReqBuilder.java:310)
    at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:447)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:770)
    ... 23 more
Caused by: java.security.GeneralSecurityException: Checksum failed
    at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:451)
    at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(AesDkCrypto.java:272)
    at sun.security.krb5.internal.crypto.Aes256.decrypt(Aes256.java:76)
    at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:100)
    ... 30 more
Debug is  true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is true principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false Refreshing Kerberos configuration
Tags: kerberos checksum openwebstart

1 answer

0 votes

I have debugged KrbAsRep.java, and you are right, the KDC sends the following pAData. The salt is then computed from it. But I cannot see the reason why it fails.

0 = {PAData@4691} ">>>Pre-Authentication Data:\n\t PA-DATA type = 19\n\t PA-ETYPE-INFO2 etype = 23, salt = KALNA.CHkada, s2kparams = null\n"
1 = {PAData@4692} ">>>Pre-Authentication Data:\n\t PA-DATA type = 3\n"
2 = {PAData@4693} ">>>Pre-Authentication Data:\n\t PA-DATA type = 11\n\t PA-ETYPE-INFO etype = 23, salt = KALNA.CHkada\n"
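The "Checksum failed" in the question's stack trace is raised by the JDK's AesDkCrypto.decryptCTS when the HMAC-SHA1-96 it recomputes over the decrypted AS-REP does not match the one the KDC sent, and the key it uses comes from the password and the salt carried in the PA-ETYPE-INFO2 shown in this answer. The following is an added example (not code from OpenWebStart, the JDK or either poster) that walks through that path as specified in RFC 3962 and RFC 3961: string-to-key with PBKDF2 and DK(), the n-fold function, the Ke/Ki derivation for key usage 3 (the AS-REP enc-part usage from RFC 4120), encryption with the HMAC appended, and the decrypt-and-verify step that throws the same message when the two sides derive different keys. The class name, the password "correct horse", the one-block plaintext, the all-zero confounder and the second salt "KALNA.CHKada" are constructed for the demonstration; the salt "KALNA.CHkada" is the one the KDC announced above. Plain CBC with a zero IV is used in place of the CTS mode, which is an assumption that holds only for block-aligned data and does not affect the integrity check being demonstrated.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

// Added example (not JDK or OpenWebStart code): RFC 3962 aes256-cts-hmac-sha1-96 string-to-key, the RFC 3961
// n-fold/DK derivations and the HMAC-SHA1-96 check that the JDK reports as "Checksum failed".
// Password, plaintext, confounder and the second salt are constructed values.
public class Aes256SaltDemo {
    static final int KEY_USAGE_AS_REP = 3;   // RFC 4120: key usage for the AS-REP enc-part

    // RFC 3961 n-fold: replicate the input, rotating each copy 13 more bits to the right (bit 0 is the MSB of
    // byte 0), then add the outLen-byte chunks with ones' complement (end-around carry) addition.
    static byte[] nfold(byte[] in, int outLen) {
        int n = in.length * 8, lcm = in.length;
        while (lcm % outLen != 0) lcm += in.length;
        byte[] buf = new byte[lcm];
        for (int copy = 0; copy < lcm / in.length; copy++)
            for (int p = 0; p < n; p++) {
                int src = Math.floorMod(p - 13 * copy, n);
                buf[copy * in.length + p / 8] |= (byte) (((in[src / 8] >> (7 - src % 8)) & 1) << (7 - p % 8));
            }
        int[] acc = new int[outLen];
        for (int off = 0; off < lcm; off += outLen)
            for (int i = 0; i < outLen; i++) acc[i] += buf[off + i] & 0xff;
        byte[] out = new byte[outLen];
        int carry = 0;
        for (int i = outLen - 1; i >= 0; i--) { int v = acc[i] + carry; out[i] = (byte) v; carry = v >>> 8; }
        while (carry != 0)   // end-around carry
            for (int i = outLen - 1; i >= 0 && carry != 0; i--) { int v = (out[i] & 0xff) + carry; out[i] = (byte) v; carry = v >>> 8; }
        return out;
    }

    static byte[] concat(byte[] a, byte[] b) { return ByteBuffer.allocate(a.length + b.length).put(a).put(b).array(); }

    // RFC 3961 DK(key, constant): chained single-block encryptions of n-fold(constant) give the 32-byte derived
    // key (for AES, random-to-key is the identity); a single block under a zero IV is the same as ECB.
    static byte[] dk(byte[] key, byte[] constant) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/ECB/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"));
        byte[] k1 = c.doFinal(nfold(constant, 16));
        return concat(k1, c.doFinal(k1));
    }

    // RFC 3962 string-to-key: PBKDF2-HMAC-SHA1(password, salt, 4096 iterations, 256 bits), then DK(tkey, "kerberos")
    static byte[] stringToKey(String password, String salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt.getBytes(StandardCharsets.UTF_8), 4096, 256);
        byte[] tkey = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded();
        return dk(tkey, "kerberos".getBytes(StandardCharsets.US_ASCII));
    }

    // Ke = DK(base, usage || 0xAA) and Ki = DK(base, usage || 0x55), usage as a 4-byte big-endian integer
    static byte[] usageKey(byte[] base, int usage, int suffix) throws GeneralSecurityException {
        return dk(base, new byte[] { (byte) (usage >>> 24), (byte) (usage >>> 16), (byte) (usage >>> 8), (byte) usage, (byte) suffix });
    }

    static byte[] hmacSha1_96(byte[] ki, byte[] data) throws GeneralSecurityException {
        Mac m = Mac.getInstance("HmacSHA1");
        m.init(new SecretKeySpec(ki, "HmacSHA1"));
        return Arrays.copyOf(m.doFinal(data), 12);
    }

    // Assumption: plain CBC with a zero IV stands in for CTS, so data must be a whole number of blocks.
    static byte[] cbc(int mode, byte[] ke, byte[] data) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/CBC/NoPadding");
        c.init(mode, new SecretKeySpec(ke, "AES"), new IvParameterSpec(new byte[16]));
        return c.doFinal(data);
    }

    // RFC 3961 simplified profile: E(Ke, confounder || plaintext) || HMAC-SHA1-96(Ki, confounder || plaintext)
    static byte[] encrypt(byte[] base, int usage, byte[] confounder, byte[] plaintext) throws GeneralSecurityException {
        byte[] data = concat(confounder, plaintext);
        return concat(cbc(Cipher.ENCRYPT_MODE, usageKey(base, usage, 0xAA), data), hmacSha1_96(usageKey(base, usage, 0x55), data));
    }

    // Decrypts, recomputes the HMAC over the recovered data and compares it; a key derived from a different salt
    // or password gives a different Ki, so the comparison fails with the message seen in the stack trace above.
    static byte[] decrypt(byte[] base, int usage, byte[] ct) throws GeneralSecurityException {
        byte[] data = cbc(Cipher.DECRYPT_MODE, usageKey(base, usage, 0xAA), Arrays.copyOf(ct, ct.length - 12));
        byte[] tag = Arrays.copyOfRange(ct, ct.length - 12, ct.length);
        if (!MessageDigest.isEqual(hmacSha1_96(usageKey(base, usage, 0x55), data), tag))
            throw new GeneralSecurityException("Checksum failed");
        return Arrays.copyOfRange(data, 16, data.length);   // drop the 16-byte confounder
    }

    public static void main(String[] args) throws Exception {
        String password = "correct horse", kdcSalt = "KALNA.CHkada";   // constructed password; salt from the PA-ETYPE-INFO2 above
        byte[] plaintext = "EncASRepPart0123".getBytes(StandardCharsets.US_ASCII);   // constructed, exactly one block
        byte[] asRep = encrypt(stringToKey(password, kdcSalt), KEY_USAGE_AS_REP, new byte[16], plaintext);
        // the client derives its key from the same password and the announced salt: the checksum verifies
        System.out.println("announced salt: " + new String(decrypt(stringToKey(password, kdcSalt), KEY_USAGE_AS_REP, asRep), StandardCharsets.US_ASCII));
        try {   // one differing character in the salt gives a different key and Ki: the checksum fails
            decrypt(stringToKey(password, "KALNA.CHKada"), KEY_USAGE_AS_REP, asRep);
        } catch (GeneralSecurityException e) {
            System.out.println("different salt: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac Aes256SaltDemo.java && java Aes256SaltDemo`. The first decrypt returns the plaintext; the second throws the GeneralSecurityException that the JDK wraps into the KrbException and LoginException seen in the question. The point for anyone debugging this exception is that it carries no information about which input was wrong: a mistyped password, a salt that differs from the one the KDC used when it stored the principal's key, or a key stored under a different enctype all end in the same HMAC mismatch. RFC 4120 has the client take the salt from the ETYPE-INFO2 entry matching the reply enctype and fall back to the default salt (realm name followed by the principal name components) when there is none, so comparing the salt the client actually derived with, the one the KDC holds for that enctype, and the kvno is the check to make before changing enctype settings.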