Kerberos 授权不适用于 Chrome 和 FireFox,但适用于 IE
Kerberos authorization doesn't work on Chrome and FireFox, but works on IE
我按照这个 guide 将 cas 与 Windows AD 集成。
几天前它在所有浏览器上都运行良好。但它不仅适用于 IE,当我使用 firefox 浏览器时,只发送 "Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==" 到服务器,然后浏览器 return 到 cas 登录页面。
最近才在生产环境发现这个问题。我有一个具有相同配置的测试环境,但到目前为止它工作正常。
我知道当 kerberos 票证没有缓存在本地时,浏览器将发送 "Negotiate TlRMT..."。但是我可以用 klist 命令看到票,它在 IE 上工作意味着
票还可以
我想这可能是由 windows 客户端或广告服务器的某些配置引起的,谁能给我一些建议,谢谢!
"https://1056-app.test.com" have already add to
"network.negotiate-auth.trusted-uris" on firefox. And I also tried to
reinstall firefox, not works.
Chrome: 55
IE:11
FireFox:56
Clinet Browser OS:Windows 7
AD Server OS: Windows Server 2008 R2
Cas Server OS: Suse11Sp3
这是 FireFox 上的 http 转储
GET https://1056-app.test.com/cas/login 401 Unauthorized
Response Headers
Server : nginx/1.8.0
Date : Fri, 13 Oct 2017 10:38:08 GMT
Content-Type : text/html;charset=UTF-8
Transfer-Encoding : chunked
Connection : keep-alive
Pragma : no-cache
Expires : Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control : no-cache
WWW-Authenticate : Negotiate
Content-Language : en-US
Content-Encoding : gzip
Vary : Accept-Encoding
Request Headers
Host : 1056-app.test.com
User-Agent : Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept : text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language : en-US,en;q=0.5
Accept-Encoding : gzip, deflate, br
Cookie : JSESSIONID=EE40B3C3FAFB30D13F45DC612E4D383ECC95916DBE12BEDDE21E9D933893964A4EB867271389530BC8A4B6E9B485E944B952
Connection : keep-alive
Upgrade-Insecure-Requests : 1
GET https://1056-app.test.com/cas/login 401 Unauthorized
Response Headers
Server : nginx/1.8.0
Date : Fri, 13 Oct 2017 10:38:08 GMT
Content-Type : text/html;charset=UTF-8
Transfer-Encoding : chunked
Connection : keep-alive
Pragma : no-cache
Expires : Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control : no-cache
Content-Language : en-US
Content-Encoding : gzip
Vary : Accept-Encoding
Request Headers
Host : 1056-app.test.com
User-Agent : Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept : text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language : en-US,en;q=0.5
Accept-Encoding : gzip, deflate, br
Cookie : JSESSIONID=EE40B3C3FAFB30D13F45DC612E4D383ECC95916DBE12BEDDE21E9D933893964A4EB867271389530BC8A4B6E9B485E944B952
Connection : keep-alive
Upgrade-Insecure-Requests : 1
Authorization : Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
客户端上的klist
Client: huangq @ SWI.TEST.NET
Server: HTTP/1056-app.test.com @ SWI.TEST.NET
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
Start Time: 10/13/2017 12:52:34 (local)
End Time: 10/13/2017 22:11:01 (local)
Renew Time: 10/20/2017 12:11:01 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
setspn -Q cmd on client
C:\Users\huangq>setspn -Q HTTP/1056-app.test.com
Checking domain DC=swi,DC=test,DC=net
CN=SOWSLdapA,OU=Service,OU=_Users,DC=swi,DC=test,DC=net
HTTP/1056-app.test.com
Existing SPN found!
密钥表创建命令
ktpass.exe /out D:\1056-app.keytab /princ HTTP/1056-app.test.com@SWI.TEST.NET /pass xxx /mapuser SOWSLdapA@swi.test.net /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
已找到根本原因。因为我们用cname做dns,cname和spn地址不匹配。
我用这个命令打开firefox协商调试日志link
set NSPR_LOG_MODULES=negotiateauth:5
set NSPR_LOG_FILE=C://firefox.log
./firefox.exe
firefox.log
[Lazy Idle]: D/negotiateauth Sending a token of length 9800
[Main Thread]: D/negotiateauth service = 1056-app.test.com
[Main Thread]: D/negotiateauth using negotiate-sspi
[Main Thread]: D/negotiateauth nsAuthSSPI::Init
[Main Thread]: D/negotiateauth Using SPN of [HTTP/***-nginx-elb-***.eu-west-1.elb.amazonaws.com]
解:
1.Change DNS 到 A 类型
2.Modify 浏览器禁用 kerberos cname 查找。 Chromelink。 Firefox 不支持。
参考:
https://www.chromium.org/developers/design-documents/http-authentication
我按照这个 guide 将 cas 与 Windows AD 集成。
几天前它在所有浏览器上都运行良好。但它不仅适用于 IE,当我使用 firefox 浏览器时,只发送 "Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==" 到服务器,然后浏览器 return 到 cas 登录页面。
最近才在生产环境发现这个问题。我有一个具有相同配置的测试环境,但到目前为止它工作正常。
我知道当 kerberos 票证没有缓存在本地时,浏览器将发送 "Negotiate TlRMT..."。但是我可以用 klist 命令看到票,它在 IE 上工作意味着 票还可以
我想这可能是由 windows 客户端或广告服务器的某些配置引起的,谁能给我一些建议,谢谢!
"https://1056-app.test.com" have already add to "network.negotiate-auth.trusted-uris" on firefox. And I also tried to reinstall firefox, not works.
Chrome: 55
IE:11
FireFox:56
Clinet Browser OS:Windows 7
AD Server OS: Windows Server 2008 R2
Cas Server OS: Suse11Sp3
这是 FireFox 上的 http 转储
GET https://1056-app.test.com/cas/login 401 Unauthorized
Response Headers
Server : nginx/1.8.0
Date : Fri, 13 Oct 2017 10:38:08 GMT
Content-Type : text/html;charset=UTF-8
Transfer-Encoding : chunked
Connection : keep-alive
Pragma : no-cache
Expires : Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control : no-cache
WWW-Authenticate : Negotiate
Content-Language : en-US
Content-Encoding : gzip
Vary : Accept-Encoding
Request Headers
Host : 1056-app.test.com
User-Agent : Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept : text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language : en-US,en;q=0.5
Accept-Encoding : gzip, deflate, br
Cookie : JSESSIONID=EE40B3C3FAFB30D13F45DC612E4D383ECC95916DBE12BEDDE21E9D933893964A4EB867271389530BC8A4B6E9B485E944B952
Connection : keep-alive
Upgrade-Insecure-Requests : 1
GET https://1056-app.test.com/cas/login 401 Unauthorized
Response Headers
Server : nginx/1.8.0
Date : Fri, 13 Oct 2017 10:38:08 GMT
Content-Type : text/html;charset=UTF-8
Transfer-Encoding : chunked
Connection : keep-alive
Pragma : no-cache
Expires : Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control : no-cache
Content-Language : en-US
Content-Encoding : gzip
Vary : Accept-Encoding
Request Headers
Host : 1056-app.test.com
User-Agent : Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept : text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language : en-US,en;q=0.5
Accept-Encoding : gzip, deflate, br
Cookie : JSESSIONID=EE40B3C3FAFB30D13F45DC612E4D383ECC95916DBE12BEDDE21E9D933893964A4EB867271389530BC8A4B6E9B485E944B952
Connection : keep-alive
Upgrade-Insecure-Requests : 1
Authorization : Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
客户端上的klist
Client: huangq @ SWI.TEST.NET
Server: HTTP/1056-app.test.com @ SWI.TEST.NET
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
Start Time: 10/13/2017 12:52:34 (local)
End Time: 10/13/2017 22:11:01 (local)
Renew Time: 10/20/2017 12:11:01 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
setspn -Q cmd on client
C:\Users\huangq>setspn -Q HTTP/1056-app.test.com
Checking domain DC=swi,DC=test,DC=net
CN=SOWSLdapA,OU=Service,OU=_Users,DC=swi,DC=test,DC=net
HTTP/1056-app.test.com
Existing SPN found!
密钥表创建命令
ktpass.exe /out D:\1056-app.keytab /princ HTTP/1056-app.test.com@SWI.TEST.NET /pass xxx /mapuser SOWSLdapA@swi.test.net /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
已找到根本原因。因为我们用cname做dns,cname和spn地址不匹配。
我用这个命令打开firefox协商调试日志link
set NSPR_LOG_MODULES=negotiateauth:5
set NSPR_LOG_FILE=C://firefox.log
./firefox.exe
firefox.log
[Lazy Idle]: D/negotiateauth Sending a token of length 9800
[Main Thread]: D/negotiateauth service = 1056-app.test.com
[Main Thread]: D/negotiateauth using negotiate-sspi
[Main Thread]: D/negotiateauth nsAuthSSPI::Init
[Main Thread]: D/negotiateauth Using SPN of [HTTP/***-nginx-elb-***.eu-west-1.elb.amazonaws.com]
解:
1.Change DNS 到 A 类型
2.Modify 浏览器禁用 kerberos cname 查找。 Chromelink。 Firefox 不支持。
参考:
https://www.chromium.org/developers/design-documents/http-authentication