使用 Weblogic12 + SPNEGO + Kerberos + LDAP 的 SSO 身份验证
SSO Authentication using Weblogic12 + SPNEGO + Kerberos + LDAP
我有一个正在处理的 EE 应用程序,我正在尝试使用通过多租户 WebLogic 服务器(12.2 .1.2). SPNEGO 提供程序已配置并且似乎与 Active Directory 一起正常工作。我创建了一个小应用程序,它由 WAR 中的一个 servlet 组成,如果身份验证成功,它应该在屏幕上显示登录信息。
我遇到的问题是,从服务器查看日志文件,身份验证成功,但一旦我通过 SPNEGO 进行身份验证,服务器就不会向我发送消息。我可以从 Active Directory 中看到 SPNEGO 令牌被传递到哪里并用于验证我的身份,甚至是我所属的所有组。
这是测试应用程序Web.xml
<context-param>
<param-name>javax.faces.PROJECT_STAGE</param-name>
<param-value>Development</param-value>
</context-param>
<servlet>
<servlet-name>AuthSimpleTestServlet</servlet-name>
<servlet-class>functional.test.SimpleTestServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>AuthSimpleTestServlet</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<security-role>
<description>Admin Role</description>
<role-name>DEV_ADMIN</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>secured pages</web-resource-name>
<url-pattern>/*</url-pattern>
<url-pattern>/</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>DEV_ADMIN</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>myrealm</realm-name>
</login-config>
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
<welcome-file-list>
<welcome-file>/AuthSimpleTestServlet</welcome-file>
</welcome-file-list>
weblogic.xml
<security-role-assignment>
<role-name>DEV_ADMIN</role-name>
<principal-name>@APP_DEV_ADMIN</principal-name>
<principal-name>APP_DEV_ADMIN</principal-name>
</security-role-assignment>
我可以看到主体被添加到主题的位置。不是用于格式化目的的 JS 代码段。
<Aug 6, 2018, 1:48:15,491 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <login succeeded for username DCConway>
<Aug 6, 2018, 1:48:15,491 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login delegated, returning true>
<Aug 6, 2018, 1:48:15,491 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.commit>
<Aug 6, 2018, 1:48:15,491 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <LDAP Atn Commit>
<Aug 6, 2018, 1:48:15,491 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <LDAP Atn Principals Added>
<Aug 6, 2018, 1:48:15,491 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.commit delegated, returning true>
<Aug 6, 2018, 1:48:15,491 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login logged in>
<Aug 6, 2018, 1:48:15,492 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login subject=Subject:
Principal: DCConway
Principal: @APP_DEV_ADMIN
Principal: APP_DEV_ADMIN
尽管看起来一切正常,但我在尝试访问 servlet 时收到 403 禁止错误。
请求 header 似乎具有正确的令牌。
我希望有人能帮我确定问题是什么以及如何解决它。
下面是日志文件的一些复制部分以供查看,这是大量的日志信息。服务器的名称等已更改。
<Aug 6, 2018, 1:48:15,327 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <PrincipalAuthenticator.assertIdentity using common security>
<Aug 6, 2018, 1:48:15,327 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <weblogic.security.service.WLSIdentityAssertionServiceWrapper.assertIdentity>
<Aug 6, 2018, 1:48:15,327 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.IdentityAssertionServiceImpl.assertIdentity(Authorization)>
<Aug 6, 2018, 1:48:15,327 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.IdentityAssertionTokenServiceImpl.assertIdentity(Authorization)>
<Aug 6, 2018, 1:48:15,327 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.IdentityAssertionTokenServiceImpl.assertIdentity - IdentityAssertionException>
<Aug 6, 2018, 1:48:15,327 PM EDT> <Debug> <WebAppIdentityAssertion> <BEA-000000> <Permission check failed for weblogic.servlet.internal.ServletRequestImpl@11524151[
GET /STIP_Ken/SPNEGO_TEST HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Referer: http://os-serv-li-env800.os.comapny.com:7005/console/console.portal?_nfpb=true&_pageLabel=WebAppApplicationTestingPage&handle=com.bea.console.handles.AppDeploymentHandle%28%22com.bea%3AName%3DSPNEGO_TEST%2CType%3DAppDeployment%2CPartition%3Dken_partition%2CResourceGroup%3DPartitionResourceGroup-ken%22%29
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate, peerdist
DNT: 1
Connection: Keep-Alive
Authorization: *
X-P2P-PeerDist: Version=1.1
X-P2P-PeerDistEx: MinContentInformation=1.0, MaxContentInformation=2.0
]>
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <NegotiateIdentityAsserterServiceImpl.process() called>
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <CERT auth type found for webapp>
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <All request headers:>
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> < Header: Accept : text/html, application/xhtml+xml, image/jxr, */*>
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> < Header: Referer : http://os-serv-li-env800.os.comapny.com:7005/console/console.portal?_nfpb=true&_pageLabel=WebAppApplicationTestingPage&handle=com.bea.console.handles.AppDeploymentHandle%28%22com.bea%3AName%3DSPNEGO_TEST%2CType%3DAppDeployment%2CPartition%3Dken_partition%2CResourceGroup%3DPartitionResourceGroup-ken%22%29>
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> < Header: Accept-Language : en-US>
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> < Header: User-Agent : Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko>
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> < Header: Accept-Encoding : gzip, deflate, peerdist>
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> < Header: Host : os-serv-li-env800.os.comapny.com:7027>
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> < Header: DNT : 1>
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> < Header: Connection : Keep-Alive>
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> < Header: Cookie : JSESSIONID=bVMQKy4C_QQlGvaTKZUwkiEsW2tVrTRkQ_A4yU_vGb22z85hWfEV!1153673829; ADMINCONSOLESESSION=F2UQTg7hP-Xz-h9kpjTkEPLp4hdHnKSKLqnupTfTl4HxVZ9eEIAi!-803667715>
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> < Header: Authorization : Negotiate YIILBAYGKwYBBQUCoIIK+DCCCvS...
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> < Header: X-P2P-PeerDist : Version=1.1>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> < Header: X-P2P-PeerDistEx : MinContentInformation=1.0, MaxContentInformation=2.0>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> < processing header: Negotiate YIILBAYGKwYBBQUCoIIK+DCCCvSgMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCCr4Eggq6YIIKtgYJKoZIhvcSAQICAQBuggqlMIIKoaADAgEFoQMCAQ6iBwMFACAAAACjggi1YYIIsTCCCK2gAwIBBaETGxFNQUlOLkFEUy5VU0NHLk1JTKIvMC2gAwIBAqEmMCQbBEhUVFAbHG9zYy1zLWxpbS1hcDgwMC5vc2MudXNjZy5taWyjggheMIIIWqADAgESoQMCAQeigghMBIIISOIHiNd0PhKH07ahpwtToHkw3cO1MILaInEboKRe9r5MeR4xBpHwK8qMRsgM3vZfozvwRrskv4tftg7ZjKBbBDzNKFBbqAUNPJ9NWc8eq6p9gBcvzzuacRPVn1O80Q1Y+XEIAqQpbEY+LkdWTjcDy8xM/OdXTldBoYFmrmpnxEPe3J0vY1CdEoCefPfp0B+xN7lQ3dS4XQQvww2BYzF55wUXUxRYCfogZnxhkUARyT9M1S4xwFog6Ap+wAe1UextvB9R9IW7nE3eT3EJbcLgCFpXh502KcFwt7ht7O2L93tU6SjaLl2ogq2d+m24bgobnPD+YRPk4873REkTFmXrTAkkgw+mXmga2iP9ML7X+hiXGraJQmj6GbwfpSc0sITOnIktm25UwNrQXjabh0XfN5XoMeQW6x0cWW0j4plpgH+kGGSuj0fFe7zrBu+IgV0XkC/dbcYaTkVWVfs+oAGUWHcpGWxNduXFqm78rlAg915/eHvEXuZgP9PLCCpC3fXGqaxlO4oF81Ly/3NLWBybWQs7S2NVbmDfTg+puVkBL7vYZR8jkOo7cmtijpCgA0kHAS/5sV8pZCabpTh+UkiI4QgiwdBSEVhIxnhKAByewYU4D0wpmT5ebSqhnrJzZufMr0Fz3PvVx/F0f+nH/bLj+VWURyNu3SsQ5tz+JwV1lG+9MRwiPIe/SFbiOV8KvqBJFzJ3RgzUWVk7L8CzGQg88ahKUdO9jHV+XiclVpL5qCX9TRD960bEJGYgvemeI172tOnQXQEm0H9i4x02gLarvmlb18fwycaj4OJV6wRFUUbWXs1OnfMBH9PKeh6sAmow2Knh2+noSwHceizjDY4HarD/bnUXQ9TNIqu0onJYfQsWLYXwOyl5IVBaRxhBLBodJCv8mJMJuM7sWBwXuGJft7HbIJgcpaECQk28zBtD5EYS/LkX46zFJlGEoQFV1qrARMH3rtf4RMG3kaWkpmEIVj6DT3ZvtTWy52gcFNrJNeWRgKJuatSahm8tWjDfEgPs1quyKds/j1cMAyEYZVkpZLlXKRTe4tQ8nW1atVL/ZyFKPJi/gFj9yIp1gghc1VHevRglxoUQCvMLrXbcx71+oc07EyAN1wfd9Gc0Tyz9PRiblhpV7+Akqt3PQcpGtlgBmuiMS1JmT1BsjUpyi8Zr46KKwnBYLqlUqDaHaxmExG5H40vVF0UqIvL3tw80o6R0qZiyoWK5tJ7Y/IioETWdxobNevKUZDQDojrxVVynVefgqEbjGBZ2pRkEKpcCzgm6PY3xv6EenscDaDaOeRSBVLl0bBtP6w+TSvdAFtjm2GF61+c1+ug/bi5g7feoiB2ahhlhsUp37N59FLC50Jk7nhOzKLY1+IdXN5C8/vtbWA4xe2m0pCrwvtucgWBO/3L49TsQIE8HokI5cBXGQSj1ZKOLgdvMoAiKP9HEHyCS7zkSM04PZYH93h9OfDnv8hf0GnSjcw5Tq8bY0AKruC+aysPo00BEHMlxHie9bAMcT3/mL5i4kAHzZVwt9yjbpGeSiWzXh2j3CHJeB3n9MNN5tn7pus7xii+zNV1MA4l3RoRKL4inyt6U18elY02FvhbzYDfkfcEqKudZ9H/TyiZbzB/EcIfPbth1l1UOsQVcAF9fNrNyPG0ezlnkIUNBGRBuX23F7Y6rZfkXQys2pv3FlPjTK7f3EtwX7xunrvtVR1chSfZEfz6xsiVC3YPpUk3NUpTlg4DNbFUnhfEeLbZBKI3I1cYKPeftFiqygjxbyFEnzTPLY1UP63wCmdNip6PppJZHY8lS6cDOkEWjj/6pbiHpH2yoJQXR+bh2P3TdqV55vXt1gItG+aufuE1unh1GqAY7DwgRRdMd8pVHZ/FkOIIwGLCnVVUsVkNxjkTMW5KMfms7VM4EgiW4VkpyV/yM90ArMN0BDYluIP5rlw9hL2MLsUDfNQa1yX2RY9DTKPjMU3TqqCbD7YZ2t7FwRdGDXH9qOyXsbxqrudGpqL44NrpDgHEtCxzh0Eyz0CctAAQoGt5DkAbNv8KbraQNwFnIPxCXQ0R+jyQVAqoBlTMYajtmpr9oYlWyAozZ0wYbKMM0a/eFBJe2FQtbSVBLTY2D8h/laX/dMW4siAiSUvBr+Fys99W28Y0O9qcNZXf3sARNrcANIy2EZ6n2XYMPZ5LW96TaWLq6Y5KUHmhz9i1yO3QXk4KF7if99QI0qicMnnUJ99MaLA5VPQavbm77jCkW3cpVubBWfDUeMbGoxEMdUxjC7p3JM7duptr8t2GteZgSSj81gdxTqoGAM2eLZhH/spzSDfO7/mNmymF81/It4aXrTx9PQjcvH8t5xz7MDKuaucJSvu3rrgc35bbBz94UlrubZLAdiS348XVlTdsMvWmVZu5EPHPCUUgSx1riTkmVxHbgVbR/pSvKsmvNCIqwOfHK3QlLWJQqLB//8jLBjlv0u7h4tYo6bLEmAp21hkorzMlEMDSKKZH/b+1fWJipK6MVRW1OIRGiPMEUcK6Rw5bf2WfofhG8OW7NtGewIsG1K9dYPAIlZOHiVoFyZbCI6boplgVGqhiab57qs8Z0Zibos9dCYY52UQMEGUmgI/b0hu2IPDl1+wEOGLLO2A+lT+TmQNu1X/09yFduJmb+r3Dw9s9cCrTjO4r5GNenjrq7NjeK6Q4WpBaW5I8aSn6P3Q6cyJaPHKjudlfM/N9sPFBc3ylj2BZRrNWLYaLywDJD5UlMMM2Cv6R95Ft9i/yb+q1vs/3uhpeoKk6Ny7jjyp5xu0Xmb392SlCQZzfBMCuCGEaAH41whgZeOX5HZJr/vyyrwrFQlRCNpIIB0TCCAc2gAwIBEqKCAcQEggHA4fZXLJsGEn1cx6r3wF0FiTLJLX2Fu/GwlmidzC7/7VfGMDDWTCuSKasFwi9lC5QkV74etXYMa3ndwr+aPM4aPwaEIIFQe8r4bW7jol00FB4SavtHfhonKBBZVw1Y8RbDE+TnGQUb5R11TPbi+wfomKcQM4Fhew3dueNfhFT/sQ6eKQQ6UmqSTzZKjmQhjOpaBLyqV+ciZM52ctC49wPc+xN3SbAPCI4m3H5b/C8VTTbOwtE+vMnlj3sjQYQR82bCLKRoJXTWP8ImerWYSlD7MlUXWdQH+msG2RHE8U8XCwhPRUQuyNgdUzvt1cYndfuz7jPR8YzFj/e7NWSLfDKbJiskuK8W+gLGfCMuROVMoyp3+bXaTjY1/tNhgcu0NAtzh+uT/UOmksLdbosNlhQ5nEoRbu1b5sB58HlmooJeK7TVxxjmStYtua/+blmUo+pn/OHMIJly9T9+KQ9hXeh9i7Eivy2VZR08/OuFK63k/6Nej/I+aogo7bpLJGrhKJLNE2Hgi3yevKTKIN168ES5j/KHt+jeZyQrHyMu2Y6Pa1UBoZj2BKeksyA59y8LyuuicCA2rWqBATpfZOH0NcL0bA==>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: SPNEGO static oid 0: 0606 2b06 0105 0502 ..+.....
>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: SPNEGO in oid 0: 0606 2b06 0105 0502 ..+.....
>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: Neg token found>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: len of neg token 2808>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: sequence found>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: len of sequence token 2804>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: choice is 160>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: len of mech type 48>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: len of mech type seq 46>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: mech type offset 24>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <mech type token
16: 0609 2a86 4882 f712 ..*.H...
more lines...
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: Mech list oid 1.2.840.48018.1.2.2>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: Mech list oid 1.2.840.113554.1.2.2>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: Mech list oid 1.3.6.1.4.1.311.2.2.30>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: Mech list oid 1.3.6.1.4.1.311.2.2.10>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: Mech token len 2750>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: Mech token
0: 6082 0ab6 0609 2a86 4886 f712 0102 0201 `.....*.H.......
16: 006e 820a a530 820a a1a0 0302 0105 a103 .n...0..........
more lines..
<Aug 6, 2018, 1:48:15,330 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <Found Negotiate with SPNEGO token>
<Aug 6, 2018, 1:48:15,330 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <Negotiate filter: new session, no negotiation has started>
<Aug 6, 2018, 1:48:15,330 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.ChallengeIdentityAssertionServiceImpl.assertChallengeIdentity(Authorization.Negotiate)>
<Aug 6, 2018, 1:48:15,330 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.ChallengeIdentityAssertionTokenServiceImpl.assertChallengeIdentity(Authorization.Negotiate)>
<Aug 6, 2018, 1:48:15,330 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter.assertChallengeIdentity(Authorization.Negotiate)>
<Aug 6, 2018, 1:48:15,330 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.JAASIdentityAssertionConfigurationServiceImpl.getAppConfigurationEntry(com.sun.security.jgss.krb5.accept)>
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is cglims_mt_dev.keytab refreshKrb5Config is false principal is HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Looking for keys for: HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Found unsupported keytype (1) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Looking for keys for: HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Found unsupported keytype (1) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
default etypes for default_tkt_enctypes: 18.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=os-vd-m-009.main.ads.comapny.com UDP:88, timeout=30000, number of retries =3, #bytes=175
>>> KDCCommunication: kdc=os-vd-m-009.main.ads.comapny.com UDP:88, timeout=30000,Attempt =1, #bytes=175
>>> KrbKdcReq send: #bytes read=220
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 18, salt = MAIN.ADS.COMAPNY.COMHTTPos-serv-li-env800.os.comapny.com, s2kparams = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
>>> KdcAccessibility: remove os-vd-m-009
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Mon Aug 06 13:48:15 EDT 2018 1533577695000
suSec is 67734
error code is 25
error Message is Additional pre-authentication required
sname is krbtgt/ MAIN.ADS.COMAPNY.COM@MAIN.ADS.COMAPNY.COM
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 18, salt = MAIN.ADS.COMAPNY.COMHTTPos-serv-li-env800.os.comapny.com, s2kparams = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 18.
Looking for keys for: HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Found unsupported keytype (1) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Looking for keys for: HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Found unsupported keytype (1) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
default etypes for default_tkt_enctypes: 18.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=os-vd-m-009.main.ads.comapny.com UDP:88, timeout=30000, number of retries =3, #bytes=264
>>> KDCCommunication: kdc=os-vd-m-009.main.ads.comapny.com UDP:88, timeout=30000,Attempt =1, #bytes=264
>>> KrbKdcReq send: #bytes read=106
>>> KrbKdcReq send: kdc=os-vd-m-009.main.ads.comapny.com TCP:88, timeout=30000, number of retries =3, #bytes=264
>>> KDCCommunication: kdc=os-vd-m-009.main.ads.comapny.com TCP:88, timeout=30000,Attempt =1, #bytes=264
>>>DEBUG: TCPClient reading 1923 bytes
>>> KrbKdcReq send: #bytes read=1923
>>> KdcAccessibility: remove os-vd-m-009
Looking for keys for: HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Found unsupported keytype (1) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/os-serv-li-env800.os.comapny.com
principal is HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Will use keytab
Commit Succeeded
Found KeyTab cglims_mt_dev.keytab for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Found ticket for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM to go to krbtgt/ MAIN.ADS.COMAPNY.COM@MAIN.ADS.COMAPNY.COM expiring on Mon Aug 06 23:48:15 EDT 2018
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Looking for keys for: HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Found unsupported keytype (1) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 18 17 16 23.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
MemoryCache: add 1533577695/003265/F340CA7D6DD3AB5499310326FEBE8EA9/DCConway@MAIN.ADS.COMAPNY.COM to DCConway@MAIN.ADS.COMAPNY.COM|HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
MemoryCache: Existing AuthList:
#1: 1533574589/003195/3E34B0B548DBF2570B1E8140F1C0CBCD/DCConway@MAIN.ADS.COMAPNY.COM
>>> KrbApReq: authenticate succeed.
Krb5Context setting peerSeqNumber to: 1542758160
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Krb5Context setting mySeqNumber to: 241351631
<Aug 6, 2018, 1:48:15,346 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <gssContext isEstablished true>
<Aug 6, 2018, 1:48:15,346 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <Out token
.................
<Aug 6, 2018, 1:48:15,346 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <GSS name is DCConway@MAIN.ADS.COMAPNY.COM>
<Aug 6, 2018, 1:48:15,346 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <User name is DCConway>
>>> Constrained deleg from GSSCaller{UNKNOWN}
<Aug 6, 2018, 1:48:15,346 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.JAASIdentityAssertionConfigurationServiceImpl.getAppConfigurationEntry(com.sun.security.jgss.krb5.accept)>
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is cglims_mt_dev.keytab refreshKrb5Config is false principal is HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Looking for keys for: HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Found unsupported keytype (1) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Looking for keys for: HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Found unsupported keytype (1) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
default etypes for default_tkt_enctypes: 18.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=os-vd-m-009.main.ads.comapny.com UDP:88, timeout=30000, number of retries =3, #bytes=175
>>> KDCCommunication: kdc=os-vd-m-009.main.ads.comapny.com UDP:88, timeout=30000,Attempt =1, #bytes=175
>>> KrbKdcReq send: #bytes read=220
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 18, salt = MAIN.ADS.COMAPNY.COMHTTPos-serv-li-env800.os.comapny.com, s2kparams = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
>>> KdcAccessibility: remove os-vd-m-009
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Mon Aug 06 13:48:15 EDT 2018 1533577695000
suSec is 67734
error code is 25
error Message is Additional pre-authentication required
sname is krbtgt/ MAIN.ADS.COMAPNY.COM@MAIN.ADS.COMAPNY.COM
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 18, salt = MAIN.ADS.COMAPNY.COMHTTPos-serv-li-env800.os.comapny.com, s2kparams = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 18.
Looking for keys for: HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Found unsupported keytype (1) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Looking for keys for: HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Found unsupported keytype (1) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
default etypes for default_tkt_enctypes: 18.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=os-vd-m-009.main.ads.comapny.com UDP:88, timeout=30000, number of retries =3, #bytes=264
>>> KDCCommunication: kdc=os-vd-m-009.main.ads.comapny.com UDP:88, timeout=30000,Attempt =1, #bytes=264
>>> KrbKdcReq send: #bytes read=106
>>> KrbKdcReq send: kdc=os-vd-m-009.main.ads.comapny.com TCP:88, timeout=30000, number of retries =3, #bytes=264
>>> KDCCommunication: kdc=os-vd-m-009.main.ads.comapny.com TCP:88, timeout=30000,Attempt =1, #bytes=264
>>>DEBUG: TCPClient reading 1923 bytes
>>> KrbKdcReq send: #bytes read=1923
>>> KdcAccessibility: remove os-vd-m-009
Looking for keys for: HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Found unsupported keytype (1) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/os-serv-li-env800.os.comapny.com
principal is HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Will use keytab
Commit Succeeded
Found ticket for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM to go to krbtgt/ MAIN.ADS.COMAPNY.COM@MAIN.ADS.COMAPNY.COM expiring on Mon Aug 06 23:48:15 EDT 2018
<Aug 6, 2018, 1:48:15,359 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <delegate state is true, acquire delegated credential...>
<Aug 6, 2018, 1:48:15,359 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <Username was found, setting up callbackhandler>
...........
<Aug 6, 2018, 1:48:15,503 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate authenticate succeeded for user DCConway, Identity=Subject: 46
尝试从您的 web.xml 文件中删除此标记:/ 安全约束配置不当可能会出现 403 错误
我有一个正在处理的 EE 应用程序,我正在尝试使用通过多租户 WebLogic 服务器(12.2 .1.2). SPNEGO 提供程序已配置并且似乎与 Active Directory 一起正常工作。我创建了一个小应用程序,它由 WAR 中的一个 servlet 组成,如果身份验证成功,它应该在屏幕上显示登录信息。
我遇到的问题是,从服务器查看日志文件,身份验证成功,但一旦我通过 SPNEGO 进行身份验证,服务器就不会向我发送消息。我可以从 Active Directory 中看到 SPNEGO 令牌被传递到哪里并用于验证我的身份,甚至是我所属的所有组。
这是测试应用程序Web.xml
<context-param>
<param-name>javax.faces.PROJECT_STAGE</param-name>
<param-value>Development</param-value>
</context-param>
<servlet>
<servlet-name>AuthSimpleTestServlet</servlet-name>
<servlet-class>functional.test.SimpleTestServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>AuthSimpleTestServlet</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<security-role>
<description>Admin Role</description>
<role-name>DEV_ADMIN</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>secured pages</web-resource-name>
<url-pattern>/*</url-pattern>
<url-pattern>/</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>DEV_ADMIN</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>myrealm</realm-name>
</login-config>
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
<welcome-file-list>
<welcome-file>/AuthSimpleTestServlet</welcome-file>
</welcome-file-list>
weblogic.xml
<security-role-assignment>
<role-name>DEV_ADMIN</role-name>
<principal-name>@APP_DEV_ADMIN</principal-name>
<principal-name>APP_DEV_ADMIN</principal-name>
</security-role-assignment>
我可以看到主体被添加到主题的位置。不是用于格式化目的的 JS 代码段。
<Aug 6, 2018, 1:48:15,491 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <login succeeded for username DCConway>
<Aug 6, 2018, 1:48:15,491 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login delegated, returning true>
<Aug 6, 2018, 1:48:15,491 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.commit>
<Aug 6, 2018, 1:48:15,491 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <LDAP Atn Commit>
<Aug 6, 2018, 1:48:15,491 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <LDAP Atn Principals Added>
<Aug 6, 2018, 1:48:15,491 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.commit delegated, returning true>
<Aug 6, 2018, 1:48:15,491 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login logged in>
<Aug 6, 2018, 1:48:15,492 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login subject=Subject:
Principal: DCConway
Principal: @APP_DEV_ADMIN
Principal: APP_DEV_ADMIN
尽管看起来一切正常,但我在尝试访问 servlet 时收到 403 禁止错误。
请求 header 似乎具有正确的令牌。
我希望有人能帮我确定问题是什么以及如何解决它。
下面是日志文件的一些复制部分以供查看,这是大量的日志信息。服务器的名称等已更改。
<Aug 6, 2018, 1:48:15,327 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <PrincipalAuthenticator.assertIdentity using common security>
<Aug 6, 2018, 1:48:15,327 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <weblogic.security.service.WLSIdentityAssertionServiceWrapper.assertIdentity>
<Aug 6, 2018, 1:48:15,327 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.IdentityAssertionServiceImpl.assertIdentity(Authorization)>
<Aug 6, 2018, 1:48:15,327 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.IdentityAssertionTokenServiceImpl.assertIdentity(Authorization)>
<Aug 6, 2018, 1:48:15,327 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.IdentityAssertionTokenServiceImpl.assertIdentity - IdentityAssertionException>
<Aug 6, 2018, 1:48:15,327 PM EDT> <Debug> <WebAppIdentityAssertion> <BEA-000000> <Permission check failed for weblogic.servlet.internal.ServletRequestImpl@11524151[
GET /STIP_Ken/SPNEGO_TEST HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Referer: http://os-serv-li-env800.os.comapny.com:7005/console/console.portal?_nfpb=true&_pageLabel=WebAppApplicationTestingPage&handle=com.bea.console.handles.AppDeploymentHandle%28%22com.bea%3AName%3DSPNEGO_TEST%2CType%3DAppDeployment%2CPartition%3Dken_partition%2CResourceGroup%3DPartitionResourceGroup-ken%22%29
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate, peerdist
DNT: 1
Connection: Keep-Alive
Authorization: *
X-P2P-PeerDist: Version=1.1
X-P2P-PeerDistEx: MinContentInformation=1.0, MaxContentInformation=2.0
]>
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <NegotiateIdentityAsserterServiceImpl.process() called>
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <CERT auth type found for webapp>
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <All request headers:>
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> < Header: Accept : text/html, application/xhtml+xml, image/jxr, */*>
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> < Header: Referer : http://os-serv-li-env800.os.comapny.com:7005/console/console.portal?_nfpb=true&_pageLabel=WebAppApplicationTestingPage&handle=com.bea.console.handles.AppDeploymentHandle%28%22com.bea%3AName%3DSPNEGO_TEST%2CType%3DAppDeployment%2CPartition%3Dken_partition%2CResourceGroup%3DPartitionResourceGroup-ken%22%29>
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> < Header: Accept-Language : en-US>
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> < Header: User-Agent : Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko>
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> < Header: Accept-Encoding : gzip, deflate, peerdist>
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> < Header: Host : os-serv-li-env800.os.comapny.com:7027>
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> < Header: DNT : 1>
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> < Header: Connection : Keep-Alive>
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> < Header: Cookie : JSESSIONID=bVMQKy4C_QQlGvaTKZUwkiEsW2tVrTRkQ_A4yU_vGb22z85hWfEV!1153673829; ADMINCONSOLESESSION=F2UQTg7hP-Xz-h9kpjTkEPLp4hdHnKSKLqnupTfTl4HxVZ9eEIAi!-803667715>
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> < Header: Authorization : Negotiate YIILBAYGKwYBBQUCoIIK+DCCCvS...
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> < Header: X-P2P-PeerDist : Version=1.1>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> < Header: X-P2P-PeerDistEx : MinContentInformation=1.0, MaxContentInformation=2.0>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> < processing header: Negotiate YIILBAYGKwYBBQUCoIIK+DCCCvSgMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCCr4Eggq6YIIKtgYJKoZIhvcSAQICAQBuggqlMIIKoaADAgEFoQMCAQ6iBwMFACAAAACjggi1YYIIsTCCCK2gAwIBBaETGxFNQUlOLkFEUy5VU0NHLk1JTKIvMC2gAwIBAqEmMCQbBEhUVFAbHG9zYy1zLWxpbS1hcDgwMC5vc2MudXNjZy5taWyjggheMIIIWqADAgESoQMCAQeigghMBIIISOIHiNd0PhKH07ahpwtToHkw3cO1MILaInEboKRe9r5MeR4xBpHwK8qMRsgM3vZfozvwRrskv4tftg7ZjKBbBDzNKFBbqAUNPJ9NWc8eq6p9gBcvzzuacRPVn1O80Q1Y+XEIAqQpbEY+LkdWTjcDy8xM/OdXTldBoYFmrmpnxEPe3J0vY1CdEoCefPfp0B+xN7lQ3dS4XQQvww2BYzF55wUXUxRYCfogZnxhkUARyT9M1S4xwFog6Ap+wAe1UextvB9R9IW7nE3eT3EJbcLgCFpXh502KcFwt7ht7O2L93tU6SjaLl2ogq2d+m24bgobnPD+YRPk4873REkTFmXrTAkkgw+mXmga2iP9ML7X+hiXGraJQmj6GbwfpSc0sITOnIktm25UwNrQXjabh0XfN5XoMeQW6x0cWW0j4plpgH+kGGSuj0fFe7zrBu+IgV0XkC/dbcYaTkVWVfs+oAGUWHcpGWxNduXFqm78rlAg915/eHvEXuZgP9PLCCpC3fXGqaxlO4oF81Ly/3NLWBybWQs7S2NVbmDfTg+puVkBL7vYZR8jkOo7cmtijpCgA0kHAS/5sV8pZCabpTh+UkiI4QgiwdBSEVhIxnhKAByewYU4D0wpmT5ebSqhnrJzZufMr0Fz3PvVx/F0f+nH/bLj+VWURyNu3SsQ5tz+JwV1lG+9MRwiPIe/SFbiOV8KvqBJFzJ3RgzUWVk7L8CzGQg88ahKUdO9jHV+XiclVpL5qCX9TRD960bEJGYgvemeI172tOnQXQEm0H9i4x02gLarvmlb18fwycaj4OJV6wRFUUbWXs1OnfMBH9PKeh6sAmow2Knh2+noSwHceizjDY4HarD/bnUXQ9TNIqu0onJYfQsWLYXwOyl5IVBaRxhBLBodJCv8mJMJuM7sWBwXuGJft7HbIJgcpaECQk28zBtD5EYS/LkX46zFJlGEoQFV1qrARMH3rtf4RMG3kaWkpmEIVj6DT3ZvtTWy52gcFNrJNeWRgKJuatSahm8tWjDfEgPs1quyKds/j1cMAyEYZVkpZLlXKRTe4tQ8nW1atVL/ZyFKPJi/gFj9yIp1gghc1VHevRglxoUQCvMLrXbcx71+oc07EyAN1wfd9Gc0Tyz9PRiblhpV7+Akqt3PQcpGtlgBmuiMS1JmT1BsjUpyi8Zr46KKwnBYLqlUqDaHaxmExG5H40vVF0UqIvL3tw80o6R0qZiyoWK5tJ7Y/IioETWdxobNevKUZDQDojrxVVynVefgqEbjGBZ2pRkEKpcCzgm6PY3xv6EenscDaDaOeRSBVLl0bBtP6w+TSvdAFtjm2GF61+c1+ug/bi5g7feoiB2ahhlhsUp37N59FLC50Jk7nhOzKLY1+IdXN5C8/vtbWA4xe2m0pCrwvtucgWBO/3L49TsQIE8HokI5cBXGQSj1ZKOLgdvMoAiKP9HEHyCS7zkSM04PZYH93h9OfDnv8hf0GnSjcw5Tq8bY0AKruC+aysPo00BEHMlxHie9bAMcT3/mL5i4kAHzZVwt9yjbpGeSiWzXh2j3CHJeB3n9MNN5tn7pus7xii+zNV1MA4l3RoRKL4inyt6U18elY02FvhbzYDfkfcEqKudZ9H/TyiZbzB/EcIfPbth1l1UOsQVcAF9fNrNyPG0ezlnkIUNBGRBuX23F7Y6rZfkXQys2pv3FlPjTK7f3EtwX7xunrvtVR1chSfZEfz6xsiVC3YPpUk3NUpTlg4DNbFUnhfEeLbZBKI3I1cYKPeftFiqygjxbyFEnzTPLY1UP63wCmdNip6PppJZHY8lS6cDOkEWjj/6pbiHpH2yoJQXR+bh2P3TdqV55vXt1gItG+aufuE1unh1GqAY7DwgRRdMd8pVHZ/FkOIIwGLCnVVUsVkNxjkTMW5KMfms7VM4EgiW4VkpyV/yM90ArMN0BDYluIP5rlw9hL2MLsUDfNQa1yX2RY9DTKPjMU3TqqCbD7YZ2t7FwRdGDXH9qOyXsbxqrudGpqL44NrpDgHEtCxzh0Eyz0CctAAQoGt5DkAbNv8KbraQNwFnIPxCXQ0R+jyQVAqoBlTMYajtmpr9oYlWyAozZ0wYbKMM0a/eFBJe2FQtbSVBLTY2D8h/laX/dMW4siAiSUvBr+Fys99W28Y0O9qcNZXf3sARNrcANIy2EZ6n2XYMPZ5LW96TaWLq6Y5KUHmhz9i1yO3QXk4KF7if99QI0qicMnnUJ99MaLA5VPQavbm77jCkW3cpVubBWfDUeMbGoxEMdUxjC7p3JM7duptr8t2GteZgSSj81gdxTqoGAM2eLZhH/spzSDfO7/mNmymF81/It4aXrTx9PQjcvH8t5xz7MDKuaucJSvu3rrgc35bbBz94UlrubZLAdiS348XVlTdsMvWmVZu5EPHPCUUgSx1riTkmVxHbgVbR/pSvKsmvNCIqwOfHK3QlLWJQqLB//8jLBjlv0u7h4tYo6bLEmAp21hkorzMlEMDSKKZH/b+1fWJipK6MVRW1OIRGiPMEUcK6Rw5bf2WfofhG8OW7NtGewIsG1K9dYPAIlZOHiVoFyZbCI6boplgVGqhiab57qs8Z0Zibos9dCYY52UQMEGUmgI/b0hu2IPDl1+wEOGLLO2A+lT+TmQNu1X/09yFduJmb+r3Dw9s9cCrTjO4r5GNenjrq7NjeK6Q4WpBaW5I8aSn6P3Q6cyJaPHKjudlfM/N9sPFBc3ylj2BZRrNWLYaLywDJD5UlMMM2Cv6R95Ft9i/yb+q1vs/3uhpeoKk6Ny7jjyp5xu0Xmb392SlCQZzfBMCuCGEaAH41whgZeOX5HZJr/vyyrwrFQlRCNpIIB0TCCAc2gAwIBEqKCAcQEggHA4fZXLJsGEn1cx6r3wF0FiTLJLX2Fu/GwlmidzC7/7VfGMDDWTCuSKasFwi9lC5QkV74etXYMa3ndwr+aPM4aPwaEIIFQe8r4bW7jol00FB4SavtHfhonKBBZVw1Y8RbDE+TnGQUb5R11TPbi+wfomKcQM4Fhew3dueNfhFT/sQ6eKQQ6UmqSTzZKjmQhjOpaBLyqV+ciZM52ctC49wPc+xN3SbAPCI4m3H5b/C8VTTbOwtE+vMnlj3sjQYQR82bCLKRoJXTWP8ImerWYSlD7MlUXWdQH+msG2RHE8U8XCwhPRUQuyNgdUzvt1cYndfuz7jPR8YzFj/e7NWSLfDKbJiskuK8W+gLGfCMuROVMoyp3+bXaTjY1/tNhgcu0NAtzh+uT/UOmksLdbosNlhQ5nEoRbu1b5sB58HlmooJeK7TVxxjmStYtua/+blmUo+pn/OHMIJly9T9+KQ9hXeh9i7Eivy2VZR08/OuFK63k/6Nej/I+aogo7bpLJGrhKJLNE2Hgi3yevKTKIN168ES5j/KHt+jeZyQrHyMu2Y6Pa1UBoZj2BKeksyA59y8LyuuicCA2rWqBATpfZOH0NcL0bA==>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: SPNEGO static oid 0: 0606 2b06 0105 0502 ..+.....
>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: SPNEGO in oid 0: 0606 2b06 0105 0502 ..+.....
>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: Neg token found>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: len of neg token 2808>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: sequence found>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: len of sequence token 2804>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: choice is 160>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: len of mech type 48>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: len of mech type seq 46>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: mech type offset 24>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <mech type token
16: 0609 2a86 4882 f712 ..*.H...
more lines...
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: Mech list oid 1.2.840.48018.1.2.2>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: Mech list oid 1.2.840.113554.1.2.2>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: Mech list oid 1.3.6.1.4.1.311.2.2.30>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: Mech list oid 1.3.6.1.4.1.311.2.2.10>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: Mech token len 2750>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: Mech token
0: 6082 0ab6 0609 2a86 4886 f712 0102 0201 `.....*.H.......
16: 006e 820a a530 820a a1a0 0302 0105 a103 .n...0..........
more lines..
<Aug 6, 2018, 1:48:15,330 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <Found Negotiate with SPNEGO token>
<Aug 6, 2018, 1:48:15,330 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <Negotiate filter: new session, no negotiation has started>
<Aug 6, 2018, 1:48:15,330 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.ChallengeIdentityAssertionServiceImpl.assertChallengeIdentity(Authorization.Negotiate)>
<Aug 6, 2018, 1:48:15,330 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.ChallengeIdentityAssertionTokenServiceImpl.assertChallengeIdentity(Authorization.Negotiate)>
<Aug 6, 2018, 1:48:15,330 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter.assertChallengeIdentity(Authorization.Negotiate)>
<Aug 6, 2018, 1:48:15,330 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.JAASIdentityAssertionConfigurationServiceImpl.getAppConfigurationEntry(com.sun.security.jgss.krb5.accept)>
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is cglims_mt_dev.keytab refreshKrb5Config is false principal is HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Looking for keys for: HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Found unsupported keytype (1) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Looking for keys for: HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Found unsupported keytype (1) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
default etypes for default_tkt_enctypes: 18.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=os-vd-m-009.main.ads.comapny.com UDP:88, timeout=30000, number of retries =3, #bytes=175
>>> KDCCommunication: kdc=os-vd-m-009.main.ads.comapny.com UDP:88, timeout=30000,Attempt =1, #bytes=175
>>> KrbKdcReq send: #bytes read=220
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 18, salt = MAIN.ADS.COMAPNY.COMHTTPos-serv-li-env800.os.comapny.com, s2kparams = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
>>> KdcAccessibility: remove os-vd-m-009
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Mon Aug 06 13:48:15 EDT 2018 1533577695000
suSec is 67734
error code is 25
error Message is Additional pre-authentication required
sname is krbtgt/ MAIN.ADS.COMAPNY.COM@MAIN.ADS.COMAPNY.COM
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 18, salt = MAIN.ADS.COMAPNY.COMHTTPos-serv-li-env800.os.comapny.com, s2kparams = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 18.
Looking for keys for: HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Found unsupported keytype (1) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Looking for keys for: HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Found unsupported keytype (1) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
default etypes for default_tkt_enctypes: 18.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=os-vd-m-009.main.ads.comapny.com UDP:88, timeout=30000, number of retries =3, #bytes=264
>>> KDCCommunication: kdc=os-vd-m-009.main.ads.comapny.com UDP:88, timeout=30000,Attempt =1, #bytes=264
>>> KrbKdcReq send: #bytes read=106
>>> KrbKdcReq send: kdc=os-vd-m-009.main.ads.comapny.com TCP:88, timeout=30000, number of retries =3, #bytes=264
>>> KDCCommunication: kdc=os-vd-m-009.main.ads.comapny.com TCP:88, timeout=30000,Attempt =1, #bytes=264
>>>DEBUG: TCPClient reading 1923 bytes
>>> KrbKdcReq send: #bytes read=1923
>>> KdcAccessibility: remove os-vd-m-009
Looking for keys for: HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Found unsupported keytype (1) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/os-serv-li-env800.os.comapny.com
principal is HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Will use keytab
Commit Succeeded
Found KeyTab cglims_mt_dev.keytab for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Found ticket for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM to go to krbtgt/ MAIN.ADS.COMAPNY.COM@MAIN.ADS.COMAPNY.COM expiring on Mon Aug 06 23:48:15 EDT 2018
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Looking for keys for: HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Found unsupported keytype (1) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 18 17 16 23.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
MemoryCache: add 1533577695/003265/F340CA7D6DD3AB5499310326FEBE8EA9/DCConway@MAIN.ADS.COMAPNY.COM to DCConway@MAIN.ADS.COMAPNY.COM|HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
MemoryCache: Existing AuthList:
#1: 1533574589/003195/3E34B0B548DBF2570B1E8140F1C0CBCD/DCConway@MAIN.ADS.COMAPNY.COM
>>> KrbApReq: authenticate succeed.
Krb5Context setting peerSeqNumber to: 1542758160
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Krb5Context setting mySeqNumber to: 241351631
<Aug 6, 2018, 1:48:15,346 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <gssContext isEstablished true>
<Aug 6, 2018, 1:48:15,346 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <Out token
.................
<Aug 6, 2018, 1:48:15,346 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <GSS name is DCConway@MAIN.ADS.COMAPNY.COM>
<Aug 6, 2018, 1:48:15,346 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <User name is DCConway>
>>> Constrained deleg from GSSCaller{UNKNOWN}
<Aug 6, 2018, 1:48:15,346 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.JAASIdentityAssertionConfigurationServiceImpl.getAppConfigurationEntry(com.sun.security.jgss.krb5.accept)>
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is cglims_mt_dev.keytab refreshKrb5Config is false principal is HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Looking for keys for: HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Found unsupported keytype (1) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Looking for keys for: HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Found unsupported keytype (1) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
default etypes for default_tkt_enctypes: 18.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=os-vd-m-009.main.ads.comapny.com UDP:88, timeout=30000, number of retries =3, #bytes=175
>>> KDCCommunication: kdc=os-vd-m-009.main.ads.comapny.com UDP:88, timeout=30000,Attempt =1, #bytes=175
>>> KrbKdcReq send: #bytes read=220
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 18, salt = MAIN.ADS.COMAPNY.COMHTTPos-serv-li-env800.os.comapny.com, s2kparams = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
>>> KdcAccessibility: remove os-vd-m-009
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Mon Aug 06 13:48:15 EDT 2018 1533577695000
suSec is 67734
error code is 25
error Message is Additional pre-authentication required
sname is krbtgt/ MAIN.ADS.COMAPNY.COM@MAIN.ADS.COMAPNY.COM
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 18, salt = MAIN.ADS.COMAPNY.COMHTTPos-serv-li-env800.os.comapny.com, s2kparams = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 18.
Looking for keys for: HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Found unsupported keytype (1) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Looking for keys for: HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Found unsupported keytype (1) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
default etypes for default_tkt_enctypes: 18.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=os-vd-m-009.main.ads.comapny.com UDP:88, timeout=30000, number of retries =3, #bytes=264
>>> KDCCommunication: kdc=os-vd-m-009.main.ads.comapny.com UDP:88, timeout=30000,Attempt =1, #bytes=264
>>> KrbKdcReq send: #bytes read=106
>>> KrbKdcReq send: kdc=os-vd-m-009.main.ads.comapny.com TCP:88, timeout=30000, number of retries =3, #bytes=264
>>> KDCCommunication: kdc=os-vd-m-009.main.ads.comapny.com TCP:88, timeout=30000,Attempt =1, #bytes=264
>>>DEBUG: TCPClient reading 1923 bytes
>>> KrbKdcReq send: #bytes read=1923
>>> KdcAccessibility: remove os-vd-m-009
Looking for keys for: HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Found unsupported keytype (1) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/os-serv-li-env800.os.comapny.com
principal is HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Will use keytab
Commit Succeeded
Found ticket for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM to go to krbtgt/ MAIN.ADS.COMAPNY.COM@MAIN.ADS.COMAPNY.COM expiring on Mon Aug 06 23:48:15 EDT 2018
<Aug 6, 2018, 1:48:15,359 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <delegate state is true, acquire delegated credential...>
<Aug 6, 2018, 1:48:15,359 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <Username was found, setting up callbackhandler>
...........
<Aug 6, 2018, 1:48:15,503 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate authenticate succeeded for user DCConway, Identity=Subject: 46
尝试从您的 web.xml 文件中删除此标记:/ 安全约束配置不当可能会出现 403 错误