使用 Kerberos SPNEGO 配置 Tomcat SSO
Configuring Tomcat SSO using Kerberos SPNEGO
我正在尝试使用 Kerberos 在 Tomcat 9(使用 SDK 8)中配置 SSO。我的环境全部在 Windows Server 2016 虚拟机中:
-
- server2016.forestgump.internal 192.168.44.130 - 活动目录
- windowstomcat.forestgump.internal 192.168.44.135 - Tomcat v9, SDK 8
- WIN-MN3G5OM9U4Q.forestgump.internal 192.168.44.140 - 只是客户端
我看了很多教程(都略有不同),但我仍然无法访问我的网页,401 一直在等着我。
AD 中的域是 "FORESTGUMP.INTERNAL"(是的.. 用单个 'R' 拼写 forest 没有错,只是凌晨 2 点的虚构名称)。我在该域中创建了 2 个用户
- tomcat(技术用户,用于登录windowstomcat.forestgump.internaltomcat服务器)。此用户有一些额外的配置:密码永不过期 = true,用户无法更改密码 = true,他的帐户支持 Kerberos AES128,此帐户支持 Kerberos AES256,信任此用户以委派任何服务(仅限 Kerberos)
- mario(用户登录到客户端计算机的域)
我将 SPN 映射到 tomcat 用户:
setspn -l forestgump.internal\tomcat
Registered ServicePrincipalNames for CN=tomcat,CN=Users,DC=forestgump,DC=internal:
HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
HTTP/windowstomcat@FORESTGUMP.INTERNAL
HTTP/windowstomcat
HTTP/windowstomcat.forestgump.internal
然后我生成了一个密钥表文件:
ktpass /out c:\tomcat.keytab /mapuser TOMCAT@FORESTGUMP.INTERNAL /princ HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL /pass Passw0rd! /kvno 0 -crypto ALL -ptype KRB5_NT_PRINCIPAL
并将此 tomcat.keytab 复制到 Tomcat 服务器。/tomcat-9/conf 并在 c.\tomcat-9\lib
中添加 spnego-r9.jar
在 tomcat 服务器中我创建了文件 ./tomcat-9/conf/krb5.ini
[libdefaults]
default_realm = FORESTGUMP.INTERNAL
default_keytab_name = "C:\opt\tomcat-9\conf\tomcat.keytab"
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable=true
[realms]
forestgump.internal = {
kdc = server2016.forestgump.internal:88
}
[domain_realm]
forestgump.internal= FORESTGUMP.INTERNAL
.forestgump.internal= FORESTGUMP.INTERNAL
我创建了文件 ./tomcat-9/conf/jass.conf
com.sun.security.jgss.krb5.initiate {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal="HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL"
keyTab="c:/opt/tomcat-9/conf/tomcat.keytab"
useKeyTab=true
storeKey=true;
debug=true;
};
com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal="HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL"
keyTab="c:/opt/tomcat-9/conf/tomcat.keytab"
useKeyTab=true
storeKey=true;
debug=true;
};
到目前为止,它在我找到的所有教程中都非常一致。从现在开始,遥远的西部和我对 tomcat 和 java 开发知识的缺乏对我没有帮助。
我更改了默认 tomcat-9/conf/server.xml 为 AD LDAP
添加了一个领域
<Realm className="org.apache.catalina.realm.LockOutRealm">
<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase" />
<Realm className="org.apache.catalina.realm.JNDIRealm" connectionURL="ldap://server2016.forestgump.internal:389" authentication="simple" referrals="follow" connectionName="CN=tomcat,CN=Users,DC=forestgump,DC=internal" connectionPassword="Passw0rd!" userSearch="(sAMAccountName={0})" userBase="CN=Users,DC=forestgump,DC=internal" userSubtree="true" roleSearch="(member={0})" roleName="cn" roleSubtree="true" roleBase="cn=Builtin,DC=forestgump,DC=internal" />
</Realm>
我用 Jxplorer 测试了 LDAP 配置,我可以连接到我的 AD。不确定这是否有必要,我发现只有 20% 的教程提到了这一点。
然后我创建了一个简单的 webapp 来测试配置。 Web 应用程序具有以下结构:
- Tomcat你好世界
- index.jsp
- 网络信息
- web.xml
- 元信息
- context.xml
这里是文件的内容
index.jsp
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>AUTH test</title>
</head>
<body>
<h1>Hello World!</h1>
<p>auth type: <%=request.getAuthType()%> </p>
<p>remote user: <%=request.getRemoteUser() %> </p>
<p>principal: <%=request.getUserPrincipal() %></p>
<p>name: <%= (request.getUserPrincipal()!=null)?request.getUserPrincipal().getName():"NO PRINCIPAL" %></p>
</body>
</html>
web.xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
version="4.0"
metadata-complete="true">
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
<security-constraint>
<web-resource-collection>
<web-resource-name>Web Resource - Allow GET method</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>CN=Users,DC=forestgump,DC=internal</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>CN=Users,DC=forestgump,DC=internal</role-name>
</security-role>
<login-config>
<auth-method>SPNEGO</auth-method>
<realm-name>FORESTGUMP.INTERNAL</realm-name>
</login-config>
</web-app>
context.xml
<?xml version="1.0" encoding="UTF-8"?>
<Context antiJARLocking="true" path="/spnego">
<!-- valve will be explicitly created when SPNEGO is used,
this is to declare additional attributes -->
<Valve className="org.apache.catalina.authenticator.SpnegoAuthenticator"
alwaysUseSession="true" cache="true" />
</Context>
在我使用IE、Firefox的客户端vm中(配置network.negotiate-auth.delegation-uris = windowstomcat.forestgump.internal和network.negotiate-auth.gsslib = windowstomcat.forestgump.internal) 和 Kerberos 身份验证客户端 (http://blog.michelbarneveld.nl/michel/archive/2009/12/05/kerberos-authentication-tester.aspx)
浏览器的结果始终为 401,Kerberos 测试器的结果始终为 500。
真正令人沮丧的是我在 tomcat 或 AD 中看不到任何错误。在 tomcat 中,我什至在启动时添加了调试语句(设置 CATALINA_OPTS= -Dsun.security.krb5.debug=true -Dsun.security.jgss.debug=true -Dsun.security.spnego.debug=真).
catalina.log 超级干净
localhost.log 有几个例外(当我使用 Kerberos 客户端进行测试并获得 500 时)
08-May-2020 14:51:46.294 SEVERE [http-nio-8080-exec-4] org.apache.catalina.core.StandardHostValve.invoke Exception Processing /TomcatHelloWorld/
java.lang.SecurityException: java.io.IOException: Configuration Error:
Line 8: expected [controlFlag]
at sun.security.provider.ConfigFile$Spi.<init>(ConfigFile.java:137)
at sun.security.provider.ConfigFile.<init>(ConfigFile.java:102)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at java.lang.Class.newInstance(Class.java:442)
at javax.security.auth.login.Configuration.run(Configuration.java:255)
at javax.security.auth.login.Configuration.run(Configuration.java:247)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.Configuration.getConfiguration(Configuration.java:246)
at javax.security.auth.login.LoginContext.run(LoginContext.java:245)
at javax.security.auth.login.LoginContext.run(LoginContext.java:243)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.init(LoginContext.java:243)
at javax.security.auth.login.LoginContext.<init>(LoginContext.java:348)
at org.apache.catalina.authenticator.SpnegoAuthenticator.doAuthenticate(SpnegoAuthenticator.java:196)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:631)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:373)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1590)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.io.IOException: Configuration Error:
Line 8: expected [controlFlag]
at sun.security.provider.ConfigFile$Spi.ioException(ConfigFile.java:666)
at sun.security.provider.ConfigFile$Spi.match(ConfigFile.java:572)
at sun.security.provider.ConfigFile$Spi.parseLoginEntry(ConfigFile.java:454)
at sun.security.provider.ConfigFile$Spi.readConfig(ConfigFile.java:427)
at sun.security.provider.ConfigFile$Spi.init(ConfigFile.java:329)
at sun.security.provider.ConfigFile$Spi.init(ConfigFile.java:271)
at sun.security.provider.ConfigFile$Spi.<init>(ConfigFile.java:135)
... 31 more
这肯定与我的 webapp 有关,但我无法确定导致错误的原因。
任何帮助都会极大地帮助我理智。
干杯。
在建议删除配置文件中的分号后,我继续前进,现在发现了一些有趣的异常:
11-May-2020 14:38:55.976 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [897] milliseconds
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is c:/opt/tomcat-9/conf/tomcat.keytab refreshKrb5Config is false principal is HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>> KeyTabInputStream, readName(): FORESTGUMP.INTERNAL
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): windowstomcat.forestgump.internal
>>> KeyTab: load() entry length: 85; type: 1
>>> KeyTabInputStream, readName(): FORESTGUMP.INTERNAL
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): windowstomcat.forestgump.internal
>>> KeyTab: load() entry length: 85; type: 3
>>> KeyTabInputStream, readName(): FORESTGUMP.INTERNAL
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): windowstomcat.forestgump.internal
>>> KeyTab: load() entry length: 93; type: 23
>>> KeyTabInputStream, readName(): FORESTGUMP.INTERNAL
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): windowstomcat.forestgump.internal
>>> KeyTab: load() entry length: 109; type: 18
>>> KeyTabInputStream, readName(): FORESTGUMP.INTERNAL
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): windowstomcat.forestgump.internal
>>> KeyTab: load() entry length: 93; type: 17
Looking for keys for: HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Java config name: C:\opt\tomcat-9\conf\krb5.ini
Loaded from Java config
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Found unsupported keytype (1) for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
>>> KdcAccessibility: reset
Looking for keys for: HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Found unsupported keytype (1) for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq creating message
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=server2016.forestgump.internal. UDP:88, timeout=30000, number of retries =3, #bytes=190
>>> KDCCommunication: kdc=server2016.forestgump.internal. UDP:88, timeout=30000,Attempt =1, #bytes=190
>>> KrbKdcReq send: #bytes read=238
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 18, salt = FORESTGUMP.INTERNALHTTPwindowstomcat.forestgump.internal, s2kparams = null
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
>>> KdcAccessibility: remove server2016.forestgump.internal.:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Mon May 11 14:39:04 NZST 2020 1589164744000
suSec is 480933
error code is 25
error Message is Additional pre-authentication required
sname is krbtgt/FORESTGUMP.INTERNAL@FORESTGUMP.INTERNAL
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 18, salt = FORESTGUMP.INTERNALHTTPwindowstomcat.forestgump.internal, s2kparams = null
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Looking for keys for: HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Found unsupported keytype (1) for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Looking for keys for: HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Found unsupported keytype (1) for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq creating message
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=server2016.forestgump.internal. UDP:88, timeout=30000, number of retries =3, #bytes=279
>>> KDCCommunication: kdc=server2016.forestgump.internal. UDP:88, timeout=30000,Attempt =1, #bytes=279
>>> KrbKdcReq send: #bytes read=110
>>> KrbKdcReq send: kdc=server2016.forestgump.internal. TCP:88, timeout=30000, number of retries =3, #bytes=279
>>> KDCCommunication: kdc=server2016.forestgump.internal. TCP:88, timeout=30000,Attempt =1, #bytes=279
>>>DEBUG: TCPClient reading 1694 bytes
>>> KrbKdcReq send: #bytes read=1694
>>> KdcAccessibility: remove server2016.forestgump.internal.:88
Looking for keys for: HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Found unsupported keytype (1) for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/windowstomcat.forestgump.internal
principal is HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Will use keytab
Commit Succeeded
Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab c:\opt\tomcat-9\conf\tomcat.keytab for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Found KeyTab c:\opt\tomcat-9\conf\tomcat.keytab for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Found ticket for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL to go to krbtgt/FORESTGUMP.INTERNAL@FORESTGUMP.INTERNAL expiring on Tue May 12 00:39:04 NZST 2020
Entered SpNegoContext.acceptSecContext with state=STATE_NEW
SpNegoContext.acceptSecContext: receiving token = a0 8..
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.113554.1.2.2
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.48018.1.2.2
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.30
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.10
SpNegoToken NegTokenInit: reading Mech Token
SpNegoContext.acceptSecContext: received token of type = SPNEGO NegTokenInit
SpNegoContext: negotiated mechanism = 1.2.840.113554.1.2.2
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Looking for keys for: HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Found unsupported keytype (1) for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 18 17 16 23.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
MemoryCache: add 1589164744/000073/52EB3DFA8A4B8EADDCE4B0019A0968EE/Administrator@FORESTGUMP.INTERNAL to Administrator@FORESTGUMP.INTERNAL|HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
>>> KrbApReq: authenticate succeed.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>>Delegated Creds have pname=Administrator@FORESTGUMP.INTERNAL sname=krbtgt/FORESTGUMP.INTERNAL@FORESTGUMP.INTERNAL authtime=null starttime=20200511023904Z endtime=20200511123904ZrenewTill=20200518023904Z
Krb5Context setting peerSeqNumber to: 1464367068
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Krb5Context setting mySeqNumber to: 206741889
...
Search Subject for Kerberos V5 INIT cred (<<DEF>>, sun.security.jgss.krb5.Krb5InitCredential)
Found ticket for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL to go to krbtgt/FORESTGUMP.INTERNAL@FORESTGUMP.INTERNAL expiring on Tue May 12 00:39:04 NZST 2020
Entered Krb5Context.initSecContext with state=STATE_NEW
Found ticket for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL to go to krbtgt/FORESTGUMP.INTERNAL@FORESTGUMP.INTERNAL expiring on Tue May 12 00:39:04 NZST 2020
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
default etypes for default_tgs_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> CksumType: sun.security.krb5.internal.crypto.HmacMd5ArcFourCksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=server2016.forestgump.internal. TCP:88, timeout=30000, number of retries =3, #bytes=1622
>>> KDCCommunication: kdc=server2016.forestgump.internal. TCP:88, timeout=30000,Attempt =1, #bytes=1622
>>>DEBUG: TCPClient reading 1598 bytes
>>> KrbKdcReq send: #bytes read=1598
>>> KdcAccessibility: remove server2016.forestgump.internal.:88
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbApReq: APOptions are 00100000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Krb5Context setting mySeqNumber to: 905416011
Created InitSecContextToken:
0000: 01 00 6E 82 05 DF 30 82 05 DB A0 03 02 01 05 A1 ..n...0.........
.....
05D0: BE 28 08 00 6F FC 45 DC 0D 90 93 E9 60 46 CC 81 .(..o.E.....`F..
05E0: 51 D8 99 06 16 Q....
Entered Krb5Context.initSecContext with state=STATE_IN_PROCESS
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Krb5Context setting peerSeqNumber to: 1474518462
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject
我在 Kerberos 服务器中添加了 256 支持:
ksetup /setenctypeattr FQDN>forestgump.internal RC4-HMAC-MD5 AES128-CTS-HMAC-SHA1-96 AES256-CTS-HMAC-SHA1-96
和用户帐户(tomcat 和 mario)支持 Kerberos 128/256 位加密。
无法查明配置错误
问题似乎出在您 jaas.conf:
中的分号
com.sun.security.jgss.krb5.initiate {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal="HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL"
keyTab="c:/opt/tomcat-9/conf/tomcat.keytab"
useKeyTab=true
storeKey=true;
debug=true;
};
com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal="HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL"
keyTab="c:/opt/tomcat-9/conf/tomcat.keytab"
useKeyTab=true
storeKey=true;
debug=true;
};
去掉storeKey=true后面的分号。结果,debug=true; 被解释为它自己的条目,但它不是 - 它只是一个 属性.
我正在尝试使用 Kerberos 在 Tomcat 9(使用 SDK 8)中配置 SSO。我的环境全部在 Windows Server 2016 虚拟机中: -
- server2016.forestgump.internal 192.168.44.130 - 活动目录
- windowstomcat.forestgump.internal 192.168.44.135 - Tomcat v9, SDK 8
- WIN-MN3G5OM9U4Q.forestgump.internal 192.168.44.140 - 只是客户端
我看了很多教程(都略有不同),但我仍然无法访问我的网页,401 一直在等着我。
AD 中的域是 "FORESTGUMP.INTERNAL"(是的.. 用单个 'R' 拼写 forest 没有错,只是凌晨 2 点的虚构名称)。我在该域中创建了 2 个用户
- tomcat(技术用户,用于登录windowstomcat.forestgump.internaltomcat服务器)。此用户有一些额外的配置:密码永不过期 = true,用户无法更改密码 = true,他的帐户支持 Kerberos AES128,此帐户支持 Kerberos AES256,信任此用户以委派任何服务(仅限 Kerberos)
- mario(用户登录到客户端计算机的域)
我将 SPN 映射到 tomcat 用户:
setspn -l forestgump.internal\tomcat
Registered ServicePrincipalNames for CN=tomcat,CN=Users,DC=forestgump,DC=internal:
HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
HTTP/windowstomcat@FORESTGUMP.INTERNAL
HTTP/windowstomcat
HTTP/windowstomcat.forestgump.internal
然后我生成了一个密钥表文件:
ktpass /out c:\tomcat.keytab /mapuser TOMCAT@FORESTGUMP.INTERNAL /princ HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL /pass Passw0rd! /kvno 0 -crypto ALL -ptype KRB5_NT_PRINCIPAL
并将此 tomcat.keytab 复制到 Tomcat 服务器。/tomcat-9/conf 并在 c.\tomcat-9\lib
中添加 spnego-r9.jar在 tomcat 服务器中我创建了文件 ./tomcat-9/conf/krb5.ini
[libdefaults]
default_realm = FORESTGUMP.INTERNAL
default_keytab_name = "C:\opt\tomcat-9\conf\tomcat.keytab"
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable=true
[realms]
forestgump.internal = {
kdc = server2016.forestgump.internal:88
}
[domain_realm]
forestgump.internal= FORESTGUMP.INTERNAL
.forestgump.internal= FORESTGUMP.INTERNAL
我创建了文件 ./tomcat-9/conf/jass.conf
com.sun.security.jgss.krb5.initiate {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal="HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL"
keyTab="c:/opt/tomcat-9/conf/tomcat.keytab"
useKeyTab=true
storeKey=true;
debug=true;
};
com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal="HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL"
keyTab="c:/opt/tomcat-9/conf/tomcat.keytab"
useKeyTab=true
storeKey=true;
debug=true;
};
到目前为止,它在我找到的所有教程中都非常一致。从现在开始,遥远的西部和我对 tomcat 和 java 开发知识的缺乏对我没有帮助。 我更改了默认 tomcat-9/conf/server.xml 为 AD LDAP
添加了一个领域 <Realm className="org.apache.catalina.realm.LockOutRealm">
<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase" />
<Realm className="org.apache.catalina.realm.JNDIRealm" connectionURL="ldap://server2016.forestgump.internal:389" authentication="simple" referrals="follow" connectionName="CN=tomcat,CN=Users,DC=forestgump,DC=internal" connectionPassword="Passw0rd!" userSearch="(sAMAccountName={0})" userBase="CN=Users,DC=forestgump,DC=internal" userSubtree="true" roleSearch="(member={0})" roleName="cn" roleSubtree="true" roleBase="cn=Builtin,DC=forestgump,DC=internal" />
</Realm>
我用 Jxplorer 测试了 LDAP 配置,我可以连接到我的 AD。不确定这是否有必要,我发现只有 20% 的教程提到了这一点。
然后我创建了一个简单的 webapp 来测试配置。 Web 应用程序具有以下结构:
- Tomcat你好世界
- index.jsp
- 网络信息
- web.xml
- 元信息
- context.xml
这里是文件的内容
index.jsp
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>AUTH test</title>
</head>
<body>
<h1>Hello World!</h1>
<p>auth type: <%=request.getAuthType()%> </p>
<p>remote user: <%=request.getRemoteUser() %> </p>
<p>principal: <%=request.getUserPrincipal() %></p>
<p>name: <%= (request.getUserPrincipal()!=null)?request.getUserPrincipal().getName():"NO PRINCIPAL" %></p>
</body>
</html>
web.xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
version="4.0"
metadata-complete="true">
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
<security-constraint>
<web-resource-collection>
<web-resource-name>Web Resource - Allow GET method</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>CN=Users,DC=forestgump,DC=internal</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>CN=Users,DC=forestgump,DC=internal</role-name>
</security-role>
<login-config>
<auth-method>SPNEGO</auth-method>
<realm-name>FORESTGUMP.INTERNAL</realm-name>
</login-config>
</web-app>
context.xml
<?xml version="1.0" encoding="UTF-8"?>
<Context antiJARLocking="true" path="/spnego">
<!-- valve will be explicitly created when SPNEGO is used,
this is to declare additional attributes -->
<Valve className="org.apache.catalina.authenticator.SpnegoAuthenticator"
alwaysUseSession="true" cache="true" />
</Context>
在我使用IE、Firefox的客户端vm中(配置network.negotiate-auth.delegation-uris = windowstomcat.forestgump.internal和network.negotiate-auth.gsslib = windowstomcat.forestgump.internal) 和 Kerberos 身份验证客户端 (http://blog.michelbarneveld.nl/michel/archive/2009/12/05/kerberos-authentication-tester.aspx)
浏览器的结果始终为 401,Kerberos 测试器的结果始终为 500。
真正令人沮丧的是我在 tomcat 或 AD 中看不到任何错误。在 tomcat 中,我什至在启动时添加了调试语句(设置 CATALINA_OPTS= -Dsun.security.krb5.debug=true -Dsun.security.jgss.debug=true -Dsun.security.spnego.debug=真).
catalina.log 超级干净 localhost.log 有几个例外(当我使用 Kerberos 客户端进行测试并获得 500 时)
08-May-2020 14:51:46.294 SEVERE [http-nio-8080-exec-4] org.apache.catalina.core.StandardHostValve.invoke Exception Processing /TomcatHelloWorld/
java.lang.SecurityException: java.io.IOException: Configuration Error:
Line 8: expected [controlFlag]
at sun.security.provider.ConfigFile$Spi.<init>(ConfigFile.java:137)
at sun.security.provider.ConfigFile.<init>(ConfigFile.java:102)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at java.lang.Class.newInstance(Class.java:442)
at javax.security.auth.login.Configuration.run(Configuration.java:255)
at javax.security.auth.login.Configuration.run(Configuration.java:247)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.Configuration.getConfiguration(Configuration.java:246)
at javax.security.auth.login.LoginContext.run(LoginContext.java:245)
at javax.security.auth.login.LoginContext.run(LoginContext.java:243)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.init(LoginContext.java:243)
at javax.security.auth.login.LoginContext.<init>(LoginContext.java:348)
at org.apache.catalina.authenticator.SpnegoAuthenticator.doAuthenticate(SpnegoAuthenticator.java:196)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:631)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:373)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1590)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.io.IOException: Configuration Error:
Line 8: expected [controlFlag]
at sun.security.provider.ConfigFile$Spi.ioException(ConfigFile.java:666)
at sun.security.provider.ConfigFile$Spi.match(ConfigFile.java:572)
at sun.security.provider.ConfigFile$Spi.parseLoginEntry(ConfigFile.java:454)
at sun.security.provider.ConfigFile$Spi.readConfig(ConfigFile.java:427)
at sun.security.provider.ConfigFile$Spi.init(ConfigFile.java:329)
at sun.security.provider.ConfigFile$Spi.init(ConfigFile.java:271)
at sun.security.provider.ConfigFile$Spi.<init>(ConfigFile.java:135)
... 31 more
这肯定与我的 webapp 有关,但我无法确定导致错误的原因。
任何帮助都会极大地帮助我理智。 干杯。
在建议删除配置文件中的分号后,我继续前进,现在发现了一些有趣的异常:
11-May-2020 14:38:55.976 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [897] milliseconds
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is c:/opt/tomcat-9/conf/tomcat.keytab refreshKrb5Config is false principal is HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>> KeyTabInputStream, readName(): FORESTGUMP.INTERNAL
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): windowstomcat.forestgump.internal
>>> KeyTab: load() entry length: 85; type: 1
>>> KeyTabInputStream, readName(): FORESTGUMP.INTERNAL
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): windowstomcat.forestgump.internal
>>> KeyTab: load() entry length: 85; type: 3
>>> KeyTabInputStream, readName(): FORESTGUMP.INTERNAL
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): windowstomcat.forestgump.internal
>>> KeyTab: load() entry length: 93; type: 23
>>> KeyTabInputStream, readName(): FORESTGUMP.INTERNAL
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): windowstomcat.forestgump.internal
>>> KeyTab: load() entry length: 109; type: 18
>>> KeyTabInputStream, readName(): FORESTGUMP.INTERNAL
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): windowstomcat.forestgump.internal
>>> KeyTab: load() entry length: 93; type: 17
Looking for keys for: HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Java config name: C:\opt\tomcat-9\conf\krb5.ini
Loaded from Java config
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Found unsupported keytype (1) for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
>>> KdcAccessibility: reset
Looking for keys for: HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Found unsupported keytype (1) for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq creating message
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=server2016.forestgump.internal. UDP:88, timeout=30000, number of retries =3, #bytes=190
>>> KDCCommunication: kdc=server2016.forestgump.internal. UDP:88, timeout=30000,Attempt =1, #bytes=190
>>> KrbKdcReq send: #bytes read=238
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 18, salt = FORESTGUMP.INTERNALHTTPwindowstomcat.forestgump.internal, s2kparams = null
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
>>> KdcAccessibility: remove server2016.forestgump.internal.:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Mon May 11 14:39:04 NZST 2020 1589164744000
suSec is 480933
error code is 25
error Message is Additional pre-authentication required
sname is krbtgt/FORESTGUMP.INTERNAL@FORESTGUMP.INTERNAL
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 18, salt = FORESTGUMP.INTERNALHTTPwindowstomcat.forestgump.internal, s2kparams = null
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Looking for keys for: HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Found unsupported keytype (1) for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Looking for keys for: HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Found unsupported keytype (1) for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq creating message
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=server2016.forestgump.internal. UDP:88, timeout=30000, number of retries =3, #bytes=279
>>> KDCCommunication: kdc=server2016.forestgump.internal. UDP:88, timeout=30000,Attempt =1, #bytes=279
>>> KrbKdcReq send: #bytes read=110
>>> KrbKdcReq send: kdc=server2016.forestgump.internal. TCP:88, timeout=30000, number of retries =3, #bytes=279
>>> KDCCommunication: kdc=server2016.forestgump.internal. TCP:88, timeout=30000,Attempt =1, #bytes=279
>>>DEBUG: TCPClient reading 1694 bytes
>>> KrbKdcReq send: #bytes read=1694
>>> KdcAccessibility: remove server2016.forestgump.internal.:88
Looking for keys for: HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Found unsupported keytype (1) for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/windowstomcat.forestgump.internal
principal is HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Will use keytab
Commit Succeeded
Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab c:\opt\tomcat-9\conf\tomcat.keytab for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Found KeyTab c:\opt\tomcat-9\conf\tomcat.keytab for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Found ticket for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL to go to krbtgt/FORESTGUMP.INTERNAL@FORESTGUMP.INTERNAL expiring on Tue May 12 00:39:04 NZST 2020
Entered SpNegoContext.acceptSecContext with state=STATE_NEW
SpNegoContext.acceptSecContext: receiving token = a0 8..
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.113554.1.2.2
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.48018.1.2.2
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.30
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.10
SpNegoToken NegTokenInit: reading Mech Token
SpNegoContext.acceptSecContext: received token of type = SPNEGO NegTokenInit
SpNegoContext: negotiated mechanism = 1.2.840.113554.1.2.2
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Looking for keys for: HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Found unsupported keytype (1) for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 18 17 16 23.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
MemoryCache: add 1589164744/000073/52EB3DFA8A4B8EADDCE4B0019A0968EE/Administrator@FORESTGUMP.INTERNAL to Administrator@FORESTGUMP.INTERNAL|HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
>>> KrbApReq: authenticate succeed.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>>Delegated Creds have pname=Administrator@FORESTGUMP.INTERNAL sname=krbtgt/FORESTGUMP.INTERNAL@FORESTGUMP.INTERNAL authtime=null starttime=20200511023904Z endtime=20200511123904ZrenewTill=20200518023904Z
Krb5Context setting peerSeqNumber to: 1464367068
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Krb5Context setting mySeqNumber to: 206741889
...
Search Subject for Kerberos V5 INIT cred (<<DEF>>, sun.security.jgss.krb5.Krb5InitCredential)
Found ticket for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL to go to krbtgt/FORESTGUMP.INTERNAL@FORESTGUMP.INTERNAL expiring on Tue May 12 00:39:04 NZST 2020
Entered Krb5Context.initSecContext with state=STATE_NEW
Found ticket for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL to go to krbtgt/FORESTGUMP.INTERNAL@FORESTGUMP.INTERNAL expiring on Tue May 12 00:39:04 NZST 2020
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
default etypes for default_tgs_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> CksumType: sun.security.krb5.internal.crypto.HmacMd5ArcFourCksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=server2016.forestgump.internal. TCP:88, timeout=30000, number of retries =3, #bytes=1622
>>> KDCCommunication: kdc=server2016.forestgump.internal. TCP:88, timeout=30000,Attempt =1, #bytes=1622
>>>DEBUG: TCPClient reading 1598 bytes
>>> KrbKdcReq send: #bytes read=1598
>>> KdcAccessibility: remove server2016.forestgump.internal.:88
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbApReq: APOptions are 00100000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Krb5Context setting mySeqNumber to: 905416011
Created InitSecContextToken:
0000: 01 00 6E 82 05 DF 30 82 05 DB A0 03 02 01 05 A1 ..n...0.........
.....
05D0: BE 28 08 00 6F FC 45 DC 0D 90 93 E9 60 46 CC 81 .(..o.E.....`F..
05E0: 51 D8 99 06 16 Q....
Entered Krb5Context.initSecContext with state=STATE_IN_PROCESS
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Krb5Context setting peerSeqNumber to: 1474518462
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject
我在 Kerberos 服务器中添加了 256 支持:
ksetup /setenctypeattr FQDN>forestgump.internal RC4-HMAC-MD5 AES128-CTS-HMAC-SHA1-96 AES256-CTS-HMAC-SHA1-96
和用户帐户(tomcat 和 mario)支持 Kerberos 128/256 位加密。
无法查明配置错误
问题似乎出在您 jaas.conf:
com.sun.security.jgss.krb5.initiate {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal="HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL"
keyTab="c:/opt/tomcat-9/conf/tomcat.keytab"
useKeyTab=true
storeKey=true;
debug=true;
};
com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal="HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL"
keyTab="c:/opt/tomcat-9/conf/tomcat.keytab"
useKeyTab=true
storeKey=true;
debug=true;
};
去掉storeKey=true后面的分号。结果,debug=true; 被解释为它自己的条目,但它不是 - 它只是一个 属性.