Weblogic + Kerberos + SSO

Weblogic + Kerberos + SSO

我正在尝试使用 weblogic 和 Kerberos 配置单点登录。

所以,但我仍然看到登录页面,也许你可以通过这个日志告诉我哪里出了问题:

Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is /oracle/product12/user_projects/domains/test/krb/test.keytab refreshKrb5Config is false principal is kinp@TEST.ORG tryFirstPass is false useFirstPass is false storePass is false clearPass is false
KeyTab instance already exists
Added key: 23version: 19
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 3.
0: EncryptionKey: keyType=23 kvno=19 keyValue (hex dump)=
0000: C3 CB 19 1C 64 6E F9 7F   6A C9 31 FB EE 69 E7 35  ....dn..j.1..i.5


principal's key obtained from the keytab
Acquire TGT using AS Exchange
default etypes for default_tkt_enctypes: 23 3.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=192.168.0.100 UDP:88, timeout=30000, number of retries =3, #bytes=137
>>> KDCCommunication: kdc=192.168.0.100 UDP:88, timeout=30000,Attempt =1, #bytes=137
>>> KrbKdcReq send: #bytes read=181
>>> KrbKdcReq send: #bytes read=181
>>> KdcAccessibility: remove 192.168.0.100
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
     sTime is Tue Jan 20 10:46:05 EET 2015 1421743565000
     suSec is 576578
     error code is 25
     error Message is Additional pre-authentication required
     realm is TEST.ORG
     sname is krbtgt/TEST.ORG
     eData provided.
     msgType is 30
>>>Pre-Authentication Data:
     PA-DATA type = 11
     PA-ETYPE-INFO etype = 23
     PA-ETYPE-INFO salt = 
>>>Pre-Authentication Data:
     PA-DATA type = 19
     PA-ETYPE-INFO2 etype = 23
     PA-ETYPE-INFO2 salt = null
>>>Pre-Authentication Data:
     PA-DATA type = 2
     PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
     PA-DATA type = 16
>>>Pre-Authentication Data:
     PA-DATA type = 15
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
>>>KrbAsReq salt is TEST.ORGdev
default etypes for default_tkt_enctypes: 23 3.
Pre-Authenticaton: find key for etype = 23
AS-REQ: Add PA_ENC_TIMESTAMP now
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=192.168.0.100 UDP:88, timeout=30000, number of retries =3, #bytes=220
>>> KDCCommunication: kdc=192.168.0.100 UDP:88, timeout=30000,Attempt =1, #bytes=220
>>> KrbKdcReq send: #bytes read=1408
>>> KrbKdcReq send: #bytes read=1408
>>> KdcAccessibility: remove 192.168.0.100
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply dev
principal is dev@TEST.ORG
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: C3 CB 19 1C 64 6E F9 7F   6A C9 31 FB EE 69 E7 35  ....dn..j.1..i.5

Added server's keyKerberos Principal dev@TEST.ORGKey Version 19key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: C3 CB 19 1C 64 6E F9 7F   6A C9 31 FB EE 69 E7 35  ....dn..j.1..i.5


        [Krb5LoginModule] added Krb5Principal  dev@TEST.ORG to Subject
Commit Succeeded 

Found key for dev@TEST.ORG(23)
Entered Krb5Context.acceptSecContext with state=STATE_NEW

我在尝试访问登录页面时收到此日志。

错误异常:

com.bea.security.utils.kerberos.KerberosException: Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))
    at com.bea.security.utils.kerberos.KerberosTokenHandler.acceptGssInitContextTokenInDoAs(KerberosTokenHandler.java:334)
    at com.bea.security.utils.kerberos.KerberosTokenHandler.access[=11=]0(KerberosTokenHandler.java:41)
    at com.bea.security.utils.kerberos.KerberosTokenHandler.run(KerberosTokenHandler.java:226)
...
Caused By: GSSException: Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
...
Caused By: KrbException: Specified version of key is not available (44)
    at sun.security.krb5.EncryptionKey.findKey(EncryptionKey.java:516)
    at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:260)
    at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
...

谢谢!

无法 post 发表评论,post将其作为答案。您需要启用 Weblogic 的身份验证日志记录:

  1. 在 Weblogic 控制台中,单击左上角的“锁定和编辑”按钮。
  2. Select 环境 – 左侧域结构 portlet 中的服务器。
  3. Select 服务器摘要页面上的您的服务器。
  4. Select“调试”选项卡。
  5. 深入到 weblogic – 安全 – atn。
  6. Select 单词 DebugSecurityAtn 左侧的复选框。
  7. 点击页面顶部或底部的“启用”按钮。
  8. 再次转到您的服务器,单击“日志记录”选项卡,
  9. 向下滚动并单击“高级”
  10. 在 "Message destination(s) - Log file" 中将严重级别更改为调试
  11. 点击页面顶部或底部的“保存”按钮。
  12. 点击左上角的“激活更改”。

之后再次尝试登录,您的日志中将包含更多信息。