I'm having some trouble kerberizing a host, t.p.no. I'm using http://grolmsnet.de/kerbtut, which has worked for others on other hosts that are not joined to the Windows domain.
For some reason, the problem seems to be that the client sends an NTLM token.
I'll go through the server's setup and state first, then the test client:
Server
Environment:
OS is CentOS 5.9,
Kerberos, Apache and mod_auth_kerb installed with yum:
httpd.x86_64 2.2.3-76.el5.centos installed
httpd-devel.i386 2.2.3-76.el5.centos installed
httpd-devel.x86_64 2.2.3-76.el5.centos installed
mod_auth_kerb.x86_64 5.1-5.el5 installed
krb5-devel.x86_64 1.6.1-70.el5 installed
krb5-libs.i386 1.6.1-70.el5 installed
krb5-libs.x86_64 1.6.1-70.el5 installed
krb5-workstation.x86_64 1.6.1-70.el5 installed
pam_krb5.i386 2.2.14-22.el5 installed
pam_krb5.x86_64 2.2.14-22.el5 installed
KDC / DC is Windows Server 2003 SP2
Kerberos:
I had a domain admin create an AD account and run ktpass to map the SPN to that account:
ktpass.exe /princ HTTP/t.p.no@TESTSONE2.P.LOCAL /mapuser testsone2\user
/crypto DES-CBC-MD5 +DesOnly /Pass *** /ptype KRB5_NT_PRINCIPAL /out t.keytab
On the server/host I'm trying to kerberize, I do this to verify that kerberos is configured correctly:
# kinit -V jhs@TESTSONE2.P.LOCAL
Password for jhs@TESTSONE2.P.LOCAL:
Authenticated to Kerberos v5
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: jhs@TESTSONE2.P.LOCAL
Valid starting Expires Service principal
05/13/13 15:32:13 05/14/13 01:32:17 krbtgt/TESTSONE2.P.LOCAL@TESTSONE2.P.LOCAL
renew until 05/14/13 15:32:13
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
I have checked that the KDC issues a ticket for my principal:
# kvno HTTP/t.p.no@TESTSONE2.P.LOCAL
HTTP/t.p.no@TESTSONE2.P.LOCAL: kvno = 9
# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: jhs@TESTSONE2.P.LOCAL
Valid starting Expires Service principal
05/13/13 15:32:13 05/14/13 01:32:17 krbtgt/TESTSONE2.P.LOCAL@TESTSONE2.P.LOCAL
renew until 05/14/13 15:32:13, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
05/13/13 15:34:27 05/14/13 01:32:17 HTTP/t.p.no@TESTSONE2.P.LOCAL
renew until 05/14/13 15:32:13, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
The kvno matches the one in the keytab:
# ktutil
ktutil: rkt t.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 9 HTTP/t.p.no@TESTSONE2.P.LOCAL
t.p.no is an A record resolving to an IP address that reverse-resolves to t.p.no.
This is my vhost config; it's a simple Passenger-served rails app. It was tested before adding the Location section with the auth-related directives:
<VirtualHost *:80>
DocumentRoot /home/p/testapp/public
ServerName t.p.no
RackEnv staging
RailsEnv staging
<Directory /home/p/testapp/public>
Options -MultiViews
</Directory>
<Location />
AuthType Kerberos
AuthName "Logg inn"
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbAuthRealms TESTSONE2.P.LOCAL
KrbServiceName HTTP # No difference if using full SPN here
Krb5KeyTab /etc/httpd/keys/t.keytab
require valid-user
</Location>
LogLevel debug
CustomLog logs/t.p.no-access_log combined_forwarded
ErrorLog logs/t.p.no-error_log
</VirtualHost>
When a client enters t.p.no in Internet Explorer, Apache logs the following:
[debug] src/mod_auth_kerb.c(1496): [client 139.x.x.201] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[debug] src/mod_auth_kerb.c(1496): [client 139.x.x.201] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[debug] src/mod_auth_kerb.c(1151): [client 139.x.x.201] Acquiring creds for HTTP/t.p.no@TESTSONE2.P.LOCAL
[debug] src/mod_auth_kerb.c(1270): [client 139.x.x.201] Verifying client data using KRB5 GSS-API
[debug] src/mod_auth_kerb.c(1286): [client 139.x.x.201] Verification returned code 589824
[debug] src/mod_auth_kerb.c(1313): [client 139.x.x.201] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
[error] [client 139.116.152.201] gss_accept_sec_context() failed: Invalid token was supplied (No error)
Client
OS: Windows Server 2008 SP1
IE has IWA enabled, and http://t.p.no has been added to its Intranet hosts list.
On the client, when I try to access t.p.no, I see two requests in Fiddler. In the first, the client sends no Authentication headers and the server responds with status 401 and the header WWW-Authenticate: Negotiate.
In the second request, the client sends the header: Authorization: Negotiate [token data]. In Fiddler's Auth tab, the token data is shown as:
-[NTLM Type1: Negotiation]------------------------------
Provider: NTLMSSP
Type: 1
OS Version: 6.1:7601
Flags: 0xe2088297
Unicode supported in security buffer.
OEM strings supported in security buffer.
Request server's authentication realm included in Type2 reply.
Sign (integrity)
NTLM authentication.
Negotiate Always Sign.
Negotiate NTLM2 Key.
Supports 56-bit encryption.
Supports 128-bit encryption.
Client will provide master key in Type 3 Session Key field.
Domain_Offset: 0; Domain_Length: 0; Domain_Length2: 0
Host_Offset: 0; Host_Length: 0; Host_Length2: 0
Host:
Domain:
------------------------------------
Any help figuring out why it sends an NTLM token would be much appreciated!
Answer 0 (score: 1)
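The Fiddler decode above shows what mod_auth_kerb's "received token seems to be NTLM" warning is reacting to: the Authorization: Negotiate header carries a raw NTLMSSP Type 1 message rather than a SPNEGO/Kerberos GSS-API token. The following script is an added example, not code from the question or from mod_auth_kerb; it decodes such a header the way the server-side check does (NTLMSSP signature versus the ASN.1 APPLICATION 0 tag) and expands the NTLM flags word, so a defender reading access logs or a packet capture can tell an NTLM fallback apart from a real Kerberos ticket. The sample headers are constructed, built from the flags value 0xe2088297 and OS version 6.1:7601 shown in the question; the function names are this example's own.

```python
import base64
import struct

# Every NTLM message (Type 1, 2 or 3) opens with this 8-byte signature.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
# A Kerberos / SPNEGO GSS-API token instead opens with the ASN.1
# [APPLICATION 0] tag of an RFC 2743 InitialContextToken.
GSSAPI_TAG = 0x60

# NTLM NegotiateFlags (MS-NLMP 2.2.2.5), labelled the way Fiddler prints them.
NEGOTIATE_FLAGS = {
    0x00000001: "Unicode supported in security buffer",
    0x00000002: "OEM strings supported in security buffer",
    0x00000004: "Request server's authentication realm included in Type2 reply",
    0x00000010: "Sign (integrity)",
    0x00000080: "Negotiate LM Key",
    0x00000200: "NTLM authentication",
    0x00008000: "Negotiate Always Sign",
    0x00080000: "Negotiate NTLM2 Key",
    0x02000000: "Negotiate Version",
    0x20000000: "Supports 128-bit encryption",
    0x40000000: "Client will provide master key in Type 3 Session Key field",
    0x80000000: "Supports 56-bit encryption",
}
NTLMSSP_NEGOTIATE_VERSION = 0x02000000


def parse_ntlm_message(token: bytes) -> dict:
    """Decode type, flags and (for Type 1) the OS version of an NTLMSSP token."""
    msg_type, flags = struct.unpack_from("<II", token, 8)
    info = {
        "message_type": msg_type,
        "flags": flags,
        "flag_names": [name for bit, name in sorted(NEGOTIATE_FLAGS.items()) if flags & bit],
    }
    # Type 1 layout: signature(8) type(4) flags(4) domain fields(8)
    # workstation fields(8) [version(8)]; the version block is present
    # only when NTLMSSP_NEGOTIATE_VERSION is set.
    if msg_type == 1 and flags & NTLMSSP_NEGOTIATE_VERSION and len(token) >= 40:
        major, minor, build = struct.unpack_from("<BBH", token, 32)
        info["os_version"] = f"{major}.{minor}:{build}"
    return info


def classify_negotiate_header(header_value: str) -> dict:
    """Classify the token in an 'Authorization: Negotiate <base64>' header value.

    kind is 'ntlm' (raw NTLMSSP, which mod_auth_kerb rejects), 'gssapi'
    (SPNEGO/Kerberos), 'unknown', or 'not-negotiate' for other schemes.
    """
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"scheme": scheme, "kind": "not-negotiate"}
    token = base64.b64decode(b64)
    if token.startswith(NTLMSSP_SIGNATURE):
        return {"scheme": scheme, "kind": "ntlm", **parse_ntlm_message(token)}
    if token and token[0] == GSSAPI_TAG:
        return {"scheme": scheme, "kind": "gssapi"}
    return {"scheme": scheme, "kind": "unknown"}


def build_sample_type1(flags: int = 0xE2088297) -> bytes:
    """Constructed sample: an NTLM Type 1 message carrying the flags from the
    question, an empty domain/workstation, and OS version 6.1 build 7601."""
    empty_fields = struct.pack("<HHI", 0, 0, 0)  # len, maxlen, offset
    version = struct.pack("<BBH3sB", 6, 1, 7601, b"\x00" * 3, 0x0F)
    return (NTLMSSP_SIGNATURE + struct.pack("<II", 1, flags)
            + empty_fields + empty_fields + version)


# Constructed samples: one NTLM fallback, one SPNEGO stub (only the leading
# APPLICATION 0 tag matters to this check).
SAMPLE_NTLM_HEADER = "Negotiate " + base64.b64encode(build_sample_type1()).decode()
SAMPLE_SPNEGO_HEADER = "Negotiate " + base64.b64encode(b"\x60\x06\x06\x04\x01\x02\x03\x04").decode()

if __name__ == "__main__":
    for header in (SAMPLE_NTLM_HEADER, SAMPLE_SPNEGO_HEADER):
        print(classify_negotiate_header(header))
```

A client only falls back to NTLM inside Negotiate when it could not obtain a usable Kerberos service ticket, so an "ntlm" result from this check points at the client/KDC/keytab side (here, the DES-only SPN) rather than at the Apache configuration.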
As mentioned, my test client is 2008 Server R2. The article covering Windows 7 clients and Windows Server 2008 R2 (http://support.microsoft.com/kb/977321) states that DES encryption for Kerberos authentication is disabled by default in those products.
I followed the steps in the article to re-enable DES on the client; the KDC is 2003, so it should still support DES. Authentication then succeeded.
Answer 1 (score: 0)
Your krb5 packages are outdated. They need to be updated to support stronger encryption.
DES should definitely be disabled. All my Linux systems use 128-bit AES for kerberos.
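Both answers turn on the enctype of the HTTP/t.p.no ticket: the question's `klist -e` output shows the krbtgt ticket using ArcFour but the service ticket using only DES (the keytab was created with /crypto DES-CBC-MD5 +DesOnly), which is exactly what a 2008 R2 client refuses by default. The following script is an added example, not code from either answer; it parses `klist -e` output and reports which service principals are DES-only, so the problem can be found before touching the client. The sample text is the question's own klist output, embedded here as a constructed string; the function names are this example's own.

```python
import re

# Constructed sample: the `klist -e` output from the question.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: jhs@TESTSONE2.P.LOCAL
Valid starting Expires Service principal
05/13/13 15:32:13 05/14/13 01:32:17 krbtgt/TESTSONE2.P.LOCAL@TESTSONE2.P.LOCAL
renew until 05/14/13 15:32:13, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
05/13/13 15:34:27 05/14/13 01:32:17 HTTP/t.p.no@TESTSONE2.P.LOCAL
renew until 05/14/13 15:32:13, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5
"""

# A ticket line: two timestamps followed by the service principal.
TICKET_RE = re.compile(
    r"^\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+(\S+)$")
# The continuation line printed by `klist -e`: session-key and ticket enctypes.
ETYPE_RE = re.compile(r"Etype \(skey, tkt\): (.+?), (.+)$")


def enctype_family(name: str) -> str:
    """Map an enctype display name from klist to a coarse family."""
    upper = name.upper()
    if "DES3" in upper or "TRIPLE" in upper:
        return "3des"
    if "DES" in upper:
        return "des"
    if "ARCFOUR" in upper or "RC4" in upper:
        return "rc4"
    if "AES" in upper:
        return "aes"
    return "other"


def audit_klist(output: str) -> list:
    """Return one dict per ticket: principal, skey/tkt enctype names, families."""
    tickets = []
    current = None
    for line in output.splitlines():
        line = line.strip()
        m = TICKET_RE.match(line)
        if m:
            current = {"principal": m.group(1)}
            tickets.append(current)
            continue
        m = ETYPE_RE.search(line)
        if m and current is not None:
            current["skey"], current["tkt"] = m.group(1), m.group(2)
            current["families"] = {enctype_family(current["skey"]),
                                   enctype_family(current["tkt"])}
    return tickets


def des_tickets(tickets: list) -> list:
    """Service principals whose ticket or session key uses single DES."""
    return [t["principal"] for t in tickets if "des" in t.get("families", set())]


if __name__ == "__main__":
    found = audit_klist(SAMPLE_KLIST)
    for t in found:
        print(t["principal"], sorted(t["families"]))
    print("DES-only service tickets:", des_tickets(SAMPLE_KLIST and found))
```

When this reports the HTTP service principal as DES, the durable fix is the one answer 1 points at: re-create the keytab with an AES enctype on a KDC and krb5 stack that support it, rather than re-enabling DES on every client.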