我在通过AD用户访问SSO的应用程序时,在Weblogic中收到以下错误。
> <> <> <1471875042422> <BEA-000000> <com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter.assertChallengeIdentity(Authorization.Negotiate)>
####<22-Aug-2016 15:10:42 o'clock BST> <Debug> <SecurityAtn> <ndl-wln-100.centricait.com> <ND_Manage1> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1471875042422> <BEA-000000> <GSSExceptionInfo:>
####<22-Aug-2016 15:10:42 o'clock BST> <Debug> <SecurityAtn> <ndl-wln-100.centricait.com> <ND_Manage1> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1471875042423> <BEA-000000> < major: (13) : No valid credentials provided>
####<22-Aug-2016 15:10:42 o'clock BST> <Debug> <SecurityAtn> <ndl-wln-100.centricait.com> <ND_Manage1> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1471875042423> <BEA-000000> < minor: (-1) : Failed to find any Kerberos credentails>
####<22-Aug-2016 15:10:42 o'clock BST> <Debug> <SecurityAtn> <ndl-wln-100.centricait.com> <ND_Manage1> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1471875042423> <BEA-000000> <acceptGssInitContextToken failed
com.bea.security.utils.kerberos.KerberosException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)
at com.bea.security.utils.kerberos.KerberosTokenHandler.acceptGssInitContextTokenInDoAs(KerberosTokenHandler.java:334)
at com.bea.security.utils.kerberos.KerberosTokenHandler.access$000(KerberosTokenHandler.java:41)
at com.bea.security.utils.kerberos.KerberosTokenHandler$1.run(KerberosTokenHandler.java:226)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
at com.bea.security.utils.kerberos.KerberosTokenHandler.acceptGssInitContextToken(KerberosTokenHandler.java:224)
at com.bea.security.utils.kerberos.KerberosTokenHandler.acceptGssInitContextToken(KerberosTokenHandler.java:152)
at com.bea.common.security.internal.utils.negotiate.SPNEGONegotiateToken.getUsername(SPNEGONegotiateToken.java:57)
at weblogic.security.providers.authentication.NegotiateIdentityAsserterProviderImpl.assertChallengeIdentity(NegotiateIdentityAsserterProviderImpl.java:210)
at com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter.assertChallengeIdentity(ChallengeIdentityAssertionProviderImpl.j
我已经使用kinit -V -k -t negotestserver.keytab HTTP/WL-HOST@MYDOMAIN.COM验证了keytab已成功通过身份验证。不知道什么是这个问题的解决方案,我们将不胜感激。
答案 0 :(得分:0)
很可能从浏览器发送到Weblogic的票证不是Kerberos票证,而是NTLM。 IE将使用NTLM而非Kerberos的原因有很多,大部分时间它都是错误的设置或Windows设置。你能查看日志里的票吗?如果它看起来像这样:
YIGCBgYrBgEFBQKgeDB2oDAwLgYKKwYBBAGCNwICCgYJKoZIgvcSAQICBgkqhkiG9xIBAgIGCisGAQQBgjcCAh6iQgRATlRMTVNTUAABAAAAl7II4g4ADgAyAAAACgAKACgAAAAGAbEdAAAAD0xBUFRPUC0yNDVMSUZFQUNDT1VOVExMQw==
它的NTLM。 Kerberos票证至少是两倍。