We use Kerberos authentication to perform SSO. Earlier, our product was on JRE 6 Update 22 and everything worked fine. We recently migrated to JRE 6 Update 45, and Kerberos authentication fails.

So, basically, the code performs two steps, "connect" and "login":
1. The "connect" step tests whether the SPN name and credentials (password or keytab) can log in to the domain and to the domain controller identified by the KDC information.
2. The "login" step does the same, and then also tries to bind to the AD LDAP service using the GSSAPI authentication mechanism. So it is trying to perform a GSSAPI bind, and it now fails at this step.
So, here is what happens:
1. Server (our product) sends AS-REQ to KDC
2. KDC responds back with error_code: KRB5KDC_ERR_PREAUTH_REQUIRED (25)
3. Server again sends AS-REQ to KDC with the timestamp
4. KDC responds back (AS-REP) with TGT
5. MCIM sends the TGS-REQ. From our analysis, this is the problem area: this request is populated with incorrect details as explained below.
6. KDC responds back with error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
Now, the problem here is that when the server sends the TGS-REQ, it sends the server name (unknown) as ldap/10.213.177.3, whereas with the older JRE version it used to send the TGS-REQ as ldap/win2008.mcssoiwa.hari (the host name of the KDC), even though the KDC IP was given. Now, the KDC has no SPN registered with ldap and the IP, while it does have an SPN registered as ldap/<host name of the KDC>.

If we explicitly run the setspn command for ldap/, everything starts working. So, what changed in the later versions of JRE 6 that causes this problem? This is a real blocker for us and we don't know how to fix it. Any help/guidance would be greatly appreciated.

The code that does this:
```java
import com.unboundid.ldap.sdk.GSSAPIBindRequest;
import com.unboundid.ldap.sdk.LDAPConnection;

// "request" holds the configured server (here given as an IP), port and authentication ID
LDAPConnection connection = new LDAPConnection(request.getServer(), request.getPort());
// Arguments: authentication ID, authorization ID, password, realm, KDC address, JAAS config file path
GSSAPIBindRequest bindRequest = new GSSAPIBindRequest(request.getAuthnId(), null, "N/A", null, null, "");
connection.bind(bindRequest); // throws exception
```
This throws the following exception:

```text
Caused by: com.unboundid.ldap.sdk.LDAPException: Unable to create the initial GSSAPI SASL request: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))] caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7)) caused by KrbException: Server not found in Kerberos database (7) caused by KrbException: Identifier doesn't match expected value (906)
at com.unboundid.ldap.sdk.SASLHelper.processSASLBind(SASLHelper.java:120)
at com.unboundid.ldap.sdk.GSSAPIBindRequest.run(GSSAPIBindRequest.java:1022)
... 56 common frames omitted
Caused by: javax.security.sasl.SaslException: GSS initiate failed
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
at com.unboundid.ldap.sdk.SASLHelper.processSASLBind(SASLHelper.java:114)
... 57 common frames omitted
Caused by: org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
... 59 common frames omitted
Caused by: sun.security.krb5.KrbException: Server not found in Kerberos database (7)
at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
... 62 common frames omitted
Caused by: sun.security.krb5.Asn1Exception: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(Unknown Source)
at sun.security.krb5.internal.TGSRep.init(Unknown Source)
at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
```
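One way to keep the requested SPN aligned with what the KDC has registered is to open the connection by host name rather than by IP, so that the TGS-REQ asks for ldap/<fqdn> instead of ldap/<ip>. This is an added example, not code from the question or from the UnboundID SDK; the `canonicalHost` helper, the placeholder principal and password, and the reliance on a reverse DNS (PTR) record for the domain controller are assumptions.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.regex.Pattern;

import com.unboundid.ldap.sdk.GSSAPIBindRequest;
import com.unboundid.ldap.sdk.LDAPConnection;

public class KerberosLdapBind {

    private static final Pattern IPV4 = Pattern.compile("^\\d{1,3}(\\.\\d{1,3}){3}$");

    // ':' marks an IPv6 literal; anything else that is not dotted-quad is treated as a name
    static boolean isIpLiteral(String host) {
        return IPV4.matcher(host).matches() || host.contains(":");
    }

    /** Host name to connect to, which is also what the Kerberos client puts in the SPN. */
    static String canonicalHost(String configuredServer) throws UnknownHostException {
        if (!isIpLiteral(configuredServer)) {
            return configuredServer; // already a name, use it as given
        }
        // Reverse-resolve the IP. This depends on a correct PTR record for the DC (assumption);
        // without one, getCanonicalHostName() returns the IP string unchanged.
        String name = InetAddress.getByName(configuredServer).getCanonicalHostName();
        if (isIpLiteral(name)) {
            throw new UnknownHostException("no reverse DNS entry for " + configuredServer
                    + "; a GSSAPI bind would ask the KDC for ldap/" + configuredServer);
        }
        return name;
    }

    public static void main(String[] args) throws Exception {
        String configuredServer = "10.213.177.3";    // IP from the question
        int port = 389;
        String authnId = "svc-account@EXAMPLE.COM"; // placeholder principal
        String password = "<placeholder>";          // placeholder, not a real secret

        // Prints the AS-REQ/TGS-REQ exchange, including the sname in the TGS-REQ,
        // so an ldap/<ip> vs ldap/<host> mismatch is visible before the bind fails.
        System.setProperty("sun.security.krb5.debug", "true");

        String host = canonicalHost(configuredServer); // e.g. win2008.mcssoiwa.hari
        LDAPConnection connection = new LDAPConnection(host, port);
        try {
            GSSAPIBindRequest bindRequest = new GSSAPIBindRequest(authnId, password);
            connection.bind(bindRequest); // TGS-REQ now carries ldap/<host>
            System.out.println("GSSAPI bind succeeded against " + host);
        } finally {
            connection.close();
        }
    }
}
```

The name returned by reverse lookup must match the SPN actually registered in AD, so check it against `setspn -L` on the domain controller before relying on it.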
Answer 0 (score: 0)

Two things: a brief skim of the changes in JDK 6 shows a few mentions of LDAP between Update 22 and Update 45. I can't immediately spot anything relevant; perhaps you will have to review all the detailed changes carefully.

The release notes of UnboundID's LDAP SDK for Java may also give some pointers. Perhaps you need to upgrade the SDK to compensate for the JDK changes.