Weblogic + Kerberos + SSO

时间:2015-01-20 09:22:25

标签: weblogic single-sign-on kerberos

我正在尝试使用weblogic和Kerberos配置单点登录。

所以,但我仍然得到登录页面,也许你可以告诉我这个日志有什么问题:

Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is /oracle/product12/user_projects/domains/test/krb/test.keytab refreshKrb5Config is false principal is kinp@TEST.ORG tryFirstPass is false useFirstPass is false storePass is false clearPass is false
KeyTab instance already exists
Added key: 23version: 19
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 3.
0: EncryptionKey: keyType=23 kvno=19 keyValue (hex dump)=
0000: C3 CB 19 1C 64 6E F9 7F   6A C9 31 FB EE 69 E7 35  ....dn..j.1..i.5


principal's key obtained from the keytab
Acquire TGT using AS Exchange
default etypes for default_tkt_enctypes: 23 3.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=192.168.0.100 UDP:88, timeout=30000, number of retries =3, #bytes=137
>>> KDCCommunication: kdc=192.168.0.100 UDP:88, timeout=30000,Attempt =1, #bytes=137
>>> KrbKdcReq send: #bytes read=181
>>> KrbKdcReq send: #bytes read=181
>>> KdcAccessibility: remove 192.168.0.100
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
     sTime is Tue Jan 20 10:46:05 EET 2015 1421743565000
     suSec is 576578
     error code is 25
     error Message is Additional pre-authentication required
     realm is TEST.ORG
     sname is krbtgt/TEST.ORG
     eData provided.
     msgType is 30
>>>Pre-Authentication Data:
     PA-DATA type = 11
     PA-ETYPE-INFO etype = 23
     PA-ETYPE-INFO salt = 
>>>Pre-Authentication Data:
     PA-DATA type = 19
     PA-ETYPE-INFO2 etype = 23
     PA-ETYPE-INFO2 salt = null
>>>Pre-Authentication Data:
     PA-DATA type = 2
     PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
     PA-DATA type = 16
>>>Pre-Authentication Data:
     PA-DATA type = 15
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
>>>KrbAsReq salt is TEST.ORGdev
default etypes for default_tkt_enctypes: 23 3.
Pre-Authenticaton: find key for etype = 23
AS-REQ: Add PA_ENC_TIMESTAMP now
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=192.168.0.100 UDP:88, timeout=30000, number of retries =3, #bytes=220
>>> KDCCommunication: kdc=192.168.0.100 UDP:88, timeout=30000,Attempt =1, #bytes=220
>>> KrbKdcReq send: #bytes read=1408
>>> KrbKdcReq send: #bytes read=1408
>>> KdcAccessibility: remove 192.168.0.100
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply dev
principal is dev@TEST.ORG
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: C3 CB 19 1C 64 6E F9 7F   6A C9 31 FB EE 69 E7 35  ....dn..j.1..i.5

Added server's keyKerberos Principal dev@TEST.ORGKey Version 19key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: C3 CB 19 1C 64 6E F9 7F   6A C9 31 FB EE 69 E7 35  ....dn..j.1..i.5


        [Krb5LoginModule] added Krb5Principal  dev@TEST.ORG to Subject
Commit Succeeded 

Found key for dev@TEST.ORG(23)
Entered Krb5Context.acceptSecContext with state=STATE_NEW

当我尝试访问登录页面时,我收到了这个日志。

错误异常:

com.bea.security.utils.kerberos.KerberosException: Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))
    at com.bea.security.utils.kerberos.KerberosTokenHandler.acceptGssInitContextTokenInDoAs(KerberosTokenHandler.java:334)
    at com.bea.security.utils.kerberos.KerberosTokenHandler.access$000(KerberosTokenHandler.java:41)
    at com.bea.security.utils.kerberos.KerberosTokenHandler$1.run(KerberosTokenHandler.java:226)
...
Caused By: GSSException: Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
...
Caused By: KrbException: Specified version of key is not available (44)
    at sun.security.krb5.EncryptionKey.findKey(EncryptionKey.java:516)
    at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:260)
    at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
...

谢谢!

1 个答案:

答案 0 :(得分:2)

无法发表评论,将此作为答案发布。您需要启用Weblogic的身份验证日志记录:

  1. 在Weblogic控制台中,点击“锁定&amp;编辑左上角的“按钮。
  2. 选择环境 - 左侧域结构portlet中的服务器。
  3. 在“服务器摘要”页面上选择您的服务器。
  4. 选择“调试”选项卡。
  5. 深入研究weblogic - security - atn。
  6. 选中DebugSecurityAtn。
  7. 字样左侧的复选框
  8. 点击页面顶部或底部的“启用”按钮。
  9. 再次转到您的服务器,单击“记录”选项卡,
  10. 向下滚动并点击高级
  11. 在“消息目标 - 日志文件”中将严重性级别更改为“调试”
  12. 点击页面顶部或底部的“保存”按钮。
  13. 点击左上角的“激活更改”。
  14. 之后尝试再次登录,您的日志中会有更多信息。