使用SPNEGO的Tomcat用户的SSO失败

Question

我在tomcat服务器上运行了一个应用程序。此应用程序使用SPNEGO模块使用Active Directory进行身份验证。

我们采取的步骤使这个设置工作：

1. 将Tomcat APP添加到AD域
2. 对APP进行REST API登录调用。此REST API调用将使用SPNEGO对AD执行身份验证/授权。

作为全新APP初始化的一部分，我们首次启动该应用，并将此应用主机添加到AD域。然后使执行AD授权的API调用失败，并显示以下错误。

类型例外报告：

message GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)

description The server encountered an internal error that prevented it from fulfilling this request.

exception

javax.servlet.ServletException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
    net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:238)
root cause

GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
    sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source)
    sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    net.sourceforge.spnego.SpnegoAuthenticator.doSpnegoAuth(SpnegoAuthenticator.java:444)
    net.sourceforge.spnego.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:283)
    net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:234)
root cause

KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC
    sun.security.krb5.KrbApReq.authenticate(Unknown Source)
    sun.security.krb5.KrbApReq.<init>(Unknown Source)
    sun.security.jgss.krb5.InitSecContextToken.<init>(Unknown Source)
    sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source)
    sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    net.sourceforge.spnego.SpnegoAuthenticator.doSpnegoAuth(SpnegoAuthenticator.java:444)
    net.sourceforge.spnego.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:283)
    net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:234)
note The full stack trace of the root cause is available in the Apache Tomcat/6.0.36 logs.

这表示SPNEGO无法找到解密与AD通信的密钥。

当我重新启动tomcat时，问题就消失了。在重新启动后如果Tomcat，用户可以成功执行基于SSO的授权。

我检查了keytab文件，一切正常。我们正在使用RC4-HMAC加密。还在主机上正确配置了login.conf和krb5.conf。 （因为重启后一切正常）

我在tomcat pid上运行strace以查看SPNEGO是否读取了keytab文件。似乎Tomcat / SPNEGO正在调用该文件的stat，但从未打开它。 Tomcat / SPNEGO认为无论它缓存的是什么都是正确的。

以下是该电话的行：

7832  1431560872.430550 stat("/var/pgsql/sync-dir/samba/tomcat-user.keytab",  <unfinished ...>
7832  1431560872.443416 <... stat resumed> {st_mode=S_IFREG|0600, st_size=894, ...}) = 0

我从来没有看到读取它。

如果有人看到SPNEGO缓存信息的问题，请告诉我，当我们重启Tomcat时问题就会消失