I have an application running on a Tomcat server. This application uses the SPNEGO module to authenticate against Active Directory.
The steps we took to get this setup working: Tomcat app -> add to the AD domain -> REST API login call. This REST API call uses SPNEGO to perform authentication/authorization against AD. As part of initializing a brand-new app, we start the application for the first time and add the app host to the AD domain. The API call that performs the AD authorization then fails with the following error:
type Exception report
message GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
description The server encountered an internal error that prevented it from fulfilling this request.
exception
javax.servlet.ServletException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:238)
root cause
GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source)
sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source)
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
net.sourceforge.spnego.SpnegoAuthenticator.doSpnegoAuth(SpnegoAuthenticator.java:444)
net.sourceforge.spnego.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:283)
net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:234)
root cause
KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC
sun.security.krb5.KrbApReq.authenticate(Unknown Source)
sun.security.krb5.KrbApReq.<init>(Unknown Source)
sun.security.jgss.krb5.InitSecContextToken.<init>(Unknown Source)
sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source)
sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source)
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
net.sourceforge.spnego.SpnegoAuthenticator.doSpnegoAuth(SpnegoAuthenticator.java:444)
net.sourceforge.spnego.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:283)
net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:234)
note The full stack trace of the root cause is available in the Apache Tomcat/6.0.36 logs.
This indicates that SPNEGO cannot find the key to decrypt the communication with AD.
When I restart Tomcat, the problem goes away. After the Tomcat restart, users can successfully perform SSO-based authorization.
I checked the keytab file and everything is fine. We are using RC4-HMAC encryption. login.conf and krb5.conf are also configured correctly on the host (since everything works after a restart).
I ran strace on the Tomcat pid to see whether SPNEGO reads the keytab file. It seems Tomcat/SPNEGO calls stat on the file but never opens it. Tomcat/SPNEGO assumes that whatever it has cached is correct.
Here are the lines for that call:
7832 1431560872.430550 stat("/var/pgsql/sync-dir/samba/tomcat-user.keytab", <unfinished ...>
7832 1431560872.443416 <... stat resumed> {st_mode=S_IFREG|0600, st_size=894, ...}) = 0
I never see it being read.
If anyone has seen a problem with SPNEGO caching information, please let me know; the problem goes away when we restart Tomcat.
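Since the error names a specific enctype (RC4-HMAC, Kerberos etype 23), the keytab check worth automating is whether the file actually holds a key of that type for the service principal. The parser below is an added example, not code from the post or from the SPNEGO library; it reads the MIT keytab format (version 0x0502) and reports each entry's principal, kvno and enctype. The principal name, keys and timestamp in the sample are constructed; pass the bytes of a real file such as /var/pgsql/sync-dir/samba/tomcat-user.keytab to parse_keytab instead.

```python
import struct
RC4_HMAC = 23  # Kerberos enctype number for rc4-hmac (RFC 4757), the type named in the error

def _cstr(data, pos):
    """Read a counted octet string (uint16 length + bytes); return (str, new_pos)."""
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data):
    """Parse an MIT-format keytab (version 0x0502, big-endian) into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos, end = pos + 4, pos + 4 + abs(size)
        if size <= 0:                       # negative size marks a deleted slot: skip it
            pos = end
            continue
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        realm, pos = _cstr(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _cstr(data, pos)
            comps.append(comp)
        # skip name_type (4) and timestamp (4); then 8-bit kvno, enctype, key length
        vno8, etype, klen = struct.unpack(">BHH", data[pos + 8:pos + 13])
        key, pos = data[pos + 13:pos + 13 + klen], pos + 13 + klen
        vno = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else vno8  # optional 32-bit kvno wins
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": vno, "etype": etype, "key": key})
        pos = end
    return entries

def has_key(entries, principal, etype=RC4_HMAC):
    """True if the keytab holds a key of the given enctype for the principal."""
    return any(e["principal"] == principal and e["etype"] == etype for e in entries)

def build_entry(principal, etype, key, kvno=2):
    """Serialize one keytab entry; used only to build the constructed sample below."""
    name, realm = principal.split("@")
    body = struct.pack(">H", len(name.split("/")))
    for s in [realm] + name.split("/"):
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, 1431560872, kvno, etype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: an AES256 key (etype 18) and an RC4-HMAC key for a hypothetical principal
SAMPLE_KEYTAB = (b"\x05\x02" + build_entry("HTTP/app.example.com@EXAMPLE.COM", 18, b"\x11" * 32)
                 + build_entry("HTTP/app.example.com@EXAMPLE.COM", RC4_HMAC, b"\x22" * 16))
```

A file that passes this check can still fail at runtime if the kvno it carries no longer matches the one the KDC issues tickets for (for example after the host was re-joined to the domain), since a key loaded before that change will not decrypt new tickets until the process reloads the keytab.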