Spring Security Kerberos + AD, Checksum failed

Date: 2015-11-25 22:13:02

Tags: java spring spring-security kerberos spring-security-kerberos

I'm trying to get Spring Security Kerberos working with Active Directory credentials as described at http://docs.spring.io/spring-security-kerberos/docs/1.0.1.RELEASE/reference/htmlsingle/#samples-sec-server-win-auth. I'd say I have most things sorted out (SPN, keytabs, etc.). Now my checksum is failing. If I change my principal name, I get an AES encryption error instead.

I'm using Spring Boot with Oracle Java 1.8 + JCE on RHEL 6, with the sample from https://github.com/spring-projects/spring-security-kerberos/tree/master/spring-security-kerberos-samples/sec-server-win-auth

This is what I get when running the jar:

Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is /home/boss/webdev125-3.keytab refreshKrb5Config is false principal is http/webdev@EXAMPLE.ORG tryFirstPass is false useFirstPass is false storePass is false clearPass is false
principal is http/webdev@EXAMPLE.ORG
Will use keytab
Commit Succeeded

...

2015-11-25 11:29:09.631 DEBUG 5559 --- [nio-8080-exec-3] .a.KerberosServiceAuthenticationProvider : Try to validate Kerberos Token
2015-11-25 11:29:10.003  WARN 5559 --- [nio-8080-exec-3] w.a.SpnegoAuthenticationProcessingFilter : Negotiate Header was invalid:

...

org.springframework.security.authentication.BadCredentialsException: Kerberos validation not successful
    at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:71)
    at org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:64)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)

...

Caused by: org.ietf.jgss.GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)

    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:856)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
    at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:906)
    at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:556)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
    at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:170)
    at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:153)
    ... 48 common frames omitted

Caused by: sun.security.krb5.KrbCryptoException: Checksum failed

    at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:102)
    at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:94)
    at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:175)
    at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:281)
    at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149)
    at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829)
    ... 56 common frames omitted

Caused by: java.security.GeneralSecurityException: Checksum failed

    at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:451)
    at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(AesDkCrypto.java:272)
    at sun.security.krb5.internal.crypto.Aes256.decrypt(Aes256.java:76)
    at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:100)
    ... 62 common frames omitted

Some other details:

  • /etc/krb5.conf does have default_tgs_enctypes and default_tkt_enctypes including aes256-cts-hmac-sha1-96
  • The default keytab location matches between the application and krb5.conf
  • The keytabs were generated on the Windows server and then copied to RHEL

2 Answers:

Answer 0 (score: 3)

It seems I had a conflict with an existing service principal mapping. Once I cleaned it up, the error stopped occurring. This link helped me find the solution - https://developer.jboss.org/wiki/ConfiguringJBossNegotiationInAnAllWindowsDomain?_sscc=t

Answer 1 (score: 0)

I ran into this problem recently.

The service's DNS name must match the service principal name. The principal name must start with HTTP/

Example: service DNS: www.ala-bala.com; the principal name must be: HTTP/ala-bala.com@REALM

The realm does not have to match the DNS name.

If you run locally, the DNS name obviously won't match the principal.

You can work around this by adding a line to /etc/hosts: 127.0.0.1 ala-bala.com

You can also use a client that lets you override the Kerberos host/principal name, such as request_kerberos in Python.
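Added example, not from the question or either answer: a small parser for the MIT keytab format (version 0x0502) that lists each entry's principal, kvno and enctype, with the keytab bytes constructed inline and the helper names (build_entry, parse_keytab, keys_for) my own. "Checksum failed" in the trace means an AES256 key for the principal was found but did not match the key the KDC used for the ticket, so the kvno and the exact principal name stored in the keytab are the first things to compare against the account that actually holds the SPN (the conflicting mapping in answer 0).

```python
import struct
# Kerberos enctype numbers (RFC 3961/3962/4757); 18 is the AES256 type named in the trace.
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _octets(b: bytes) -> bytes:  # keytab counted_octet_string: uint16 length, then the bytes
    return struct.pack(">H", len(b)) + b

def build_entry(principal: str, kvno: int, enctype: int, key: bytes) -> bytes:
    """Serialise one keytab (format 0x0502) entry; used here only to construct the sample."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _octets(realm.encode())  # count excludes the realm
    body += b"".join(_octets(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type NT-PRINCIPAL, timestamp, 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)  # keyblock, vno32
    return struct.pack(">i", len(body)) + body

def parse_keytab(data: bytes) -> list:
    """Parse a 0x0502 keytab into dicts of principal, kvno and enctype (key bytes are not kept)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size < 0:  # a negative size marks a deleted slot of that length: skip it
            pos -= size
            continue
        end = pos + size
        ncomp = struct.unpack_from(">H", data, pos)[0]
        pos, parts = pos + 2, []  # realm comes first, then the name components
        for _ in range(ncomp + 1):
            n = struct.unpack_from(">H", data, pos)[0]
            parts.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        vno8 = data[pos + 8]  # after name_type (4 bytes) and timestamp (4 bytes)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + klen
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append({"principal": "/".join(parts[1:]) + "@" + parts[0],
                        "kvno": kvno, "enctype": ENCTYPES.get(enctype, str(enctype))})
        pos = end
    return entries

def keys_for(entries: list, spn: str) -> list:
    """(enctype, kvno) pairs stored for an exact principal name; matching is case-sensitive."""
    return sorted((e["enctype"], e["kvno"]) for e in entries if e["principal"] == spn)

# Constructed sample: a deleted slot, then AES256 and RC4 keys for HTTP/webdev@EXAMPLE.ORG at kvno 3.
SAMPLE_KEYTAB = b"\x05\x02" + struct.pack(">i", -6) + b"\x00" * 6 + b"".join(
    build_entry("HTTP/webdev@EXAMPLE.ORG", 3, et, b"\x11" * n) for et, n in ((18, 32), (23, 16)))
```

Run parse_keytab on the bytes of a real keytab file and compare keys_for(entries, spn) with the kvno reported by the domain for the account that owns the SPN; a mismatch in kvno or in the principal spelling explains a ticket the service cannot decrypt.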