所以我正在尝试为AIX服务器(所以IBM JRE)实现SSO /集成安全系统。它使用Kerberos对AD进行身份验证。
请注意,以下数据已经过清理。
命令我的AD管理员用于在AD服务器上创建keytab文件(注意/ kvno 2)。
ktpass /princ HTTP/local.domain.com@LOCALDOMAIN.NET /mapuser PSLDAP@LOCALDOMAIN.NET /pass <PASSWORD> /crypto ALL /ptype KRB5_NT_PRINCIPAL /kvno 2 /out krb5.keytab
我的krb5.conf文件:
[libdefaults]
default_realm = LOCALDOMAIN.NET
default_keytab_name = FILE:/keytabs/krb.keytab
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
dns_lookup_kdc = true
dns_lookup_realm = true
[realms]
LOCALDOMAIN.NET = {
kdc = localdc08.localdomain.net:88
kdc = otherdc08.localdomain.net:88
admin_server = localdc08.localdomain.net:749
master_kdc = localdc08.localdomain.net
default_domain = LOCALDOMAIN.NET
}
[domain_realm]
.LOCALDOMAIN.NET = LOCALDOMAIN.NET
LOCALDOMAIN.NET = LOCALDOMAIN.NET
localdc08.localdomain.net = LOCALDOMAIN.NET
localdc08.localdomain.net = LOCALDOMAIN.NET
localdomain.net = LOCALDOMAIN.NET
.localdomain.net = LOCALDOMAIN.NET
[logging]
kdc = FILE:/var/krb5/log/krb5kdc.log
admin_server = FILE:/var/krb5/log/kadmin.log
kadmin_local = FILE:/var/krb5/log/kadmin_local.log
default = FILE:/var/krb5/log/krb5lib.log
这是我的LoginModule的krb5Login.conf:
krbServer {
com.ibm.security.auth.module.Krb5LoginModule required
credsType=acceptor
refreshKrb5Config=true
principal="HTTP/local.domain.com"
useKeytab="/keytabs/krb5.keytab"
debug=true;
};
这是我正在运行的java(因为IP无法透露整个事情)
context = new LoginContext("krbServer");
context.login();
// Get server credentials
Subject sub = context.getSubject();
serverCred = Subject.doAs(sub, new PrivilegedExceptionAction<GSSCredential>() {
public GSSCredential run() throws GSSException {
// mechanism OID for SPNEGO authentication
Oid spnegoOid = new Oid("1.3.6.1.5.5.2");
// null name defaults to currently logged in name
GSSCredential cred = authManager.createCredential(null,
GSSCredential.INDEFINITE_LIFETIME,
spnegoOid,
GSSCredential.ACCEPT_ONLY);
return cred;
}
});
context.logout();
当我调用上面的代码时,我得到以下调试输出:
Constructor With Arg: krbServer Version: 1.7.0 Home: /dev/jre
LoginContext Constructed
[JGSS_DBG_CRED] Thread-2 JAAS config: debug=true
[JGSS_DBG_CRED] Thread-2 JAAS config: principal=HTTP/local.domain.com
[JGSS_DBG_CRED] Thread-2 JAAS config: credsType=accept only
[JGSS_DBG_CRED] Thread-2 config: useDefaultCcache=false (default)
[JGSS_DBG_CRED] Thread-2 config: useCcache=null
[JGSS_DBG_CRED] Thread-2 config: useDefaultKeytab=false
[JGSS_DBG_CRED] Thread-2 config: useKeytab=/keytabs/krb5.keytab
[KRB_DBG_CFG] Config:Thread-2: ConfigFile: /etc/krb5/krb5.conf
[JGSS_DBG_CRED] Thread-2 JAAS config: forwardable=false (default)
[JGSS_DBG_CRED] Thread-2 JAAS config: renewable=false (default)
[JGSS_DBG_CRED] Thread-2 JAAS config: proxiable=false (default)
[JGSS_DBG_CRED] Thread-2 JAAS config: tryFirstPass=false (default)
[JGSS_DBG_CRED] Thread-2 JAAS config: useFirstPass=false (default)
[JGSS_DBG_CRED] Thread-2 JAAS config: moduleBanner=false (default)
[JGSS_DBG_CRED] Thread-2 JAAS config: interactive login? no
[JGSS_DBG_CRED] Thread-2 JAAS config: refreshKrb5Config = true
[KRB_DBG_CFG] Config:Thread-2: ConfigFile: /etc/krb5/krb5.conf
[KRB_DBG_KDC] KdcComm:Thread-2: >>> KdcAccessibility: reset
[KRB_DBG_KDC] KdcComm:Thread-2: >>> KdcAccessibility: reset
[JGSS_DBG_CRED] Thread-2 Try keytab for principal=HTTP/local.domain.com
[KRB_DBG_KTAB] KeyTab:Thread-2Loading the keytab file ... >>> KeyTab: load() entry length: 73
[KRB_DBG_KTAB] KeyTableInputStream:Thread-2: >>> KeyTabInputStream, readName(): LOCALDOMAIN.NET
[KRB_DBG_KTAB] KeyTableInputStream:Thread-2: >>> KeyTabInputStream, readName(): HTTP
[KRB_DBG_KTAB] KeyTableInputStream:Thread-2: >>> KeyTabInputStream, readName(): local.domain.com
[KRB_DBG_KDC] EncryptionKey:Thread-2: >>> EncryptionKey: config default key type is rc4-hmac
[KRB_DBG_KTAB] KeyTab:Thread-2: Added key: 23 version: 2
[KRB_DBG_KTAB] KeyTab:Thread-2: Ordering keys wrt default_tkt_enctypes list
[JGSS_DBG_CRED] Thread-2 No Kerberos creds in keytab for principal HTTP/local.domain.com
[JGSS_DBG_CRED] Thread-2 Login successful
[JGSS_DBG_CRED] Thread-2 kprincipal : HTTP/local.domain.com@LOCALDOMAIN.NET
[JGSS_DBG_CRED] Thread-2 HTTP/local.domain.com@LOCALDOMAIN.NET added to Subject
[JGSS_DBG_CRED] Thread-2 Attempting to add KeyTab to Subject for HTTP/local.domain.com@LOCALDOMAIN.NET
[JGSS_DBG_CRED] Thread-2 find keys for HTTP/local.domain.com@LOCALDOMAIN.NET
[KRB_DBG_KTAB] KeyTab:Thread-2: Added key: 23 version: 2
[KRB_DBG_KTAB] KeyTab:Thread-2: Ordering keys wrt default_tkt_enctypes list
[JGSS_DBG_CRED] Thread-2 No keys to add to Subject for HTTP/local.domain.com@LOCALDOMAIN.NET
LoginContext login() method executed
LoginContext getSubject() method executed
Subject doAs() method executed, serverCred Name: default Lifetime: 2147483647
[JGSS_DBG_CRED] Thread-2 KeyTab is removed from subject
[JGSS_DBG_CRED] Thread-2 KerberosKey Kerberos Principal HTTP/local.domain.com@LOCALDOMAIN.NETKey Version 2key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: <MASKED>
当我打电话
public String validate(String encToken) {
byte[] token = Base64.decode(encToken);
GSSContext authContext;
try {
authContext = authManager.createContext(serverCred);
authContext.acceptSecContext(token, 0, token.length);
if (authContext.isEstablished()) {
return authContext.getSrcName().toString();
}
} catch (GSSException e) {
// fall through to the return
}
return null;
}
}
我发现在我的令牌上调用的“acceptSecContext”命令返回一个值。我一直认为acceptSecContext只返回需要传递回启动器的值。但是,发起者不希望回复。另外(更重要的是),。isEstablished()方法返回false。
所以我的问题是
1)上述设置有什么问题吗?
2)为什么在我为上下文对象调用login()方法时会发生这种情况?
[JGSS_DBG_CRED] Thread-2 Attempting to add KeyTab to Subject for HTTP/local.domain.com@LOCALDOMAIN.NET
[JGSS_DBG_CRED] Thread-2 find keys for HTTP/local.domain.com@LOCALDOMAIN.NET
[KRB_DBG_KTAB] KeyTab:Thread-2: Added key: 23 version: 2
[KRB_DBG_KTAB] KeyTab:Thread-2: Ordering keys wrt default_tkt_enctypes list
[JGSS_DBG_CRED] Thread-2 No keys to add to Subject for HTTP/local.domain.com@LOCALDOMAIN.NET
如果它找到了密钥23版本2,为什么它会说“没有密钥添加到主体@域的主题?为什么它没有添加它找到的密钥?它是否有kvno = 2的问题?
3)我搜索得非常详尽,我无法确定如何解析acceptSecContext的输出以找出返回值是什么。我正在接收的返回值(base-64编码)是oQcwBaADCgEC。
编辑:更新。 acceptSecContext十六进制值的返回值是: 0xA1 0x07 0x30 0x05 0xA0 0x03 0x0A 0x01 0x02
从以下站点(https://msdn.microsoft.com/en-us/library/ms995330.aspx#http-sso-2_topic2)中获取第一个十六进制值(A1)对应于NegTokenTarg。那讲得通。
下一个八位字节应该是长度(如果长度需要更多八位字节,则最高位为1)。由于最高位为0,因此长度为7个八位字节。退房。
下一个八位字节(0x30)表示构造的SEQUENCE,下一个八位字节是SEQUENCE长度(0x05); 5个八位字节,检查出来。
然后我们有0xA0,0x03,0x0A,0x01,表示序列元素0(negResult)。
最后一个八位字节(0x02)是ENUMERATED值,被“拒绝”。
所以我的令牌被拒绝了。我怎么弄清楚“为什么”?我想我需要让AD团队确切了解他们到底发生了什么。
答案 0 :(得分:0)
您是否尝试手动测试kinit和SPN提供的keytab?同样在你的jaas.conf中你可能会使用useKeyTab = true和keyTab =&#34; keytab_filename&#34;。但这可能是您的IBM JDK特有的东西。
答案 1 :(得分:0)
我发现了遇到类似问题的其他人的问题。
事实证明OID不起作用。
对我的java代码进行以下更改以检索服务器凭据解决了问题:
serverCred = Subject.doAs(sub, new PrivilegedExceptionAction<GSSCredential>() {
public GSSCredential run() throws GSSException {
// mechanism OID for SPNEGO authentication
Oid spnegoOid = new Oid("1.3.6.1.5.5.2");
// null name defaults to currently logged in name
GSSCredential cred = authManager.createCredential(null,
GSSCredential.INDEFINITE_LIFETIME,
spnegoOid,
GSSCredential.ACCEPT_ONLY);
cred.add(null,
GSSCredential.INDEFINITE_LIFETIME,
GSSCredential.INDEFINITE_LIFETIME,
new Oid("1.2.840.113554.1.2.2"),
GSSCredential.ACCEPT_ONLY);
return cred;
}
我认为这与我不会来回谈判任何事情(发起者和接受者)有关,所以SPNEGO从来没有真正有机会告诉发起人它更喜欢什么机制和可用的机制,但是我的印象是SPNEGO Oid可以容纳许多不同的机制,所以我的工作原理有点不清楚,但它有效。
附录:经过进一步的研究,我能够找到一个模糊的参考问题,原因是&#34;在AIX&#34;的GSSCredential实现中有一些深层次的功能。所以你有它。