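I have to configure WildFly 10 to support SSO against Microsoft Active Directory. The server is running on Windows Server 2012 R2.
I have tried a few configurations and recommendations found via Google.
Every time I get
PBOX00206: Login failure: javax.security.auth.login.LoginException: Continuation Required.
This is not necessarily an error, because it is only shown when DEBUG is turned on.
The web browser gets 401 - Unauthorized.
I am stuck on this.
Do you know what is wrong, or what I can do now?
standalone.xml (partial only)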
<!-- JVM-wide Kerberos settings: KDC, realm, krb5.conf location and JDK Kerberos debug output -->
<system-properties>
    <property name="jboss.security.disable.secdomain.option" value="true" />
    <property name="sun.security.krb5.debug" value="true" />
    <property name="java.security.krb5.kdc" value="dns.xxx.cz" />
    <property name="java.security.krb5.realm" value="XXX.CZ" />
    <property name="java.security.krb5.conf" value="d:\\krb5.conf" />
</system-properties>
<!-- The server's own identity: Kerberos login from the keytab as the HTTP service principal -->
<security-domain name="host" cache-type="default">
    <authentication>
        <login-module code="Kerberos" flag="required">
            <module-option name="debug" value="true"/>
            <module-option name="storeKey" value="true"/>
            <module-option name="refreshKrb5Config" value="true"/>
            <module-option name="useKeyTab" value="true"/>
            <module-option name="doNotPrompt" value="true"/>
            <module-option name="keytab" value="d:\\web.keytab"/>
            <module-option name="principal" value="HTTP/server.xxx.cz@XXX.CZ"/>
        </login-module>
    </authentication>
</security-domain>
<!-- SPNEGO login module that refers to the "host" domain above, followed by AdvancedLdap, which reads roles from memberOf -->
<security-domain name="SPNEGO" cache-type="default">
    <authentication>
        <login-module code="SPNEGOUsers" flag="required">
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="serverSecurityDomain" value="host"/>
        </login-module>
        <login-module code="AdvancedLdap" flag="requisite">
            <module-option name="jaasSecurityDomain" value="host"/>
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="java.naming.security.authentication" value="simple"/>
            <module-option name="java.naming.provider.url" value="ldap://192.168.1.1:3268"/>
            <module-option name="bindDN" value="CN=svc,DC=xxx,DC=cz"/>
            <module-option name="bindCredential" value="password"/>
            <module-option name="baseCtxDN" value="DC=xxx,DC=cz"/>
            <module-option name="baseFilter" value="(userPrincipalName={0})"/>
            <module-option name="rolesCtxDN" value="DC=xxx,DC=cz"/>
            <module-option name="roleAttributeIsDN" value="true"/>
            <module-option name="roleAttributeID" value="memberOf"/>
            <module-option name="roleNameAttributeID" value="cn"/>
            <module-option name="recurseRoles" value="true"/>
            <module-option name="allowEmptyPassword" value="false"/>
        </login-module>
    </authentication>
</security-domain>
WildFly output
2016-03-29 13:51:26,011 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) removeRealmFromPrincipal=false
2016-03-29 13:51:26,026 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) serverSecurityDomain=host
2016-03-29 13:51:26,026 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) usernamePasswordDomain=null
2016-03-29 13:51:26,026 INFO [stdout] (default task-4) Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is HTTP/server.xxx.cz@xxx.CZ tryFirstPass is false useFirstPass is false storePass is false clearPass is false
2016-03-29 13:51:26,026 INFO [stdout] (default task-4) Java config name: d:\\krb5.conf
2016-03-29 13:51:26,026 INFO [stdout] (default task-4) Loaded from Java config
2016-03-29 13:51:26,026 INFO [stdout] (default task-4) >>> KeyTabInputStream, readName(): xxx.CZ
2016-03-29 13:51:26,026 INFO [stdout] (default task-4) >>> KeyTabInputStream, readName(): HTTP
2016-03-29 13:51:26,042 INFO [stdout] (default task-4) >>> KeyTabInputStream, readName(): server.xxx.cz
2016-03-29 13:51:26,042 INFO [stdout] (default task-4) >>> KeyTab: load() entry length: 55; type: 1
2016-03-29 13:51:26,042 INFO [stdout] (default task-4) >>> KeyTabInputStream, readName(): xxx.CZ
2016-03-29 13:51:26,042 INFO [stdout] (default task-4) >>> KeyTabInputStream, readName(): HTTP
2016-03-29 13:51:26,042 INFO [stdout] (default task-4) >>> KeyTabInputStream, readName(): server.xxx.cz
2016-03-29 13:51:26,042 INFO [stdout] (default task-4) >>> KeyTab: load() entry length: 55; type: 3
2016-03-29 13:51:26,042 INFO [stdout] (default task-4) >>> KeyTabInputStream, readName(): xxx.CZ
2016-03-29 13:51:26,042 INFO [stdout] (default task-4) >>> KeyTabInputStream, readName(): HTTP
2016-03-29 13:51:26,042 INFO [stdout] (default task-4) >>> KeyTabInputStream, readName(): server.xxx.cz
2016-03-29 13:51:26,042 INFO [stdout] (default task-4) >>> KeyTab: load() entry length: 63; type: 23
2016-03-29 13:51:26,042 INFO [stdout] (default task-4) >>> KeyTabInputStream, readName(): xxx.CZ
2016-03-29 13:51:26,042 INFO [stdout] (default task-4) >>> KeyTabInputStream, readName(): HTTP
2016-03-29 13:51:26,042 INFO [stdout] (default task-4) >>> KeyTabInputStream, readName(): server.xxx.cz
2016-03-29 13:51:26,042 INFO [stdout] (default task-4) >>> KeyTab: load() entry length: 79; type: 18
2016-03-29 13:51:26,042 INFO [stdout] (default task-4) >>> KeyTabInputStream, readName(): xxx.CZ
2016-03-29 13:51:26,042 INFO [stdout] (default task-4) >>> KeyTabInputStream, readName(): HTTP
2016-03-29 13:51:26,042 INFO [stdout] (default task-4) >>> KeyTabInputStream, readName(): server.xxx.cz
2016-03-29 13:51:26,042 INFO [stdout] (default task-4) >>> KeyTab: load() entry length: 63; type: 17
2016-03-29 13:51:26,042 INFO [stdout] (default task-4) Looking for keys for: HTTP/server.xxx.cz@xxx.CZ
2016-03-29 13:51:26,042 INFO [stdout] (default task-4) Added key: 17version: 4
2016-03-29 13:51:26,058 INFO [stdout] (default task-4) Added key: 18version: 4
2016-03-29 13:51:26,058 INFO [stdout] (default task-4) Added key: 23version: 4
2016-03-29 13:51:26,058 INFO [stdout] (default task-4) Found unsupported keytype (3) for HTTP/server.xxx.cz@xxx.CZ
2016-03-29 13:51:26,058 INFO [stdout] (default task-4) Found unsupported keytype (1) for HTTP/server.xxx.cz@xxx.CZ
2016-03-29 13:51:26,058 INFO [stdout] (default task-4) >>> KdcAccessibility: reset
2016-03-29 13:51:26,058 INFO [stdout] (default task-4) Looking for keys for: HTTP/server.xxx.cz@XXX.CZ
2016-03-29 13:51:26,058 INFO [stdout] (default task-4) Added key: 17version: 4
2016-03-29 13:51:26,058 INFO [stdout] (default task-4) Added key: 18version: 4
2016-03-29 13:51:26,058 INFO [stdout] (default task-4) Added key: 23version: 4
2016-03-29 13:51:26,058 INFO [stdout] (default task-4) Found unsupported keytype (3) for HTTP/server.xxx.cz@XXX.CZ
2016-03-29 13:51:26,058 INFO [stdout] (default task-4) Found unsupported keytype (1) for HTTP/server.xxx.cz@XXX.CZ
2016-03-29 13:51:26,058 INFO [stdout] (default task-4) default etypes for default_tkt_enctypes: 23 18 17 16.
2016-03-29 13:51:26,058 INFO [stdout] (default task-4) >>> KrbAsReq creating message
2016-03-29 13:51:26,073 INFO [stdout] (default task-4) >>> KrbKdcReq send: kdc=adsrv.xxx.cz UDP:88, timeout=30000, number of retries =3, #bytes=145
2016-03-29 13:51:26,073 INFO [stdout] (default task-4) >>> KDCCommunication: kdc=adsrv.xxx.cz UDP:88, timeout=30000,Attempt =1, #bytes=145
2016-03-29 13:51:26,073 INFO [stdout] (default task-4) >>> KrbKdcReq send: #bytes read=182
2016-03-29 13:51:26,073 INFO [stdout] (default task-4) >>>Pre-Authentication Data:
2016-03-29 13:51:26,073 INFO [stdout] (default task-4) PA-DATA type = 19
2016-03-29 13:51:26,089 INFO [stdout] (default task-4) PA-ETYPE-INFO2 etype = 18, salt = XXX.CZHTTPserver.xxx.cz, s2kparams = null
2016-03-29 13:51:26,089 INFO [stdout] (default task-4) PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
2016-03-29 13:51:26,089 INFO [stdout] (default task-4)
2016-03-29 13:51:26,089 INFO [stdout] (default task-4) >>>Pre-Authentication Data:
2016-03-29 13:51:26,089 INFO [stdout] (default task-4) PA-DATA type = 2
2016-03-29 13:51:26,089 INFO [stdout] (default task-4) PA-ENC-TIMESTAMP
2016-03-29 13:51:26,089 INFO [stdout] (default task-4) >>>Pre-Authentication Data:
2016-03-29 13:51:26,089 INFO [stdout] (default task-4) PA-DATA type = 16
2016-03-29 13:51:26,089 INFO [stdout] (default task-4)
2016-03-29 13:51:26,089 INFO [stdout] (default task-4) >>>Pre-Authentication Data:
2016-03-29 13:51:26,089 INFO [stdout] (default task-4) PA-DATA type = 15
2016-03-29 13:51:26,089 INFO [stdout] (default task-4)
2016-03-29 13:51:26,089 INFO [stdout] (default task-4) >>> KdcAccessibility: remove adsrv.xxx.cz
2016-03-29 13:51:26,089 INFO [stdout] (default task-4) >>> KDCRep: init() encoding tag is 126 req type is 11
2016-03-29 13:51:26,089 INFO [stdout] (default task-4) >>>KRBError:
2016-03-29 13:51:26,089 INFO [stdout] (default task-4) sTime is Tue Mar 29 13:51:26 CEST 2016 1459252286000
2016-03-29 13:51:26,089 INFO [stdout] (default task-4) suSec is 834289
2016-03-29 13:51:26,089 INFO [stdout] (default task-4) error code is 25
2016-03-29 13:51:26,089 INFO [stdout] (default task-4) error Message is Additional pre-authentication required
2016-03-29 13:51:26,089 INFO [stdout] (default task-4) sname is krbtgt/XXX.CZ@XXX.CZ
2016-03-29 13:51:26,089 INFO [stdout] (default task-4) eData provided.
2016-03-29 13:51:26,105 INFO [stdout] (default task-4) msgType is 30
2016-03-29 13:51:26,105 INFO [stdout] (default task-4) >>>Pre-Authentication Data:
2016-03-29 13:51:26,105 INFO [stdout] (default task-4) PA-DATA type = 19
2016-03-29 13:51:26,105 INFO [stdout] (default task-4) PA-ETYPE-INFO2 etype = 18, salt = XXX.CZHTTPserver.xxx.cz, s2kparams = null
2016-03-29 13:51:26,105 INFO [stdout] (default task-4) PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
2016-03-29 13:51:26,105 INFO [stdout] (default task-4)
2016-03-29 13:51:26,105 INFO [stdout] (default task-4) >>>Pre-Authentication Data:
2016-03-29 13:51:26,105 INFO [stdout] (default task-4) PA-DATA type = 2
2016-03-29 13:51:26,105 INFO [stdout] (default task-4) PA-ENC-TIMESTAMP
2016-03-29 13:51:26,105 INFO [stdout] (default task-4) >>>Pre-Authentication Data:
2016-03-29 13:51:26,105 INFO [stdout] (default task-4) PA-DATA type = 16
2016-03-29 13:51:26,105 INFO [stdout] (default task-4)
2016-03-29 13:51:26,105 INFO [stdout] (default task-4) >>>Pre-Authentication Data:
2016-03-29 13:51:26,105 INFO [stdout] (default task-4) PA-DATA type = 15
2016-03-29 13:51:26,105 INFO [stdout] (default task-4)
2016-03-29 13:51:26,105 INFO [stdout] (default task-4) KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
2016-03-29 13:51:26,105 INFO [stdout] (default task-4) default etypes for default_tkt_enctypes: 23 18 17 16.
2016-03-29 13:51:26,105 INFO [stdout] (default task-4) Looking for keys for: HTTP/server.xxx.cz@XXX.CZ
2016-03-29 13:51:26,105 INFO [stdout] (default task-4) Added key: 17version: 4
2016-03-29 13:51:26,105 INFO [stdout] (default task-4) Added key: 18version: 4
2016-03-29 13:51:26,105 INFO [stdout] (default task-4) Added key: 23version: 4
2016-03-29 13:51:26,120 INFO [stdout] (default task-4) Found unsupported keytype (3) for HTTP/server.xxx.cz@XXX.CZ
2016-03-29 13:51:26,120 INFO [stdout] (default task-4) Found unsupported keytype (1) for HTTP/server.xxx.cz@XXX.CZ
2016-03-29 13:51:26,120 INFO [stdout] (default task-4) Looking for keys for: HTTP/server.xxx.cz@XXX.CZ
2016-03-29 13:51:26,120 INFO [stdout] (default task-4) Added key: 17version: 4
2016-03-29 13:51:26,120 INFO [stdout] (default task-4) Added key: 18version: 4
2016-03-29 13:51:26,120 INFO [stdout] (default task-4) Added key: 23version: 4
2016-03-29 13:51:26,120 INFO [stdout] (default task-4) Found unsupported keytype (3) for HTTP/server.xxx.cz@XXX.CZ
2016-03-29 13:51:26,120 INFO [stdout] (default task-4) Found unsupported keytype (1) for HTTP/server.xxx.cz@XXX.CZ
2016-03-29 13:51:26,120 INFO [stdout] (default task-4) default etypes for default_tkt_enctypes: 23 18 17 16.
2016-03-29 13:51:26,120 INFO [stdout] (default task-4) >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
2016-03-29 13:51:26,120 INFO [stdout] (default task-4) >>> KrbAsReq creating message
2016-03-29 13:51:26,120 INFO [stdout] (default task-4) >>> KrbKdcReq send: kdc=adsrv.xxx.cz UDP:88, timeout=30000, number of retries =3, #bytes=232
2016-03-29 13:51:26,120 INFO [stdout] (default task-4) >>> KDCCommunication: kdc=adsrv.xxx.cz UDP:88, timeout=30000,Attempt =1, #bytes=232
2016-03-29 13:51:26,136 INFO [stdout] (default task-4) >>> KrbKdcReq send: #bytes read=84
2016-03-29 13:51:26,136 INFO [stdout] (default task-4) >>> KrbKdcReq send: kdc=adsrv.xxx.cz TCP:88, timeout=30000, number of retries =3, #bytes=232
2016-03-29 13:51:26,136 INFO [stdout] (default task-4) >>> KDCCommunication: kdc=adsrv.xxx.cz TCP:88, timeout=30000,Attempt =1, #bytes=232
2016-03-29 13:51:26,151 INFO [stdout] (default task-4) >>>DEBUG: TCPClient reading 1478 bytes
2016-03-29 13:51:26,151 INFO [stdout] (default task-4) >>> KrbKdcReq send: #bytes read=1478
2016-03-29 13:51:26,151 INFO [stdout] (default task-4) >>> KdcAccessibility: remove adsrv.xxx.cz
2016-03-29 13:51:26,151 INFO [stdout] (default task-4) Looking for keys for: HTTP/server.xxx.cz@XXX.CZ
2016-03-29 13:51:26,151 INFO [stdout] (default task-4) Added key: 17version: 4
2016-03-29 13:51:26,151 INFO [stdout] (default task-4) Added key: 18version: 4
2016-03-29 13:51:26,151 INFO [stdout] (default task-4) Added key: 23version: 4
2016-03-29 13:51:26,151 INFO [stdout] (default task-4) Found unsupported keytype (3) for HTTP/server.xxx.cz@XXX.CZ
2016-03-29 13:51:26,151 INFO [stdout] (default task-4) Found unsupported keytype (1) for HTTP/server.xxx.cz@XXX.CZ
2016-03-29 13:51:26,151 INFO [stdout] (default task-4) >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
2016-03-29 13:51:26,151 INFO [stdout] (default task-4) >>> KrbAsRep cons in KrbAsReq.getReply HTTP/server.xxx.cz
2016-03-29 13:51:26,151 INFO [stdout] (default task-4) principal is HTTP/server.xxx.cz@XXX.CZ
2016-03-29 13:51:26,151 INFO [stdout] (default task-4) Will use keytab
2016-03-29 13:51:26,151 INFO [stdout] (default task-4) Commit Succeeded
2016-03-29 13:51:26,167 INFO [stdout] (default task-4)
2016-03-29 13:51:26,167 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) Subject = Subject:
Principal: HTTP/server.xxx.cz@XXX.CZ
Private Credential: Ticket (hex) =
Client Principal = HTTP/server.xxx.cz@XXX.CZ
Server Principal = krbtgt/XXX.CZ@XXX.CZ
Session Key = EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: 10 A6 39 17 84 65 5E 8C 5B 39 22 E4 2A 9E 95 97 ..9..e^.[9".*...
Forwardable Ticket false
Forwarded Ticket false
Proxiable Ticket false
Proxy Ticket false
Postdated Ticket false
Renewable Ticket false
Initial Ticket false
Auth Time = Tue Mar 29 13:51:26 CEST 2016
Start Time = Tue Mar 29 13:51:26 CEST 2016
End Time = Tue Mar 29 23:51:26 CEST 2016
Renew Till = null
Client Addresses Null
Private Credential: Default keytab for HTTP/server.xxx.cz@XXX.CZ
2016-03-29 13:51:26,198 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) Logged in 'host' LoginContext
2016-03-29 13:51:26,198 INFO [stdout] (default task-4) [Krb5LoginModule]: Entering logout
2016-03-29 13:51:26,198 INFO [stdout] (default task-4) [Krb5LoginModule]: logged out Subject
2016-03-29 13:51:26,198 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) NegotiationContext.setContinuationRequired(true)
2016-03-29 13:51:26,214 DEBUG [org.jboss.security] (default task-4) PBOX00206: Login failure: javax.security.auth.login.LoginException: Continuation Required.
at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:192)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:406)
at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345)
at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:333)
at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146)
at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verifyCredential(JAASIdentityManagerImpl.java:123)
at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verify(JAASIdentityManagerImpl.java:96)
at org.jboss.security.negotiation.NegotiationMechanism.authenticate(NegotiationMechanism.java:99)
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233)
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250)
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219)
at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121)
at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96)
at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
2016-03-29 13:51:26,625 TRACE [org.jboss.security] (default task-3) PBOX00201: End isValid, result = false
2016-03-29 13:51:26,625 TRACE [org.jboss.security.negotiation.common.NegotiationContext] (default task-3) clear 35ec8348
2016-03-29 13:51:26,641 TRACE [org.jboss.security] (default task-3) PBOX00354: Setting security roles ThreadLocal: null
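Answer 0 (score: 2)
You have hit https://issues.jboss.org/browse/JBEAP-3709, which will be fixed in WildFly once https://github.com/wildfly/wildfly/pull/8816 is merged.
The solution is to upgrade org.jboss.security.negotiation to version 3.0.2.Final, which you can do either by rebuilding WildFly with the above pull request merged, or by changing it in the directory modules/system/layers/base/org/jboss/security/negotiation/main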
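One way to confirm that the module directory named in this answer really carries jars at 3.0.2 or later is sketched below. This is an added example, not part of the original answer or of WildFly; the jar naming pattern, the `make_sample_home` helper and the sample jar names are assumptions made for the demonstration.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Module directory below the WildFly home, as named in the answer above.
MODULE_DIR = Path("modules/system/layers/base/org/jboss/security/negotiation/main")
MIN_VERSION = (3, 0, 2)  # 3.0.2.Final, the version the answer names

# Assumption: jars are named <artifact>-<major>.<minor>.<micro>[.<qualifier>].jar
JAR_RE = re.compile(r"^(.+?)-(\d+)\.(\d+)\.(\d+)(?:[.-][\w-]+)?\.jar$")


def listed_jars(module_dir):
    """Return the jar paths that module.xml declares as resource roots."""
    module_xml = Path(module_dir) / "module.xml"
    if not module_xml.is_file():
        raise FileNotFoundError(f"no module.xml in {module_dir}")
    # module.xml is namespaced, so match on the local element name.
    return [e.get("path", "") for e in ET.parse(module_xml).iter()
            if e.tag.rsplit("}", 1)[-1] == "resource-root"]


def check_negotiation_module(wildfly_home):
    """Return a list of problems; an empty list means every jar is >= MIN_VERSION."""
    module_dir = Path(wildfly_home) / MODULE_DIR
    problems = []
    jars = listed_jars(module_dir)
    if not jars:
        problems.append("module.xml lists no resource-root jars")
    for jar in jars:
        m = JAR_RE.match(jar)
        if not m:
            problems.append(f"{jar}: cannot read a version from the file name")
            continue
        version = tuple(int(g) for g in m.groups()[1:])
        if version < MIN_VERSION:
            problems.append(f"{jar}: older than {'.'.join(map(str, MIN_VERSION))}")
        # Catches a module.xml that was edited without copying the new jar.
        if not (module_dir / jar).is_file():
            problems.append(f"{jar}: listed in module.xml but missing on disk")
    return problems


def make_sample_home(root, jar_names, copy_jars=True):
    """Build a constructed WildFly-like tree for the demo (not a real install)."""
    module_dir = Path(root) / MODULE_DIR
    module_dir.mkdir(parents=True)
    roots = "".join(f'<resource-root path="{j}"/>' for j in jar_names)
    (module_dir / "module.xml").write_text(
        '<module xmlns="urn:jboss:module:1.3" name="org.jboss.security.negotiation">'
        f"<resources>{roots}</resources></module>")
    if copy_jars:
        for j in jar_names:
            (module_dir / j).touch()
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample: one jar still at the old version.
        make_sample_home(tmp, ["jboss-negotiation-spnego-3.0.0.Final.jar"])
        for problem in check_negotiation_module(tmp):
            print("PROBLEM:", problem)
```

Against a real installation, pass the WildFly home directory to `check_negotiation_module` and expect an empty list after the upgrade.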
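Answer 1 (score: 0)
I confirm that Kerberos authentication works with the latest jboss-negotiation module (version 3.0.3) and WildFly 10.0.0. The "Continuation Required" exception is still thrown, but it is masked in the log (unless the log category org.jboss.security is set to DEBUG). I ran some tests with WildFly 10.1.0 and confirm that Kerberos authentication works out of the box there (it ships with jboss-negotiation module 3.0.2), but it is still better to patch to jboss-negotiation 3.0.3 if you are going to use LDAP for role mapping as well (because of an LDAP bug fix in that version).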
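The debug output in the question can be read mechanically to separate a keytab or KDC fault from the "Continuation Required" case that both answers describe. The script below is an added example, not code from the original posts or from WildFly; the verdict names are hypothetical, `QUESTION_LOG` is abridged from the question's output, and `BAD_KEYTAB_LOG` is constructed.

```python
import re

# Kerberos encryption type numbers as they appear in the JDK debug output.
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
          17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
          23: "rc4-hmac"}
# KDC error codes from RFC 4120. Code 25 is expected when the first AS-REQ
# carries no pre-authentication data; the client then re-sends the request.
KDC_ERRORS = {6: "client principal unknown", 14: "etype not supported",
              24: "pre-authentication failed",
              25: "pre-authentication required", 37: "clock skew too great"}


def triage(lines):
    """Classify one login attempt from sun.security.krb5.debug / PicketBox lines."""
    keys, errors = set(), []
    service_login = continuation = False
    for line in lines:
        m = re.search(r"Added key: (\d+)\s*version", line)
        if m:
            keys.add(int(m.group(1)))          # key usable for the principal
        m = re.search(r"error code is (\d+)", line)
        if m:
            errors.append(int(m.group(1)))     # KRBError returned by the KDC
        if "Commit Succeeded" in line:
            service_login = True               # Krb5LoginModule obtained its TGT
        if "LoginException: Continuation Required" in line:
            continuation = True                # SPNEGO wants another round trip
    if not keys:
        verdict = "no_keytab_key"
    elif any(e != 25 for e in errors):
        verdict = "kdc_error"
    elif not service_login:
        verdict = "service_login_incomplete"
    elif continuation:
        verdict = "negotiation_pending"        # not a keytab or KDC fault
    else:
        verdict = "service_login_ok"
    return {
        "keytab_etypes": [ETYPES.get(k, str(k)) for k in sorted(keys)],
        "kdc_errors": [(e, KDC_ERRORS.get(e, "see RFC 4120")) for e in errors],
        "service_login": service_login,
        "continuation_required": continuation,
        "verdict": verdict,
    }


# Abridged from the output in the question.
QUESTION_LOG = """\
2016-03-29 13:51:26,042 INFO [stdout] (default task-4) Added key: 17version: 4
2016-03-29 13:51:26,058 INFO [stdout] (default task-4) Added key: 18version: 4
2016-03-29 13:51:26,058 INFO [stdout] (default task-4) Added key: 23version: 4
2016-03-29 13:51:26,058 INFO [stdout] (default task-4) Found unsupported keytype (3) for HTTP/server.xxx.cz@XXX.CZ
2016-03-29 13:51:26,089 INFO [stdout] (default task-4) error code is 25
2016-03-29 13:51:26,105 INFO [stdout] (default task-4) KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
2016-03-29 13:51:26,151 INFO [stdout] (default task-4) Commit Succeeded
2016-03-29 13:51:26,214 DEBUG [org.jboss.security] (default task-4) PBOX00206: Login failure: javax.security.auth.login.LoginException: Continuation Required.
""".splitlines()

# Constructed counter-example: the KDC rejects the key held in the keytab.
BAD_KEYTAB_LOG = """\
INFO [stdout] (default task-1) Added key: 18version: 4
INFO [stdout] (default task-1) error code is 25
INFO [stdout] (default task-1) error code is 24
""".splitlines()

if __name__ == "__main__":
    for name, log in (("question", QUESTION_LOG), ("bad keytab", BAD_KEYTAB_LOG)):
        print(name, "->", triage(log)["verdict"])
```

A `negotiation_pending` verdict means the keytab, principal and KDC settings did their job, which matches the answers pointing at the jboss-negotiation module version rather than the Kerberos configuration.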