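I am running into a strange problem when using GSSAPI for Kerberos / LDAP authentication. I have a simple Java class that authenticates to Kerberos and then performs an LDAP search.
This program fails against some KDC / AD controllers with the following exception: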
No encryption was performed by peer.
[stderr] javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: Final handshake failed [Caused by GSSException: Token had invalid integrity check (Mechanism level: Corrupt checksum in Wrap token)]]
[stderr] at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:150)
[stderr] at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
[stderr] at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2694)
[stderr] at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
[stderr] at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
[stderr] at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
[stderr] at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
[stderr] at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
[stderr] at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
[stderr] at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
[stderr] at javax.naming.InitialContext.init(InitialContext.java:223)
[stderr] at javax.naming.InitialContext.<init>(InitialContext.java:197)
[stderr] at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
[stderr] at com.ricoh.test.LdapGSSApiTest.search(LdapGSSApiTest.java:199)
[stderr] at com.ricoh.test.JndiAction.run(LdapGSSApiTest.java:440)
[stderr] at java.security.AccessController.doPrivileged(Native Method)
[stderr] at javax.security.auth.Subject.doAs(Subject.java:337)
[stderr] at com.ricoh.test.LdapGSSApiTest.search_gssapi(LdapGSSApiTest.java:189)
[stderr] at com.ricoh.test.LdapGSSApiTest.runTest(LdapGSSApiTest.java:111)
[stderr] at com.ricoh.test.ButtonTest$1.actionPerformed(ButtonTest.java:123)
[stderr] at jp.co.ricoh.dsdk.panel.Button.processActionEvent(Unknown Source)
[stderr] at jp.co.ricoh.dsdk.panel.Button.processEvent(Unknown Source)
[stderr] at jp.co.ricoh.dsdk.panel.Button.fire(Unknown Source)
[stderr] at jp.co.ricoh.dsdk.panel.Component$MultiEventHandlerImpl.exec(Unknown Source)
[stderr] at jp.co.ricoh.dsdk.core.manager.EventRunner$Dispatcher.processEvent(Unknown Source)
[stderr] at jp.co.ricoh.dsdk.core.manager.EventRunner$Dispatcher.run(Unknown Source)
[stderr] Caused by: javax.security.sasl.SaslException: Final handshake failed [Caused by GSSException: Token had invalid integrity check (Mechanism level: Corrupt checksum in Wrap token)]
[stderr] at com.sun.security.sasl.gsskerb.GssKrb5Client.doFinalHandshake(GssKrb5Client.java:310)
[stderr] at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:169)
[stderr] at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:114)
[stderr] ... 25 more
[stderr] Caused by: GSSException: Token had invalid integrity check (Mechanism level: Corrupt checksum in Wrap token)
[stderr] at sun.security.jgss.krb5.WrapToken_v2.getDataFromBuffer(WrapToken_v2.java:257)
[stderr] at sun.security.jgss.krb5.WrapToken_v2.getData(WrapToken_v2.java:189)
[stderr] at sun.security.jgss.krb5.WrapToken_v2.getData(WrapToken_v2.java:164)
[stderr] at sun.security.jgss.krb5.Krb5Context.unwrap(Krb5Context.java:946)
[stderr] at sun.security.jgss.GSSContextImpl.unwrap(GSSContextImpl.java:384)
[stderr] at com.sun.security.sasl.gsskerb.GssKrb5Client.doFinalHandshake(GssKrb5Client.java:216)
[stderr] ... 27 more
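I am running Java 1.6 and have the RC4 encryption type disabled on 1 server.
Does anyone know what might be causing this? Are there any known issues with the JVM?
Note: I am able to run the program correctly against some of our KDCs and perform the LDAP search correctly.
Update: My program works fine with JDK-8, so I guess it is an issue related to Java 1.6.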