Spring Security Kerberos - Unable to use HMAC

Time: 2017-06-30 20:49:43

Tags: spring kerberos spring-security-kerberos

After configuring spring-kerberos, I get the following error:

 Caused by: java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
            at java.security.AccessController.doPrivileged(Native Method)
            at javax.security.auth.Subject.doAs(Subject.java:421)
            at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:68)
            ... 38 more
    Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
            at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:788)
            at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
            at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
            at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:905)
            at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:556)
            at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
            at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
            at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:170)
            at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:153)
            ... 41 more
    Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC
            at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:270)
            at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:144)
            at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108)

I verified the keytab generation with kinit:

kinit HTTP/httpweb.metsys.loc@METSYS.LOC@METSYS.LOC -k -t http-web.keytab

My principal and keytab are:

app.service-principal=HTTP/httpweb.metsys.loc@METSYS.LOC
app.keytab-location=/HTTP-web.keytab

I added the following to krb5.conf:

[libdefaults]
        default_realm = METSYS.LOC
        default_tgs_enctypes = rc4-hmac
        default_tkt_enctypes = rc4-hmac

I created the SPN and the keytab with:

setspn -A HTTP/httpweb@METSYS.loc http-web
ktpass /out http-web.keytab /mapuser http-web@METSYS.LOC /princ HTTP/httpweb.metsys.loc@METSYS.LOC  /pass Password_1 /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT /kvno 0

I followed many posts, but none of them solved this problem.

Thanks for your help.

0 answers:

No answers