I am having a hard time getting authentication to a Java web container working on Windows 2012 (I have tried both Tomcat and Jetty).
Every time I try the Negotiate auth scheme I get the error: org.ietf.jgss.GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
Steps to reproduce
First set up a Windows Server 2012 or 2016 instance and install Active Directory Domain Services.
In my case I created:
NETBIOS domain name: NICKIS
DNS domain name: nickis.life
Create the Kerberos principal user in Active Directory
Important: make sure the first name, last name and full name are all the same!
The new user in my case is:
DN = CN=kerberos500,CN=Users,DC=nickis,DC=life
登录+域 = kerberos500@nickis.life
NETBIOS \ samAccountName = NICKIS\kerberos500
Run the setspn command from the Windows Active Directory server
setspn -A HTTP/nickis.life@NICKIS.LIFE kerberos500
Sample output:
C:\Users\Administrator>setspn -A HTTP/nickis.life kerberos500
Checking domain DC=nickis,DC=life
Registering ServicePrincipalNames for CN=kerberos500,CN=Users,DC=nickis,DC=life
HTTP/kerberos500.nickis.life
Updated object
Run the ktpass command from the Windows Active Directory server
ktpass -out c:\Users\Administrator\kerberos500.keytab -princ HTTP/nickis.life@NICKIS.LIFE -mapUser kerberos500 -mapOp set -pass XXXXpasswordforkerberos500userXXXX -crypto DES-CBC-MD5 -pType KRB5_NT_PRINCIPAL +DesOnly
Sample output:
C:\Users\Administrator>ktpass -out c:\Users\Administrator\kerberos500.keytab -princ HTTP/nickis.life@NICKIS.LIFE -mapUser kerberos500 -mapOp set -pass xxxxxxxx -crypto DES-CBC-MD5 -pType KRB5_NT_PRINCIPAL +DesOnly
Targeting domain controller: WIN-OVV6VHBGIB8.nickis.life
Using legacy password setting method
Successfully mapped HTTP/kerberos500.nickis.life to kerberos500.
Key created.
Output keytab to c:\Users\Administrator\kerberos500.keytab:
Keytab version: 0x502
keysize 71 HTTP/kerberos500.nickis.life@NICKIS.LIFE ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0xcd07200bea625d20)
Account kerberos500 has been set for DES-only encryption.
At this point you have a keytab file:
c:\Users\Administrator\kerberos500.keytab
and a user principal:
HTTP/kerberos500.nickis.life@NICKIS.LIFE
These are the 2 inputs needed to feed the GSSApi to do single sign-on with Kerberos.
So I deploy these inputs into the Kerberos security realm of the web container in the Hadoop security module.
curl test: I tried testing it with curl, which failed:
curl --negotiate -u : http://nickis.life:8080/my/webapp
Internet Explorer test: I also tried with Internet Explorer. I added the nickis.life
domain to the trusted sites in Internet Explorer. Then I launched the site in Internet Explorer: http://nickis.life:8080
Either way I get the following error:
org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:398) ~[hadoop-auth-2.7.1.jar:?]
...
Caused by: org.ietf.jgss.GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at sun.security.jgss.GSSHeader.<init>(Unknown Source) ~[?:1.8.0_131]
at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source) ~[?:1.8.0_131]
at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source) ~[?:1.8.0_131]
at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:365) ~[hadoop-auth-2.7.1.jar:?]
at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:347) ~[hadoop-auth-2.7.1.jar:?]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_131]
at javax.security.auth.Subject.doAs(Unknown Source) ~[?:1.8.0_131]
at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:347) ~[hadoop-auth-2.7.1.jar:?]
I'm stumped. Note: I have found several links here and there, but none of them followed the steps as I have summarised them here, and none provided a solution for me.
Can anyone track down what I have messed up here?
Update:
fusionis.life
, and the AD server is WIN-OVV6VHBGIB8.fusionis.life
DESKTOP-VTPBE99.fusionis.life
dnsmgmt.msc
and added a "Forward Lookup Zone" containing "kerberos500.nickis.life", with an A (host) record set to the IP of the
DESKTOP-VTPBE99.fusionis.life box.
C:\Users\Administrator>ktpass -out c:\Users\Administrator\kerberos500.keytab -princ HTTP/kerberos500.nickis.life@NICKIS.LIFE -mapUser kerberos500 -mapOp set -pass xxxxxxxxx -crypto ALL -pType KRB5_NT_PRINCIPAL
Targeting domain controller: WIN-OVV6VHBGIB8.fusionis.life
Using legacy password setting method
Successfully mapped HTTP/kerberos500.nickis.life to kerberos500.
Key created.
Key created.
Key created.
Key created.
Key created.
Output keytab to c:\Users\Administrator\kerberos500.keytab:
Keytab version: 0x502
keysize 67 HTTP/kerberos500.nickis.life@NICKIS.LIFE ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x1 (DES-CBC-CRC) keylength 8 (0x04e30b9183ba8389)
keysize 67 HTTP/kerberos500.nickis.life@NICKIS.LIFE ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x3 (DES-CBC-MD5) keylength 8 (0x04e30b9183ba8389)
keysize 75 HTTP/kerberos500.nickis.life@NICKIS.LIFE ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x17 (RC4-HMAC) keylength 16 (0xe39a141de38abd8750bf9c0bf49fd1c5)
keysize 91 HTTP/kerberos500.nickis.life@NICKIS.LIFE ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x12 (AES256-SHA1) keylength 32 (0xe368a1b060cfe4816f522c1c5f62ca07fe201ed96c6d018054dfbd5b86251892)
keysize 75 HTTP/kerberos500.nickis.life@NICKIS.LIFE ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x11 (AES128-SHA1) keylength 16 (0x1b1a548fa2893a78c6f4c7f9c482b614)
I saved the updated keytab file on the server, then updated the service principal to HTTP/kerberos500.nickis.life@NICKIS.LIFE
I logged on to the Tomcat machine as a domain user, added http://kerberos500.nickis.life to the trusted sites, then navigated to http://kerberos500.nickis.life:8764
I tried every combination of the encryption checkboxes on the "Account" tab of the kerberos500 AD user.
Now I get a new error...
GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)
Update:
Finally solved it. I was getting that last error because I needed fusionis.life
with nickis.life
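Two things the poster had to get right are visible in the ktpass output above: the principal name in the keytab (HTTP/kerberos500.nickis.life@NICKIS.LIFE) must match the host the browser actually puts in the URL, and the first keytab was DES-only. The following Python parser, an added example that is not code from the original question or from Hadoop, reads the keytab v0x502 layout that ktpass writes and reports those mismatches. The keytab bytes it builds in the usage block are constructed to mirror the first ktpass run in the post; the "weak enctype" policy and the assumption that the client requests HTTP/<host exactly as written in the URL> are this example's own.

```python
"""Parse a Kerberos keytab (MIT/Heimdal version 0x0502, the format ktpass
writes) and check it against the URL the browser will request.

Added example, not code from the original post. The keytab bytes in the
usage below are constructed to mirror the first ktpass run in the post.
"""
import struct
from dataclasses import dataclass

# RFC 3961/4757 enctype numbers as printed by ktpass (etype 0x3, 0x17, ...)
ENCTYPES = {1: "DES-CBC-CRC", 3: "DES-CBC-MD5", 17: "AES128-CTS-HMAC-SHA1-96",
            18: "AES256-CTS-HMAC-SHA1-96", 23: "RC4-HMAC"}
WEAK_ENCTYPES = {1, 3, 23}  # policy assumed for this example: DES and RC4 are weak


@dataclass
class KeytabEntry:
    principal: str   # e.g. HTTP/kerberos500.nickis.life@NICKIS.LIFE
    name_type: int   # 1 = KRB5_NT_PRINCIPAL
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def build_keytab(entries):
    """Serialise entries in keytab v2 layout (big-endian, 32-bit kvno appended)."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))  # v2 count excludes realm
        for s in [realm] + comps:                         # counted octet strings
            raw = s.encode()
            body += struct.pack(">H", len(raw)) + raw
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)                 # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body        # this is ktpass' "keysize"
    return bytes(out)


def parse_keytab(data):
    """Return the list of KeytabEntry records in a v0x502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # a negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        strings = []
        for _ in range(ncomp + 1):  # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, pos)
            pos += 2
            strings.append(data[pos:pos + n].decode())
            pos += n
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:      # the 32-bit kvno is present only if bytes remain
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append(KeytabEntry("/".join(strings[1:]) + "@" + strings[0],
                                   name_type, ts, kvno, enctype, key))
    return entries


def check_service_keytab(entries, url_host, realm):
    """Problems a SPNEGO acceptor would hit with this keytab for http://url_host/.

    Assumption: the client requests HTTP/<host as written in the URL>@REALM and
    the acceptor matches that name exactly against the keytab.
    """
    expected = "HTTP/%s@%s" % (url_host, realm.upper())
    have = sorted({e.principal for e in entries})
    problems = []
    if expected not in have:
        problems.append("no key for %s (keytab has: %s)" % (expected, ", ".join(have)))
    for e in entries:
        if e.enctype in WEAK_ENCTYPES:
            problems.append("%s: weak enctype %s" % (e.principal, ENCTYPES.get(e.enctype, e.enctype)))
    kvnos = {e.kvno for e in entries if e.principal == expected}
    if len(kvnos) > 1:      # stale keys: password reset but keytab not regenerated
        problems.append("%s: mixed kvno %s" % (expected, sorted(kvnos)))
    return problems


if __name__ == "__main__":
    # Constructed to mirror the first ktpass run in the post (DES-only, kvno 3).
    first = KeytabEntry("HTTP/kerberos500.nickis.life@NICKIS.LIFE", 1, 0, 3, 3,
                        bytes.fromhex("cd07200bea625d20"))
    blob = build_keytab([first])
    for e in parse_keytab(blob):
        print(e.principal, "kvno", e.kvno, ENCTYPES.get(e.enctype, e.enctype))
    for p in check_service_keytab([first], "nickis.life", "NICKIS.LIFE"):
        print("PROBLEM:", p)
```

Run against a real file with parse_keytab(open(path, "rb").read()); the entry size the parser reads back for the DES entry (71 bytes with the trailing 32-bit kvno, 67 without) matches the "keysize" column ktpass prints above, which is a quick way to confirm the layout. The check reproduces the poster's two findings: with the URL http://nickis.life:8080 there is no key for HTTP/nickis.life@NICKIS.LIFE, and the only key present is DES.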
Try this:
Solution 1
Run on the Windows command line:
ksetup /addkdc
ksetup /addhosttorealmmap
and configure the SPNEGO settings in the browser
Solution 2
Try with Firefox, after doing the following first:
1) Open this URL in Firefox:
about:config
2) Set: network.negotiate-auth.trusted-uris
to whatever cluster DNS domain requires negotiate authentication (for example, Kerberos-enabled cluster HTTP authentication).
Example:
network.negotiate-auth.trusted-uris = .lily.cloudera.com,.solr.cloudera.com
3) Set: network.auth.use-sspi = false
4) Restart Firefox
5) You have to download the Windows installer from here:
http://web.mit.edu/kerberos/dist/#kfw-4.0
6) Copy the Kerberos client configuration to
C:\ProgramData\MIT\Kerberos5\krb5.ini
7) Create a ticket using the MIT Kerberos GUI client
8) Try Firefox again
Hope it helps.