Tomcat 8 SPNEGO单点登录无法正常工作

时间:2018-03-21 16:57:52

标签: authentication tomcat single-sign-on spnego

我是SPNEGO的新手,我尝试了很多教程,花了很多时间寻找解决方案。最后我在这里问我的问题:在身份验证期间出了什么问题,如何解决?

以下是我的配置&日志(Tomcat在Windows 10上运行以进行开发)。我已经使用IE11,Chrome和Firefox进行了测试(所有版本都在当前版本中)。

编辑:将Apache更新到8.0.50并更改了新日志

EDIT2:我管理了一步。下面的配置和日志已更新。特别是Kerberos日志很有意思,因为“使用state = STATE_IN_PROCESS输入Krb5Context.initSecContext”行表示到目前为止一切正常。但在此之后又有一次退出。

Systemdaten:

Using CATALINA_BASE:   "D:\Projekte\DEV_Verwaltung\apache-tomcat"
Using CATALINA_HOME:   "D:\Projekte\DEV_Verwaltung\apache-tomcat"
Using CATALINA_TMPDIR: "D:\Projekte\DEV_Verwaltung\apache-tomcat\temp"
Using JRE_HOME:        "C:\Program Files\Java\jdk1.8.0_162"
Using CLASSPATH:       "D:\Projekte\DEV_Verwaltung\apache-tomcat\bin\bootstrap.jar;D:\Projekte\DEV_Verwaltung\apache-tomcat\bin\tomcat-juli.jar"
Server version: Apache Tomcat/8.0.50
Server built:   Feb 7 2018 20:06:05 UTC
Server number:  8.0.50.0
OS Name:        Windows 10
OS Version:     10.0
Architecture:   amd64
JVM Version:    1.8.0_162-b12
JVM Vendor:     Oracle Corporation

1)krb5.ini 

[libdefaults]
default_realm = DEV.LOCAL
default_keytab_name = FILE:D:\Projekte\DEV_Verwaltung\apache-tomcat\conf\tomcat.keytab
default_tkt_enctypes = rc4-hmac,AES-256-CTS-HMAC-SHA1-96,AES-128-CTS-HMAC-SHA1-96
default_tgs_enctypes = rc4-hmac,AES-256-CTS-HMAC-SHA1-96,AES-128-CTS-HMAC-SHA1-96
permitted_enctypes = rc4-hmac,AES-256-CTS-HMAC-SHA1-96,AES-128-CTS-HMAC-SHA1-96

forwardable=true

[realms]
DEV.LOCAL = {
        kdc = dev-dc01.dev.local:88
}

[domain_realm]
dev.local= DEV.LOCAL
.dev.local= DEV.LOCAL

2)jaas.conf 

com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/dev160.dev.local@DEV.LOCAL"
    useKeyTab=true
    keyTab="D:/Projekte/DEV_Verwaltung/apache-tomcat/conf/tomcat.keytab"
    storeKey=true
    debug=true
    moduleBanner=true;
};

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    useKeyTab=true
    storeKey=true
    debug=true
    moduleBanner=true
    principal="HTTP/dev160.dev.local@DEV.LOCAL"
    keyTab="D:/Projekte/DEV_Verwaltung/apache-tomcat/conf/tomcat.keytab"
    ;
};

3)server.xml的相关部分

<Engine name="Catalina" defaultHost="localhost">
    <Realm className="org.apache.catalina.realm.JNDIRealm"
           debug="9"
           connectionURL="ldap://dev-dc01.dev.local:389" 
           userBase="OU=Benutzer,OU=DEV,DC=dev,DC=local"
           userSubtree="true"
           userSearch="(sAMAccountName={0})"
           userRoleName="memberOf" 
           roleBase="OU=MA-Portal,OU=TomcatSSO,DC=dev,DC=local"
           roleName="cn"
           roleSearch="(member={0})" 
           roleSubtree="true" 
           roleNested="true"
           authentication="none"
           useDelegatedCredential="true" 
           spnegoDelegationQop="auth"
           stripRealmForGss="false"
           />
    <Host name="localhost" appBase="webapps">
        <Context docBase="/MA-Portal" path="">
            <Valve className="org.apache.catalina.authenticator.SpnegoAuthenticator"
                   storeDelegatedCredential="true" />
        </Context>
    </Host>
</Engine>

4)web.xml的一部分

<security-constraint>
        <web-resource-collection>
            <web-resource-name>DEV Portal</web-resource-name>
            <url-pattern>/index.xob</url-pattern>
            <url-pattern>/index.html</url-pattern>
            <http-method>DELETE</http-method>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config> 
        <auth-method>SPNEGO</auth-method> 
    </login-config>

5)setspn:

C:\>setspn -l tc01
Registered ServicePrincipalNames for CN=Tomcat DEV160,OU=Aktiv,OU=Benutzer,OU=DEV,DC=dev,DC=local:
        http/dev160.dev.local@DEV.LOCAL

6)创建密钥表文件:

ktpass -out tomcat.keytab -mapuser tc01@dev.local -princ HTTP/dev160.dev.local@DEV.LOCAL -ptype KRB5_NT_PRINCIPAL -kvno 0 -crypto All -pass mySecurePassword

7)日志文件(打开Kerberos调试):

Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is D:/Projekte/DEV_Verwaltung/apache-tomcat/conf/tomcat.keytab refreshKrb5Config is false principal is HTTP/dev160.dev.local@DEV.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Looking for keys for: HTTP/dev160.dev.local@DEV.LOCAL
Added key: 18version: 0
Looking for keys for: HTTP/dev160.dev.local@DEV.LOCAL
Added key: 18version: 0
default etypes for default_tkt_enctypes: 18.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=dev-dc01.dev.local TCP:88, timeout=30000, number of retries =3, #bytes=145
>>> KDCCommunication: kdc=dev-dc01.dev.local TCP:88, timeout=30000,Attempt =1, #bytes=145
>>>DEBUG: TCPClient reading 184 bytes
>>> KrbKdcReq send: #bytes read=184
>>>Pre-Authentication Data:
     PA-DATA type = 19
     PA-ETYPE-INFO2 etype = 18, salt = DEV.LOCALHTTPdev160.dev.local, s2kparams = null

>>>Pre-Authentication Data:
     PA-DATA type = 2
     PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
     PA-DATA type = 16

>>>Pre-Authentication Data:
     PA-DATA type = 15

>>> KdcAccessibility: remove dev-dc01.dev.local:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
     sTime is Thu Mar 22 11:45:39 CET 2018 1521715539000
     suSec is 637032
     error code is 25
     error Message is Additional pre-authentication required
     sname is krbtgt/DEV.LOCAL@DEV.LOCAL
     eData provided.
     msgType is 30
>>>Pre-Authentication Data:
     PA-DATA type = 19
     PA-ETYPE-INFO2 etype = 18, salt = DEV.LOCALHTTPdev160.dev.local, s2kparams = null

>>>Pre-Authentication Data:
     PA-DATA type = 2
     PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
     PA-DATA type = 16

>>>Pre-Authentication Data:
     PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 18.
Looking for keys for: HTTP/dev160.dev.local@DEV.LOCAL
Added key: 18version: 0
Looking for keys for: HTTP/dev160.dev.local@DEV.LOCAL
Added key: 18version: 0
default etypes for default_tkt_enctypes: 18.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=dev-dc01.dev.local TCP:88, timeout=30000, number of retries =3, #bytes=232
>>> KDCCommunication: kdc=dev-dc01.dev.local TCP:88, timeout=30000,Attempt =1, #bytes=232
>>>DEBUG: TCPClient reading 1501 bytes
>>> KrbKdcReq send: #bytes read=1501
>>> KdcAccessibility: remove dev-dc01.dev.local:88
Looking for keys for: HTTP/dev160.dev.local@DEV.LOCAL
Added key: 18version: 0
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/dev160.dev.local
principal is HTTP/dev160.dev.local@DEV.LOCAL
Will use keytab
Commit Succeeded 

Found KeyTab D:\Projekte\DEV_Verwaltung\apache-tomcat\conf\tomcat.keytab for HTTP/dev160.dev.local@DEV.LOCAL
Found KeyTab D:\Projekte\DEV_Verwaltung\apache-tomcat\conf\tomcat.keytab for HTTP/dev160.dev.local@DEV.LOCAL
Found ticket for HTTP/dev160.dev.local@DEV.LOCAL to go to krbtgt/DEV.LOCAL@DEV.LOCAL expiring on Thu Mar 22 21:45:39 CET 2018
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Looking for keys for: HTTP/dev160.dev.local@DEV.LOCAL
Added key: 18version: 0
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
default etypes for permitted_enctypes: 18.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
MemoryCache: add 1521715539/009934/6F0C350291AF99F8B1C96420B2CA9A91/JochenA@DEV.LOCAL to JochenA@DEV.LOCAL|HTTP/DEV160.dev.local@DEV.LOCAL
>>> KrbApReq: authenticate succeed.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>>Delegated Creds have pname=JochenA@DEV.LOCAL sname=krbtgt/DEV.LOCAL@DEV.LOCAL authtime=null starttime=20180322104539Z endtime=20180322204539ZrenewTill=20180329104539Z
Krb5Context setting peerSeqNumber to: 1164363412
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Krb5Context setting mySeqNumber to: 97594329
Found ticket for HTTP/dev160.dev.local@DEV.LOCAL to go to krbtgt/DEV.LOCAL@DEV.LOCAL expiring on Thu Mar 22 21:45:39 CET 2018
Entered Krb5Context.initSecContext with state=STATE_NEW
Found ticket for HTTP/dev160.dev.local@DEV.LOCAL to go to krbtgt/DEV.LOCAL@DEV.LOCAL expiring on Thu Mar 22 21:45:39 CET 2018
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
default etypes for default_tgs_enctypes: 18.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbKdcReq send: kdc=dev-dc01.dev.local TCP:88, timeout=30000, number of retries =3, #bytes=1433
>>> KDCCommunication: kdc=dev-dc01.dev.local TCP:88, timeout=30000,Attempt =1, #bytes=1433
>>>DEBUG: TCPClient reading 1432 bytes
>>> KrbKdcReq send: #bytes read=1432
>>> KdcAccessibility: remove dev-dc01.dev.local:88
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbApReq: APOptions are 00100000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Krb5Context setting mySeqNumber to: 374044442
Created InitSecContextToken:
0000: 01 00 6E 82 05 4F 30 82   05 4B A0 03 02 01 05 A1  ..n..O0..K......
0010: 03 02 01 0E A2 07 03 05   00 20 00 00 00 A3 82 04  ......... ......
0020: 54 61 82 04 50 30 82 04   4C A0 03 02 01 05 A1 0B  Ta..P0..L.......
:
0540: 86 C5 5C 0A 24 74 6D E4   A2 1A 01 E7 8B 7C B7 2A  ..\.$tm........*
0550: 9B 00 96 39 C8                                     ...9.

Entered Krb5Context.initSecContext with state=STATE_IN_PROCESS
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Krb5Context setting peerSeqNumber to: 1856492318
Krb5Context.unwrap: token=[05 04 05 ff 00 0c 00 0c 00 00 00 00 6e a7 d3 1e fb 6f 0b 44 ed 16 da 31 19 c5 ca c0 07 a0 00 00 ]
Krb5Context.unwrap: data=[07 a0 00 00 ]
Krb5Context.wrap: data=[01 01 00 00 ]
Krb5Context.wrap: token=[05 04 04 ff 00 0c 00 00 00 00 00 00 16 4b 77 1a 01 01 00 00 66 ac 65 95 f2 e1 61 4f 00 2b 8e 51 ]
        [Krb5LoginModule]: Entering logout
        [Krb5LoginModule]: logged out Subject

据我所知,一切看起来应该可行,但在浏览器中会出现一个登录对话框。当我输入凭据时,收到错误403拒绝访问指定的资源。

因此身份验证失败。但为什么?感谢您的帮助。

祝你好运

约亨

1 个答案:

答案 0 :(得分:2)

有效!

我忘记的是与AD组匹配的“安全角色”标签。在使用正确的组添加标签后(CN = MyUsers,OU = ....,DC = dev,DC = local),一切都开始有效。

<security-constraint>
    <web-resource-collection>
        <web-resource-name>DEV DEV-Portal</web-resource-name>
        <!--<url-pattern>/index.xob</url-pattern>
        <url-pattern>/index.html</url-pattern>
        <url-pattern>/test.xob</url-pattern>-->
        <url-pattern>/*</url-pattern>
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
        <http-method>TRACE</http-method>
        <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>CN=DEV-Portal-Users,OU=DEV-Portal,OU=TomcatSSO,DC=dev,DC=local</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<security-role>
    <description>DEV-Portal-Users</description>
    <role-name>CN=DEV-Portal-Users,OU=DEV-Portal,OU=TomcatSSO,DC=dev,DC=local</role-name>
</security-role>

感谢所有试图帮助我的人。

约亨

相关问题
最新问题