自上周以来我一直在尝试这个但到目前为止没有运气。 尝试在Windows和AD(使用LDAP)上使用weblogic12c启用SSO
1)创建了一个全新的用户,为他启用了AES 128 2)在AD
上执行以下命令setspn -S HTTP / APPDEV2004.domain.com http_weblogic_test
使用命令验证输出 setspn -l http_weblogic_test 输出是 HTTP / APPDEV2004.domain.com HTTP / APPDEV2004
ktpass / out c:\ http_weblogic_test.keytab / mapuser http_weblogic_test / princ HTTP/APPDEV2004.domain.com@DOMAIN.COM / pass / ptype KRB5_NT_PRINCIPAL / crypto All
现在,当使用Kinit验证Kerberos票证是否正确生成时,它总是失败并出现异常 java -Dsun.security.krb5.debug = true -Djava.security.krb5.conf = c:\ windows \ krb5.ini sun.security.krb5.internal.tools.Kinit -k -t C:\ opt \ http_weblogic_test.keytab
i = 0
j = 0
for index, row in df.iterrows():
text1 = row['text']
for index2, row2 in df.iterrows():
text2 = row2['text']
lev_ratio = Levenshtein.ratio(text1, text2)
if j != i and lev_ratio > 0.9:
df.drop(index2, inplace = True)
j += 1
i += 1
但是,当我从命令行提供密码而不是使用keytab文件时,它完全正常 java -Dsun.security.krb5.debug = true -Djava.security.krb5.conf = c:\ windows \ krb5.ini sun.security.krb5.internal.tools.Kinit
KinitOptions缓存名称为D:\ Users \ ayadav \ krb5cc_ayadav 来自缓存的KinitOptions主要名称是:http_weblogic_test@DOAMIN.COM
校长是http_weblogic_test@DOMAIN.COM http_weblogic_test@DOMAIN.COM的密码: 进入passowrd之后,它经历了一系列步骤,最后说道 新票据存储在缓存文件D:\ Users \ ayadav \ krb5cc_ayadav中,我认为这是成功生成票证的标志,但是我很难利用keytab文件但需要摆脱预验证信息无效( 24)。
更新我还使用KTab命令生成keytab文件并使用它然而我仍然得到例外。
Exception: krb_error 24 Pre-authentication information was invalid (24) Pre-
authentication information was invalid
KrbException: Pre-authentication information was invalid (24)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
at sun.security.krb5.internal.ASRep.init(ASRep.java:64)
at sun.security.krb5.internal.ASRep.<init>(ASRep.java:59)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
... 4 more
更新 - 在将krb5Login.conf中的主体名称更新为principal =“HTTP / APPDEV2004.domain.com”后,我能够成功运行Kinit
将测试应用程序部署到weblogic后,我可以看到Kinit正在运行以成功生成TGT
回应摘录
java sun.security.krb5.internal.tools.Ktab
-a http_weblogic_test@DOMAIN.COM <password>
-k c:\opt\http_weblogic_test_new.keytab
java sun.security.krb5.internal.tools.Ktab
-a APPDEV2004.domain.com@DOMAIN.COM <password>
-k c:\http_weblogic_test_new_ktab.keytab
我已使用ActiveDirectoryProvider(标记为SUFFICIENT)和NegotiateIndentityProviderAsserter(基于表单的协商被标记为禁用)在weblogic服务器中配置myrealm 但它仍然显示基本身份验证对话框,而不是让我登录。
更新 - 在weblogic服务器调试日志中,我可以看到以下异常
principal is HTTP/APPDEV2004.oriental.com@ORIENTAL.COM
Will use keytab
Commit Succeeded
Found KeyTab http_weblogic_test.keytab for
HTTP/APPDEV2004.domain.com@DOMAIN.COM
Found ticket for HTTP/APPDEV2004.domain.com@DOMAIN.COM to go to
krbtgt/DOMAIN.COM@DOMAIN.COM expiring on Wed May 02 03:37:28 CDT 2018
I am using the following properties for the web.xml in the application
<security-constraint>
<display-name>AdminAccess</display-name>
<web-resource-collection>
<web-resource-name>AllAdminOperations</web-resource-name>
<description/>
<url-pattern>/faces/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description>Admin Only Access</description>
<role-name>Admin</role-name>
</auth-constraint>
<user-data-constraint>
<description>Secured Login</description>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<display-name>validUser</display-name>
<web-resource-collection>
<web-resource-name>application</web-resource-name>
<description/>
<url-pattern>/faces/home/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description>Only Registered user can access this</description>
<role-name>Basic</role-name>
<role-name>Admin</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>Basic</auth-method>
<realm-name>**myrealm**</realm-name>
</login-config>
<security-role>
<description>Deputy User</description>
<role-name>Deputy</role-name>
</security-role>
<security-role>
<description>AdminUser</description>
<role-name>Admin</role-name>
</security-role>
and my weblogic.xml has
<security-role-assignment>
<role-name>Admin</role-name>
<principal-name>Admin</principal-name>
</security-role-assignment>
<security-role-assignment>
<role-name>Deputy</role-name>
<principal-name>Deputy</principal-name>
</security-role-assignment>
答案 0 :(得分:-1)
Active Directory中的服务帐户是否已禁用预身份验证?