Weblogic 12c single sign-on using Kerberos (Active Directory and LDAP)

Time: 2018-05-01 20:53:59

Tags: single-sign-on kerberos weblogic12c gssapi

I have been trying this since last week but with no luck so far. I am trying to enable SSO with weblogic12c on Windows and AD (using LDAP).

1) Created a brand new user and enabled AES 128 for it

2) Ran the following command on AD

setspn -S HTTP/APPDEV2004.domain.com http_weblogic_test

Verified the output with the command setspn -l http_weblogic_test; the output is HTTP/APPDEV2004.domain.com HTTP/APPDEV2004

ktpass /out c:\http_weblogic_test.keytab /mapuser http_weblogic_test /princ HTTP/APPDEV2004.domain.com@DOMAIN.COM /pass /ptype KRB5_NT_PRINCIPAL /crypto All

Now, when I verify with Kinit that the Kerberos ticket is generated correctly, it always fails with an exception: java -Dsun.security.krb5.debug=true -Djava.security.krb5.conf=c:\windows\krb5.ini sun.security.krb5.internal.tools.Kinit -k -t C:\opt\http_weblogic_test.keytab


However, when I supply the password from the command line instead of using the keytab file, it works fine: java -Dsun.security.krb5.debug=true -Djava.security.krb5.conf=c:\windows\krb5.ini sun.security.krb5.internal.tools.Kinit

KinitOptions cache name is D:\Users\ayadav\krb5cc_ayadav
KinitOptions principal name from cache is: http_weblogic_test@DOAMIN.COM

Principal is http_weblogic_test@DOMAIN.COM
Password for http_weblogic_test@DOMAIN.COM:

After entering the password it goes through a series of steps and finally says "New ticket is stored in cache file D:\Users\ayadav\krb5cc_ayadav", which I take to be the sign that the ticket was generated successfully. But I am struggling to make use of the keytab file and need to get rid of "Pre-authentication information was invalid (24)".

Update: I also generated the keytab file using the KTab command and used it, however I still get the exception.

Exception: krb_error 24 Pre-authentication information was invalid (24) Pre-authentication information was invalid
KrbException: Pre-authentication information was invalid (24)
    at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
    at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
    at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
    at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
    at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
    at sun.security.krb5.internal.ASRep.init(ASRep.java:64)
    at sun.security.krb5.internal.ASRep.<init>(ASRep.java:59)
    at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
    ... 4 more

Update - After updating the principal name in krb5Login.conf to principal="HTTP/APPDEV2004.domain.com", I was able to run Kinit successfully.

After deploying the test application to weblogic, I can see Kinit running and generating the TGT successfully.

Output excerpt

java sun.security.krb5.internal.tools.Ktab
-a http_weblogic_test@DOMAIN.COM <password> 
-k c:\opt\http_weblogic_test_new.keytab

java sun.security.krb5.internal.tools.Ktab
-a APPDEV2004.domain.com@DOMAIN.COM <password> 
-k  c:\http_weblogic_test_new_ktab.keytab

I have configured myrealm in the weblogic server with ActiveDirectoryProvider (flagged SUFFICIENT) and NegotiateIdentityAsserter (form-based negotiation flagged disabled), but it still shows the basic authentication dialog instead of logging me in.

Update - In the weblogic server debug log I can see the following exception

principal is HTTP/APPDEV2004.oriental.com@ORIENTAL.COM
Will use keytab
Commit Succeeded 

Found KeyTab http_weblogic_test.keytab for 
HTTP/APPDEV2004.domain.com@DOMAIN.COM
Found ticket for HTTP/APPDEV2004.domain.com@DOMAIN.COM to go to 
krbtgt/DOMAIN.COM@DOMAIN.COM expiring on Wed May 02 03:37:28 CDT 2018

I am using the following properties for the web.xml in the application 

<security-constraint>
    <display-name>AdminAccess</display-name>
    <web-resource-collection>
        <web-resource-name>AllAdminOperations</web-resource-name>
        <description/>
        <url-pattern>/faces/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description>Admin Only Access</description>
        <role-name>Admin</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description>Secured Login</description>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<security-constraint>
    <display-name>validUser</display-name>
    <web-resource-collection>
        <web-resource-name>application</web-resource-name>
        <description/>
        <url-pattern>/faces/home/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description>Only Registered user can access this</description>
        <role-name>Basic</role-name>
        <role-name>Admin</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>Basic</auth-method>
    <realm-name>**myrealm**</realm-name>
</login-config>
<security-role>
    <description>Deputy User</description>
    <role-name>Deputy</role-name>
</security-role>
<security-role>
    <description>AdminUser</description>
    <role-name>Admin</role-name>
</security-role>

and my weblogic.xml has 
<security-role-assignment>
  <role-name>Admin</role-name>
  <principal-name>Admin</principal-name>
</security-role-assignment>
<security-role-assignment>
 <role-name>Deputy</role-name>
 <principal-name>Deputy</principal-name>
</security-role-assignment>
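The post works through a mismatch between the principal ktpass wrote into the keytab (HTTP/APPDEV2004.domain.com@DOMAIN.COM) and the principal Kinit was asked to obtain a TGT for (the sAMAccountName http_weblogic_test); error 24, KRB5KDC_ERR_PREAUTH_FAILED, is what a KDC returns when the key the client derived from its keytab does not match the KDC's key for the requested principal, which is why a typed password worked while the keytab did not. The script below is an added example, not code from the post or from WebLogic: it parses a version-2 MIT keytab (the format ktpass and the JDK Ktab tool write), lists each entry's principal, kvno and encryption type without exposing key material, and checks that the keytab actually contains the principal and enctypes the service login expects. The keytab bytes are constructed in the script with dummy all-zero keys; build_keytab, parse_keytab, check_keytab and demo are names chosen here.

```python
import struct

# Encryption type numbers from the IANA Kerberos registry (RFC 3961 / RFC 4757)
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
KRB5_NT_PRINCIPAL = 1  # name type produced by ktpass /ptype KRB5_NT_PRINCIPAL


def _counted(b: bytes) -> bytes:
    """MIT keytab counted octet string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_counted(data: bytes, pos: int):
    """Read a counted octet string at pos; return (bytes, position after it)."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as a version-2 MIT keytab.
    Used only to construct test input here; real keytabs come from ktpass or Ktab."""
    out = bytearray(b"\x05\x02")  # file format version 0x0502
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        # name type, timestamp (0 here: constructed, not a real write time), 8-bit kvno
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)  # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    """Return one dict per entry: principal, kvno, enctype, enctype_name. Keys are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:  # a negative size marks a deleted slot of -size bytes
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + klen  # step over name type, timestamp, vno8, keyblock header and key
        kvno = vno8
        if end - pos >= 4:  # the 32-bit kvno is used when present and non-zero
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or vno8
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, f"unknown({enctype})"),
        })
    return entries


def check_keytab(data: bytes, expected_principal: str, required_enctypes=(17,)):
    """Return (ok, problems) for serving expected_principal from this keytab.
    The comparison is exact and case-sensitive, as the KDC's is: HTTP/host@REALM and
    the account's sAMAccountName@REALM are different principals."""
    entries = parse_keytab(data)
    matching = [e for e in entries if e["principal"] == expected_principal]
    problems = []
    if not matching:
        found = sorted({e["principal"] for e in entries})
        problems.append(f"no entry for {expected_principal}; keytab holds {found}")
        return False, problems
    have = {e["enctype"] for e in matching}
    missing = [ENCTYPE_NAMES.get(t, str(t)) for t in required_enctypes if t not in have]
    if missing:
        problems.append(f"{expected_principal} lacks enctypes {missing}")
    return not problems, problems


def demo():
    """Constructed keytab for the SPN on this page (dummy zero keys), checked two ways."""
    spn = "HTTP/APPDEV2004.domain.com@DOMAIN.COM"
    keytab = build_keytab([(spn, 3, 17, bytes(16)), (spn, 3, 23, bytes(16))])
    return {
        "entries": parse_keytab(keytab),
        "spn_check": check_keytab(keytab, spn),
        "sam_check": check_keytab(keytab, "http_weblogic_test@DOMAIN.COM"),
    }


if __name__ == "__main__":
    result = demo()
    for e in result["entries"]:
        print(f'{e["principal"]} kvno={e["kvno"]} {e["enctype_name"]}')
    print("SPN check:", result["spn_check"])
    print("sAMAccountName check:", result["sam_check"])
```

Run it against a real file by replacing the constructed bytes with open(path, "rb").read() and passing the exact principal string from krb5Login.conf. Two further checks are worth making from the output: the kvno must match the account's current value in AD, and every ktpass /pass run resets the account password and bumps the kvno, so keytabs written earlier stop working; and the enctypes listed must include one the account is allowed to use (the account here had AES128 enabled, which is enctype 17). Separately, WebLogic's Negotiate Identity Asserter only takes part in a web application's login when that application's login-config uses auth-method CLIENT-CERT; with auth-method Basic, as in the web.xml above, the container itself prompts for credentials, which is the dialog the post describes.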

1 answer:

Answer 0: (score: -1)