Kerberos SSO with WebLogic

Time: 2018-05-11 16:38:15

Tags: apache weblogic single-sign-on kerberos

I have managed to configure WebLogic for SSO using Windows AD, but there are a few questions I need clarified.

1) When I access the application from the browser, with the Apache web server in between, why does WebLogic request a TGT using the SPN every time (I can see it in the WebLogic console)? Even if it wants to authenticate through the KDC, this should happen only once at startup, not for every request from the same browser.

In theory, WebLogic should never contact the KDC to validate an existing user's TGT.

2) If the client and the WebLogic server use the same session key provided by the KDC for secure communication, they never need to hit the KDC in between unless the session key expires, in which case they can also choose to renew it, so a TGT does not need to be created for every request from the browser to WebLogic. This is correct.

WebLogic console log ->

Found ticket for HTTP/APPDEV2011.domain.com@DOMAIN.COM to go to krbtgt/DOMAIN.COM@DOMAIN.COM expiring on Fri May 11 21:06:46 CDT 2018
Debug is  true storeKey true useTicketCache true useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is http_weblogic_test.keytab refreshKrb5Config is false principal is HTTP/APPDEV2011.domain.com@DOMAIN.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
KinitOptions cache name is D:\Users\ayadav.DOMAIN.000\krb5cc_ayadav
Acquire default native Credentials
default etypes for default_tkt_enctypes: 17 23.
LSA contains TGT for ayadav@DOMAIN.COM not HTTP/APPDEV2011.domain.com@DOMAIN.COM
Principal is HTTP/APPDEV2011.domain.com@DOMAIN.COM
null credentials from Ticket Cache
Looking for keys for: HTTP/APPDEV2011.domain.com@DOMAIN.COM
Added key: 17version: 14
Added key: 18version: 14
Added key: 23version: 14
Found unsupported keytype (3) for HTTP/APPDEV2011.domain.com@DOMAIN.COM
Found unsupported keytype (1) for HTTP/APPDEV2011.domain.com@DOMAIN.COM
Looking for keys for: HTTP/APPDEV2011.domain.com@DOMAIN.COM
Added key: 17version: 14
Added key: 18version: 14
Added key: 23version: 14
Found unsupported keytype (3) for HTTP/APPDEV2011.domain.com@DOMAIN.COM
Found unsupported keytype (1) for HTTP/APPDEV2011.domain.com@DOMAIN.COM
default etypes for default_tkt_enctypes: 17 23.
KrbAsReq creating message
KrbKdcReq send: kdc=wcosp-dc01.domain.com UDP:88, timeout=30000, number of retries =3, #bytes=163
KDCCommunication: kdc=wcosp-dc01.domain.com UDP:88, timeout=30000,Attempt =1, #bytes=163
KrbKdcReq send: #bytes read=207
Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 17, salt = DOMAIN.COMHTTPAPPDEV2011.domain.com, s2kparams = null
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
Pre-Authentication Data:
PA-DATA type = 16
Pre-Authentication Data:
PA-DATA type = 15
KdcAccessibility: remove wcosp-dc01.domain.com
KDCRep: init() encoding tag is 126 req type is 11
KRBError:
sTime is Fri May 11 11:06:46 CDT 2018 1526054806000
suSec is 633784
error code is 25
error Message is Additional pre-authentication required
sname is krbtgt/DOMAIN.COM@DOMAIN.COM
eData provided.
msgType is 30
Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 17, salt = DOMAIN.COMHTTPAPPDEV2011.domain.com, s2kparams = null
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
Pre-Authentication Data:
PA-DATA type = 16
Pre-Authentication Data:
PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 17 23.
Looking for keys for: HTTP/APPDEV2011.domain.com@DOMAIN.COM
Added key: 17version: 14
Added key: 18version: 14
Added key: 23version: 14
Found unsupported keytype (3) for HTTP/APPDEV2011.domain.com@DOMAIN.COM
Found unsupported keytype (1) for HTTP/APPDEV2011.domain.com@DOMAIN.COM
Looking for keys for: HTTP/APPDEV2011.domain.com@DOMAIN.COM
Added key: 17version: 14
Added key: 18version: 14
Added key: 23version: 14
Found unsupported keytype (3) for HTTP/APPDEV2011.domain.com@DOMAIN.COM
Found unsupported keytype (1) for HTTP/APPDEV2011.domain.com@DOMAIN.COM
default etypes for default_tkt_enctypes: 17 23.
EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
KrbAsReq creating message
KrbKdcReq send: kdc=wcosp-dc01.domain.com UDP:88, timeout=30000, number of retries =3, #bytes=250
KDCCommunication: kdc=wcosp-dc01.domain.com UDP:88, timeout=30000,Attempt =1, #bytes=250
KrbKdcReq send: #bytes read=96
KrbKdcReq send: kdc=wcosp-dc01.domain.com TCP:88, timeout=30000, number of retries =3, #bytes=250
KDCCommunication: kdc=wcosp-dc01.domain.com TCP:88, timeout=30000,Attempt =1, #bytes=250
DEBUG: TCPClient reading 1602 bytes
KrbKdcReq send: #bytes read=1602
KdcAccessibility: remove wcosp-dc01.domain.com
Looking for keys for: HTTP/APPDEV2011.domain.com@DOMAIN.COM
Added key: 17version: 14
Added key: 18version: 14
Added key: 23version: 14
Found unsupported keytype (3) for HTTP/APPDEV2011.domain.com@DOMAIN.COM
Found unsupported keytype (1) for HTTP/APPDEV2011.domain.com@DOMAIN.COM
EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
KrbAsRep cons in KrbAsReq.getReply HTTP/APPDEV2011.domain.com
principal is HTTP/APPDEV2011.domain.com@DOMAIN.COM
Will use keytab
Commit Succeeded

Thanks
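Added example, not part of the post: a small Python checker for JDK Krb5LoginModule debug output of the kind shown above, which counts the AS-REQs sent to the KDC during one login() and flags weak encryption types seen in the keytab; the embedded log excerpt is constructed after the post's trace. The "isInitiator true" setting in the trace is relevant here, since Krb5LoginModule with useKeyTab=true only loads the service key without requesting a TGT when isInitiator is false.

```python
import re

# Constructed excerpt modelled on the JDK Krb5LoginModule debug trace in the post above
SAMPLE_LOG = """\
Acquire TGT from Cache
null credentials from Ticket Cache
Looking for keys for: HTTP/APPDEV2011.domain.com@DOMAIN.COM
Added key: 17version: 14
Added key: 23version: 14
Found unsupported keytype (3) for HTTP/APPDEV2011.domain.com@DOMAIN.COM
KrbAsReq creating message
error code is 25
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
KrbAsReq creating message
Commit Succeeded
"""

# Kerberos etype numbers (RFC 3961 / RFC 4757); DES and RC4-HMAC are weak or deprecated
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ETYPES = {1, 3, 23}


def analyze_krb5_debug(text):
    """Summarise one Krb5LoginModule login() from its debug output.

    A non-zero as_req_count means this login went to the KDC for a TGT
    (initiator behaviour); ticket_cache_miss explains why no cached TGT
    was reused; weak_etypes lists DES/RC4 keys seen in the keytab, whether
    loaded or rejected as unsupported."""
    lines = text.splitlines()
    loaded, rejected = set(), set()
    for line in lines:
        if m := re.match(r"Added key: (\d+)version", line):
            loaded.add(int(m.group(1)))
        elif m := re.match(r"Found unsupported keytype \((\d+)\)", line):
            rejected.add(int(m.group(1)))
    weak = (loaded | rejected) & WEAK_ETYPES
    return {
        "as_req_count": sum(l.startswith("KrbAsReq creating message") for l in lines),
        "preauth_retries": sum("PREAUTH FAILED/REQ" in l for l in lines),
        "ticket_cache_miss": any(l.startswith("null credentials from Ticket Cache") for l in lines),
        "keytab_etypes": sorted(loaded),
        "weak_etypes": sorted(ETYPE_NAMES.get(e, str(e)) for e in weak),
        "committed": any(l.startswith("Commit Succeeded") for l in lines),
    }


if __name__ == "__main__":
    for key, value in analyze_krb5_debug(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Two AS-REQs with "error code is 25" between them is the normal JDK pattern (the first request carries no pre-authentication, the KDC answers KDC_ERR_PREAUTH_REQUIRED, and the request is re-sent with PA-ENC-TIMESTAMP), so the figure to watch is whether the count is non-zero on every browser request rather than once at startup.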

0 answers:

No answers