I am trying to use Spnego with a Finatra web server, but without success.
Here is my GitHub project: https://github.com/glegoux/spnego-server-finatra
Using Wireshark:
Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN.
My server log:
...
Debug is true
storeKey true useTicketCache false useKeyTab true
doNotPrompt true ticketCache is null
isInitiator false KeyTab is /tmp/spnego-server.keytab
refreshKrb5Config is true principal is HTTP/spnego-server@EXAMPLE.COM
tryFirstPass is false
useFirstPass is false storePass is false clearPass is false
Refreshing Kerberos configuration
Java config name: krb5.conf
Loaded from Java config
>>> KdcAccessibility: reset
>>> KdcAccessibility: reset
principal is HTTP/spnego-server@EXAMPLE.COM
Will use keytab
Commit Succeeded
Found KeyTab /tmp/spnego-server.keytab for HTTP/spnego-server@EXAMPLE.COM
Found KeyTab /tmp/spnego-server.keytab for HTTP/spnego-server@EXAMPLE.COM
Found KeyTab /tmp/spnego-server.keytab for HTTP/spnego-server@EXAMPLE.COM
Found KeyTab /tmp/spnego-server.keytab for HTTP/spnego-server@EXAMPLE.COM
Entered SpNegoContext.acceptSecContext with state=STATE_NEW
SpNegoContext.acceptSecContext: receiving token = a0 82 03 be 30 82 03 ba ...
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.5.2.5
SpNegoToken NegTokenInit: reading Mech Token
SpNegoContext.acceptSecContext: received token of type = SPNEGO NegTokenInit
SpNegoContext.acceptSecContext: mechanism wanted = null
SpNegoContext.acceptSecContext: negotiated result = REJECT
SpNegoContext.acceptSecContext: sending token of type = SPNEGO NegTokenTarg
SpNegoContext.acceptSecContext: sending token = a1 07 30 05 a0 03 0a 01 02
The underlying mechanism context has not been initialized
[UnboundedFuturePool-2] INFO SpnegoFilter - Client principal: null
...
When I check my credentials, there is no Ticket Granting Service (TGS) for HTTP/spnego-server@EXAMPLE.COM:
$ klist -fe
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: bob@EXAMPLE.COM
Valid starting Expires Service principal
24/06/2018 21:17:20 25/06/2018 07:17:20 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 25/06/2018 21:17:18, Flags: FPRIA
Etype (skey, tkt): des3-cbc-sha1, des3-cbc-sha1
The spnego-server keytab:
klist -kte /tmp/spnego-server.keytab
Keytab name: FILE:/tmp/spnego-server.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
1 06/25/18 06:27:43 HTTP/spnego-server@EXAMPLE.COM (des3-cbc-sha1)
Do you know why?
Answer 0 (score: 0)
It works ;). I have fixed the post: the correct principal name is HTTP/spnego-server.example.com@EXAMPLE.COM, whereas before it was HTTP/spnego-server@EXAMPLE.COM, without the suffix .example.com.
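The mismatch described in the answer can be checked before deployment. The following is an added example, not part of the original post or the linked project: it derives the service principal a SPNEGO client would request for a URL and compares it with the principals listed by `klist -kte`. The URL port, the function names and the embedded sample are constructed for illustration, and the sketch assumes the client uses the URL host as typed, without DNS canonicalization.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: `klist -kte` output in the format shown in the question.
KLIST_OUTPUT = """\
Keytab name: FILE:/tmp/spnego-server.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
1 06/25/18 06:27:43 HTTP/spnego-server@EXAMPLE.COM (des3-cbc-sha1)
"""

# One keytab entry: KVNO, date, time, principal, (enctype)
ENTRY = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+@\S+)\s+\(([^)]+)\)\s*$")


def keytab_principals(klist_text):
    """Return the set of principals listed by `klist -kte`."""
    matches = map(ENTRY.match, klist_text.splitlines())
    return {m.group(2) for m in matches if m}


def expected_spn(url, realm):
    """SPN requested for `url`: HTTP/<host>@<realm>.

    Assumption: the host is taken from the URL as typed; scheme and
    port are not part of the principal name.
    """
    host = urlsplit(url).hostname  # already lower-cased by urlsplit
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    return f"HTTP/{host}@{realm}"


def check(url, realm, klist_text):
    """Return (ok, expected_spn, near_misses) for a keytab listing."""
    want = expected_spn(url, realm)
    have = keytab_principals(klist_text)
    # Short host name, used to spot entries that only lack the domain suffix.
    short = want.split("/", 1)[1].split("@")[0].split(".")[0]
    near = sorted(p for p in have
                  if p != want and p.startswith(f"HTTP/{short}"))
    return want in have, want, near


if __name__ == "__main__":
    ok, want, near = check("http://spnego-server.example.com:8080/",
                           "EXAMPLE.COM", KLIST_OUTPUT)
    print("OK" if ok else f"MISSING {want}; keytab only has {near}")
```

A missing entry here corresponds to the `KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN` seen in the capture when the KDC database has the same short name: the client asks for a service principal that was never registered.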