Setting up Spring Security Kerberos - SPN and keytab

Time: 2018-07-02 10:59:07

Tags: java kerberos gssapi spring-security-kerberos keytab

Before trying to integrate the sample spring security kerberos application into the real application, I am trying to get it running. This is the application I am running: https://github.com/spring-projects/spring-security-kerberos/tree/master/spring-security-kerberos-samples/sec-server-win-auth/src/main

I have set up the spn and created the keytab; when running the application and trying to access it with chrome, I get error 500

On the server console it shows as:

Negotiate Header was invalid: 
org.springframework.security.authentication.BadCredentialsException: 
GSSContext name of the context initiator is null
at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:253)

I see from the code that this happens when getSrcName() on the GSSContext returns null.

For now I am only running on my laptop to try to get it working. The java process running the spring application runs under the Windows account I use to log in. DNS is configured so the laptop can be reached as laptop-name.mycompany.com, and this is what I did for the spn and keytab:

setspn -A HTTP/laptop-name.mycompany.com:8080 myWindowsUsername

ktpass -princ HTTP/laptop-name.mycompany.com:8080@MYCOMPANY.COM -pass password123 -mapuser myWindowsUsername@mycompany.com -out keytab.keytab -ptype KRB5_NT_PRINCIPAL

In the Java security directory I added krb5.conf with the following contents:

[Libdefaults]
 permitted_enctypes = arcfour-hmac-md5 rc4-hmac aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
 default_tgs_enctypes = arcfour-hmac-md5 rc4-hmac aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
 default_tkt_enctypes = arcfour-hmac-md5 rc4-hmac aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
 dns_lookup_kdc = true
 dns_lookup_realm = false

[Domain_realm]
 mycompany.com = MYCOMPANY.COM
 .mycompany.com = MYCOMPANY.COM

I am not sure whether this is a problem, but when I use kinit to verify the keytab, I see this at the bottom of the output

Looking for keys for: -V@MYCOMPANY.COM
default etypes for default_tkt_enctypes: 23 23 18 17 16.
Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:  No error
KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:
    at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:280)
    at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
    at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
    at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
    at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
    at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)

The output also indicates that the principal is -V@MYCOMPANY.COM, which does not seem right.

I am still new to keytabs and the GSS API. I am not sure whether this is a problem with my keytab generation, the spn setup, or my system configuration; any help is greatly appreciated.
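A keytab inspection script, added here as an example and not part of the question or of Spring Security Kerberos: it parses the MIT keytab format that ktpass writes, lists each principal with its name type, kvno and enctype, and reports which of the krb5.conf default_tkt_enctypes (23 23 18 17 16 in the kinit output above) have no matching key, which is the condition behind the "Do not have keys of types listed in default_tkt_enctypes" error. The sample keytab is constructed inline with an all-zero key for the SPN from the question; the enctype-name table and the build_keytab writer are this example's own, and the 32-bit kvno rule is the simplified one (a non-zero trailing kvno wins).

```python
import struct
# Enctype ids as printed by Java's kinit ("default etypes ... 23 23 18 17 16")
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 17: "aes128-cts", 18: "aes256-cts", 23: "rc4-hmac"}

def _counted(buf, off):  # 16-bit length-prefixed bytes ("counted octet string")
    n = struct.unpack_from(">H", buf, off)[0]
    return buf[off + 2:off + 2 + n], off + 2 + n
def parse_keytab(data):  # version 0x0502 MIT keytab, the format ktpass writes
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        size, off = struct.unpack_from(">i", data, off)[0], off + 4
        if size <= 0:            # negative size = deleted slot of that length; 0 = end
            off += -size or len(data)
            continue
        end = off + size
        ncomp = struct.unpack_from(">H", data, off)[0]
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, _stamp, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, off)
        off += 13 + klen         # step over the key bytes; not needed for this check
        # optional trailing 32-bit kvno supersedes the 8-bit one when present and non-zero
        vno = (struct.unpack_from(">I", data, off)[0] if end - off >= 4 else 0) or vno8
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "kvno": vno, "enctype": enctype,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, str(enctype))})
    return entries
def missing_enctypes(entries, principal, default_tkt_enctypes):
    # enctypes listed in krb5.conf that have no key for principal: what kinit complains about
    have = {e["enctype"] for e in entries if e["principal"] == principal}
    return sorted(set(default_tkt_enctypes) - have)

def build_keytab(entries):  # minimal writer, used only to construct sample input offline
    out = bytearray(b"\x05\x02")
    for principal, name_type, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        body = struct.pack(">HH", name.count("/") + 1, len(realm)) + realm.encode()
        for c in name.split("/"):
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIBHH", name_type, 0, kvno & 0xFF, enctype, len(key))
        out += struct.pack(">i", len(body) + len(key) + 4) + body + key + struct.pack(">I", kvno)
    return bytes(out)

# Constructed sample: one RC4 key (all-zero, not a real key) for the SPN from the question.
SAMPLE = build_keytab([("HTTP/laptop-name.mycompany.com:8080@MYCOMPANY.COM", 1, 3, 23, bytes(16))])
```

On a real file, `parse_keytab(open("keytab.keytab", "rb").read())` shows exactly which principal names and enctypes the keytab holds, so they can be compared with the principal kinit says it is looking for keys for (here -V@MYCOMPANY.COM) and with the enctype list in krb5.conf.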

0 answers:

No answers