Question

我们无法通过单点登录进行部署，包括Oracle Weblogic Server 10.3.6和Windows 2012 R2 Active Directory在内，我们已经在Windows 2003和2008 R2上成功实现了同样的功能。日志指示RC4加密存在某些问题，可能是我错了。请查看以下日志。

[GSS LoginConfigImpl]: Trying com.sun.security.jgss.krb5.accept: Found!
Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is dom1client600.keytab refreshKrb5Config is false principal is HTTP/dom-wln-600@DOM1.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Added key: 3version: 0
Added key: 1version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 17 18 23.
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Added key: 3version: 0
Added key: 1version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 17 18 23.
default etypes for default_tkt_enctypes: 17 18 23.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=10.30.4.185 TCP:88, timeout=30000, number of retries =3, #bytes=158
>>> KDCCommunication: kdc=10.30.4.185 TCP:88, timeout=30000,Attempt =1, #bytes=158
>>>DEBUG: TCPClient reading 201 bytes
>>> KrbKdcReq send: #bytes read=201
>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 18, salt = DOMAIN.COMHTTPdom-wln-600, s2kparams = null
         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16

>>>Pre-Authentication Data:
         PA-DATA type = 15

>>> KdcAccessibility: remove 10.30.4.185
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Wed Sep 26 06:56:46 BST 2018 1537941406000
         suSec is 910784
         error code is 25
         error Message is Additional pre-authentication required
         realm is DOMAIN.COM
         sname is krbtgt/DOMAIN.COM
         eData provided.
         msgType is 30
>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 18, salt = DOMAIN.COMHTTPdom-wln-600, s2kparams = null
         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16

>>>Pre-Authentication Data:
         PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 17 18 23.
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Added key: 3version: 0
Added key: 1version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 17 18 23.
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Added key: 3version: 0
Added key: 1version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 17 18 23.
default etypes for default_tkt_enctypes: 17 18 23.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=10.30.4.185 TCP:88, timeout=30000, number of retries =3, #bytes=244
>>> KDCCommunication: kdc=10.30.4.185 TCP:88, timeout=30000,Attempt =1, #bytes=244
>>>DEBUG: TCPClient reading 1501 bytes
>>> KrbKdcReq send: #bytes read=1501
>>> KdcAccessibility: remove 10.30.4.185
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Added key: 3version: 0
Added key: 1version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 17 18 23.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/dom-wln-600
principal is HTTP/dom-wln-600@DOMAIN.COM
Will use keytab
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Added key: 3version: 0
Added key: 1version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 17 18 23.
Commit Succeeded 

Found KeyTab
Found KerberosKey for HTTP/dom-wln-600@DOMAIN.COM
Found KerberosKey for HTTP/dom-wln-600@DOMAIN.COM
Found KerberosKey for HTTP/dom-wln-600@DOMAIN.COM
Found KerberosKey for HTTP/dom-wln-600@DOMAIN.COM
Found KerberosKey for HTTP/dom-wln-600@DOMAIN.COM
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Added key: 3version: 0
Added key: 1version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 17 18 23.
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType

Windows Active Directory 2012的单一登录加密问题

0 个答案: