Invalid Negotiate header with the Spring Security Kerberos plugin

Time: 2019-03-20 19:57:14

Tags: grails kerberos spnego spring-security-kerberos

Environment specs:

Grails version: 3.3.9
JDK: jdk1.8.0_161
Client OS: Windows Server 2012 R2
Server OS: Windows 7 64-bit
(I know my client/server look backwards, but I develop on Windows 7 and just needed a machine in the domain to test with)
Spring Security Core plugin version: 3.2.3
Spring Security Kerberos plugin version: 3.0.1
Active Directory environment: Microsoft Active Directory

Problem:
I want to use Windows integrated authentication in my grails app. When I run the app, browse to the site in IE and type in my domain credentials, I get an HTTP 500 in the browser. When I check the console it says "Successfully validated [user]" but then says "Negotiate Header was invalid". Here are the steps I went through for the domain user, the SPN setup, the keytab generation, the grails setup (some information has been replaced with dummy data for security reasons) and the console output.

Domain user properties (from the domain controller): In Active Directory I have a service account (grailsuser) that is just a domain user. Under the Account tab -> Account options, the following are selected: "This account supports Kerberos AES 128 bit encryption" and "This account supports Kerberos AES 256 bit encryption".

Under the Delegation tab I selected the "Trust this user for delegation to any service (Kerberos only)" radio button.

SPN (from the domain controller): The grails application runs from my machine. The FQDN is devbox.tst.trknow.com@TST.TRKNOW.COM. I set my SPN using set -L tst\grailsuser. The output is

Registered ServicePrincipalNames for CN=Grails LDAP Service Account,CN=Managed Service Accounts,DC=tst,DC=trknow,DC=com:
        HTTP/devbox.tst.trknow.com

Keytab file (from the domain controller):

Using ktpass I ran the following command, with this output

C:\Users\administrator.TST>ktpass /out c:\http-grails.keytab /mapuser grailsuser@TST.TRKNOW.COM /princ HTTP/devbox.tst.trknow.com@TST.TRKNOW.COM /pass pwd123! /ptype KRB5_NT_PRINCIPAL /crypto All
Targeting domain controller: TSTHQDC02.tst.trknow.com
Using legacy password setting method
Successfully mapped HTTP/devbox.tst.trknow.com to grailsuser.
Key created.
Key created.
Key created.
Key created.
Key created.
Output keytab to c:\http-grails.keytab:
Keytab version: 0x502
keysize 70 HTTP/devbox.tst.trknow.com@TST.TRKNOW.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 14 etype 0x1 (DES-CBC-CRC) keylength 8 (0x5d7513981fecb325)
keysize 70 HTTP/devbox.tst.trknow.com@TST.TRKNOW.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 14 etype 0x3 (DES-CBC-MD5) keylength 8 (0x5d7513981fecb325)
keysize 78 HTTP/devbox.tst.trknow.com@TST.TRKNOW.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 14 etype 0x17 (RC4-HMAC) keylength 16 (0x7f3d70a908e23efd5b7b5bcc5cc3c367)
keysize 94 HTTP/devbox.tst.trknow.com@TST.TRKNOW.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 14 etype 0x12 (AES256-SHA1) keylength 32 (0x217ca444790211d2fb10ec80ef5ac0ce0d036080899c16e70134b015d24030ca)
keysize 78 HTTP/devbox.tst.trknow.com@TST.TRKNOW.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 14 etype 0x11 (AES128-SHA1) keylength 16 (0x3eb60788149300cde7a44a53c0eeba80)

Grails setup (from my development machine, which is joined to my domain): Phew. At this point the sysadmin setup is done and I can go back to my developer job. So now I copied the http-grails.keytab file to my machine. I started a test app with the following settings:

application.groovy

import grails.util.Environment
// Added by the Spring Security Core plugin:
grails.plugin.springsecurity.userLookup.userDomainClassName = 'ssotesty.User'
grails.plugin.springsecurity.userLookup.authorityJoinClassName = 'ssotesty.UserRole'
grails.plugin.springsecurity.authority.className = 'ssotesty.Role'
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
        [pattern: '/',               access: ['permitAll']],
        [pattern: '/error',          access: ['permitAll']],
        [pattern: '/index',          access: ['permitAll']],
        [pattern: '/index.gsp',      access: ['permitAll']],
        [pattern: '/shutdown',       access: ['permitAll']],
        [pattern: '/assets/**',      access: ['permitAll']],
        [pattern: '/**/js/**',       access: ['permitAll']],
        [pattern: '/**/css/**',      access: ['permitAll']],
        [pattern: '/**/images/**',   access: ['permitAll']],
        [pattern: '/**/favicon.ico', access: ['permitAll']]
]

grails.plugin.springsecurity.filterChain.chainMap = [
        [pattern: '/assets/**',      filters: 'none'],
        [pattern: '/**/js/**',       filters: 'none'],
        [pattern: '/**/css/**',      filters: 'none'],
        [pattern: '/**/images/**',   filters: 'none'],
        [pattern: '/**/favicon.ico', filters: 'none'],
        [pattern: '/**',             filters: 'JOINED_FILTERS']
]

//Kerberos
grails.plugin.springsecurity.kerberos.ticketValidator.servicePrincipal =
        'HTTP/devbox.tst.trknow.com@TST.TRKNOW.COM'

// Keytab location: production (Linux) path vs. development (Windows) path
if (!Environment.isDevelopmentMode()) {
    grails.plugin.springsecurity.kerberos.ticketValidator.keyTabLocation =
            'file:////home/sso/http-grails.keytab'
} else {
    grails.plugin.springsecurity.kerberos.ticketValidator.keyTabLocation =
            'file:///C:\\grails3projects\\http-grails.keytab'
}
grails.plugin.springsecurity.kerberos.client.debug = true
grails.plugin.springsecurity.kerberos.debug = true
grails.plugin.springsecurity.kerberos.ticketValidator.debug = true

SecureController.groovy

package ssotesty

import grails.plugin.springsecurity.annotation.Secured


class SecureController {

    // Protected by the default filter chain: requires an authenticated user
    def index() {
        render "You can see this!"
    }

    @Secured('permitAll')
    def open() {
        render "This is open"
    }
}

So then I run the app, go to the client machine and hit the controller's index page in IE. I get prompted for credentials (which shouldn't be needed if the logged-in user is an account in the domain; the app should just accept or reject), and then I get the following output about the Negotiate header being invalid.

Console output:

2019-03-20 15:05:43.684 DEBUG --- [nio-8080-exec-7] o.s.s.k.w.a.SpnegoEntryPoint             : Add header WWW-Authenticate:Negotiate to http://devbox.tst.trknow.com:8080/secure/index, forward: no
2019-03-20 15:05:43.684 DEBUG --- [nio-8080-exec-7] o.s.s.k.w.a.SpnegoEntryPoint             : Add header WWW-Authenticate:Negotiate to http://devbox.tst.trknow.com:8080/secure/index, forward: no
2019-03-20 15:05:55.323 DEBUG --- [io-8080-exec-10] w.a.SpnegoAuthenticationProcessingFilter : Received Negotiate Header for request http://devbox.tst.trknow.com:8080/secure/index: Negotiate YIIHKwYGKwYBBQUCoIIHHzCCBxugMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYK*Truncated*
2019-03-20 15:05:55.323 DEBUG --- [io-8080-exec-10] w.a.SpnegoAuthenticationProcessingFilter : Received Negotiate Header for request http://devbox.tst.trknow.com:8080/secure/index: Negotiate YIIHKwYGKwYBBQUCoIIHHzCCBxugMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYK*Truncated*
2019-03-20 15:05:55.324 DEBUG --- [io-8080-exec-10] .a.KerberosServiceAuthenticationProvider : Try to validate Kerberos Token
2019-03-20 15:05:55.324 DEBUG --- [io-8080-exec-10] .a.KerberosServiceAuthenticationProvider : Try to validate Kerberos Token
Found KeyTab C:\grails3projects\http-grails.keytab for HTTP/devbox.tst.trknow.com@TST.TRKNOW.COM
Found KeyTab C:\grails3projects\http-grails.keytab for HTTP/devbox.tst.trknow.com@TST.TRKNOW.COM
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Java config name: null
Native config name: C:\windows\krb5.ini
Loaded from native config
>>> KeyTabInputStream, readName(): TST.TRKNOW.COM
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): devbox.tst.trknow.com
>>> KeyTab: load() entry length: 70; type: 1
>>> KeyTabInputStream, readName(): TST.TRKNOW.COM
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): devbox.tst.trknow.com
>>> KeyTab: load() entry length: 70; type: 3
>>> KeyTabInputStream, readName(): TST.TRKNOW.COM
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): devbox.tst.trknow.com
>>> KeyTab: load() entry length: 78; type: 23
>>> KeyTabInputStream, readName(): TST.TRKNOW.COM
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): devbox.tst.trknow.com
>>> KeyTab: load() entry length: 94; type: 18
>>> KeyTabInputStream, readName(): TST.TRKNOW.COM
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): devbox.tst.trknow.com
>>> KeyTab: load() entry length: 78; type: 17
Looking for keys for: HTTP/devbox.tst.trknow.com@TST.TRKNOW.COM
Added key: 17version: 14
Added key: 18version: 14
Added key: 23version: 14
Found unsupported keytype (3) for HTTP/devbox.tst.trknow.com@TST.TRKNOW.COM
Found unsupported keytype (1) for HTTP/devbox.tst.trknow.com@TST.TRKNOW.COM
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 18 17 16 23.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
MemoryCache: add 1553108589/041556/905183D04DE02C32E30F1CE01B5F9AC2/bmoe.dev@TST.TRKNOW.COM to bmoe.dev@TST.TRKNOW.COM|HTTP/devbox.tst.trknow.com@TST.TRKNOW.COM
>>> KrbApReq: authenticate succeed.
Krb5Context setting peerSeqNumber to: 710158400
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Krb5Context setting mySeqNumber to: 59568554
>>> Constrained deleg from GSSCaller{UNKNOWN}
2019-03-20 15:05:56.104 DEBUG --- [io-8080-exec-10] .a.KerberosServiceAuthenticationProvider : Succesfully validated bmoe.dev@TST.TRKNOW.COM
2019-03-20 15:05:56.104 DEBUG --- [io-8080-exec-10] .a.KerberosServiceAuthenticationProvider : Succesfully validated bmoe.dev@TST.TRKNOW.COM
2019-03-20 15:05:56.289  WARN --- [io-8080-exec-10] w.a.SpnegoAuthenticationProcessingFilter : Negotiate Header was invalid: Negotiate YIIHKwYGKwYBBQUCoIIHHzCCBxugMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYK*Truncate*

grails.plugin.springsecurity.userdetails.NoStackUsernameNotFoundException: User not found

2019-03-20 15:05:56.289  WARN --- [io-8080-exec-10] w.a.SpnegoAuthenticationProcessingFilter : Negotiate Header was invalid: Negotiate YIIHKwYGKwYBBQUCoIIHHzCCBxugMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYK*Truncate*

grails.plugin.springsecurity.userdetails.NoStackUsernameNotFoundException: User not found

Here is my krb5.ini file, in case it is not valid:

[libdefaults]
    default_realm = TST.TRKNOW.COM
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4
[realms]
    TST.TRKNOW.COM = {
        kdc = TSTHQDC02.TST.TRKNOW.COM:88
        admin_server = TSTHQDC02.TST.TRKNOW.COM
        default_domain = TST.TRKNOW.COM
    }

[domain_realm]
    .tst.trknow.com = TST.TRKNOW.COM
    tst.trknow.com = TST.TRKNOW.COM

[login]
    krb5_convert = true
    krb5_get_tickets = false

I have been fighting with this for three days. I can't imagine the kerberos plugin doesn't work (especially since Burt Beckwith is its main contributor), so hopefully someone can provide some guidance here.
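The console output above shows the two halves of the SPNEGO login separately: the JGSS layer validates the ticket ("KrbApReq: authenticate succeed", "Succesfully validated bmoe.dev@TST.TRKNOW.COM"), and only afterwards does the filter report "Negotiate Header was invalid", with `NoStackUsernameNotFoundException: User not found` underneath. That exception comes from the user lookup step: after validation Spring Security Kerberos hands the principal name to the configured `UserDetailsService`, and with the configuration shown (`userLookup.userDomainClassName = 'ssotesty.User'`) the Spring Security Core plugin's GORM lookup expects a `User` row whose username matches that principal. The filter then wraps the lookup failure in the misleading "Negotiate Header was invalid" warning. The following is an added example, not code from the question or from either plugin, of a custom `UserDetailsService` that normalises the Kerberos principal before the GORM lookup and registers itself in `resources.groovy`; the class name, the realm-stripping rule, the assumption that `User.username` holds the bare account name (`bmoe.dev`) and the exact file paths are all assumptions.

```groovy
// src/main/groovy/ssotesty/KerberosPrincipalUserDetailsService.groovy (hypothetical file)
package ssotesty

import grails.plugin.springsecurity.userdetails.GormUserDetailsService
import org.springframework.security.core.userdetails.UserDetails
import org.springframework.security.core.userdetails.UsernameNotFoundException

/**
 * Added example (not part of the question or the plugins).
 *
 * Spring Security Kerberos calls loadUserByUsername() with the principal
 * exactly as it appears in the validated ticket, e.g. 'bmoe.dev@TST.TRKNOW.COM'.
 * This service maps that to the local username stored in ssotesty.User and then
 * delegates to the core plugin's GORM lookup, so User / UserRole / Role keep
 * working unchanged. Assumption: User.username stores 'bmoe.dev', not the
 * full principal.
 */
class KerberosPrincipalUserDetailsService extends GormUserDetailsService {

    /** Only principals from this realm are mapped onto local accounts (assumed value). */
    static final String EXPECTED_REALM = 'TST.TRKNOW.COM'

    /**
     * 'user@REALM' -> 'user'. A name without '@' is returned unchanged; an
     * empty name or a foreign realm is rejected before any database access.
     */
    static String stripRealm(String principal) {
        if (!principal?.trim()) {
            throw new UsernameNotFoundException('Empty Kerberos principal')
        }
        int at = principal.lastIndexOf('@')
        if (at < 0) {
            return principal
        }
        String realm = principal.substring(at + 1)
        if (!realm.equalsIgnoreCase(EXPECTED_REALM)) {
            throw new UsernameNotFoundException("Principal ${principal} is not from realm ${EXPECTED_REALM}")
        }
        return principal.substring(0, at)
    }

    @Override
    UserDetails loadUserByUsername(String username, boolean loadRoles) throws UsernameNotFoundException {
        // GormUserDetailsService throws NoStackUsernameNotFoundException (the
        // exception seen in the console output) when no User row matches.
        return super.loadUserByUsername(stripRealm(username), loadRoles)
    }
}

// grails-app/conf/spring/resources.groovy: replace the core plugin's default
// userDetailsService bean with the mapping service above.
// import ssotesty.KerberosPrincipalUserDetailsService
//
// beans = {
//     userDetailsService(KerberosPrincipalUserDetailsService) {
//         grailsApplication = ref('grailsApplication')
//     }
// }
```

If the application would rather store the full principal, the alternative is to leave the default `userDetailsService` in place and make sure a `ssotesty.User` row exists with `username = 'bmoe.dev@TST.TRKNOW.COM'`; either way, the check to run first is whether the name in the "Succesfully validated ..." log line matches a row in the user table. The `Found unsupported keytype (3)` and `(1)` lines earlier in the output are the JGSS provider skipping the DES entries that `/crypto All` wrote into the keytab; the AES256 entry is the one used ("EType: ...Aes256CtsHmacSha1EType"), so those lines are not the cause of the failure.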

0 answers:

No answers