java.sql.SQLException:I / O错误:GSS失败:未提供有效的凭证(机制级别:..)

时间:2019-04-02 14:21:11

标签: sql-server java-8 kerberos windows-authentication jtds

尝试使用JTDS建立KERBEROS连接时出现以下异常


Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/Users/../KerberosConfDir/app1.keytab refreshKrb5Config
is false principal is http/domainusername.foo.com tryFirstPass is false useFirstPass is false storePass is false clearPass is false
                [Krb5LoginModule] authentication failed
Pre-authentication information was invalid (24)
java.sql.SQLException: I/O Error: GSS Failed: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))
        at net.sourceforge.jtds.jdbc.TdsCore.login(TdsCore.java:654)
        at net.sourceforge.jtds.jdbc.JtdsConnection.<init>(JtdsConnection.java:371)
        at net.sourceforge.jtds.jdbc.Driver.connect(Driver.java:184)
        at JDBCKerberosTest.main(JDBCKerberosTest.java:85)
Caused by: java.io.IOException: GSS Failed: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))
        at net.sourceforge.jtds.jdbc.TdsCore.sendMSLoginPkt(TdsCore.java:1976)
        at net.sourceforge.jtds.jdbc.TdsCore.login(TdsCore.java:617)
        ... 3 more

这是我编写的代码,

try {
        String filePath = System.getProperty("user.dir") + File.separator + "KerberosConfDir";
   Driver d = (Driver)Class.forName("net.sourceforge.jtds.jdbc.Driver").newInstance();
   System.setProperty("java.security.krb5.debug", "true");
   System.setProperty("java.security.auth.login.config", filePath+File.separator+"login.conf");
   System.setProperty("java.security.krb5.conf", filePath+File.separator+"krb5.ini");
   System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
   Properties dbConProp = new Properties();
   dbConProp.setProperty("user",user);
   dbConProp.setProperty("password",pwd);
   String connectionUrl = "jdbc:jtds:sqlserver://"+hostName+":"+port+"/master;instance="+instanceName+";domain="+mydomain+";useNTLMv2=true;useKerberos=true;";
   con = d.connect(connectionUrl, dbConProp);
   rs = con.createStatement().executeQuery("select auth_scheme from sys.dm_exec_connections where session_id=@@spid");
   if(rs.next()) {
       System.out.println("auth_scheme : "+rs.getString("auth_scheme"));
       if(rs.getString("auth_scheme").equalsIgnoreCase("KERBEROS")) {
           System.out.println("%%%%%%%%%%%%%%%%%%%%%%  JTDS : KERBEROS Connection successful %%%%%%%%%%%%%%%%%%%%%%");
       } else {
           System.out.println("%%%%%%%%%%%%%%%%%%%%%%  JTDS : KERBEROS Connection failed %%%%%%%%%%%%%%%%%%%%%%");
       }
   }
} catch (Exception exp) {
    exp.printStackTrace();
} finally {
    try {
        if(rs != null) {
            rs.close();
        }
    } catch(Exception e) {
       e.printStackTrace();
    }
    try {
        if(con != null) {
            con.close();
        }
    } catch(Exception e) {
        e.printStackTrace();
    }
}

我的login.conf配置如下

  

com.sun.security.jgss.krb5.initiate {   需要com.sun.security.auth.module.Krb5LoginModule   useTicketCache = false
doNotPrompt = true   useKeyTab = true
keyTab =“ ../ KerberosConfDir / app1.keyTab”   主体=“ domainusername@FOO.COM”      storeKey = true   debug = true};

我的krb5.ini如下

     [libdefaults]
         default_realm = FOO.COM
         dns_lookup_realm = false
         dns_lookup_kdc = true
         ticket_lifetime = 1s
         forwardable = yes
         #udp_preference_limit = 1

     [realms]
         FOO.COM = {
           kdc = KDC_HOST.FOO.COM
           default_domain = FOO.COM
         }

     [domain_realm]
         .FOO.COM = FOO.COM

     [login]
         krb4_convert = true
         krb4_get_tickets = false

我的SQLJDBCDriver.conf如下

  


 SQLJDBCDriver {
    com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true >doNotPrompt=true;
 };

已如下创建keyTab文件

  

ktpass / out app1.keytab / princ http/domainusername.foo.com@foo.com / mapuser domainusername / crypto AES256-SHA1 / ptype KRB5_NT_PRINCIPAL / pass domainuserpassword

有人可以帮助我解决这个问题吗?

0 个答案:

没有答案