Kerberos SSO with WebLogic behind Apache


I have successfully configured WebLogic for SSO using Windows AD, but there are a few points I need clarified.

1) When I access the application from a browser through the Apache web server, why does WebLogic request a TGT using the SPN every time (I can see this in the WebLogic console)? Even if it wants to authenticate against the KDC, that should happen only once during startup, not on every request from the same browser.

In theory, WebLogic should never need to contact the KDC to validate an existing user's TGT.

2) If the same session key provided by the KDC is used for secure communication between the client and the WebLogic server, then unless the session key expires they would never need to hit the KDC between them, and in that case they could also choose to renew that session key, so there should never be a need to create a TGT for every request from the browser to WebLogic. Is that right?

WebLogic console log ->

Found ticket for HTTP/APPDEV2011.domain.com@DOMAIN.COM to go to krbtgt/DOMAIN.COM@DOMAIN.COM expiring on Fri May 11 21:06:46 CDT 2018
Debug is  true storeKey true useTicketCache true useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is http_weblogic_test.keytab refreshKrb5Config is false principal is HTTP/APPDEV2011.domain.com@DOMAIN.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
KinitOptions cache name is D:\Users\ayadav.DOMAIN.000\krb5cc_ayadav
Acquire default native Credentials
default etypes for default_tkt_enctypes: 17 23.
LSA contains TGT for ayadav@DOMAIN.COM not HTTP/APPDEV2011.domain.com@DOMAIN.COM
Principal is HTTP/APPDEV2011.domain.com@DOMAIN.COM
null credentials from Ticket Cache
Looking for keys for: HTTP/APPDEV2011.domain.com@DOMAIN.COM
Added key: 17version: 14
Added key: 18version: 14
Added key: 23version: 14
Found unsupported keytype (3) for HTTP/APPDEV2011.domain.com@DOMAIN.COM
Found unsupported keytype (1) for HTTP/APPDEV2011.domain.com@DOMAIN.COM
Looking for keys for: HTTP/APPDEV2011.domain.com@DOMAIN.COM
Added key: 17version: 14
Added key: 18version: 14
Added key: 23version: 14
Found unsupported keytype (3) for HTTP/APPDEV2011.domain.com@DOMAIN.COM
Found unsupported keytype (1) for HTTP/APPDEV2011.domain.com@DOMAIN.COM
default etypes for default_tkt_enctypes: 17 23.
KrbAsReq creating message
KrbKdcReq send: kdc=wcosp-dc01.domain.com UDP:88, timeout=30000, number of retries =3, #bytes=163
KDCCommunication: kdc=wcosp-dc01.domain.com UDP:88, timeout=30000,Attempt =1, #bytes=163
KrbKdcReq send: #bytes read=207
Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 17, salt = DOMAIN.COMHTTPAPPDEV2011.domain.com, s2kparams = null
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
Pre-Authentication Data:
PA-DATA type = 16
Pre-Authentication Data:
PA-DATA type = 15
KdcAccessibility: remove wcosp-dc01.domain.com
KDCRep: init() encoding tag is 126 req type is 11
KRBError:
sTime is Fri May 11 11:06:46 CDT 2018 1526054806000
suSec is 633784
error code is 25
error Message is Additional pre-authentication required
sname is krbtgt/DOMAIN.COM@DOMAIN.COM
eData provided.
msgType is 30
Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 17, salt = DOMAIN.COMHTTPAPPDEV2011.domain.com, s2kparams = null
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
Pre-Authentication Data:
PA-DATA type = 16
Pre-Authentication Data:
PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 17 23.
Looking for keys for: HTTP/APPDEV2011.domain.com@DOMAIN.COM
Added key: 17version: 14
Added key: 18version: 14
Added key: 23version: 14
Found unsupported keytype (3) for HTTP/APPDEV2011.domain.com@DOMAIN.COM
Found unsupported keytype (1) for HTTP/APPDEV2011.domain.com@DOMAIN.COM
Looking for keys for: HTTP/APPDEV2011.domain.com@DOMAIN.COM
Added key: 17version: 14
Added key: 18version: 14
Added key: 23version: 14
Found unsupported keytype (3) for HTTP/APPDEV2011.domain.com@DOMAIN.COM
Found unsupported keytype (1) for HTTP/APPDEV2011.domain.com@DOMAIN.COM
default etypes for default_tkt_enctypes: 17 23.
EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
KrbAsReq creating message
KrbKdcReq send: kdc=wcosp-dc01.domain.com UDP:88, timeout=30000, number of retries =3, #bytes=250
KDCCommunication: kdc=wcosp-dc01.domain.com UDP:88, timeout=30000,Attempt =1, #bytes=250
KrbKdcReq send: #bytes read=96
KrbKdcReq send: kdc=wcosp-dc01.domain.com TCP:88, timeout=30000, number of retries =3, #bytes=250
KDCCommunication: kdc=wcosp-dc01.domain.com TCP:88, timeout=30000,Attempt =1, #bytes=250
DEBUG: TCPClient reading 1602 bytes
KrbKdcReq send: #bytes read=1602
KdcAccessibility: remove wcosp-dc01.domain.com
Looking for keys for: HTTP/APPDEV2011.domain.com@DOMAIN.COM
Added key: 17version: 14
Added key: 18version: 14
Added key: 23version: 14
Found unsupported keytype (3) for HTTP/APPDEV2011.domain.com@DOMAIN.COM
Found unsupported keytype (1) for HTTP/APPDEV2011.domain.com@DOMAIN.COM
EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
KrbAsRep cons in KrbAsReq.getReply HTTP/APPDEV2011.domain.com
principal is HTTP/APPDEV2011.domain.com@DOMAIN.COM
Will use keytab
Commit Succeeded 

Thanks
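As an added example (not code from the question, WebLogic or Oracle), a small Python checker that reads the kind of Krb5LoginModule debug output quoted above and reports why a TGT is being fetched on every login: it parses the option line, counts AS exchanges with the KDC, and picks out the cache-principal mismatch. The sample log is a constructed excerpt of the question's output; the remark about isInitiator reflects Krb5LoginModule's documented behaviour, not anything the question confirms was changed.

```python
import re

# Constructed excerpt of the Krb5LoginModule debug output quoted in the question,
# reduced to one login attempt and the lines the analysis keys on.
SAMPLE_LOG = """\
Debug is  true storeKey true useTicketCache true useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is http_weblogic_test.keytab refreshKrb5Config is false principal is HTTP/APPDEV2011.domain.com@DOMAIN.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
LSA contains TGT for ayadav@DOMAIN.COM not HTTP/APPDEV2011.domain.com@DOMAIN.COM
null credentials from Ticket Cache
KrbAsReq creating message
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
KrbAsReq creating message
Will use keytab
Commit Succeeded
"""

# Krb5LoginModule options worth checking on a service (acceptor) configuration.
OPTION_NAMES = ("storeKey", "useTicketCache", "useKeyTab", "doNotPrompt", "isInitiator")

def parse_options(debug_line):
    """Pull the boolean options and the principal out of the 'Debug is ...' line."""
    opts = {k: v == "true" for k, v in re.findall(r"\b(\w+) (true|false)\b", debug_line)
            if k in OPTION_NAMES}
    m = re.search(r"principal is (\S+)", debug_line)
    opts["principal"] = m.group(1) if m else None
    return opts

def analyse(log):
    """Summarise one login-module run: options, cache mismatch, AS-REQ count, diagnosis."""
    lines = log.splitlines()
    opts = parse_options(next((l for l in lines if l.startswith("Debug is")), ""))
    # Every 'KrbAsReq creating message' is one AS exchange with the KDC; the pre-auth
    # retry in the question's log makes it two per login.
    as_req_count = sum(1 for l in lines if l.startswith("KrbAsReq creating message"))
    mismatch = None  # (principal found in the cache, principal the module wanted)
    for l in lines:
        m = re.match(r"LSA contains TGT for (\S+) not (\S+)", l)
        if m:
            mismatch = (m.group(1), m.group(2))
    diagnosis = "ok"
    if opts.get("isInitiator") and opts.get("useKeyTab") and as_req_count:
        # isInitiator=true makes the module obtain a TGT for the service principal on each
        # login; the cache only holds the interactive user's TGT, so it falls back to an
        # AS-REQ using the keytab. An acceptor-only service needs no TGT of its own.
        diagnosis = ("service principal configured as initiator; each login sends an AS-REQ "
                     "from the keytab. For an acceptor-only service set isInitiator=false")
    return {"options": opts, "as_req_count": as_req_count,
            "cache_mismatch": mismatch, "diagnosis": diagnosis}
```

Running `analyse(SAMPLE_LOG)` on the question's log reports two AS-REQs per login and the mismatch between the cached user TGT and the HTTP service principal.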

Why is there an Apache web server in between? WebLogic comes with its own web server.

Yes, but for performance reasons we want only the static resources served by the Apache server; this arrangement keeps WebLogic from being overwhelmed and also gives us the opportunity to configure redirects independently.