Authentication: Java security exception: Checksum failed

authentication, windows-authentication, kerberos, spnego, kerberos-delegation

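I am using for SSO in Java.

I have a Windows Server 2008 KDC, and I used the setspn command to create an SPN for the testsso user. I use testsso@MYDOMAIN.COM as the principal in jaas.conf.

I have a Tomcat server on a Windows 7 machine (in AD). From this article, I created a servlet as a JSP (from webmoli itself).

I am sending a browser request to that servlet from a third machine, Windows XP (in AD).

But I get a Checksum failed error. The stack trace is as follows: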

Auth is :: Negotiate Token is
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23 1 3.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=192.168.10.84 UDP:88, timeout=30000, number of retries =3, #bytes=151
>>> KDCCommunication: kdc=192.168.10.84 UDP:88, timeout=30000,Attempt =1, #bytes=151
>>> KrbKdcReq send: #bytes read=245
>>>Pre-Authentication Data:
     PA-DATA type = 19
     PA-ETYPE-INFO2 etype = 17, salt = MYDOMAIN.COMHTTPMYDOMAIN.com, s2kparams = null
     PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
     PA-ETYPE-INFO2 etype = 3, salt = MYDOMAIN.COMHTTPMYDOMAIN.com, s2kparams = null
     PA-ETYPE-INFO2 etype = 1, salt = MYDOMAIN.COMHTTPMYDOMAIN.com, s2kparams = null

>>>Pre-Authentication Data:
     PA-DATA type = 2
     PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
     PA-DATA type = 16

>>>Pre-Authentication Data:
     PA-DATA type = 15

>>> KdcAccessibility: remove 192.168.10.84
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
     sTime is Wed May 28 17:39:33 IST 2014 1401278973000
     suSec is 896308
     error code is 25
     error Message is Additional pre-authentication required
     realm is MYDOMAIN.COM
     sname is krbtgt/MYDOMAIN.COM
     eData provided.
     msgType is 30
>>>Pre-Authentication Data:
     PA-DATA type = 19
     PA-ETYPE-INFO2 etype = 17, salt = MYDOMAIN.COMHTTPMYDOMAIN.com, s2kparams = null
     PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
     PA-ETYPE-INFO2 etype = 3, salt = MYDOMAIN.COMHTTPMYDOMAIN.com, s2kparams = null
     PA-ETYPE-INFO2 etype = 1, salt = MYDOMAIN.COMHTTPMYDOMAIN.com, s2kparams = null

>>>Pre-Authentication Data:
     PA-DATA type = 2
     PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
     PA-DATA type = 16

>>>Pre-Authentication Data:
     PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23 1 3.
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23 1 3.
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=192.168.10.84 UDP:88, timeout=30000, number of retries =3, #bytes=233
>>> KDCCommunication: kdc=192.168.10.84 UDP:88, timeout=30000,Attempt =1, #bytes=233
>>> KrbKdcReq send: #bytes read=1404
>>> KdcAccessibility: remove 192.168.10.84
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply testsso
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23 1 3.
Found KerberosKey for testsso@MYDOMAIN.COM
Found KerberosKey for testsso@MYDOMAIN.COM
Found KerberosKey for testsso@MYDOMAIN.COM
Found KerberosKey for testsso@MYDOMAIN.COM
Found KerberosKey for testsso@MYDOMAIN.COM
Entered Krb5Context.acceptSecContext with state=STATE_NEW
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source)
    at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    at one.TEST$2.run(TEST.java:357)
    at one.TEST$2.run(TEST.java:1)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Unknown Source)
    at one.TEST.acceptSecurityContext(TEST.java:279)
    at one.TEST.authenticate(TEST.java:146)
    at one.TEST.doGet(TEST.java:103)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:304)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:462)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:562)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:395)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:250)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:188)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:302)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Caused by: KrbException: Checksum failed
    at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(Unknown Source)
    at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(Unknown Source)
    at sun.security.krb5.EncryptedData.decrypt(Unknown Source)
    at sun.security.krb5.KrbApReq.authenticate(Unknown Source)
    at sun.security.krb5.KrbApReq.<init>(Unknown Source)
    at sun.security.jgss.krb5.InitSecContextToken.<init>(Unknown Source)
    ... 32 more
Caused by: java.security.GeneralSecurityException: Checksum failed
    at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(Unknown Source)
    at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(Unknown Source)
    ... 38 more
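
A triage sketch for the trace above, added here as an example and not part of the original post: it separates the AS exchange from the AP-REQ acceptance, treats error code 25 followed by a re-sent AS-REQ as the normal pre-authentication round trip, and reports the etype in use when decryption fails. The function names and the abridged sample are assumptions of this example.

```python
import re

# JDK EType class -> (Kerberos etype number, name); RFC 3962 / RFC 4757.
JDK_ETYPES = {"Aes128CtsHmacSha1EType": (17, "aes128-cts-hmac-sha1-96"),
              "Aes256CtsHmacSha1EType": (18, "aes256-cts-hmac-sha1-96"),
              "ArcFourHmacEType": (23, "rc4-hmac")}

# Abridged from the trace in the question above.
SAMPLE = """\
>>>KRBError:
     error code is 25
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
Entered Krb5Context.acceptSecContext with state=STATE_NEW
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Caused by: KrbException: Checksum failed
    at sun.security.krb5.KrbApReq.authenticate(Unknown Source)
"""

def triage(trace):
    """Split a JDK krb5 debug trace into AS exchange and AP-REQ acceptance."""
    r = {"as_etypes": [], "ap_etypes": [], "benign_errors": [],
         "failure": None, "failed_in_ap_req": False}
    phase, last_err = "as", None
    for line in trace.splitlines():
        if "acceptSecContext with state=STATE_NEW" in line:
            phase = "ap"  # acceptor starts processing the client's token
        m = re.search(r">>> ?EType: \S*\.(\w+)\s*$", line)
        if m and m.group(1) in JDK_ETYPES:
            r[phase + "_etypes"].append(JDK_ETYPES[m.group(1)])
        m = re.search(r"error code is (\d+)", line)
        if m:
            last_err = int(m.group(1))
        # Error 25 followed by a re-sent AS-REQ is the normal preauth round trip.
        if "re-send AS-REQ" in line and last_err == 25:
            r["benign_errors"].append(25)
        m = re.search(r"Caused by: KrbException: (.+)", line)
        if m and r["failure"] is None:
            r["failure"] = m.group(1).strip()
        if "KrbApReq.authenticate" in line:
            r["failed_in_ap_req"] = True
    return r

def summary(trace):
    r = triage(trace)
    if not (r["failure"] and r["failed_in_ap_req"] and r["ap_etypes"]):
        return "no AP-REQ decryption failure found"
    num, name = r["ap_etypes"][-1]
    return f"{r['failure']}: AP-REQ decrypt with the acceptor's {name} (etype {num}) key"
```

On the sample, the AS exchange runs with etype 17 while the failing decryption happens under etype 23, and the integrity check fails inside `KrbApReq.authenticate`, which means the acceptor's key for that etype does not match the key the ciphertext was produced with.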