Authentication Kerberos - AES-256 keytab does not work

Tags: authentication, kerberos, sles, keytab, ktpass

Our AD team is going to disable RC4-HMAC, so I have to switch our JBoss application to AES. I added the aes types to krb5.conf and created a new keytab, but this does not seem to work. Tests with kinit outside the application show the same result.

There is one question with a solution, but that solution is already enabled for us. There is another one (from Rick Moritz) that has no answer to my problem.

Server: SLES12

AD: Windows Server 2016

krb5.conf

[libdefaults]
  debug = false
  default_realm = MY.DOMAIN
  ticket_lifetime = 24000
  default_keytab_name = /app/myapp/sso/myapp_eu.keytab_AES
  dns_lookup_realm = false
  dns_lookup_kdc = false
  default_tkt_enctypes = aes256-cts aes128-cts rc4-hmac
  default_tgs_enctypes = aes256-cts aes128-cts rc4-hmac
  permitted_enctypes = aes256-cts aes128-cts rc4-hmac

[realms]
  MY.DOMAIN = {
    kdc = my.domain
    default_domain = my.domain
  }

[domain_realm]
  .my.domain = MY.DOMAIN
  my.domain = MY.DOMAIN

[appdefaults]
  forwardable = true

Keytab

PS X:\> ktpass -out x:\MyappEUv3.keytab -mapOp set +DumpSalt -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass xxxxxx -princ MyappEU@MY.DOMAIN
Building salt with principalname MyappEU and domain MY.DOMAIN (encryption type 18)...
Hashing password with salt "MY.DOMAINMyappEU".
Key created.
Output keytab to x:\MyappEUv3.keytab:
Keytab version: 0x502
keysize 71 MyappEU@MY.DOMAIN ptype 1 (KRB5_NT_PRINCIPAL) vno 1 etype 0x12 (AES256-SHA1) keylength 32 (0x326dd53c7fce5ac4f25d1d17c6a1cf721d7d044f7eb72eaa92a20125055a3b25)

Old RC4 keytab:

klist -ket myapp_eu.keytab_RC4
Keytab name: FILE:myapp_eu.keytab_RC4
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   0 02/19/2018 14:41:39 MyappEU@MY.DOMAIN (arcfour-hmac)

New AES256 keytab:

klist -ket myapp_eu.keytab_AES
Keytab name: FILE:myapp_eu.keytab_AES
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   0 03/14/2018 15:03:31 MyappEU@MY.DOMAIN (aes256-cts-hmac-sha1-96)
kinit test (krb5 version 1.12.5)

Authentication with password (success):

Authentication with the old RC4 keytab (success):

Authentication with the new AES256 keytab (failure):

Looking at the etypes, aes seems to be valid. But I don't understand why the aes keytab produces a preauthentication error.

The old and the new keytab were created with the following ktpass commands:

ktpass -princ MyappEU@MY.DOMAIN -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -pass xxxxxxxx -kvno 0 -out myapp_eu.keytab_RC4
ktpass -princ MyappEU@MY.DOMAIN -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass xxxxxxxx -kvno 0 -out myapp_eu.keytab_AES
I have also tried it with the correct kvno instead of 0, with the same result.

Thanks for any help or ideas.

P.S. MY.DOMAIN and myapp are anonymized.

Test with freshly compiled krb5 1.16

I combined the hints from Samson Scharfrichter and T.Heron and now I see a difference between the salt I got from ktpass when creating the keytab and the salt in the kinit trace output. But I don't know where it comes from or how to change it. In this case the salt consists of an SPN.

ktpass

PS X:\> ktpass -out x:\MyappEUv3.keytab -mapOp set +DumpSalt -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass xxxxxx -princ MyappEU@MY.DOMAIN
Building salt with principalname MyappEU and domain MY.DOMAIN (encryption type 18)...
Hashing password with salt "MY.DOMAINMyappEU".
Key created.
Output keytab to x:\MyappEUv3.keytab:
Keytab version: 0x502
keysize 71 MyappEU@MY.DOMAIN ptype 1 (KRB5_NT_PRINCIPAL) vno 1 etype 0x12 (AES256-SHA1) keylength 32 (0x326dd53c7fce5ac4f25d1d17c6a1cf721d7d044f7eb72eaa92a20125055a3b25)
kinit trace

 env KRB5_TRACE=/dev/stdout /home/akirsch/krb5-1.16_made/bin/kinit -fV -k -t /home/akirsch/MyappEUv3.keytab MyappEU@MY.DOMAIN
 Using default cache: /tmp/krb5cc_0
 Using principal: MyappEU@MY.DOMAIN
 Using keytab: /home/akirsch/MyappEUv3.keytab
 [32175] 1521108914.135563: Getting initial credentials for MyappEU@MY.DOMAIN
 [32175] 1521108914.135564: Looked up etypes in keytab: aes256-cts
 [32175] 1521108914.135566: Sending unauthenticated request
 [32175] 1521108914.135567: Sending request (153 bytes) to MY.DOMAIN
 [32175] 1521108914.135568: Resolving hostname MY.DOMAIN
 [32175] 1521108914.135569: Sending initial UDP request to dgram 172.18.32.134:88
 [32175] 1521108914.135570: Received answer (214 bytes) from dgram 172.18.32.134:88
 [32175] 1521108914.135571: Response was not from master KDC
 [32175] 1521108914.135572: Received error from KDC: -1765328359/Additional pre-authentication required
 [32175] 1521108914.135575: Preauthenticating using KDC method data
 [32175] 1521108914.135576: Processing preauth types: 16, 15, 19, 2
 [32175] 1521108914.135577: Selected etype info: etype aes256-cts, salt "MY.DOMAINHTTPmyapp-entw.intranet-test.my.domain", params ""
 [32175] 1521108914.135578: Retrieving MyappEU@MY.DOMAIN from FILE:/home/akirsch/MyappEUv3.keytab (vno 0, enctype aes256-cts) with result: 0/Success
 [32175] 1521108914.135579: AS key obtained for encrypted timestamp: aes256-cts/ECF3
 [32175] 1521108914.135581: Encrypted timestamp (for 1521108914.396292): plain 301AA011180F32303138303331353130313531345AA1050203060C04, encrypted F92E4F783F834FF6500EA86CAF8CA3088517CB02F75BD2C962E5B454DC02C6F3BBCAF59EEB6F52D58AA873FF5EDFCA1496F59D2A587701A1
 [32175] 1521108914.135582: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
 [32175] 1521108914.135583: Produced preauth for next request: 2
 [32175] 1521108914.135584: Sending request (231 bytes) to MY.DOMAIN
 [32175] 1521108914.135585: Resolving hostname MY.DOMAIN
 [32175] 1521108914.135586: Sending initial UDP request to dgram 10.174.50.13:88
 [32175] 1521108914.135587: Received answer (181 bytes) from dgram 10.174.50.13:88
 [32175] 1521108914.135588: Response was not from master KDC
 [32175] 1521108914.135589: Received error from KDC: -1765328360/Preauthentication failed
 [32175] 1521108914.135592: Preauthenticating using KDC method data
 [32175] 1521108914.135593: Processing preauth types: 19
 [32175] 1521108914.135594: Selected etype info: etype aes256-cts, salt "MY.DOMAINHTTPmyapp-entw.intranet-test.my.domain", params ""
 [32175] 1521108914.135595: Getting initial credentials for MyappEU@MY.DOMAIN
 [32175] 1521108914.135596: Looked up etypes in keytab: des-cbc-crc, des, des-cbc-crc, rc4-hmac, aes256-cts, aes128-cts
 [32175] 1521108914.135598: Sending unauthenticated request
 [32175] 1521108914.135599: Sending request (153 bytes) to MY.DOMAIN (master)
 kinit: Preauthentication failed while getting initial credentials

Before generating the new keytab, make sure the SPN is cleared from the Active Directory account the keytab is tied to. This is a little-known problem. In your case I would run the following six-step process, and it should work:

  • setspn -D HTTP/myapp.my.domain MyappEU

  • Then generate the keytab:

    ktpass -princ HTTP/myapp.my.domain -mapUser MyappEU@MY.DOMAIN -pass xxxxxxxx -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -kvno 0 -out myapp_eu.keytab_AES

  • Verify that the SPN you need is on the Active Directory account:

    setspn -L MyappEU

  • Make sure the new SPN is reflected in the "User logon name" field on the Account tab of the Active Directory account, and that the checkbox "This account supports Kerberos AES 256 bit encryption" underneath it is checked:

  • In the standalone.xml file on the JBOSS server, don't forget to update the keytab file name there, then restart the JBOSS engine for the change to take effect.

  • Finally, you need to use ... in the Java_Home\lib\security directory on the JBOSS server, otherwise your keytab will not be able to decrypt AES256-SHA1 Kerberos tickets. If you are sure the problem is not in steps 1-5, then it is probably this one.

Thanks to T.Heron and Samson for the hints.

In the end there were only two steps to do:

  • Activate AES for the account, as described in ...
  • Use ktpass with mapuser to set the salt to the principal that is used for the login. (An error will be shown, but the salt is still set.)

The second part was hard to find. MapUser sets the SALT and UPN to the mapped SPN! There can only be one salt.
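The salt difference that the question's kinit trace exposes, and that the steps above fix by mapping the SPN, can be reproduced offline. The following Go program is an added example, not code from the question, from any answer, or from MIT krb5, Heimdal or ktpass: it implements the RFC 3962 string-to-key derivation for aes256-cts-hmac-sha1-96 (PBKDF2-HMAC-SHA1, then DK() with the n-fold of "kerberos"), pulls the salt out of a ktpass +DumpSalt line and out of a KRB5_TRACE "Selected etype info" line, and derives the key each side computes from one password. The two input lines are the ones printed on this page; the password "placeholder-password" and the 4096 iteration count are assumptions (the real password is not shown, and 4096 is the RFC 3962 default that ktpass and AD use). The function and variable names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// n-fold("kerberos", 128) from RFC 3961 A.1: the constant that DK() encrypts for the AES enctypes.
var nfoldKerberos128, _ = hex.DecodeString("6b65726265726f737b9b5b2b93132b93")

// pbkdf2SHA1 is PBKDF2-HMAC-SHA1 (RFC 2898), written out so the program needs only the standard library.
func pbkdf2SHA1(password, salt []byte, iterations, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac := hmac.New(sha1.New, password)
		mac.Write(salt)
		mac.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// aes256StringToKey is the RFC 3962 string-to-key for aes256-cts-hmac-sha1-96:
//   tkey = PBKDF2-HMAC-SHA1(password, salt, iterations, 32)
//   key  = DK(tkey, "kerberos") = E(tkey, nfold) || E(tkey, E(tkey, nfold))
// DK() runs AES-CBC-CTS one block at a time, which reduces to a raw AES block encryption.
func aes256StringToKey(password, salt string, iterations int) []byte {
	tkey := pbkdf2SHA1([]byte(password), []byte(salt), iterations, 32)
	c, _ := aes.NewCipher(tkey) // tkey is always 32 bytes, so NewCipher cannot fail here
	k1, k2 := make([]byte, aes.BlockSize), make([]byte, aes.BlockSize)
	c.Encrypt(k1, nfoldKerberos128)
	c.Encrypt(k2, k1)
	return append(k1, k2...)
}

// defaultSalt is the RFC 4120 default salt: the realm followed by the principal's name
// components with the "/" separators removed. Both salts shown on the page have this shape.
func defaultSalt(realm, principal string) string {
	return realm + strings.Join(strings.Split(principal, "/"), "")
}

var (
	ktpassSaltRe = regexp.MustCompile(`Hashing password with salt "([^"]*)"`)
	traceSaltRe  = regexp.MustCompile(`Selected etype info: etype [^,\s]+, salt "([^"]*)"`)
)

// saltIn extracts the quoted salt from a ktpass +DumpSalt line or a KRB5_TRACE line
// (the latter carries the salt the KDC sent in its ETYPE-INFO2 pre-auth hint).
func saltIn(re *regexp.Regexp, line string) (string, bool) {
	m := re.FindStringSubmatch(line)
	if m == nil {
		return "", false
	}
	return m[1], true
}

// checkKeytabSalt derives the key ktpass wrote into the keytab and the key the KDC expects,
// both from the same password, and says whether they agree. A mismatch is what yields
// "Preauthentication failed" although the password itself is correct.
func checkKeytabSalt(ktpassLine, traceLine, password string) (ktKey, kdcKey []byte, match bool, err error) {
	ks, ok := saltIn(ktpassSaltRe, ktpassLine)
	if !ok {
		return nil, nil, false, fmt.Errorf("no salt in ktpass output")
	}
	ts, ok := saltIn(traceSaltRe, traceLine)
	if !ok {
		return nil, nil, false, fmt.Errorf("no salt in KRB5_TRACE output")
	}
	const iterations = 4096 // RFC 3962 default iteration count, used by AD and ktpass
	ktKey = aes256StringToKey(password, ks, iterations)
	kdcKey = aes256StringToKey(password, ts, iterations)
	return ktKey, kdcKey, bytes.Equal(ktKey, kdcKey), nil
}

func main() {
	// Both lines are copied from the question; the password is a placeholder, the real one is not on the page.
	ktpassLine := `Hashing password with salt "MY.DOMAINMyappEU".`
	traceLine := `[32175] 1521108914.135577: Selected etype info: etype aes256-cts, salt "MY.DOMAINHTTPmyapp-entw.intranet-test.my.domain", params ""`
	ktKey, kdcKey, match, err := checkKeytabSalt(ktpassLine, traceLine, "placeholder-password")
	if err != nil {
		panic(err)
	}
	fmt.Printf("keytab key: %x\nKDC key:    %x\nmatch: %v\n", ktKey, kdcKey, match)
	fmt.Println("salt for the mapped SPN:", defaultSalt("MY.DOMAIN", "HTTP/myapp-entw.intranet-test.my.domain"))
}
```

With the page's two salts the keys differ, which is exactly the "Preauthentication failed" in the trace: after the SPN was mapped, the KDC derives the account's AES key from the SPN-based salt, while ktpass salted the keytab entry with REALM plus account name. The old RC4 keytab never hit this because rc4-hmac keys are the unsalted NT hash of the password. Feeding checkKeytabSalt a ktpass line that carries the SPN salt returns match = true, which is what regenerating the keytab with -mapUser against the same SPN achieves. The RFC 3962 Appendix B vector (iteration count 1, "password", "ATHENA.MIT.EDUraeburn") is a quick way to confirm the derivation before trusting it against a real keytab.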

    You can look at the current salt on Linux with the following command:

    env KRB5_TRACE=/dev/stdout env KRB5_CONFIG=krb5.conf kinit -fV ADUSER@MYDOMAIN.COM

    Example output line (the wrong salt, in this case):

    [10757] 1523617677.379889: Selected etype info: etype aes256-cts, salt "MYDOMAIN.COMHTTPvm41568226", params ""


    Java has trace flags for Kerberos debugging: not easy to understand, but at least you can compare OK/KO scenarios and see where the damn thing fails >> -Djava.security.debug=gssloginconfig,configfile,configparser,logincontext and -Dsun.security.krb5.debug=true

    And for the C code, e.g. kinit ... I'm not familiar with the KRB5_TRACE output, but it may help.

    You did not define a service principal in your ktpass syntax. What is listed here is a user principal. For a good example of ktpass syntax, see my article (about halfway down): ...

    What web URL will clients use when they access the JBOSS application? With that I can write a detailed answer on how to make it work.

    @Samson Scharfrichter I added the parameters, but it only gives me the default debug output. I added part of the log to my main question.