Java: What is the difference between the GSS API and the SSPI API when using Kerberos with delegation?



I have middleware running Java code in a Tomcat server. The middleware authenticates users with Kerberos (GSS API). If no Kerberos token is present in the Authorization header, the middleware returns 401 with a WWW-Authenticate: Negotiate response header to initiate SPNEGO authentication.

Checking the incoming service ticket with GSSContext.acceptSecContext works fine.

However, I have some problems with the delegation case.

As the name "middleware" suggests, my Java service has to call a backend service using Kerberos authentication and the original user principal. For this, I implemented the Kerberos Java GSS API delegation mechanism. In addition, AD is configured correctly and Tomcat runs as a service under a specific service account.

To test this implementation, I wrote a Java test client that obtains a ticket for the middleware using the GSS API. Running the Java test client with administrator rights, or obtaining a forwardable ticket with kinit -f, the combination of client and middleware works fine: the client gets a ticket, the middleware accepts the ticket, GSSContext.getCredDelegState() returns true, the middleware obtains the delegated credential with GSSContext.getDelegCred(), and the login at the backend works.

In addition, I tested the middleware implementation with a browser and with a small C# test client. Both use SPNEGO. In this case the authorization also works: I get the message that authentication succeeded, and I get the user principal. With the browser or my C# test client I get the following debug output in the middleware:

Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator false KeyTab is D:/app/Tomcat_9019_SSO/conf/tomcat.keytab refreshKrb5Config is true principal is HTTP/SERVICE.MYDOMAIN.NET@MYDOMAIN.NET tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Refreshing Kerberos configuration
Java config name: C:\Windows\kerb5.ini
Loading krb5 profile at C:\Windows\kerb5.ini
Loaded from Java config
>>> KdcAccessibility: reset
principal is HTTP/SERVICE.MYDOMAIN.NET@MYDOMAIN.NET
Will use keytab
Commit Succeeded

2020-03-18 06:36:50.254  INFO .e.s.a.t.a.KerberosCheckAuthTicketAction [TC~3~c80e3d5b-3] : Starting check of incoming Kerberos service ticket.
Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab D:\app\Tomcat_9019_SSO\conf\tomcat.keytab for HTTP/SERVICE.MYDOMAIN.NET@MYDOMAIN.NET
Found KeyTab D:\app\Tomcat_9019_SSO\conf\tomcat.keytab for HTTP/SERVICE.MYDOMAIN.NET@MYDOMAIN.NET
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab D:\app\Tomcat_9019_SSO\conf\tomcat.keytab for HTTP/SERVICE.MYDOMAIN.NET@MYDOMAIN.NET
Found KeyTab D:\app\Tomcat_9019_SSO\conf\tomcat.keytab for HTTP/SERVICE.MYDOMAIN.NET@MYDOMAIN.NET
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Looking for keys for: HTTP/SERVICE.MYDOMAIN.NET@MYDOMAIN.NET
Added key: 23version: 0
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 18 17 20 19 16 23.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
MemoryCache: add 1584509810/000627/5EBDF35F49476E365F32DE53C3CAFA81C4730A13D881ECA15E9F43023F99A80B/CLIENTUSERD@MYDOMAIN.NET to CLIENTUSERD@MYDOMAIN.NET|HTTP/SERVICE.MYDOMAIN.NET@MYDOMAIN.NET
>>> KrbApReq: authenticate succeed.
Krb5Context setting peerSeqNumber to: 947381056
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Krb5Context setting mySeqNumber to: 214468704
>>> Constrained deleg from GSSCaller{UNKNOWN}
Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is D:/app/Tomcat_9019_SSO/conf/tomcat.keytab refreshKrb5Config is false principal is HTTP/SERVICE.MYDOMAIN.NET@MYDOMAIN.NET tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Looking for keys for: HTTP/SERVICE.MYDOMAIN.NET@MYDOMAIN.NET
Added key: 23version: 0
Looking for keys for: HTTP/SERVICE.MYDOMAIN.NET@MYDOMAIN.NET
Added key: 23version: 0
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=kb01.mydomain.net UDP:88, timeout=30000, number of retries =3, #bytes=174
>>> KDCCommunication: kdc=kb01.mydomain.net UDP:88, timeout=30000,Attempt =1, #bytes=174
>>> KrbKdcReq send: #bytes read=175
>>>Pre-Authentication Data:
         PA-DATA type = 11
         PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16

>>>Pre-Authentication Data:
         PA-DATA type = 15

>>> KdcAccessibility: remove kb01.mydomain.net
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Wed Mar 18 06:36:50 CET 2020 1584509810000
         suSec is 765149
         error code is 25
         error Message is Additional pre-authentication required
         sname is krbtgt/MYDOMAIN.NET@MYDOMAIN.NET
         eData provided.
         msgType is 30
>>>Pre-Authentication Data:
         PA-DATA type = 11
         PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16

>>>Pre-Authentication Data:
         PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Looking for keys for: HTTP/SERVICE.MYDOMAIN.NET@MYDOMAIN.NET
Added key: 23version: 0
Looking for keys for: HTTP/SERVICE.MYDOMAIN.NET@MYDOMAIN.NET
Added key: 23version: 0
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=kb01.mydomain.net UDP:88, timeout=30000, number of retries =3, #bytes=253
>>> KDCCommunication: kdc=kb01.mydomain.net UDP:88, timeout=30000,Attempt =1, #bytes=253
>>> KrbKdcReq send: #bytes read=90
>>> KrbKdcReq send: kdc=kb01.mydomain.net TCP:88, timeout=30000, number of retries =3, #bytes=253
>>> KDCCommunication: kdc=kb01.mydomain.net TCP:88, timeout=30000,Attempt =1, #bytes=253
>>>DEBUG: TCPClient reading 2154 bytes
>>> KrbKdcReq send: #bytes read=2154
>>> KdcAccessibility: remove kb01.mydomain.net
Looking for keys for: HTTP/SERVICE.MYDOMAIN.NET@MYDOMAIN.NET
Added key: 23version: 0
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
                [Krb5LoginModule] authentication failed
Message stream modified (41)
Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator false KeyTab is D:/app/Tomcat_9019_SSO/conf/tomcat.keytab refreshKrb5Config is true principal is HTTP/SERVICE.MYDOMAIN.NET@MYDOMAIN.NET tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Refreshing Kerberos configuration
Java config name: C:\Windows\kerb5.ini
Loading krb5 profile at C:\Windows\kerb5.ini
Loaded from Java config
>>> KdcAccessibility: reset
principal is HTTP/SERVICE.MYDOMAIN.NET@MYDOMAIN.NET
Will use keytab
Commit Succeeded

2020-03-18 06:47:41.029  INFO .e.s.a.t.a.KerberosCheckAuthTicketAction [TC~9~c80e3d5b-9] : Starting check of incoming Kerberos service ticket.
Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab D:\app\Tomcat_9019_SSO\conf\tomcat.keytab for HTTP/SERVICE.MYDOMAIN.NET@MYDOMAIN.NET
Found KeyTab D:\app\Tomcat_9019_SSO\conf\tomcat.keytab for HTTP/SERVICE.MYDOMAIN.NET@MYDOMAIN.NET
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab D:\app\Tomcat_9019_SSO\conf\tomcat.keytab for HTTP/SERVICE.MYDOMAIN.NET@MYDOMAIN.NET
Found KeyTab D:\app\Tomcat_9019_SSO\conf\tomcat.keytab for HTTP/SERVICE.MYDOMAIN.NET@MYDOMAIN.NET
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Looking for keys for: HTTP/SERVICE.MYDOMAIN.NET@MYDOMAIN.NET
Added key: 23version: 0
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 18 17 20 19 16 23.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
MemoryCache: add 1584510459/567826/FDE0027391B8BF26BF807FF04E5FD5F7CE38794A3264EB298BB36F736B2CF050/CLIENTUSERD@MYDOMAIN.NET to CLIENTUSERD@MYDOMAIN.NET|HTTP/SERVICE.MYDOMAIN.NET@MYDOMAIN.NET
>>> KrbApReq: authenticate succeed.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>Delegated Creds have pname=CLIENTUSERD@MYDOMAIN.NET sname=krbtgt/MYDOMAIN.NET@MYDOMAIN.NET authtime=20200318054735Z starttime=20200318054739Z endtime=20200318154735ZrenewTill=null
Krb5Context setting peerSeqNumber to: 99984043
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Krb5Context setting mySeqNumber to: 161819208
[realms]
    MYDOMAIN.NET = {
            kdc = d01.mydomain.net
            admin_server = d01.mydomain.net
            default_domain = MYDOMAIN.NET
    } 
System.setProperty("java.security.krb5.kdc", "d01.mydomain.net"); // the KDC host must be passed as a string literal
#2>     Client: CLIENTUSERD @ MYDOMAIN.NET
        Server: HTTP/SERVICE.MYDOMAIN.NET @ MYDOMAIN.NET
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Start Time: 3/24/2020 5:33:39 (local)
        End Time:   3/24/2020 15:33:39 (local)
        Renew Time: 3/31/2020 5:33:39 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called: d02.mydomain.net
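As an added example (my own code, not the asker's middleware or test client), here are the two sides the question contrasts, written with Java GSS: the acceptor reads getCredDelegState() after acceptSecContext and only then takes getDelegCred(), while the Java test client asks for delegation with requestCredDeleg(true) and so depends on a forwardable TGT. The class name, the Outcome type and the SPN arguments are assumptions; accept() must run inside Subject.doAs after the keytab login shown in the log.

```java
import java.util.Base64;
import org.ietf.jgss.*;

/** Constructed example: acceptor-side delegation checks plus the GSS test-client side. */
public final class DelegationExample {

    private static Oid spnego() throws GSSException { return new Oid("1.3.6.1.5.5.2"); }

    /** What the middleware learns from one Negotiate token (hypothetical result type). */
    public static final class Outcome {
        public final String principal;        // e.g. CLIENTUSERD@MYDOMAIN.NET, from getSrcName()
        public final boolean delegated;       // getCredDelegState(): true in the question's working case
        public final GSSCredential delegCred; // getDelegCred(): the initiator credential for the backend call
        Outcome(String p, boolean d, GSSCredential c) { principal = p; delegated = d; delegCred = c; }
    }

    /** Middleware side. Must run inside Subject.doAs after the HTTP/... keytab login. */
    public static Outcome accept(String authorizationHeader) throws GSSException {
        byte[] token = Base64.getDecoder().decode(authorizationHeader.replaceFirst("^Negotiate\\s+", ""));
        GSSManager mgr = GSSManager.getInstance();
        GSSCredential serverCred = mgr.createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
                spnego(), GSSCredential.ACCEPT_ONLY);
        GSSContext ctx = mgr.createContext(serverCred);
        try {
            ctx.acceptSecContext(token, 0, token.length); // Kerberos establishes the acceptor in one call
            if (!ctx.isEstablished()) throw new GSSException(GSSException.DEFECTIVE_TOKEN);
            // false unless the client forwarded its TGT (or the JDK's constrained-delegation
            // fallback, the "Constrained deleg" line in the log, succeeded); never call
            // getDelegCred() without this check.
            boolean hasDeleg = ctx.getCredDelegState();
            return new Outcome(ctx.getSrcName().toString(), hasDeleg, hasDeleg ? ctx.getDelegCred() : null);
        } finally {
            ctx.dispose();
        }
    }

    /** Java GSS test-client side: delegation is requested explicitly and needs a forwardable TGT (kinit -f). */
    public static byte[] clientToken(String middlewareSpn) throws GSSException {
        GSSManager mgr = GSSManager.getInstance();
        GSSName target = mgr.createName(middlewareSpn, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = mgr.createContext(target, spnego(), null, GSSContext.DEFAULT_LIFETIME);
        ctx.requestCredDeleg(true); // the acceptor sees getCredDelegState()==true only if the TGT is really forwarded
        ctx.requestMutualAuth(true);
        return ctx.initSecContext(new byte[0], 0, 0); // send as "Authorization: Negotiate <base64>"
    }
}
```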