Java Apereo CAS使用NTLM而不是Kerberos
我将(中央身份验证服务)用于此类“体系结构”: 导言: CAS服务器URL为:Java Apereo CAS使用NTLM而不是Kerberos,java,active-directory,kerberos,cas,ntlm,Java,Active Directory,Kerberos,Cas,Ntlm,我将(中央身份验证服务)用于此类“体系结构”: 导言: CAS服务器URL为: http://dev.domain.com:8080/cas 我们使用userPrincipalNamesysDev@domain.com和下一个注册的SPN:HTTP/dev.domain。com@DOMAIN.COM。 我们生成了keytab文件,它与kinit-V-t-khttp/dev.domain一起工作。com@DOMAIN.COM命令 CAS服务器使用SPNEGO提供即时SSO身份验证。(org.ap
http://dev.domain.com:8080/cas
sysDev@domain.comHTTP/dev.domain。com@DOMAIN.COMkinit-V-t-khttp/dev.domain一起工作。com@DOMAIN.COMorg.apereo.cas:cas服务器支持Maven POM中的spnego webflowcas.propertiescas.server.name: http://10.xxx.xxx.xxx:8080
cas.server.prefix: http://10.xxx.xxx.xxx:8080/cas
server.port=8080
cas.adminPagesSecurity.ip=127\.0\.0\.1
cas.log.dir=/app/log
logging.config: file:/etc/cas/config/log4j2.xml
cas.serviceRegistry.initFromJson=true
cas.authn.spnego.kerberosConf=/etc/cas/config/krb5.conf
cas.authn.spnego.mixedModeAuthentication=true
cas.authn.spnego.jcifsServicePrincipal=HTTP/dev.domain.com@DOMAIN.COM
cas.authn.spnego.jcifsServicePrincipal=sysDev@domain.com
### cas.authn.spnego.jcifsNetbiosWins=true
cas.authn.spnego.loginConf=file:/etc/cas/config/login.conf
cas.authn.spnego.ntlmAllowed=false
### cas.authn.spnego.hostNamePatternString=.+
cas.authn.spnego.jcifsUsername=sysDev
### cas.authn.spnego.useSubjectCredsOnly=false
### cas.authn.spnego.jcifsDomainController=
### cas.authn.spnego.hostNameClientActionStrategy=hostnameSpnegoClientAction
cas.authn.spnego.kerberosKdc=10.yyy.yyy.yyy ### ip found by command nslookup -type=srv _kerberos._tcp.domain.com
### cas.authn.spnego.alternativeRemoteHostAttribute=alternateRemoteHeader
cas.authn.spnego.jcifsDomain=DOMAIN.COM
### cas.authn.spnego.ipsToCheckPattern=127.+
cas.authn.spnego.kerberosDebug=true
### cas.authn.spnego.send401OnAuthenticationFailure=true
cas.authn.spnego.kerberosRealm=DOMAIN.COM
cas.authn.spnego.ntlm=false
### cas.authn.spnego.principalWithDomainName=false
cas.authn.spnego.jcifsServicePassword=<password for sysDev provided as plain text>
cas.authn.spnego.jcifsPassword=<password for sysDev provided as plain text>
### cas.authn.spnego.spnegoAttributeName=distinguishedName
### cas.authn.spnego.name=
cas.authn.spnego.principal.principalAttribute=sAMAccountName
### cas.authn.spnego.principal.returnNull=false
cas.authn.spnego.ldap.ldapUrl=ldap://10.yyy.yyy.yyy
### cas.authn.spnego.ldap.connectionStrategy=
cas.authn.spnego.ldap.baseDn=DC=domain,DC=com
cas.authn.spnego.ldap.bindDn=CN=sysDev,DC=domain,DC=com
#cas.authn.spnego.ldap.bindCredential=
# cas.authn.spnego.ldap.providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
cas.authn.spnego.ldap.failFast=false
cas.authn.spnego.ldap.subtreeSearch=true
cas.authn.spnego.ldap.useSsl=false
cas.authn.spnego.ldap.searchFilter=cn={host}
### cas.authn.spnego.ldap.searchFilter=%s@domain.com ### is it better then above???
cas.server.name:http://10.xxx.xxx.xxx:8080
cas.server.prefix:http://10.xxx.xxx.xxx:8080/cas
server.port=8080
cas.adminPagesSecurity.ip=127\.0\.0\.1
cas.log.dir=/app/log
logging.config:file:/etc/cas/config/log4j2.xml
cas.serviceRegistry.initFromJson=true
cas.authn.spnego.kerberosConf=/etc/cas/config/krb5.conf
cas.authn.spnego.mixedModeAuthentication=true
cas.authn.spnego.jcifsServicePrincipal=HTTP/dev.domain。com@DOMAIN.COM
cas.authn.spnego.jcifsServicePrincipal=sysDev@domain.com
###cas.authn.spnego.jcifsNetbiosWins=true
cas.authn.spnego.loginConf=file:/etc/cas/config/login.conf
cas.authn.spnego.ntlmAllowed=false
###cas.authn.spnego.hostNamePatternString=+
cas.authn.spnego.jcifsUsername=sysDev
###cas.authn.spnego.useSubjectCredsOnly=false
###cas.authn.spnego.JCIFSDOMA控制器=
###cas.authn.spnego.hostNameClientActionStrategy=hostnameSpnegoClientAction
cas.authn.spnego.kerberosKdc=10.yyy.yyy.yyy###ip由命令nslookup-type=srv#u kerberos._tcp.domain.com找到
###cas.authn.spnego.alternativeRemoteHostAttribute=AlternativeRemoteHeader
cas.authn.spnego.jcifsDomain=DOMAIN.COM
###cas.authn.spnego.ipsToCheckPattern=127+
cas.authn.spnego.kerberosDebug=true
###cas.authn.spnego.send401OnAuthenticationFailure=true
cas.authn.spnego.kerberosRealm=DOMAIN.COM
cas.authn.spnego.ntlm=false
###cas.authn.spnego.principalWithDomainName=false
cas.authn.spnego.jcifsServicePassword=
cas.authn.spnego.jcifsPassword=
###cas.authn.spnego.spnegoatTributenName=区分名称
###cas.authn.spnego.name=
cas.authn.spnego.principalAttribute=sAMAccountName
###cas.authn.spnego.principal.returnNull=false
cas.authn.spnego.ldap.ldapUrl=ldap://10.yyy.yyy.yyy
###cas.authn.spnego.ldap.connectionStrategy=
cas.authn.spnego.ldap.baseDn=DC=domain,DC=com
cas.authn.spnego.ldap.bindDn=CN=sysDev,DC=domain,DC=com
#cas.authn.spnego.ldap.bindCredential=
#cas.authn.spnego.ldap.providerClass=org.ldaptive.provider.unbounded.unboundProvider
cas.authn.spnego.ldap.failFast=false
cas.authn.spnego.ldap.subtreeSearch=true
cas.authn.spnego.ldap.useSsl=false
cas.authn.spnego.ldap.searchFilter=cn={host}
###cas.authn.spnego.ldap.searchFilter=%s@domain.com#####比上面好吗???
2017-09-22 10:30:56,074 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [event=success,timestamp=Fri Sep 22 10:30:56 CEST 2017,source=RankedAuthenticationProviderWebflowEventResolver]
ACTION: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION: CAS
WHEN: Fri Sep 22 10:30:56 CEST 2017
CLIENT IP ADDRESS: 10.aaa.aaa.aaa
SERVER IP ADDRESS: 10.xxx.xxx.xxx
=============================================================
2017-09-22 10:30:56,136 WARN [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [unknown] of type [SpnegoCredential], which suggests a configuration problem.>
2017-09-22 10:30:56,138 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: unknown
WHAT: Supplied credentials: [unknown]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Fri Sep 22 10:30:56 CEST 2017
(...)
2017-09-22 10:30:56,074 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [event=success,timestamp=Fri Sep 22 10:30:56 CEST 2017,source=RankedAuthenticationProviderWebflowEventResolver]
ACTION: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION: CAS
WHEN: Fri Sep 22 10:30:56 CEST 2017
CLIENT IP ADDRESS: 10.aaa.aaa.aaa
SERVER IP ADDRESS: 10.xxx.xxx.xxx
=============================================================
2017-09-22 10:30:56,136 WARN [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [unknown] of type [SpnegoCredential], which suggests a configuration problem.>
2017-09-22 10:30:56,138 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: unknown
WHAT: Supplied credentials: [unknown]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Fri Sep 22 10:30:56 CEST 2017
(...)
2017-09-22 10:30:56074信息[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager]-dev.domain.com是CNAME吗?如果是,请将其更改为记录。当服务实例的FQDN部分是CNAME时,许多web浏览器,特别是Chrome和Firefox,并不总是能很好地与Kerberos配合使用。当Kerberos失败时,NTLM是许多(但不是所有)情况下的后备方案。dev.domain.com是CNAME吗?如果是,请将其更改为记录。当服务实例的FQDN部分是CNAME时,许多web浏览器,特别是Chrome和Firefox,并不总是能很好地与Kerberos配合使用。当Kerberos失败时,NTLM是许多(但不是所有)场景下的后备方案。是的,这是DNS配置的问题-我已经和管理员谈过,管理员做了必要的更改。谢谢你的评论。如果你把答案写在这里,我可以接受。@jsosnowski-很好的参考资料。非常感谢。
2017-09-22 12:13:18,232 DEBUG [org.apereo.cas.web.flow.InitializeLoginAction] - <Initialized login sequence>
2017-09-22 12:13:18,232 DEBUG [org.springframework.webflow.engine.Transition] - <Exiting state 'initializeLoginForm'>
2017-09-22 12:13:18,232 DEBUG [org.springframework.webflow.engine.ActionState] - <Entering state 'startSpnegoAuthenticate' of flow 'login'>
2017-09-22 12:13:18,232 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing [EvaluateAction@595ba047 expression = negociateSpnego, resultExpression = [null]]>
2017-09-22 12:13:18,232 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing org.apereo.cas.web.flow.SpnegoNegociateCredentialsAction@54c68eda>
2017-09-22 12:13:18,232 DEBUG [org.apereo.cas.web.flow.SpnegoNegociateCredentialsAction] - <Authorization header [Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==], User Agent header [Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)]>
2017-09-22 12:13:18,233 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing org.apereo.cas.web.flow.SpnegoNegociateCredentialsAction@54c68eda; result = success>
2017-09-22 12:13:18,233 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing [EvaluateAction@595ba047 expression = negociateSpnego, resultExpression = [null]]; result = success>
2017-09-22 12:13:18,233 DEBUG [org.springframework.webflow.engine.Transition] - <Executing [Transition@49e5cb05 on = success, to = spnego]>
2017-09-22 12:13:18,233 DEBUG [org.springframework.webflow.engine.Transition] - <Exiting state 'startSpnegoAuthenticate'>
2017-09-22 12:13:18,233 DEBUG [org.springframework.webflow.engine.ActionState] - <Entering state 'spnego' of flow 'login'>
2017-09-22 12:13:18,233 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing [EvaluateAction@5ed25881 expression = spnego, resultExpression = [null]]>
2017-09-22 12:13:18,233 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing org.apereo.cas.web.flow.SpnegoCredentialsAction@7c4ac70a>
2017-09-22 12:13:18,233 DEBUG [org.apereo.cas.web.flow.SpnegoCredentialsAction] - <SPNEGO Authorization header located as [Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==]>
2017-09-22 12:13:18,233 DEBUG [org.apereo.cas.web.flow.SpnegoCredentialsAction] - <SPNEGO Authorization header found with [56] bytes>
2017-09-22 12:13:18,233 DEBUG [org.apereo.cas.web.flow.SpnegoCredentialsAction] - <Obtained token: [NTLMSSP^@^A^@^@^@��^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^F^A�^]^@^@^@^O]. Creating SPNEGO credential...>
2017-09-22 12:13:18,234 DEBUG [org.apereo.cas.authentication.adaptive.DefaultAdaptiveAuthenticationPolicy] - <Located client IP address as [<ip adress>]>
2017-09-22 12:13:18,234 DEBUG [org.apereo.cas.authentication.adaptive.DefaultAdaptiveAuthenticationPolicy] - <User agent [Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)] is authorized to proceed>
2017-09-22 12:13:18,234 DEBUG [org.apereo.cas.authentication.adaptive.DefaultAdaptiveAuthenticationPolicy] - <Adaptive authentication policy has authorized client [<ip adress>] to proceed.>
2017-09-22 12:13:18,234 DEBUG [org.apereo.cas.web.support.WebUtils] - <Evaluating request to determine if warning cookie should be generated>
2017-09-22 12:13:18,235 DEBUG [org.apereo.cas.web.flow.resolver.impl.ServiceTicketRequestWebflowEventResolver] - <Located ticket-granting ticket [null] from the request context>
2017-09-22 12:13:18,235 DEBUG [org.apereo.cas.web.flow.resolver.impl.ServiceTicketRequestWebflowEventResolver] - <Located service [null] from the request context>
2017-09-22 12:13:18,235 DEBUG [org.apereo.cas.web.flow.resolver.impl.ServiceTicketRequestWebflowEventResolver] - <Provided value for [renew] request parameter is [null]>
2017-09-22 12:13:18,235 DEBUG [org.apereo.cas.web.flow.resolver.impl.ServiceTicketRequestWebflowEventResolver] - <Request is not eligible to be issued service tickets just yet>
2017-09-22 12:13:18,236 DEBUG [org.apereo.cas.web.support.WebUtils] - <Evaluating request to determine if warning cookie should be generated>
2017-09-22 12:13:18,236 DEBUG [org.apereo.cas.authentication.RegisteredServiceAuthenticationHandlerResolver] - <Authentication handlers used for this transaction are [HttpBasedServiceCredentialsAuthenticationHandlerJcifsSpnegoAuthenticationHandler]>
2017-09-22 12:13:18,237 DEBUG [org.apereo.cas.support.spnego.authentication.handler.support.JcifsSpnegoAuthenticationHandler] - <Processing SPNEGO authentication>
2017-09-22 12:13:18,240 INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[JcifsSpnegoAuthenticationHandler] failed authenticating [unknown]>
(...)
2017-09-22 12:13:18,241 WARN [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [unknown] of type [SpnegoCredential], which suggests a configuration problem.>
(...)
>
2017-09-22 12:13:18,243 DEBUG [org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver] - <1 errors, 0 successes>
org.apereo.cas.authentication.AuthenticationException: 1 errors, 0 successes
at org.apereo.cas.authentication.PolicyBasedAuthenticationManager.evaluateProducedAuthenticationContext(PolicyBasedAuthenticationManager.java:173) ~[cas-server-core-authentication-5.1.1.jar:5.1.1]
at org.apereo.cas.authentication.PolicyBasedAuthenticationManager.authenticateInternal(PolicyBasedAuthenticationManager.java:153) ~[cas-server-core-authentication-5.1.1.jar:5.1.1]
at org.apereo.cas.authentication.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:140) ~[cas-server-core-authentication-5.1.1.jar:5.1.1]
at org.apereo.cas.authentication.AbstractAuthenticationManager$$FastClassBySpringCGLIB$$12a86894.invoke(<generated>) ~[cas-server-core-authentication-5.1.1.jar:5.1.1]
at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204) ~[spring-core-4.3.8.RELEASE.jar:4.3.8.RELEASE]