Java/Tomcat application with Kerberos
I am new to Kerberos, and I am trying to configure a Java/Tomcat application to authenticate to a database using Kerberos. The stack trace I get says that it cannot connect and that no valid credentials were provided, but I cannot tell where the problem is. Here is my krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_keytab_name = FILE:C:\Users\QZAJ\Documents\repos\secure.qzaj\qzaj.keytab
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
# default_realm = WINDOWSKDCDOMAIN
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
WINDOWSKDCDOMAIN = {
kdc = DEVDC01.DEV.MYDOMAIN.COM :88
}
[domain_realm]
#.MYDOMAIN.com = WINDOWSKDCDOMAIN
#MYDOMAIN.com = WINDOWSKDCDOMAIN
And my jaas.conf
com.sun.security.jgss.krb5.initiate {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
doNotPrompt=true
keyTab="C:\Users\QZAJ\Documents\repos\secure.qzaj\qzaj.keytab"
principal="QZAJ@MYDOMAIN.NET"
debug=true
};
com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
doNotPrompt=true
keyTab="C:\Users\QZAJ\Documents\repos\secure.qzaj\qzaj.keytab"
principal="QZAJ@MYDOMAIN.NET"
debug=true
};
My keytab file
MYDOMAIN.NET QZAJ (binary key material, not printable)...
MYDOMAIN.NET QZAJ (binary key material, not printable)...
And the error/stack trace at runtime
>>>KinitOptions cache name is C:\Users\QZAJ\krb5cc_qzaj
>> Acquire default native Credentials
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23.
>>> Obtained TGT from LSA: Credentials:
client=QZAJ@MYDOMAIN.NET
server=krbtgt/MYDOMAIN.NET@MYDOMAIN.NET
authTime=20161228220909Z
startTime=20161228220909Z
endTime=20161229073249Z
renewTill=20170104213249Z
flags=FORWARDABLE;RENEWABLE;PRE-AUTHENT
EType (skey)=17
(tkt key)=18
Found ticket for QZAJ@MYDOMAIN.NET to go to krbtgt/MYDOMAIN.NET@MYDOMAIN.NET expiring on Wed Dec 28 23:32:49 PST 2016
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=a0319dc17.MYDOMAIN.net. TCP:88, timeout=30000, number of retries =3, #bytes=2108
>>> KDCCommunication: kdc=a0319dc17.MYDOMAIN.net. TCP:88, timeout=30000,Attempt =1, #bytes=2108
>>>DEBUG: TCPClient reading 2050 bytes
>>> KrbKdcReq send: #bytes read=2050
>>> KdcAccessibility: remove a0319dc17.MYDOMAIN.net.:88
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
KrbException: Message stream modified (41)
at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:50)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:87)
at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:259)
at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:270)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:302)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:120)
at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:458)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:693)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
at com.microsoft.sqlserver.jdbc.KerbAuthentication.intAuthHandShake(KerbAuthentication.java:226)
at com.microsoft.sqlserver.jdbc.KerbAuthentication.GenerateClientContext(KerbAuthentication.java:314)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.sendLogon(SQLServerConnection.java:4116)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.logon(SQLServerConnection.java:3188)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.access$100(SQLServerConnection.java:61)
at com.microsoft.sqlserver.jdbc.SQLServerConnection$LogonCommand.doExecute(SQLServerConnection.java:3151)
at com.microsoft.sqlserver.jdbc.TDSCommand.execute(IOBuffer.java:7535)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.executeCommand(SQLServerConnection.java:2438)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:1973)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:1616)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectInternal(SQLServerConnection.java:1447)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:788)
at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:1187)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:270)
...
com.microsoft.sqlserver.jdbc.SQLServerException: Integrated authentication failed. ClientConnectionId:a27a8ca0-5c80-4f88-9908-49650040a303
at com.microsoft.sqlserver.jdbc.SQLServerConnection.terminate(SQLServerConnection.java:2392)
at com.microsoft.sqlserver.jdbc.KerbAuthentication.intAuthHandShake(KerbAuthentication.java:247)
at com.microsoft.sqlserver.jdbc.KerbAuthentication.GenerateClientContext(KerbAuthentication.java:314)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.sendLogon(SQLServerConnection.java:4116)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.logon(SQLServerConnection.java:3188)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.access$100(SQLServerConnection.java:61)
at com.microsoft.sqlserver.jdbc.SQLServerConnection$LogonCommand.doExecute(SQLServerConnection.java:3151)
at com.microsoft.sqlserver.jdbc.TDSCommand.execute(IOBuffer.java:7535)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.executeCommand(SQLServerConnection.java:2438)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:1973)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:1616)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectInternal(SQLServerConnection.java:1447)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:788)
at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:1187)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:270)
...
Caused by: GSSException: No valid credentials provided (Mechanism level: Message stream modified (41))
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:770)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
at com.microsoft.sqlserver.jdbc.KerbAuthentication.intAuthHandShake(KerbAuthentication.java:226)
...
Caused by: KrbException: Message stream modified (41)
at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:50)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:87)
at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:259)
at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:270)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:302)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:120)
at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:458)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:693)
...
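Two things in the trace are worth reading before touching the KDC: the TGT came from the Windows LSA ("Obtained TGT from LSA"), not from the keytab named in jaas.conf, and the KDC for the service ticket was located through DNS ("getKDCFromDNS"), not from the [realms] block, which names a different realm (WINDOWSKDCDOMAIN) than the principal (MYDOMAIN.NET). The script below is an added example, not code from the post: it parses the posted krb5.conf (embedded verbatim, minus [logging]) and lists the realm inconsistencies a practitioner would rule out first, beside a hypothetical consistent configuration (the KDC host `dc01.mydomain.net` in it is a placeholder, not taken from the post). It does not contact a KDC and does not claim that any of these findings is the cause of "Message stream modified (41)".

```python
"""Consistency checks over a krb5.conf and the JAAS principal used with it.
Added example, not code from the original post: it parses the krb5.conf
from the question and lists mismatches to rule out. No KDC is contacted.
"""
import re

# [libdefaults], [realms] and [domain_realm] from the post ([logging] left
# out as irrelevant); raw string so the Windows path survives.
POSTED_KRB5_CONF = r"""
[libdefaults]
default_keytab_name = FILE:C:\Users\QZAJ\Documents\repos\secure.qzaj\qzaj.keytab
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
# default_realm = WINDOWSKDCDOMAIN
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
WINDOWSKDCDOMAIN = {
kdc = DEVDC01.DEV.MYDOMAIN.COM :88
}
[domain_realm]
#.MYDOMAIN.com = WINDOWSKDCDOMAIN
#MYDOMAIN.com = WINDOWSKDCDOMAIN
"""
POSTED_PRINCIPAL = "QZAJ@MYDOMAIN.NET"  # principal= from the posted jaas.conf

# Hypothetical counterpart that uses one realm consistently; the KDC host is
# a placeholder, not taken from the post.
CONSISTENT_KRB5_CONF = r"""
[libdefaults]
default_realm = MYDOMAIN.NET
[realms]
MYDOMAIN.NET = {
kdc = dc01.mydomain.net:88
}
[domain_realm]
.mydomain.net = MYDOMAIN.NET
mydomain.net = MYDOMAIN.NET
"""

def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value | {subkey: value}}}.
    Handles [section] headers, `key = value`, one level of `NAME = { ... }`
    nesting (as in [realms]) and #/; comments, so commented-out settings
    count as absent. Repeated keys overwrite earlier ones."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, block = conf.setdefault(m.group(1), {}), None
            continue
        if section is None:
            continue
        if line == "}":
            block = None
            continue
        m = re.fullmatch(r"([^=\s]+)\s*=\s*\{", line)
        if m:
            block = section.setdefault(m.group(1), {})
            continue
        m = re.fullmatch(r"([^=\s]+)\s*=\s*(.*)", line)
        if m:
            (block if block is not None else section)[m.group(1)] = m.group(2)
    return conf

def check_realm_consistency(conf, principal):
    """Return [(code, message), ...]; an empty list means nothing to flag."""
    if "@" not in principal:
        return [("no_principal_realm", f"{principal!r} has no @REALM suffix")]
    realm = principal.rsplit("@", 1)[1]
    realms = {k: v for k, v in conf.get("realms", {}).items() if isinstance(v, dict)}
    findings = []
    default_realm = conf.get("libdefaults", {}).get("default_realm")
    if default_realm is None:
        findings.append(("no_default_realm", "no default_realm in [libdefaults]; "
                         "unmapped hosts fall back to DNS lookup"))
    elif default_realm != realm:
        findings.append(("default_realm_mismatch",
                         f"default_realm {default_realm} != principal realm {realm}"))
    if realm not in realms:
        findings.append(("principal_realm_undefined",
                         f"no [realms] block for {realm}; defined: {sorted(realms)}"))
    if not conf.get("domain_realm"):
        findings.append(("no_domain_realm",
                         "[domain_realm] has no active mappings (all commented out?)"))
    for name, block in realms.items():
        kdc = block.get("kdc", "")
        if re.search(r"\s", kdc):
            findings.append(("kdc_whitespace", f"kdc for {name} contains whitespace: {kdc!r}"))
        dns_domain = kdc.split(":", 1)[0].strip().partition(".")[2]
        if dns_domain and dns_domain.upper() != name.upper():
            findings.append(("realm_dns_mismatch", f"realm {name} vs KDC DNS domain "
                             f"{dns_domain}; an AD realm is normally that domain in upper case"))
    return findings
```

Running `check_realm_consistency(parse_krb5_conf(POSTED_KRB5_CONF), POSTED_PRINCIPAL)` reports five findings for the posted file (no default_realm, no [realms] block for MYDOMAIN.NET, no active [domain_realm] mappings, whitespace inside the kdc value, and a realm name that does not match its KDC's DNS domain); the hypothetical consistent file reports none. Whichever of these is fixed, the jaas.conf keytab entry should also be checked against what actually ran, since this trace shows the credentials coming from the LSA cache.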