Error in Spring Security Kerberos Windows authentication

Tags: security, spring-security, active-directory, spnego, spring-security-kerberos

I am trying to set up a Spring-based secured web application in our environment, as described in [link missing].

To confirm that everything is set up correctly, I am trying to run the Spring Boot security sample application (built as described here: [link missing]).

This is our test environment under the test domain:

Active Directory domain controller (referred to as the AD server), Windows 2008 R2 64-bit
Machine name: adjavatest1
Full machine name: adjavatest1.test.company.info
User: TEST\administrator

Client PC, Windows 7
Machine name: adjavatest2
Full machine name: adjavatest2.test.company.info
User: TEST\administrator

Application server (referred to as the web server)
Machine name: kpiq-dev
Full machine name: kpiq-dev.test.company.info
User: TEST\administrator

So far I have done the following steps to configure the environment and the application:

1) Set the SPN on the AD server

setspn -A HTTP/adjavatest1.test.company.info TEST\administrator
(Many sources recommend also creating the SPNs "HTTP/adjavatest1" and "HOST/adjavatest1"; I have tried that, and it makes no difference.)

2) Verify the SPN on the AD server

>setspn -L TEST\administrator
Registered ServicePrincipalNames for CN=Administrator,CN=Users,DC=test,DC=company,DC=info:
HTTP/adjavatest1.test.company.info
3) Map the user/service and generate the keytab file on the AD server

>ktpass -princ HTTP/adjavatest1.test.company.info@TEST.COMPANY.INFO -pass pswd123 -mapuser TEST\Administrator -out .\ adjavatest1.HTTP.keytab -ptype KRB5_NT_PRINCIPAL -crypto All
Targeting domain controller:  adjavatest1.test.company.info
Using legacy password setting method
Successfully mapped HTTP/adjavatest1.test.company.info to Administrator.
Key created.
Key created.
Key created.
Key created.
Key created.
Output keytab to .\ adjavatest1.HTTP.keytab:
Keytab version: 0x502
keysize 85 HTTP/adjavatest1.test.company.info@TEST.COMPANY.INFO ptype 1 (KRB5_NT_PRINCIPAL) vno 5 etype 0x1 (DES-CBC-CRC) keylength 8 (0x6da81379831f37ad)
keysize 85 HTTP/adjavatest1.test.company.info@TEST.COMPANY.INFO ptype 1 (KRB5_NT_PRINCIPAL) vno 5 etype 0x3 (DES-CBC-MD5) keylength 8 (0x6da81379831f37ad)
keysize 93 HTTP/adjavatest1.test.company.info@TEST.COMPANY.INFO ptype 1 (KRB5_NT_PRINCIPAL) vno 5 etype 0x17 (RC4-HMAC ) keylength 16 (0xe32edb70a8df744e3b0f87ea7ff515f7)
keysize 109 HTTP/adjavatest1.test.company.info@TEST.COMPANY.INFO ptype 1 (KRB5_NT_PRINCIPAL) vno 5 etype 0x12 (AES256-SHA1) keylength 32 (0xf744e212c2e48e34c815364c0b5290a68b37b6c65a7cd0befcbcc2625e3e6c79)
keysize 93 HTTP/adjavatest1.test.company.info@TEST.COMPANY.INFO ptype 1 (KRB5_NT_PRINCIPAL) vno 5 etype 0x11 (AES128-SHA1) keylength 16 (0x20f3474a818d4d326136449a8a660e2c)
4) Copy the keytab file to the C:\SpringSSO directory on the web server

5) Verify the keytab on the web server

Using kinit from the MIT Kerberos tools:

c:\SpringSSO>kinit -V -k -t adjavatest1.HTTP.keytab HTTP/adjavatest1.test.company.info@TEST.COMPANY.INFO
Using existing cache: initial default ccache
Using principal: HTTP/adjavatest1.test.company.info@TEST.COMPANY.INFO
Using keytab: adjavatest1.HTTP.keytab
Authenticated to Kerberos v5

Using the JDK's kinit:

c:\SpringSSO>kinit -k -t adjavatest1.HTTP.keytab HTTP/adjavatest1.test.company.info@TEST.COMPANY.INFO
New ticket is stored in cache file C:\Users\administrator.TEST\krb5cc_administrator

6) Install the "Kerberos and unlimited strength policy" files into jre/lib/security on the web server, in both locations:

c:\Program Files\Java\jre1.8.0_65\lib\security\
c:\Program Files\Java\jdk1.8.0_65\jre\lib\security\
7) Check the Windows registry on the web server:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\
Value Name: allowtgtsessionkey
Value: 0x1
8) Build the spring-security-kerberos sample application sample\sec-server-win-auth, taken from [link missing], using the following configuration properties in application.yml:

server:
    port: 80
app:
    ad-domain: TEST.COMPANY.INFO
    ad-server: ldap://ADJAVATEST1.TEST.COMPANY.INFO/
    service-principal: HTTP/adjavatest1.test.company.info@TEST.COMPANY.INFO
    keytab-location:  adjavatest1.HTTP.keytab
    ldap-search-base: DC=TEST,DC=COMPANY,DC=INFO
    ldap-search-filter: "(| (userPrincipalName={0}) (sAMAccountName={0}))"
9) Deploy the Spring Boot application to the web server, into the C:\SpringSSO directory

10) Start the web application on the web server:

c:\SpringSSO>java -Dsun.security.krb5.debug=true -Djava.security.krb5.conf=.\krb5.conf -jar sec-server-win-auth-1.0.2.BUILD-SNAPSHOT.jar

Kerberos configuration in krb5.conf (I have tried different encryption types; "arcfour-hmac-md5" is just the last experiment):

11) In the IE browser on the client, add *.test.company.info to the intranet zone

12) Point the browser to http://kpiq-dev.test.company.info/hello

13) Check the logs on the web server, which show that the server cannot decode it:

2015-12-17 08:55:35.893 DEBUG 1876 --- [p-nio-80-exec-3] w.a.SpnegoAuthenticationProcessingFilter : Received Negotiate Header for request http:// kpiq-dev.test.company.info/hello: Negotiate YIIH ...trucated... H4qgvsM
2015-12-17 08:55:35.893 DEBUG 1876 --- [p-nio-80-exec-3] o.s.s.authentication.ProviderManager     : Authentication attempt using org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider
2015-12-17 08:55:35.893 DEBUG 1876 --- [p-nio-80-exec-3] .a.KerberosServiceAuthenticationProvider : Try to validate Kerberos Token
Found KeyTab c:\SpringSSO\ adjavatest1.HTTP.keytab for HTTP/adjavatest1.test.company.info@TEST.COMPANY.INFO
Found KeyTab c:\SpringSSO\ adjavatest1.HTTP.keytab for HTTP/adjavatest1.test.company.info@TEST.COMPANY.INFO
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Java config name: .\krb5.conf
Loaded from Java config
>>> KeyTabInputStream, readName(): TEST.COMPANY.INFO
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName():  adjavatest1.test.company.info
>>> KeyTab: load() entry length: 85; type: 1
>>> KeyTabInputStream, readName(): TEST.COMPANY.INFO
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName():  adjavatest1.test.company.info
>>> KeyTab: load() entry length: 85; type: 3
>>> KeyTabInputStream, readName(): TEST.COMPANY.INFO
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName():  adjavatest1.test.company.info
>>> KeyTab: load() entry length: 93; type: 23
>>> KeyTabInputStream, readName(): TEST.COMPANY.INFO
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName():  adjavatest1.test.company.info
>>> KeyTab: load() entry length: 109; type: 18
>>> KeyTabInputStream, readName(): TEST.COMPANY.INFO
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName():  adjavatest1.test.company.info
>>> KeyTab: load() entry length: 93; type: 17
Looking for keys for: HTTP/adjavatest1.test.company.info@TEST.COMPANY.INFO
Added key: 17version: 5
Added key: 18version: 5
Added key: 23version: 5
Found unsupported keytype (3) for HTTP/adjavatest1.test.company.info@TEST.COMPANY.INFO
Found unsupported keytype (1) for HTTP/adjavatest1.test.company.info@TEST.COMPANY.INFO
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
2015-12-17 08:55:36.236  WARN 1876 --- [p-nio-80-exec-3] w.a.SpnegoAuthenticationProcessingFilter : Negotiate Header was invalid: Negotiate YIIHNAYGKwYBBQU ...trucated... dH4qgvsM

org.springframework.security.authentication.BadCredentialsException: Kerberos validation not successful
            at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:71)
            at org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:64)
            at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
            at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:177)
            at org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter$AuthenticationManagerDelegator.authenticate(WebSecurityConfigurerAdapter.java:446)
            at org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:145)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
...trucated...
            at java.lang.Thread.run(Unknown Source)
Caused by: java.security.PrivilegedActionException: null
            at java.security.AccessController.doPrivileged(Native Method)
            at javax.security.auth.Subject.doAs(Unknown Source)
            at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:68)
            ... 45 common frames omitted
Caused by: org.ietf.jgss.GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
            at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
            at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
            at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
            at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source)
            at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source)
            at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
            at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
            at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:170)
            at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:153)
            ... 48 common frames omitted
Caused by: sun.security.krb5.KrbCryptoException: Checksum failed
            at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Unknown Source)
            at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Unknown Source)
            at sun.security.krb5.EncryptedData.decrypt(Unknown Source)
            at sun.security.krb5.KrbApReq.authenticate(Unknown Source)
            at sun.security.krb5.KrbApReq.<init>(Unknown Source)
            at sun.security.jgss.krb5.InitSecContextToken.<init>(Unknown Source)
            ... 57 common frames omitted
Caused by: java.security.GeneralSecurityException: Checksum failed
            at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(Unknown Source)
            at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(Unknown Source)
            at sun.security.krb5.internal.crypto.Aes256.decrypt(Unknown Source)
            ... 63 common frames omitted
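The keytab that ktpass produced above is the server-side half of this exchange, so the first check worth running on the web server is to inspect what the file actually contains: which encryption types, which kvno, and the exact principal string the JDK will compare against. The following is an added example, not code from the question or from the Spring Security Kerberos project: a parser for the version 0x502 keytab format plus an audit that mirrors what the JDK debug lines above report (DES entries 1 and 3 are loaded as "unsupported", the AES and RC4 entries are usable), checks every principal component for stray whitespace (the `readName()` lines in the debug output print each component verbatim, so a stray space would show up there), and warns when entries disagree on kvno. `SAMPLE_KEYTAB`, `SERVICE_PRINCIPAL`, the key bytes and the timestamp are constructed assumptions; `build_keytab` exists only so the sample runs offline.

```python
"""Inspect a keytab before pointing Spring Security Kerberos at it.

Added example for this page, not code from the question or from Spring
Security Kerberos.  SAMPLE_KEYTAB is constructed in memory to mirror the five
entries ktpass printed (etypes 1, 3, 23, 18, 17, kvno 5); key bytes and the
timestamp are dummy values, not the keys shown on the page.
"""
import struct
from dataclasses import dataclass

# Kerberos encryption type numbers (RFC 3961/3962/4757), as printed by ktpass.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac-md5"}
# The JDK reports DES entries as "unsupported keytype" unless weak crypto is enabled.
DES_ETYPES = {1, 3}


@dataclass
class KeytabEntry:
    principal: str   # "service/host@REALM"
    kvno: int
    etype: int
    key: bytes


def _counted(data: bytes, pos: int):
    """Read a 16-bit big-endian length-prefixed octet string; return (bytes, new_pos)."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data: bytes) -> list[KeytabEntry]:
    """Parse a version 0x502 keytab (the format ktpass, MIT and Heimdal write)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x502 is handled here")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break                       # trailing zero left after a deleted last entry
        if size < 0:
            pos += -size                # negative size marks a deleted slot: skip it
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        # name_type(4) timestamp(4) vno8(1) etype(2); the first two are not needed here.
        _name_type, _timestamp, vno8, etype = struct.unpack_from(">IIBH", data, pos)
        pos += 11
        key, pos = _counted(data, pos)
        kvno = vno8
        if end - pos >= 4:              # optional 32-bit kvno stored after the key
            (vno32,) = struct.unpack_from(">I", data, pos)
            pos += 4
            if vno32:
                kvno = vno32
        pos = end                       # tolerate any trailing bytes inside the entry
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, etype, key))
    return entries


def usable_etypes(entries: list[KeytabEntry]) -> list[int]:
    """Etypes the JDK loads with default settings (everything except DES)."""
    return sorted({e.etype for e in entries if e.etype not in DES_ETYPES})


def audit(entries: list[KeytabEntry]) -> list[str]:
    """Findings a deployer would want to see before trusting the keytab."""
    findings = []
    for e in entries:
        name = ETYPE_NAMES.get(e.etype, f"etype {e.etype}")
        if e.etype in DES_ETYPES:
            findings.append(f"{e.principal}: DES entry {name} is ignored by the JDK by default")
        elif e.etype == 23:
            findings.append(f"{e.principal}: RC4 entry {name} is weak; prefer AES-only keys")
        for comp in e.principal.split("@", 1)[0].split("/"):
            if comp != comp.strip():
                findings.append(f"{e.principal!r}: component {comp!r} carries whitespace")
    if len({e.kvno for e in entries}) > 1:
        findings.append("entries disagree on kvno; a re-run of ktpass may have bumped the account's kvno")
    if not usable_etypes(entries):
        findings.append("no AES or RC4 entry present; the JDK cannot accept tickets with this keytab")
    return findings


def build_keytab(principal: str, kvno: int, keys: list[tuple[int, bytes]]) -> bytes:
    """Write a version 0x502 keytab with one entry per (etype, key) for one principal."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    cs = lambda b: struct.pack(">H", len(b)) + b          # counted octet string
    out = b"\x05\x02"
    for etype, key in keys:
        body = struct.pack(">H", len(comps)) + cs(realm.encode())
        body += b"".join(cs(c.encode()) for c in comps)
        body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, etype)   # KRB5_NT_PRINCIPAL, dummy timestamp
        body += cs(key) + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out


# Constructed sample mirroring the ktpass output on this page (dummy key bytes).
SERVICE_PRINCIPAL = "HTTP/adjavatest1.test.company.info@TEST.COMPANY.INFO"
SAMPLE_KEYTAB = build_keytab(SERVICE_PRINCIPAL, 5, [
    (1, bytes(8)), (3, bytes(8)), (23, bytes(16)), (18, bytes(32)), (17, bytes(16))])

if __name__ == "__main__":
    parsed = parse_keytab(SAMPLE_KEYTAB)
    for e in parsed:
        print(f"{e.principal} kvno={e.kvno} etype={e.etype} ({ETYPE_NAMES.get(e.etype)}) keylen={len(e.key)}")
    for finding in audit(parsed):
        print("finding:", finding)
```

Run it against the real file with `parse_keytab(open("adjavatest1.HTTP.keytab", "rb").read())`. A "Checksum failed" thrown from `Aes256CtsHmacSha1EType.decrypt`, as in the trace above, means the AES256 entry was found and selected but its key does not verify the ticket's integrity tag, so the key material in the file and the key the KDC holds for the account disagree; comparing the kvno this parser prints with the account's current msDS-KeyVersionNumber in AD is the next check, because every ktpass run that resets the password changes the key and bumps the kvno.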