Tomcat Kerberos SPNEGO authentication not working


I am trying to configure web SSO for Tomcat 7.0.69 with the built-in SPNEGO authenticator on top of Kerberos. When I access the application, an HTTP BasicAuth dialog pops up and a debug entry is written to catalina.out (see below).

My keytab file sso.keytab contains the principal registered on my AD server (via ktpass.exe and setspn.exe).

I turned on Kerberos debug mode but cannot find the problem. It just stops at some point and then goes to logout. Do you know at which step the authentication stops, and why? Thanks for your help.

catalina.out

Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is /path/to/tomcat/apache-tomcat-7.0.69/conf/sso.keytab refreshKrb5Config is false principal is HTTP/my.host.com@MY.DOMAIN tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Looking for keys for: HTTP/my.host.com@MY.DOMAIN
Added key: 23version: 0
Looking for keys for: HTTP/my.host.com@MY.DOMAIN
Added key: 23version: 0
default etypes for default_tkt_enctypes: 23 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=server001.my.domain UDP:88, timeout=30000, number of retries =3, #bytes=171
>>> KDCCommunication: kdc=server001.my.domain UDP:88, timeout=30000,Attempt =1, #bytes=171
>>> KrbKdcReq send: #bytes read=189
>>>Pre-Authentication Data:
     PA-DATA type = 11
     PA-ETYPE-INFO etype = 23, salt = 

>>>Pre-Authentication Data:
     PA-DATA type = 19
     PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
     PA-DATA type = 2
     PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
     PA-DATA type = 16

>>>Pre-Authentication Data:
     PA-DATA type = 15

>>> KdcAccessibility: remove server001.my.domain
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
     sTime is Thu Dec 15 15:35:42 CET 2016 1481812542000
     suSec is 830454
     error code is 25
     error Message is Additional pre-authentication required
     sname is krbtgt/MY.DOMAIN@MY.DOMAIN
     eData provided.
     msgType is 30
>>>Pre-Authentication Data:
     PA-DATA type = 11
     PA-ETYPE-INFO etype = 23, salt = 

>>>Pre-Authentication Data:
     PA-DATA type = 19
     PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
     PA-DATA type = 2
     PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
     PA-DATA type = 16

>>>Pre-Authentication Data:
     PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 17.
Looking for keys for: HTTP/my.host.com@MY.DOMAIN
Added key: 23version: 0
Looking for keys for: HTTP/my.host.com@MY.DOMAIN
Added key: 23version: 0
default etypes for default_tkt_enctypes: 23 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=server001.my.domain UDP:88, timeout=30000, number of retries =3, #bytes=254
>>> KDCCommunication: kdc=server001.my.domain UDP:88, timeout=30000,Attempt =1, #bytes=254
>>> KrbKdcReq send: #bytes read=104
>>> KrbKdcReq send: kdc=server001.my.domain TCP:88, timeout=30000, number of retries =3, #bytes=254
>>> KDCCommunication: kdc=server001.my.domain TCP:88, timeout=30000,Attempt =1, #bytes=254
>>>DEBUG: TCPClient reading 1666 bytes
>>> KrbKdcReq send: #bytes read=1666
>>> KdcAccessibility: remove server001.my.domain
Looking for keys for: HTTP/my.host.com@MY.DOMAIN
Added key: 23version: 0
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/my.host.com
principal is HTTP/my.host.com@MY.DOMAIN
Will use keytab
    [LoginContext]: login success
Commit Succeeded 

    [LoginContext]: commit success
Found KeyTab /path/to/tomcat/apache-tomcat-7.0.69/conf/sso.keytab for HTTP/my.host.com@MY.DOMAIN
Found KeyTab /path/to/tomcat/apache-tomcat-7.0.69/conf/sso.keytab for HTTP/my.host.com@MY.DOMAIN
Found ticket for HTTP/my.host.com@MY.DOMAIN to go to krbtgt/MY.DOMAIN@MY.DOMAIN expiring on Fri Dec 16 01:35:42 CET 2016
Entered SpNegoContext.acceptSecContext with state=STATE_NEW
SpNegoContext.acceptSecContext: receiving token = a0 82 13 79 30 82 13 75 a0 30 30 2e 06 09 2a 86 48 86 f7 12 01 02 02 
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.113554.1.2.2
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.48018.1.2.2
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.30
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.10
SpNegoToken NegTokenInit: reading Mech Token
SpNegoContext.acceptSecContext: received token of type = SPNEGO NegTokenInit
SpNegoContext: negotiated mechanism = 1.2.840.113554.1.2.2
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Looking for keys for: HTTP/my.host.com@MY.DOMAIN
Added key: 23version: 0
        [Krb5LoginModule]: Entering logout
        [Krb5LoginModule]: logged out Subject
    [LoginContext]: logout success
The received token is much longer; I shortened it.

krb5.ini

[libdefaults]
    default_realm = MY.DOMAIN
    default_keytab_name = FILE:/path/to/tomcat/apache-tomcat-7.0.69/conf/sso.keytab
    default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    permitted_enctypes   = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96

[realms]
    MY.DOMAIN  = {
        kdc = server001.my.domain
        admin_server = server001.my.domain
        default_domain = MY.DOMAIN
}

[domain_realm]
    .my.domain = MY.DOMAIN
    my.domain = MY.DOMAIN

jaas.conf

spnego-client {
    com.sun.security.auth.module.Krb5LoginModule required;
};

spnego-server {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    useKeyTab=true
    keyTab="/path/to/tomcat/apache-tomcat-7.0.69/conf/sso.keytab"
    principal="HTTP/my.host.com@MY.DOMAIN"
    debug=true;
};

web.xml

<login-config>
  <auth-method>SPNEGO</auth-method>
</login-config>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>SSO Login</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>

Architecture

  • AD server: Windows Server 2016
  • Application server: Unix / Red Hat 6 with Oracle JVM and Tomcat 7.0.69
  • Client: Windows 10 with Internet Explorer 11
Thanks to , I found the solution. The keytab file had been generated with the wrong encryption type. For Windows 7/10 and my environment it has to be set explicitly to AES256-SHA1.

The correct ktpass call:

ktpass -out D:\TEMP\sso.keytab -mapuser MYUSER -princ HTTP/my.host.com@MY.DOMAIN -ptype KRB5_NT_PRINCIPAL -kvno 0 -crypto AES256-SHA1 -pass ****

Thanks a lot for your support.
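
The catalina.out excerpt above shows the keytab offering a single key, etype 23 (RC4-HMAC) at kvno 0 ("Added key: 23version: 0"), and the answer traces the failure to the keytab having been generated with the wrong encryption type. The following is an added example by the editor, not code from the question, the answer or Tomcat: it parses an MIT-format keytab, lists principal, kvno and enctype per entry, and flags a keytab that holds no key for an enctype the KDC may use for the service ticket (for an AD account, what msDS-SupportedEncryptionTypes permits). The two keytab blobs are constructed in memory with dummy key material so the script runs offline; the `ticket_etypes=[AES256]` argument is an assumption standing in for that account setting.

```python
"""Inspect an MIT-format (0x0502) keytab and flag enctype mismatches.

Added example, not code from the original post. The keytab blobs below are
constructed in memory with dummy key bytes; real ones come from ktpass/ktutil.
"""
import struct

# Kerberos enctype numbers (RFC 3961/3962; RFC 4757 for RC4-HMAC)
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
RC4_HMAC, AES128, AES256 = 23, 17, 18


def _octets(buf, off):
    """Read a counted_octet_string: uint16 big-endian length, then the bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data):
    """Return one dict per key entry (principal, kvno, etype, key length)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size == 0:
            break
        if size < 0:                # negative size = deleted slot (hole) of -size bytes
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _octets(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _octets(data, off)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        (etype,) = struct.unpack_from(">H", data, off + 9)
        key, off = _octets(data, off + 11)
        kvno = vno8
        if end - off >= 4:          # optional 32-bit kvno; overrides vno8 when nonzero
            (vno32,) = struct.unpack_from(">I", data, off)
            kvno = vno32 or vno8
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "kvno": kvno,
            "etype": etype,
            "etype_name": ENCTYPE_NAMES.get(etype, f"etype-{etype}"),
            "key_len": len(key),
        })
        off = end
    return entries


def build_keytab(keys):
    """Serialize (principal, kvno, etype, key_bytes) tuples as a v2 keytab.
    Used only to construct the samples; writes name_type 1 (KRB5_NT_PRINCIPAL)
    and timestamp 0."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, etype, key in keys:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, etype)
        body += struct.pack(">H", len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_keytab(data, principal, ticket_etypes):
    """Compare the keytab's keys for `principal` with the enctypes the KDC may
    use for that service's tickets. Any ticket enctype with no matching keytab
    key means the acceptor cannot decrypt the AP-REQ and SPNEGO fails, which is
    when Tomcat falls back to the Basic dialog the question describes."""
    mine = [e for e in parse_keytab(data) if e["principal"] == principal]
    have = {e["etype"] for e in mine}
    missing = sorted(ENCTYPE_NAMES.get(t, str(t)) for t in ticket_etypes if t not in have)
    return {"have": sorted(e["etype_name"] for e in mine),
            "missing": missing,
            "rc4_only": have == {RC4_HMAC},
            "kvnos": sorted({e["kvno"] for e in mine})}


SPN = "HTTP/my.host.com@MY.DOMAIN"
# Constructed samples: what the log implies ("Added key: 23 ... version: 0") and
# what the accepted fix (ktpass -crypto AES256-SHA1) produces. Dummy key bytes.
BROKEN_KEYTAB = build_keytab([(SPN, 0, RC4_HMAC, b"\x11" * 16)])
FIXED_KEYTAB = build_keytab([(SPN, 0, AES256, b"\x22" * 32)])

if __name__ == "__main__":
    for label, blob in (("broken", BROKEN_KEYTAB), ("fixed", FIXED_KEYTAB)):
        for e in parse_keytab(blob):
            print(f"{label}: {e['principal']} kvno={e['kvno']} {e['etype_name']} ({e['key_len']} bytes)")
        print(label, check_keytab(blob, SPN, ticket_etypes=[AES256]))
```

On the Tomcat host the same principal/kvno/enctype listing comes from `klist -k -t -e /path/to/tomcat/apache-tomcat-7.0.69/conf/sso.keytab` with MIT Kerberos tools; the script reproduces that listing offline and adds the mismatch check, which is the step a kinit test alone does not cover, since kinit only proves the keytab key matches the account password, not that a key exists for the enctype the client's ticket will carry.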


Can we get more details about your architecture? What operating system is Tomcat running on? Is it running on a server (hopefully) separate from the Active Directory (AD) domain controller? What operating system versions and web browser/versions are your clients running/using? Which version of AD do you have? I have a feeling about what is causing the "PREAUTH FAILED/REQ" message, but I would like to get these details from you first.

@T-Heron Thanks for your reply! I added the information to the description. I don't know the AD version. The "PREAUTH FAILED/REQ" message also appears in my test environment, where the authentication is working, so I think it may be unrelated.

The "PREAUTH FAILED/REQ" message can be caused by several things. One of them is that the server in question is not using the correct keytab. Can you verify it? On the Tomcat server, in the same directory as the keytab itself, run this command to see whether you can obtain a Kerberos ticket using the keytab: kinit -V -k -t /path/to/tomcat/apache-tomcat-7.0.69/conf/sso.keytab HTTP/my.host.com@MY.DOMAIN

Result: Authenticated to Kerberos v5

I re-read the error message; it seems the Kerberos client is trying to use the RC4 encryption type with the Tomcat instance, and when Tomcat does not accept it, IE pops up the Basic Authentication dialog. Now that we have ruled out the other potential problems, on the AD account for the SPN HTTP/my.host.com@MY.DOMAIN, go to the Account tab. Scroll down to the bottom of that tab and make sure the box "This account supports Kerberos AES 128 bit encryption" is checked. I think the problem now may be that the AES 128 box is not checked in the AD account properties.

Glad to hear it!