Browser keeps sending NTLM token instead of Kerberos - How to solve it?

Problem description

I can't seem to correctly configure the system and have the browser send a kerberos ticket to the web-server. Instead, a NTLM token is sent.

Q: How can I solve this?

All details and configurations are listed below.

Infrastructure:

I have three machines within the domain COMPANY.local:

  • PC-I7.COMPANY.local (on 192.168.0.5). It acts as KDC, it's an Active-Directory server with the other machines (see below) registered in the AD. Also has the DNS for the local network configured. The domain in the Active Directory is: COMPANY.local
  • SOFTWARE.COMPANY.local (on 192.168.0.10) runs the web-application which has the Jetty/SPNego support configured.
  • OTHER.COMPANY.local (on 192.168.0.9), just a client so I can access the software server from another machine.

The last two are actually VMs running on a linux server in the intranet. They are reachable with their own IP. Their primary DNS in Network Configuration points to 192.168.0.5.

Both are joined in COMPANY.local and are present as computers in the AD.

I know client and server should stay on different machines; and having them on two different VMs should avoid this issue.

All three machines are registered as A hosts in the DNS with a reverse pointer for each of them in the Reverse lookup zone.

SPN

After having created the user software in the Active Directory, I generate the keytab file

ktpass -princ HTTP/software.company.local@COMPANY.LOCAL -mapuser software@COMPANY.LOCAL -crypto ALL -ptype KRB5_NT_PRINCIPAL -pass __PassForADUserSoftware__ -out C:/winnt/krb5.keytab

I get the following output which seems to contain an error:

Targeting domain controller: PC-I7.COMPANY.local
  Failed to set property 'userPrincipalName' to 'HTTP/software.company.local@COMPANY.LOCAL' on Dn 'CN=Software SSO Kerberized WebServer,DC=COMPANY,DC=local': 0x13.
  WARNING: Failed to set UPN HTTP/software.company.local@COMPANY.LOCAL on CN=Software SSO Kerberized WebServer,DC=COMPANY,DC=local.
  kinits to 'HTTP/software.company.local@COMPANY.LOCAL' will fail.
Successfully mapped HTTP/software.company.local to software.
Password successfully set!
Key created.
Key created.
Key created.
Key created.
Key created.
Output keytab to C:/winnt/krb5.keytab:
Keytab version: 0x502 
keysize 64 HTTP/software.company.local@COMPANY.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 8 etype 0x1 (DES-CBC-CRC) keylength 8 (0x0bf1688040abadba)
keysize 64 HTTP/software.company.local@COMPANY.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 8 etype 0x3 (DES-CBC-MD5) keylength 8 (0x0bf1688040abadba)
keysize 72 HTTP/software.company.local@COMPANY.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 8 etype 0x17 (RC4-HMAC) keylength 16 (0x737d9811dd38e108741461ba79153192)
keysize 88 HTTP/software.company.local@COMPANY.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 8 etype 0x12 (AES256-SHA1) keylength 32 (0xcc8ab2939f822f9df6904a987954e0cfaa261bc36803af6c5f8d9a98f1d4f2aa)
keysize 72 HTTP/software.company.local@COMPANY.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 8 etype 0x11 (AES128-SHA1) keylength 16 (0xd616b814dcd1b955f125ab4de5895d39)

The AD user has the two This account supports Kerberos AES-... checkboxes checked.

The OTHER.COMPANY.local server

I login to this machine via RDP with the credentials:

user: Administrator
pass: ARandomPass

When asking for a ticket from OTHER server with

kinit HTTP/software.company.local@COMPANY.LOCAL

With wireshark I can

Internet explorer (and therefore Chrome) have the following settings in Internet Options:

Security > Local Intranet > Sites > *.company.local
Security > Custom level > Automatic logon only in Intranet area

When I am at http://software.company.local:8998/software/login

I can see the browser sends a NTLM request

and I can see the Defective Token exception on the server side

WARN:oejs.SpnegoLoginService:qtp506835709-28: 
GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
at org.eclipse.jetty.security.SpnegoLoginService.login(SpnegoLoginService.java:138)
at org.eclipse.jetty.security.authentication.LoginAuthenticator.login(LoginAuthenticator.java:61)
at org.eclipse.jetty.security.authentication.SpnegoAuthenticator.validateRequest(SpnegoAuthenticator.java:99)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:483)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:134)
at org.eclipse.jetty.server.Server.handle(Server.java:524)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:319)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:253)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:273)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:95)
at org.eclipse.jetty.io.SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:93)
at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.executeProduceConsume(ExecuteProduceConsume.java:303)
at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceConsume(ExecuteProduceConsume.java:148)
at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:136)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:671)
at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:589)
at java.lang.Thread.run(Thread.java:748)

Also this info appears in the java log:

Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt false 
ticketCache is null isInitiator false 
KeyTab is C:/software/inst/modules/common-config/auth/krb5.keytab refreshKrb5Config is false 
principal is HTTP/software.company.local@COMPANY.LOCAL tryFirstPass is false 
useFirstPass is false storePass is false clearPass is false

Information I can gather from the linked answer:

Point 1: the SPN of the HTTP service matches the URL entered in the browser. What I entered in the browser matches the SPN HTTP/software.company.local@COMPANY.LOCAL

Point 2: *.company.local is added to the trusted sites.

Point 3: I'm not restricting the encryption to DES-CBC-MD5

Point 3: I have checked AES-128 and AES-256 ... but not DES because the Windows Server version I am working with has the checkbox saying Use only Kerberos DES encryption types for this account, which is not what I want. Should I check it?

The SOFTWARE.COMPANY.local server

The web-application is registered as a Windows Server.

These are the configuration files:

The krb5.ini file:

[libdefaults]
default_realm = COMPANY.LOCAL
permitted_enctypes = rc4-hmac,aes128-cts,aes256-cts,arcfour-hmac-md5,aes256-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes128-cts,aes256-cts,arcfour-hmac-md5,aes256-cts-hmac-sha1-96
default_tkt_enctypes = rc4-hmac,aes128-cts,aes256-cts,arcfour-hmac-md5,aes256-cts-hmac-sha1-96
default_keytab_name = FILE:C:/software/inst/modules/common-config/krb5.keytab

[domain_realm]
COMPANY.local = COMPANY.LOCAL
.company.local = COMPANY.LOCAL

[realms]
COMPANY.LOCAL = {
    admin_server = PC-I7.COMPANY.local
    kdc = PC-I7.COMPANY.local:88
}

The spnego.conf file:

com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    principal = "HTTP/software.company.local@COMPANY.LOCAL"
    keyTab = "C:/software/inst/modules/common-config/auth/krb5.keytab"
    useKeyTab = true
    storeKey = true
    debug = true
    isInitiator = false;
};

com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    principal = "HTTP/software.company.local@COMPANY.LOCAL"
    useKeyTab = true
    keyTab = "C:/software/inst/modules/common-config/auth/krb5.keytab"
    storeKey=true
    debug=true
    isInitiator=false;
};

This is the spnego.properties file:

targetName = HTTP/software.company.local

My jetty-web.xml configuration file contains:

<Get name="securityHandler">
    <Set name="loginService">
        <New class="org.eclipse.jetty.security.SpnegoLoginService">
            <Set name="name">Company Realm</Set>
            <Set name="config">
                <SystemProperty name="jetty.home" default="."/>/modules/common-config/auth/spnego.properties</Set>
        </New>
    </Set>
    <Set name="checkWelcomeFiles">true</Set>
</Get>

This is how I programmatically register the spnego configuration in Java:

private SecurityHandler wrapEnableSSOAuthHandlers(final Handler collection) {

    // ini file
    System.setProperty(
            "java.security.krb5.conf",
            _config.getString("authentication.win_sso.spnego.krb5") // the krb5.ini file
    );
    System.setProperty(
            "java.security.auth.login.config",
            _config.getString("authentication.win_sso.spnego.login") // the spnego.conf file
    );
    System.setProperty(
            "javax.security.auth.useSubjectCredsOnly",
            "false"
    );

    final Constraint spnegoConstraint = new Constraint();
    spnegoConstraint.setName(Constraint.__SPNEGO_AUTH);

    final String domainRealm = _config.getString("authentication.win_sso.domain.realm");    // resolves to COMPANY.LOCAL

    spnegoConstraint.setRoles(new String[]{domainRealm});
    spnegoConstraint.setAuthenticate(true);

    final ConstraintMapping mapping = new ConstraintMapping();
    mapping.setConstraint(spnegoConstraint);
    mapping.setPathSpec("/*");

    final String spnegoProperties = _config.getString("authentication.win_sso.spnego.properties");      // the spnego.properties file

    final SpnegoLoginService loginService = new SpnegoLoginService();
    loginService.setConfig(spnegoProperties);
    loginService.setName(domainRealm);

    final ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
    securityHandler.setLoginService(loginService);
    securityHandler.setConstraintMappings(new ConstraintMapping[]{mapping});
    securityHandler.setRealmName(domainRealm);
    securityHandler.setAuthenticator(new SpnegoAuthenticator());
    securityHandler.setHandler(collection);
    return securityHandler;
}

// here I disable the TRACE method for all calls 
Handler wrappedSecurityHandler = wrapDisableTraceHandlers(handlers);
wrappedSecurityHandler = wrapEnableSSOAuthHandlers(wrappedSecurityHandler);
_server.setHandler(wrappedSecurityHandler);


Other information

I have downloaded the Kerberos Authentication Tester Tool and when running it from the KDC server (192.168.0.5) and testing against http://software.company.local:8998 it shows a correct Kerberos authentication.

When running it from the 192.168.0.10 server (where the browser is) it says:

Unexpected authorization header

and Authentication method: NTLM.

I guess it's either a DNS issue or the fact that they are two VMs on the same server.
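As an added diagnostic example (my code, not part of the question, the answer, or Jetty): a Python check that decodes an Authorization: Negotiate header value and tells an NTLMSSP blob apart from a SPNEGO or raw Kerberos GSS-API token, which is the distinction behind the "GSSHeader did not find the right tag" exception quoted above. The sample tokens are constructed, not captured from this setup.

```python
import base64
# Mechanism OIDs as DER-encoded inside a GSS-API InitialContextToken.
SPNEGO_OID = bytes.fromhex("2b0601050502")         # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2 (Microsoft Kerberos)

def _der_len(buf: bytes, pos: int):
    """Parse a DER length field at buf[pos]; return (length, index of first content byte)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_negotiate_token(header_value: str) -> str:
    """Return 'NTLM type N', 'SPNEGO', 'KERBEROS' or 'UNKNOWN' for an
    'Authorization: Negotiate <base64>' header value. Java's GSS-API acceptor (hence Jetty's
    SpnegoLoginService) only parses the 0x60-tagged GSS token; an NTLMSSP blob sent under the
    same 'Negotiate' scheme is what produces 'GSSHeader did not find the right tag'."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError(f"not a Negotiate header: {scheme!r}")
    raw = base64.b64decode(b64, validate=True)
    if raw.startswith(b"NTLMSSP\x00"):
        # Bytes 8..12 carry the NTLM message type: 1 = NEGOTIATE, 3 = AUTHENTICATE.
        return f"NTLM type {int.from_bytes(raw[8:12], 'little')}"
    # RFC 2743 3.1 InitialContextToken: [APPLICATION 0] tag 0x60, length, then mech OID (tag 0x06).
    if len(raw) < 2 or raw[0] != 0x60:
        return "UNKNOWN"
    _, pos = _der_len(raw, 1)
    if pos >= len(raw) or raw[pos] != 0x06:
        return "UNKNOWN"
    oid_len, pos = _der_len(raw, pos + 1)
    oid = raw[pos:pos + oid_len]
    return {SPNEGO_OID: "SPNEGO", KRB5_OID: "KERBEROS", MS_KRB5_OID: "KERBEROS"}.get(oid, "UNKNOWN")

def negotiate_header(token: bytes) -> str:
    """Build the header value a client would send for a raw token."""
    return "Negotiate " + base64.b64encode(token).decode()

# Constructed sample tokens (not captured from the setup in the question).
NTLM_NEGOTIATE = b"NTLMSSP\x00" + (1).to_bytes(4, "little") + bytes.fromhex("078208a2") + b"\x00" * 16
SPNEGO_INIT = bytes([0x60, 0x0C, 0x06, 0x06]) + SPNEGO_OID + bytes([0xA0, 0x02, 0x30, 0x00])
KRB5_AP_REQ = bytes([0x60, 0x0D, 0x06, 0x09]) + KRB5_OID + bytes([0x01, 0x00])  # token id 01 00 = AP-REQ

if __name__ == "__main__":
    for tok in (NTLM_NEGOTIATE, SPNEGO_INIT, KRB5_AP_REQ):
        print(classify_negotiate_token(negotiate_header(tok)))  # NTLM type 1 / SPNEGO / KERBEROS
```

Running it against the header captured with Wireshark (or logged in Jetty before SpnegoLoginService decodes it) shows whether the browser fell back to NTLM before you spend time on keytab or enctype settings.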

Answer

Apparently, having client and server on two distinct virtual machines (that are on the same physical server!) can lead to a NTLM token.

I thought VMs would dodge the client-and-server-on-the-same-machine issue.

So, if you

  • like me, are testing with VMs residing on the same physical machine, and
  • have set everything right but are still getting a Defective token detected,

you should try to access the server from a different computer (as long as that machine is joined to the company domain).
