Enable detailed logging for kerberos in java

Problem description

I have a java-based web application that takes the contents of a web form containing a username and password and authenticates using kerberos to a Windows-based domain.

The KDC address is apparently configured to map to different IP addresses at each lookup and this can be confirmed by using the ping command from the command line.

The call responds immediately for most requests but the response is slow (5-10 seconds or even longer) intermittently. I think this may be due to which domain controller is used.

I've tried to turn on kerberos logging but the IP address of the domain controller is not shown. How can I turn on more detailed logging to try to identify dodgy domain controllers please?

The code extract sources the kerb.conf and kerb_context.conf from the filesystem.

The kerb.conf is:

[libdefaults]
default_realm = EXAMPLE.COM

[realms]
CYMRU.NHS.UK = {
        kdc = example.com:88
        admin_server = example.com
        kpasswd_server = example.com
}

The kerb_context.conf is:

 primaryLoginContext {
        com.sun.security.auth.module.Krb5LoginModule required
        useTicketCache=false
        refreshKrb5Config=true
        debug=true;
};

The sample source is:

static NadexUser executePerformLogin(String username, String password) throws LoginException {
    char[] passwd = password.toCharArray();
    String kerbConf = ERXFileUtilities.pathForResourceNamed("nadex/kerb.conf", "RSCorp", null);
    String kerbContextConf = ERXFileUtilities.pathURLForResourceNamed("nadex/kerb_context.conf", "RSCorp", null).toExternalForm();
    // Point the JVM at the Kerberos realm configuration and the JAAS login configuration.
    System.setProperty("java.security.krb5.conf", kerbConf);
    System.setProperty("java.security.auth.login.config", kerbContextConf);
    try {
        // Authenticate against the KDC with the credentials from the web form.
        LoginContext lc = new LoginContext("primaryLoginContext", new UserNamePasswordCallbackHandler(username, password));
        lc.login();
        return new _NadexUser(lc.getSubject());
    }
    catch (javax.security.auth.login.LoginException le) {
        throw new LoginException("Failed to login : " + le.getLocalizedMessage(), le);
    }
}

Recommended answer

You can enable logging by setting system property sun.security.krb5.debug to true.

See the Oracle documentation.
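
An added example, not part of the original question or answer: since the KDC name resolves to several addresses, this times a TCP connect to the Kerberos port on each one so a slow domain controller can be matched against the debug log. The class name `KdcProbe`, the `localhost` default and the 5-second timeout are assumptions; it also assumes the KDCs accept TCP on port 88, the port given in kerb.conf.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.util.LinkedHashMap;
import java.util.Map;

public class KdcProbe {  // hypothetical helper, not from the page

    /** Connect time in ms for every address the name resolves to; -1 = refused or timed out. */
    static Map<InetAddress, Long> probe(String host, int port, int timeoutMs) throws IOException {
        Map<InetAddress, Long> results = new LinkedHashMap<>();
        for (InetAddress addr : InetAddress.getAllByName(host)) {
            long start = System.nanoTime();
            long elapsedMs;
            try (Socket s = new Socket()) {
                s.connect(new InetSocketAddress(addr, port), timeoutMs);
                elapsedMs = (System.nanoTime() - start) / 1_000_000;
            } catch (IOException e) {
                elapsedMs = -1;
            }
            results.put(addr, elapsedMs);
        }
        return results;
    }

    public static void main(String[] args) throws IOException {
        // In the application this belongs beside the other System.setProperty calls,
        // before the first lc.login(); -Dsun.security.krb5.debug=true on the JVM
        // command line has the same effect. It has no visible effect in this probe,
        // which makes no Kerberos calls of its own.
        System.setProperty("sun.security.krb5.debug", "true");

        String kdcHost = args.length > 0 ? args[0] : "localhost"; // placeholder default
        int kdcPort = 88;                                         // port from kerb.conf
        // Repeat a few rounds: an intermittent problem may not show on the first pass.
        for (int round = 1; round <= 3; round++) {
            for (Map.Entry<InetAddress, Long> e : probe(kdcHost, kdcPort, 5000).entrySet()) {
                String result = e.getValue() < 0 ? "FAILED/TIMEOUT" : e.getValue() + " ms";
                System.out.printf("round %d  %-40s %s%n", round, e.getKey(), result);
            }
        }
    }
}
```

Run it from the application server with the KDC host name as the argument. An address that is repeatedly slow or unreachable is the domain controller to investigate.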
