Kerberos/Spnego authentication issue after password change


Problem description

I setup Tomcat to use SPNEGO authentication, so the users can Single-Sign-On to our web applications without typing their password and everything worked fine. Yesterday I changed the password of the service account and I recreated the keytab file but after a Tomcat restart the SSO stopped to work. In the logs I found:

exception [GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)] with root cause
java.security.GeneralSecurityException: Checksum failed
        at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCrypto.java:388)
        at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(ArcFourHmac.java:74)
        at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:83)
        at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:77)
        at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
        at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:267)
        at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
        at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
        at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
        at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:874)
        at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:541)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
        at net.sourceforge.spnego.SpnegoAuthenticator.doSpnegoAuth(SpnegoAuthenticator.java:444)
        at net.sourceforge.spnego.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:283)

Since the configuration should be ok I don't know why I'm getting this error... Could be something related to the Ticket Granting Ticket that wasn't refreshed?

Recommended answer

One possibility is people who had outstanding service tickets issued with the old password. If you regenerated the keytab but did not retain the old key in the keytab, you'd expect anyone who did not log out and log in to refresh their tickets and who had service tickets for your services to generate that error. If it works if you get an entirely new TGT on the client side (say by logging entirely out of Windows and logging back in), that's what's going on. If that doesn't work, edit your question to add details and I'll explore other failures in another answer.
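A way to verify the answer's point before restarting the service, added here as an example that is not part of the original thread: parse the regenerated keytab (MIT format version 0x0502, which Java's Kerberos provider, ktutil and ktpass all read) and check whether a key with a lower kvno for the HTTP service principal is still present alongside the new one. The keytab builder, the principal name and the key bytes are constructed for the demonstration; enctype 23 is rc4-hmac, the ArcFour type in the stack trace.

```python
import struct

def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as an MIT keytab (version 0x0502).
    Constructed for this demonstration so the parser can be exercised offline."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:  # realm first, then each name component
            body += struct.pack(">H", len(s)) + s.encode()
        # name_type=1 (NT-PRINCIPAL), timestamp=0, 8-bit vno, keyblock (enctype, length, key)
        body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
        body += struct.pack(">I", kvno)  # optional 32-bit vno, needed once kvno exceeds 255
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...] from 0x0502 keytab bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only MIT keytab version 0x0502 is handled here")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size < 0:  # a negative size marks a deleted entry: skip the hole
            pos += -size; continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
        strs = []
        for _ in range(ncomp + 1):  # realm plus ncomp name components
            (n,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
            strs.append(data[pos:pos + n].decode()); pos += n
        pos += 8  # name_type (4) + timestamp (4), not needed for this check
        kvno = data[pos]; pos += 1
        enctype, keylen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4 + keylen
        if end - pos >= 4:  # 32-bit vno present: it overrides the 8-bit one when non-zero
            (vno32,) = struct.unpack(">I", data[pos:pos + 4])
            kvno = vno32 or kvno
        entries.append(("/".join(strs[1:]) + "@" + strs[0], kvno, enctype))
        pos = end
    return entries

def old_key_retained(entries, principal, current_kvno):
    """True if the keytab holds the current key and at least one key with a lower kvno
    for the principal, so service tickets issued before the password change still decrypt."""
    kvnos = {k for p, k, _ in entries if p == principal}
    return current_kvno in kvnos and any(k < current_kvno for k in kvnos)
```

Run it against the real keytab with `parse_keytab(open(path, "rb").read())`; a result of only the new kvno is the situation the answer describes, and clients keep failing until their service tickets are reissued.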
