Kerberos SPN是否在Windows服务器上缓存? [英] Kerberos SPN gets cached on Windows Servers?
问题描述
曾经将Kerberos身份验证集成到我的SSO项目中.遇到了一个特殊的情况.
Been integrating Kerberos authentication in my SSO project. Came across a peculiar scenario.
我创建了一个新用户,并为其附加了SPN.在此问题中按照步骤进行操作,一切正常.我的意思是:-
I made a new user and attached an SPN to it. Followed steps on this question and got everything working. By everything I mean :-
- kinit用户名-输入密码后,我收到了保存票证的消息.
- kinit spn(int格式为HTTP/FQDN)-然后输入密码,我得到了打勾的消息已保存.
一段时间后,我决定再次尝试此操作,因此我使用了命令
After some time I decided to try this over once again, and so I used the command
setspn -D spn username
将spn与用户名分离.然后我从AD中删除了该用户(用户名).
to detach the spn from username. Then I deleted this user(username) from AD.
接下来,我创建了一个新用户,即username1,并按照此问题进行操作为该新用户注册与上述步骤相同的spn.
Next I created a new user say username1 and did as per this question to register the same spn as in above step for this new user.
现在,kinit用户名1-输入密码会显示已保存票证的消息,但是kinit spn-输入密码会给我错误
Now kinit username1 - and entering password gave the message that ticket is saved, however kinit spn - and entering password gave me the error
client not found in Kerberos database.
请注意,如果我使用其他(新)spn,则一切正常.
Note that everything works fine if I use a different(new) spn.
所以问题是,Windows服务器是否具有一定的缓存,其中某些链接仍然存在,因此我无法再次使用此spn?还是从用户分离spn时出现了一些错误?
So the question is, does Windows server have certain cache wherein some links are still present due to which I am not able to use this spn again? Or did I do some mistake while detaching the spn from user?
谢谢, 尼基尔
推荐答案
在回顾了您在Chat中编写的内容以及完整的问题历史记录之后,该问题实际上是两个问题. (1)在创建密钥表之前,您需要始终删除使用中的SPN. (2)在ktpass.exe键表创建命令中,您将需要使用 HTTP/vinw12sec5225.eqsectest.local 的SPN映射用户,而不是简短的登录名 krbspn .另外,我只是观察一下-您不需要将SPN都大写.这很难阅读,尽管出于连续性考虑,我没有改变.只有Kerberos领域大写.根据您提供的信息,要解决这种情况,应执行以下命令:
After reviewing what you wrote in Chat, as well as the full problem history, the problem is actually two problems. (1) You need to always delete the in-use SPN before creating the keytab. (2) Inside the ktpass.exe keytab creation command, you will need to map the user using the SPN of HTTP/vinw12sec5225.eqsectest.local, instead of the short logon name krbspn. Also, I will just make an observation - you do not need to place the SPN in all caps. That makes it hard to read, though for sake of continuity, I did not change that. Only the Kerberos realm should be in all caps. Based on the information you provided, to resolve this case, you should perform the following commands:
-
setspn -D HTTP/VINW12SEC5225.EQSECTEST.LOCAL krbspn -
ktpass /princ HTTP/VINW12SEC5225.EQSECTEST.LOCAL@EQSECTEST.LOCAL /ptype krb5_nt_principal /crypto All /mapuser krbspn@EQSECTEST.LOCAL /out c:\ticket\krbspn.keytab -kvno 0 /pass eQ@12345 -
klist -e -k -t c:\ticket\krbspn.keytab
setspn -D HTTP/VINW12SEC5225.EQSECTEST.LOCAL krbspnktpass /princ HTTP/VINW12SEC5225.EQSECTEST.LOCAL@EQSECTEST.LOCAL /ptype krb5_nt_principal /crypto All /mapuser krbspn@EQSECTEST.LOCAL /out c:\ticket\krbspn.keytab -kvno 0 /pass eQ@12345klist -e -k -t c:\ticket\krbspn.keytab
作为参考,我在此处显示一个示例,说明如何在Microsoft Active Directory用作目录服务时如何创建密钥表:
For a reference, I show an example of how to create a keytab when Microsoft Active Directory is in use as the Directory Service here: Kerberos Keytabs – Explained. I also provide an accompanying explanation of each ktpass.exe syntax parameter.
为帮助解决上述步骤后仍然可能出现的问题,然后使用Notepad ++(不是常规的Notepad)右键单击并编辑您的keytab文件,只需复制keytab文件的内容(不要进行任何更改),然后然后检查结果.内部的密钥将被加密-好的,请查看密钥表中SPN的格式.它应与AD帐户上为SPN显示的内容匹配.当这些不匹配时,您将收到在Kerberos数据库中找不到客户端"错误.另外,如果对密钥表进行了任何更改,请确保将应用程序服务器配置指向正确的密钥表文件,并重新启动应用程序服务.
To help resolve what still could be wrong after the above steps, then using Notepad++ (not regular Notepad) right-click and edit your keytab file, simply copy the contents of the keytab file (don't make any changes) and then examine the results. The secret key inside will be encrypted - that's ok, look at how the SPN is formulated inside the keytab. It should match to what is shown for the SPN on the AD account. When these don't match you will get "client not found in Kerberos database" error. Also ensure the application server config is pointed to the right keytab file and restart the application service if anything is changed regarding the keytab.
这篇关于Kerberos SPN是否在Windows服务器上缓存?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
