Kerberos fails when accessing site by IP address


Problem description

Problems appear when accessing a Kerberos-protected site by IP address. For example:

http://10.10.1.x:3001/ gives failure

http://my-host:3001/ SSO completes successfully.

Apache error logs say:

src/mod_auth_kerb.c(1261): [client 10.10.1.x] Acquiring creds for HTTP@10.10.1.x [client 10.10.1.x] gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (Key table entry not found)

src/mod_auth_kerb.c(1261): [client 10.10.1.x Acquiring creds for HTTP@my-host [debug] src/mod_auth_kerb.c(1407): [client 10.10.1.x] Verifying client data using KRB5 GSS-API [debug] src/mod_auth_kerb.c(1423): [client 10.10.1.x] Verification returned code 0

As you can see, Kerberos tries to find the HTTP@10.10.1.x or HTTP@my-host principals. For both principals, dummy accounts were created in Active Directory. Both of them are also included in the keytab file:

KVNO Timestamp         Principal
---- ----------------- -----------------------------------------------------
   5 01/01/70 03:00:00 HTTP/10.10.1.x@MY_DOMAIN.LAN (ArcFour with HMAC/md5)

  11 09/04/12 12:03:01 HTTP/my-host@MY_DOMAIN.LAN (ArcFour with HMAC/md5)

Kinit works for both of them.

Kerberos config on server:

   Krb5Keytab /etc/krb5.keytab
   AuthType Kerberos
   KrbMethodNegotiate On
   AuthName "Kerberos Login"
   KrbAuthRealms MY_DOMAIN.LAN
   KrbVerifyKDC Off
   KrbMethodK5Passwd On
   Require valid-user

Can someone guess where the problem is? Is it possible to use an IP address in Kerberos SSO?

Recommended answer

Kerberos does not work with IP addresses, it relies on domain names and correct DNS entries only.
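An added example, not part of the original question or answer: a Python pre-check that applies the answer's rule to a site URL and to a keytab listing in the `klist -k` layout quoted in the question. The address 192.0.2.10, the function names and the exact-match comparison between URL host and keytab entry are assumptions of this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample in the `klist -k` layout quoted in the question.
# 192.0.2.10 is a documentation address standing in for the server's IP.
SAMPLE_KLIST = """\
KVNO Timestamp         Principal
---- ----------------- -----------------------------------------------------
   5 01/01/70 03:00:00 HTTP/192.0.2.10@MY_DOMAIN.LAN (ArcFour with HMAC/md5)
  11 09/04/12 12:03:01 HTTP/my-host@MY_DOMAIN.LAN (ArcFour with HMAC/md5)
"""

# KVNO, date, time, then service/host@REALM; header and ruler lines do not match.
ENTRY = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+?)/([^@\s]+)@(\S+)")


def keytab_principals(klist_text):
    """Return the set of (service, host, realm) entries in a keytab listing."""
    entries = set()
    for line in klist_text.splitlines():
        match = ENTRY.match(line)
        if match:
            service, host, realm = match.groups()
            entries.add((service, host.lower(), realm))
    return entries


def is_ip_literal(host):
    """True for IPv4/IPv6 literals, which the answer says Kerberos cannot use."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_url(url, klist_text, realm, service="HTTP"):
    """Classify a site URL for Kerberos SSO; returns (verdict, detail)."""
    host = urlsplit(url).hostname or ""  # lower-cased, IPv6 brackets removed
    if is_ip_literal(host):
        # A keytab entry for the IP does not help: the question has one and still fails.
        return ("ip-literal", f"publish the site under a DNS name, not {host}")
    if (service, host, realm) in keytab_principals(klist_text):  # assumption: exact match
        return ("ok", f"{service}/{host}@{realm}")
    return ("no-keytab-entry", f"{service}/{host}@{realm} is missing from the keytab")
```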
