Kerberos fails when accessing site by IP address
Problem description
Problems appear when accessing a Kerberos-protected site by IP address. For example:
http://10.10.1.x:3001/
gives a failure.
http://my-host:3001/
SSO completes successfully.
Apache error logs say:
src/mod_auth_kerb.c(1261): [client 10.10.1.x] Acquiring creds for HTTP@10.10.1.x
[client 10.10.1.x] gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (Key table entry not found)
src/mod_auth_kerb.c(1261): [client 10.10.1.x Acquiring creds for HTTP@my-host
[debug] src/mod_auth_kerb.c(1407): [client 10.10.1.x] Verifying client data using KRB5 GSS-API
[debug] src/mod_auth_kerb.c(1423): [client 10.10.1.x] Verification returned code 0
As you can see, Kerberos tries to find the HTTP@10.10.1.x or HTTP@my-host principals. For both principals I created dummy accounts in Active Directory. The keytab file also includes both of them:
KVNO Timestamp Principal
---- ----------------- -----------------------------------------------------
5 01/01/70 03:00:00 HTTP/10.10.1.x@MY_DOMAIN.LAN (ArcFour with HMAC/md5)
11 09/04/12 12:03:01 HTTP/my-host@MY_DOMAIN.LAN (ArcFour with HMAC/md5)
Kinit works for both of them.
Kerberos config on server:
Krb5Keytab /etc/krb5.keytab
AuthType Kerberos
KrbMethodNegotiate On
AuthName "Kerberos Login"
KrbAuthRealms MY_DOMAIN.LAN
KrbVerifyKDC Off
KrbMethodK5Passwd On
Require valid-user
Can someone guess where the problem is? Is it possible to use an IP address in Kerberos SSO?
Recommended answer
Kerberos does not work with IP addresses, it relies on domain names and correct DNS entries only.
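A pre-flight check that applies the answer above to a list of URLs before they are handed to users. This is an added example, not code from the original post or from mod_auth_kerb. The function names, the status strings, and the address 10.10.1.5 are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: `klist -k` style listing modelled on the one in the question.
KEYTAB_LISTING = """\
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------
   5 01/01/70 03:00:00 HTTP/10.10.1.5@MY_DOMAIN.LAN (ArcFour with HMAC/md5)
  11 09/04/12 12:03:01 HTTP/my-host@MY_DOMAIN.LAN (ArcFour with HMAC/md5)
"""

def keytab_principals(listing):
    """Return the set of principals found in `klist -k` style output."""
    found = set()
    for line in listing.splitlines():
        # KVNO, date, time, then principal@REALM; header lines do not match.
        m = re.match(r"\s*\d+\s+\S+\s+\S+\s+(\S+@\S+)", line)
        if m:
            found.add(m.group(1))
    return found

def is_ip_literal(host):
    """True for IPv4 or IPv6 address literals, False for names."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def check_sso_url(url, realm, listing):
    """Classify a URL for Kerberos SSO; returns (status, detail)."""
    host = urlsplit(url).hostname
    if not host:
        return ("invalid", "no host in URL")
    if is_ip_literal(host):
        # Per the answer: Kerberos relies on domain names and DNS, so a
        # keytab entry named after the IP does not make this URL work.
        return ("ip-literal", f"use a DNS name instead of {host}")
    spn = f"HTTP/{host}@{realm}"
    if spn in keytab_principals(listing):
        return ("ok", spn)
    return ("missing-key", spn)
```

A result of `missing-key` means the keytab has no entry for the name in the URL. It does not check that DNS resolves that name correctly, which still has to be verified separately.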