Get AD Groups with kerberos ticket in Java


Question

I am obtaining a kerberos ticket with the following code:

import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;

// JAAS entry name used by the JGSS Kerberos initiator; its configuration decides
// whether the login picks up the OS ticket cache or prompts for credentials.
String client = "com.sun.security.jgss.krb5.initiate";

LoginContext lc = new LoginContext(client, new CallbackHandler() {
    @Override
    public void handle(Callback[] arg0) throws IOException, UnsupportedCallbackException {
        // Only logs the callbacks; no credentials are supplied here (SSO via ticket cache).
        System.out.println("CB: " + arg0);
    }
});

lc.login();   // throws LoginException if no usable ticket is found

System.out.println("SUBJ: " + lc.getSubject());

This code works fine, I get a subject that shows my user ID. The problem I'm having is now I need to know whether the user belongs to a certain group in AD. Is there a way to do this from here?

I've seen code to get user groups using LDAP but it requires logging in with a user/password, I need to do it the SSO way.

Recommended answer

You cannot actually do this with the kind of ticket you get at login. The problem is that the Windows PAC (which contains the group membership information) is in the encrypted part of the ticket. Only the domain controller knows how to decrypt that initial ticket.

It is possible to do with a service ticket. So, you could set up a keytab, use jgss to authenticate to yourself and then decrypt the ticket, find the PAC, decode the PAC and then process the SIDs. I wasn't able to find code for most of that in Java, although it is available in C. Take a look at this for how to decrypt the ticket. Now, at this point you're talking about writing or finding an NDR decoder, reading all the specs about how the PAC and sids are put together, or porting the C code to Java. My recommendation would be to take a different approach. Instead, use Kerberos to sign into LDAP. Find an LDAP library that supports Java SASL and you should be able to use a Kerberos ticket to log in.

If your application wants to know the groups the user belongs to in order to populate menus and stuff like that, you can just log in as the user. However, if you're going to decide what access the user has, don't log in as the user to gain access to LDAP. The problem is that with Kerberos, an attacker can cooperate with the user to impersonate the entire infrastructure to your application unless you confirm that your ticket comes from the infrastructure. That is, because the user knows their password, and because that's the only secret your application knows about, the user can cooperate with someone to pretend to be the LDAP server and claim to have any access they want.

Instead, your application should have its own account to use when accessing LDAP. If you do that, you can just look up the group list. I do realize this is all kind of complex.
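As an added example (not the asker's or the answerer's code) of the approach recommended above: the application binds to LDAP over SASL/GSSAPI under its own keytab-backed principal and reads the user's memberOf attribute, so no user password is involved and no user-supplied ticket is trusted for the access decision. The DC hostname, base DN and JAAS entry name are placeholders; it assumes a JAAS configuration whose AppServiceAccount entry uses Krb5LoginModule with useKeyTab=true.

```java
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.*;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

public class AdGroupLookup {
    // Assumed values (placeholders): your DC, search base and the JAAS entry for the app's keytab.
    static final String LDAP_URL = "ldap://dc.example.com:389";
    static final String BASE_DN = "DC=example,DC=com";
    static final String JAAS_ENTRY = "AppServiceAccount";

    // Returns the memberOf DNs of the given sAMAccountName, looked up under the
    // application's own Kerberos identity rather than the user's ticket.
    public static List<String> groupsOf(String samAccountName) throws Exception {
        LoginContext lc = new LoginContext(JAAS_ENTRY); // Krb5LoginModule with useKeyTab=true
        lc.login();
        return Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<List<String>>) () -> {
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, LDAP_URL);
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI"); // SASL bind with the app's ticket
            env.put("javax.security.sasl.qop", "auth-conf");     // require integrity + confidentiality
            DirContext ctx = new InitialDirContext(env);
            try {
                SearchControls sc = new SearchControls();
                sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
                sc.setReturningAttributes(new String[] {"memberOf"});
                // {0} is filled in by JNDI with proper escaping, so the name cannot alter the filter.
                NamingEnumeration<SearchResult> results = ctx.search(BASE_DN,
                        "(&(objectClass=user)(sAMAccountName={0}))", new Object[] {samAccountName}, sc);
                List<String> groups = new ArrayList<>();
                while (results.hasMore()) {
                    Attribute memberOf = results.next().getAttributes().get("memberOf");
                    for (int i = 0; memberOf != null && i < memberOf.size(); i++) {
                        groups.add((String) memberOf.get(i));
                    }
                }
                return groups; // empty if the user has no direct group memberships or does not exist
            } finally {
                ctx.close();
            }
        });
    }
}
```

memberOf lists direct memberships only; nested group membership needs a further query (for example a matching-rule-in-chain filter), and the "primary group" is not represented in memberOf at all.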
