SPNEGO authentication issue with password


Problem description

I have configured my application to use Kerberos authentication through SPNEGO with Websphere.

Below are the details

krb5.conf

[libdefaults]
    default_realm = ABC.MYCOMPANY.COM
    default_keytab_name = FILE:C:\IBM\WebSphere\AppServer\kerberos\MyServer.keytab
    default_tkt_enctypes = rc4-hmac des-cbc-md5
    default_tgs_enctypes = rc4-hmac des-cbc-md5
    forwardable  = true
    renewable  = true
    noaddresses = true
    clockskew  = 300
[realms]
    ABC.MYCOMPANY.COM = {
        kdc = TEST.abc.mycompany.com:88
        default_domain = mycompany.com
    }
[domain_realm]
    .mycompany.com = ABC.MYCOMPANY.COM

login.conf

spnego-client {
    com.sun.security.auth.module.Krb5LoginModule required;
};

spnego-server {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    useKeyTab=true
    keyTab="MyServer.keytab";
};

spnego properties

spnego.allow.basic=false
spnego.allow.localhost=false
spnego.allow.unsecure.basic=false
spnego.login.client.module=spnego-client
spnego.login.server.module=spnego-server
spnego.prompt.ntlm=false
spnego.allow.delegation=true
spnego.logger.level=1

When I access my application, I get the following error

Config missing param value for: spnego.preauth.password
Stack Trace : java.lang.NullPointerException: Config missing param value for: spnego.preauth.password
    at net.sourceforge.spnego.SpnegoAuthenticator$1.getInitParameter(SpnegoAuthenticator.java:218)
    at net.sourceforge.spnego.SpnegoFilterConfig.<init>(SpnegoFilterConfig.java:145)
    at net.sourceforge.spnego.SpnegoFilterConfig.getInstance(SpnegoFilterConfig.java:316)
    at net.sourceforge.spnego.SpnegoAuthenticator.<init>(SpnegoAuthenticator.java:206)

Command used to create the keytab file

C:\IBM\WebSphere\AppServer\java>ktpass -out c:\temp\MyServer.keytab -princ HTTP/TEST.abc.mycompany.com@ABC.MYCOMPANY.COM -mapUser wasMyServer -mapOp set -pass mypassword -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL

I am not using spnego password, I want it to use keytab, I don't understand why it is throwing error saying that param is missing.

Recommended answer

While you didn't tag your question with Active-Directory, you must be running it because you are trying to use RC4-HMAC-NT, which used to be the dominant encryption algorithm for Microsoft Active Directory. I say used to be, because starting with Windows Server 2008 R2, AES256-SHA1 became the default encryption algorithm. That said, the Active Directory account wasMyServer needs to be configured to comply with the Kerberos Protocol. It should be a user account, not a computer account, according to WebSphere setup instructions, and to give you the flexibility to run the Kerberized service on the application server properly. That said, on the "Account" tab for the user account "wasMyServer":

  1. Ensure all account options (except password never expires) are unchecked.
  2. Ensure the SPN HTTP/TEST.abc.mycompany.com is assigned to the account.

Reference: Managing SPNEGO in WebSphere Application Server: Tips on using Kerberos service principal names

EDIT:

KRB5.CONF

There appears to be a problem inside your krb5.conf. You have only these two lines showing as supporting RC4-HMAC:

default_tkt_enctypes = rc4-hmac des-cbc-md5
default_tgs_enctypes = rc4-hmac des-cbc-md5

To fully enable the RC4-HMAC encryption type, add the additional line underneath:

permitted_enctypes = rc4-hmac des-cbc-md5

(As a side note, no one uses des-cbc-md5 encryption type anymore, but I left it in there)

The DNS domain name needs to be consistent throughout this file. For simplicity sake, the DNS domain name and Kerberos realm name should match (apart from the Kerberos realm name being specified in UPPER case). They don't have to match, but it makes troubleshooting orders of magnitude harder when they don't match.

Since you clarified that your AD domain name is abc.mycompany.com, I suggest to use a krb5.conf file which looks like this:

[libdefaults]
    default_realm = ABC.MYCOMPANY.COM
    default_keytab_name = FILE:C:\IBM\WebSphere\AppServer\kerberos\MyServer.keytab
    default_tkt_enctypes = rc4-hmac des-cbc-md5
    default_tgs_enctypes = rc4-hmac des-cbc-md5
    permitted_enctypes = rc4-hmac des-cbc-md5
    forwardable  = true
    renewable  = true
    noaddresses = true
    clockskew  = 300
[realms]
    ABC.MYCOMPANY.COM = {
        kdc = TEST.abc.mycompany.com:88
        default_domain = abc.mycompany.com
    }
[domain_realm]
    .abc.mycompany.com = ABC.MYCOMPANY.COM
    abc.mycompany.com = ABC.MYCOMPANY.COM

Reference: Secure communication using stronger encryption algorithms

SPN

All SPNs must be unique within any given Kerberos realm. In the event of a duplicate SPN, run the below command to find the AD accounts to which duplicate SPNs are registered, and remove the SPN from the account which the SPN is not being used. The hint for that, is that the SPN to the AD account with which the keytab was generated is the only place where the SPN should be registered. So for this case, only the AD account wasMyServer should have the SPN HTTP/TEST.abc.mycompany.com. To find all duplicate SPNs in the Directory, run the following in a Windows Command Shell on a computer joined to the AD domain:

setspn -X

The output will list all AD accounts to which duplicate SPNs are registered, and you can take corrective action according to my guidance. The command:

setspn -D HTTP/TEST.abc.mycompany.com wasMyServer

...will remove a duplicate SPN from an AD account name. Or you can remove it within the AD Users and Computers GUI as well. Run the above command to clean the AD account each time right before you re-create the keytab.

Keytab


  1. Restart the WebSphere Application Server service whenever you replace the keytab.
  2. Verify the keytab on the WAS server by running the command below. The verification pulls a Kerberos ticket from the KDC, so if it succeeds, there is nothing wrong with the keytab.

kinit -k -t MyServer.keytab HTTP/TEST.abc.mycompany.com

Note: kinit does not come with Windows, but it does come with Java JRE/JDK, so you need to either place a copy of the keytab into the same directory where kinit exists or otherwise ensure <JAVA HOME> is in the system PATH in order to run the command successfully.

Web browser

Ensure that your web browser is configured to send Windows credentials (essentially, a SPNEGO token containing a Kerberos service ticket) to the application server automatically. To do this, follow the below instructions.

Internet Explorer:

  1. Open the Internet Options dialog box by choosing Internet Options either from Control Panel or from the Tools menu in Internet Explorer.
  2. In the Internet Options dialog box, on the Security tab, select Local Intranet, and then click Custom Level.
  3. In the Security Settings dialog box, under Logon, select "Automatic logon only in Intranet zone", and then click OK.
  4. In the Internet Options dialog box on the Security Settings tab with Local Intranet still selected, click Sites.
  5. In the Local intranet dialog box, click Advanced.
  6. In the next dialog box (also titled Local intranet), type the URL of your web site (for example, http://test.abc.mycompany.com) in the "Add this Web site to the zone" box, and then click Add.
  7. In the Local Intranet dialog box, click OK.
  8. In the original Local Intranet dialog box, click OK.
  9. Under the Advanced tab, ensure that "Enable Integrated Windows Authentication" is enabled (this is the default).
  10. In the Internet Options dialog box, click OK.

Reference: Configuring Internet Explorer for automatic logon
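As an added example (not code from the question or the answer), a small Python checker that applies the krb5.conf rules from the answer above: permitted_enctypes present and identical to the tkt/tgs lists, default_domain being the lower-case form of the realm, and both "domain" and ".domain" mapped to the realm in [domain_realm]. The two embedded configs are constructed from the asker's file and the answer's corrected version, with the kdc line omitted for brevity.

```python
def parse_krb5(text):
    """Parse krb5.conf into {section: {key: value}}; a realm block is keyed 'realms/<REALM>'."""
    conf, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]")
        elif line.endswith("{"):            # e.g. "ABC.MYCOMPANY.COM = {"
            section = "realms/" + line.split("=")[0].strip()
        elif line == "}":
            section = "realms"
        elif "=" in line:
            key, value = map(str.strip, line.split("=", 1))
            conf.setdefault(section, {})[key] = value
    return conf

def check_krb5(text):
    """Return the problems found; an empty list means the file follows the answer's rules."""
    conf, problems = parse_krb5(text), []
    lib = conf.get("libdefaults", {})
    realm = lib.get("default_realm", "")
    enc = {lib.get(k) for k in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")}
    if len(enc) != 1:   # a missing key shows up as None, a differing list as a second value
        problems.append("tkt/tgs/permitted enctype lists are missing or differ")
    domain = conf.get("realms/" + realm, {}).get("default_domain", "")
    if domain.upper() != realm:
        problems.append(f"default_domain {domain!r} is not the lower-case form of realm {realm!r}")
    for name in (domain, "." + domain):
        if conf.get("domain_realm", {}).get(name) != realm:
            problems.append(f"[domain_realm] lacks {name} = {realm}")
    return problems

# Constructed sample: the asker's original sections (kdc line omitted).
ORIGINAL = """[libdefaults]
    default_realm = ABC.MYCOMPANY.COM
    default_tkt_enctypes = rc4-hmac des-cbc-md5
    default_tgs_enctypes = rc4-hmac des-cbc-md5
[realms]
    ABC.MYCOMPANY.COM = {
        default_domain = mycompany.com
    }
[domain_realm]
    .mycompany.com = ABC.MYCOMPANY.COM
"""
# The answer's corrected file, derived from the sample above so the three differences are explicit.
CORRECTED = ORIGINAL.replace("default_tgs_enctypes = rc4-hmac des-cbc-md5\n",
    "default_tgs_enctypes = rc4-hmac des-cbc-md5\n    permitted_enctypes = rc4-hmac des-cbc-md5\n"
).replace("= mycompany.com", "= abc.mycompany.com").replace(
    ".mycompany.com = ", ".abc.mycompany.com = ABC.MYCOMPANY.COM\n    abc.mycompany.com = ")

print(check_krb5(ORIGINAL), check_krb5(CORRECTED))   # three findings, then []
```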
