Spring Security Kerberos + AD, Checksum Fail


Problem description


I'm trying to do a Spring Security Kerberos with Active Directory credentials as stated in http://docs.spring.io/spring-security-kerberos/docs/1.0.1.RELEASE/reference/htmlsingle/#samples-sec-server-win-auth. I'd like to say that I've got most of the things down (SPN, keytabs, etc.). Now I've got a checksum fail. Supposing I change my principal name, I get an AES encryption error.


I'm using Spring Boot on RHEL 6 with Oracle Java 1.8 + JCE. Sample from https://github.com/spring-projects/spring-security-kerberos/tree/master/spring-security-kerberos-samples/sec-server-win-auth


Here is what I get when I run the jar

Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is /home/boss/webdev125-3.keytab refreshKrb5Config is false principal is http/webdev@EXAMPLE.ORG tryFirstPass is false useFirstPass is false storePass is false clearPass is false

principal is http/webdev@EXAMPLE.ORG
Will use keytab
Commit Succeeded

....

2015-11-25 11:29:09.631 DEBUG 5559 --- [nio-8080-exec-3] .a.KerberosServiceAuthenticationProvider : Try to validate Kerberos Token
2015-11-25 11:29:10.003 WARN 5559 --- [nio-8080-exec-3] w.a.SpnegoAuthenticationProcessingFilter : Negotiate Header was invalid:

...

org.springframework.security.authentication.BadCredentialsException: Kerberos validation not successful
    at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:71)
    at org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:64)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)

...

Caused by: org.ietf.jgss.GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)

    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:856)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
    at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:906)
    at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:556)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
    at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:170)
    at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:153)
    ... 48 common frames omitted

Caused by: sun.security.krb5.KrbCryptoException: Checksum failed

    at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:102)
    at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:94)
    at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:175)
    at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:281)
    at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149)
    at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829)
    ... 56 common frames omitted

Caused by: java.security.GeneralSecurityException: Checksum failed

    at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:451)
    at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(AesDkCrypto.java:272)
    at sun.security.krb5.internal.crypto.Aes256.decrypt(Aes256.java:76)
    at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:100)
    ... 62 common frames omitted

Some other details:

  • /etc/krb5.conf does have default_tgs_enctypes and default_tkt_enctypes set to include aes256-cts-hmac-sha1-96
  • The default keytab location matches between the application and krb5.conf
  • The keytab was generated on a Windows server and then copied to RHEL

Accepted answer


It seems that I had conflicts with existing Service Principal Mappings. Once I cleaned it up, the error stopped happening. This link helped me find the solution - https://developer.jboss.org/wiki/ConfiguringJBossNegotiationInAnAllWindowsDomain?_sscc=t
