SSO authentication, response is always NTLM
Problem description
I'm trying to implement SSO on an intranet application we are developing. I am using SPNEGO for this. Now I'm having some trouble configuring the SSO and hope someone here is able to help me.
The setup is as follows:
- Linux server with tomcat serving the intranet application
- Windows Server 2008 as domain controller (Active Directory)
- Windows 7 clients with IE9 and Firefox
When I open the intranet application I see a GET request going from the client to the tomcat server. The first response of the tomcat server and the SpnegoFilter is a 401 Unauthorized, which is right, because the client needs to be authenticated.
806 6.117724 192.168.65.50 192.168.65.50 HTTP 284 HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate\r\n
The response of the client then is a GET request with a flag NTLMSSP_NEGOTIATE. Here it breaks. I don't expect an NTLM response, but a Kerberos/SPNEGO response. Somehow I just can't figure out how to send the correct response to the tomcat server.
808 6.123277 192.168.65.50 192.168.65.50 HTTP 637 GET / HTTP/1.1 , NTLMSSP_NEGOTIATE
By default NTLM isn't supported by SPNEGO so I get the following entry in my log:
java.lang.UnsupportedOperationException: NTLM specified. Downgraded to Basic Auth (and/or SSL) but downgrade not supported.
So I'm doing something wrong, but after a day fiddling with configurations and policies I just can't figure out what it is.
Hope to get some responses.
Recommended answer
Kerberos does not work on IPs, use fully qualified domain names.
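A diagnostic sketch for the situation in this thread, added here and not part of the original question or answer: it classifies the token in an `Authorization: Negotiate` header as raw NTLM or Kerberos/SPNEGO, and flags a URL whose host is an IP literal. The function names and sample tokens are constructed for illustration, and the inner-mechanism check is a byte-search heuristic rather than a full ASN.1 parse.

```python
import base64
import ipaddress
from urllib.parse import urlsplit

NTLM_SIG = b"NTLMSSP\x00"                           # raw NTLM message signature
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # DER OID 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # DER OID 1.2.840.113554.1.2.2

def classify_negotiate(header_value):
    """Classify the token in an 'Authorization: Negotiate <base64>' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "unknown"
    try:
        raw = base64.b64decode(b64.strip(), validate=True)
    except ValueError:                              # malformed base64
        return "unknown"
    if raw.startswith(NTLM_SIG):                    # what the capture above shows
        return "ntlm"
    if len(raw) < 2 or raw[0] != 0x60:              # GSS-API tokens start with 0x60
        return "unknown"
    skip = 2 + (raw[1] & 0x7F if raw[1] & 0x80 else 0)  # tag + DER length octets
    body = raw[skip:]
    if body.startswith(KRB5_OID):
        return "kerberos"
    if body.startswith(SPNEGO_OID):
        # Heuristic: search for the inner mechanism instead of walking the ASN.1.
        if NTLM_SIG in body:
            return "spnego-ntlm"
        if KRB5_OID in body:
            return "spnego-kerberos"
    return "unknown"

def host_is_ip_literal(url):
    """True when the URL's host is an IPv4/IPv6 literal rather than a name."""
    try:
        ipaddress.ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:
        return False

def diagnose(url, header_value):
    kind = classify_negotiate(header_value)
    if "ntlm" in kind and host_is_ip_literal(url):
        return kind + ": URL host is an IP address; browse to the server's FQDN"
    return kind

def make_header(raw):
    return "Negotiate " + base64.b64encode(raw).decode()

# Constructed, truncated tokens (structure only, not valid credentials).
NTLM_TYPE1 = make_header(NTLM_SIG + (1).to_bytes(4, "little") + bytes(20))
KRB_TOKEN = make_header(b"\x60\x0d" + KRB5_OID + b"\x01\x00")
```

A base64 token beginning with `TlRMTVNTUA` is the `NTLMSSP` signature, which is a quick way to spot the NTLM fallback in a capture or access log without decoding.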