Weblogic + Kerberos + SSO
Problem description
I'm trying to configure Single Sign On with weblogic and Kerberos.
But I still get the login page; maybe you can tell me what is wrong from this log:
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is /oracle/product12/user_projects/domains/test/krb/test.keytab refreshKrb5Config is false principal is kinp@TEST.ORG tryFirstPass is false useFirstPass is false storePass is false clearPass is false
KeyTab instance already exists
Added key: 23version: 19
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 3.
0: EncryptionKey: keyType=23 kvno=19 keyValue (hex dump)=
0000: C3 CB 19 1C 64 6E F9 7F 6A C9 31 FB EE 69 E7 35 ....dn..j.1..i.5
principal's key obtained from the keytab
Acquire TGT using AS Exchange
default etypes for default_tkt_enctypes: 23 3.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=192.168.0.100 UDP:88, timeout=30000, number of retries =3, #bytes=137
>>> KDCCommunication: kdc=192.168.0.100 UDP:88, timeout=30000,Attempt =1, #bytes=137
>>> KrbKdcReq send: #bytes read=181
>>> KrbKdcReq send: #bytes read=181
>>> KdcAccessibility: remove 192.168.0.100
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Tue Jan 20 10:46:05 EET 2015 1421743565000
suSec is 576578
error code is 25
error Message is Additional pre-authentication required
realm is TEST.ORG
sname is krbtgt/TEST.ORG
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 23
PA-ETYPE-INFO salt =
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 23
PA-ETYPE-INFO2 salt = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
>>>KrbAsReq salt is TEST.ORGdev
default etypes for default_tkt_enctypes: 23 3.
Pre-Authenticaton: find key for etype = 23
AS-REQ: Add PA_ENC_TIMESTAMP now
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=192.168.0.100 UDP:88, timeout=30000, number of retries =3, #bytes=220
>>> KDCCommunication: kdc=192.168.0.100 UDP:88, timeout=30000,Attempt =1, #bytes=220
>>> KrbKdcReq send: #bytes read=1408
>>> KrbKdcReq send: #bytes read=1408
>>> KdcAccessibility: remove 192.168.0.100
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply dev
principal is dev@TEST.ORG
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: C3 CB 19 1C 64 6E F9 7F 6A C9 31 FB EE 69 E7 35 ....dn..j.1..i.5
Added server's keyKerberos Principal dev@TEST.ORGKey Version 19key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: C3 CB 19 1C 64 6E F9 7F 6A C9 31 FB EE 69 E7 35 ....dn..j.1..i.5
[Krb5LoginModule] added Krb5Principal dev@TEST.ORG to Subject
Commit Succeeded
Found key for dev@TEST.ORG(23)
Entered Krb5Context.acceptSecContext with state=STATE_NEW
I get this log when I'm trying to access the login page.
Exception:
com.bea.security.utils.kerberos.KerberosException: Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))
at com.bea.security.utils.kerberos.KerberosTokenHandler.acceptGssInitContextTokenInDoAs(KerberosTokenHandler.java:334)
at com.bea.security.utils.kerberos.KerberosTokenHandler.access$000(KerberosTokenHandler.java:41)
at com.bea.security.utils.kerberos.KerberosTokenHandler$1.run(KerberosTokenHandler.java:226)
...
Caused By: GSSException: Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
...
Caused By: KrbException: Specified version of key is not available (44)
at sun.security.krb5.EncryptionKey.findKey(EncryptionKey.java:516)
at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:260)
at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
...
Thanks!
Answer
Can't post a comment, posting this as an answer. You need to enable Weblogic's authentication logging:
- In the Weblogic console click the "Lock & Edit" button in the top left corner.
- Select Environment – Servers in the Domain Structure portlet on the left.
- Select your server on the Summary of Servers page.
- Select the "Debug" tab.
- Drill down to weblogic – security – atn.
- Select the checkbox to the left of the word DebugSecurityAtn.
- Click the "Enable" button at the top or bottom of the page.
- Go to your server again and click on the Logging tab.
- Scroll down and click on Advanced.
- In "Message destination(s) - Log file" change the severity level to Debug.
- Click the "Save" button at the top or bottom of the page.
- Click "Activate changes" in the top-left corner.
After that, try logging in again; you will have much more info in your log.
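The trace in the question is the JDK's own Kerberos debug output (the ">>> KrbKdcReq" lines come from -Dsun.security.krb5.debug=true), and the answer's DebugSecurityAtn setting adds WebLogic's authentication provider output on top of it. Reading both by hand is error-prone, so here is an added example (not code from the question, the answer, or WebLogic) of a small triage script for that trace. It pulls out the keytab path, the configured principal, the etype/kvno pairs loaded from the keytab and the error codes, and maps the codes to their RFC 4120 names: 25 is the normal pre-authentication round trip, while 44 is KRB_AP_ERR_BADKEYVER, meaning the service ticket the browser presented was encrypted under a key version the keytab does not contain. It also redacts the hex-dumped key bytes, because for etype 23 (rc4-hmac) those bytes are the account's NT hash. The line formats are assumed from the trace above; the sample log is a constructed excerpt of the question's own lines, and the "typical cause" wording in the findings is general Kerberos guidance, not something the page itself establishes.

```python
"""Triage helper for the JDK Kerberos debug trace and the KrbException shown above.

Added example: not code from the original question, the answer, or WebLogic.
It assumes the line formats the JDK prints with sun.security.krb5.debug=true, as
seen in the question's log; SAMPLE_LOG below is a constructed excerpt of that log."""
import re

# KRB error codes (RFC 4120, section 7.5.9) that come up when an SPNEGO acceptor
# cannot use its keytab; 25 is the normal pre-auth round trip, 44 is the one in the trace.
KRB_ERRORS = {
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN: the KDC has no such service principal (SPN)",
    25: "KDC_ERR_PREAUTH_REQUIRED: benign, the client re-sends AS-REQ with PA-ENC-TIMESTAMP",
    31: "KRB_AP_ERR_BAD_INTEGRITY: the keytab key does not decrypt the ticket (wrong password, salt or etype)",
    37: "KRB_AP_ERR_SKEW: clock skew between client, KDC and server",
    44: "KRB_AP_ERR_BADKEYVER: the ticket was encrypted under a key version (kvno) the keytab does not hold",
}

# Encryption types; 23 (rc4-hmac) and the DES types are deprecated by RFC 8429.
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ETYPES = {1, 3, 23}

RE_KEYTAB = re.compile(r"KeyTab is (\S+)")
RE_PRINCIPAL = re.compile(r"principal is (\S+)")
RE_KEY = re.compile(r"EncryptionKey: keyType=(\d+) kvno=(\d+)")      # keys loaded from the keytab
RE_KDC_ERR = re.compile(r"error code is (\d+)")                      # KRB-ERROR during the AS exchange
RE_AP_ERR = re.compile(r"KrbException: .*?\((\d+)\)")                # failure while accepting the AP-REQ
RE_HEXDUMP = re.compile(r"([0-9A-F]{4}: )(?:[0-9A-F]{2} ?){1,16}.*$", re.I)  # one hex-dump row


def triage(log: str) -> dict:
    """Pull the facts that matter out of the trace and explain the error codes."""
    keytab = principal = ap_error = None
    keys, kdc_errors = [], []
    for line in log.splitlines():
        if (m := RE_KEYTAB.search(line)):
            keytab = m.group(1)
        if principal is None and (m := RE_PRINCIPAL.search(line)):
            principal = m.group(1)           # the configured principal from the JAAS options line
        if (m := RE_KEY.search(line)):
            keys.append((int(m.group(1)), int(m.group(2))))
        if (m := RE_KDC_ERR.search(line)):
            kdc_errors.append(int(m.group(1)))
        if (m := RE_AP_ERR.search(line)):
            ap_error = int(m.group(1))

    findings = [KRB_ERRORS.get(c, f"KDC error {c}: see RFC 4120 section 7.5.9") for c in kdc_errors]
    if ap_error is not None:
        findings.append("AP-REQ rejected: " + KRB_ERRORS.get(ap_error, f"error {ap_error}"))
    if ap_error == 44:
        kvnos = sorted({kvno for _, kvno in keys})
        findings.append(
            f"keytab {keytab} holds kvno {kvnos} for {principal}; the browser's service ticket "
            "carries a different kvno. Typical cause: the account password was reset (or the "
            "keytab regenerated) after the ticket was issued, or the HTTP/<fqdn> SPN is mapped "
            "to a different account. Regenerate the keytab and verify which account owns the SPN.")
    weak = sorted({et for et, _ in keys if et in WEAK_ETYPES})
    if weak:
        names = ", ".join(f"{ETYPES[et]} ({et})" for et in weak)
        findings.append(f"keytab contains deprecated etypes: {names}; an rc4-hmac key is the "
                        "account's NT hash. Re-key the account and keytab with aes256-cts-hmac-sha1-96.")
    if keys:
        findings.append("raw key bytes are printed in this trace; run redact() before sharing it")
    return {"keytab": keytab, "principal": principal, "keys": keys,
            "kdc_errors": kdc_errors, "ap_error": ap_error, "findings": findings}


def redact(log: str) -> str:
    """Blank the hex-dumped key bytes (for etype 23 they equal the account's NT hash)."""
    return "\n".join(RE_HEXDUMP.sub(r"\1<redacted>", line) for line in log.splitlines())


# Constructed sample: an excerpt of the question's trace, shortened to the lines that matter.
SAMPLE_LOG = """\
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is /oracle/product12/user_projects/domains/test/krb/test.keytab refreshKrb5Config is false principal is kinp@TEST.ORG tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Added key: 23version: 19
0: EncryptionKey: keyType=23 kvno=19 keyValue (hex dump)=
0000: C3 CB 19 1C 64 6E F9 7F 6A C9 31 FB EE 69 E7 35 ....dn..j.1..i.5
principal's key obtained from the keytab
>>>KRBError:
error code is 25
error Message is Additional pre-authentication required
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
Found key for dev@TEST.ORG(23)
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Caused By: KrbException: Specified version of key is not available (44)
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)["findings"]:
        print("-", finding)
    print(redact(SAMPLE_LOG))
```

Run it against the full server log rather than the excerpt once DebugSecurityAtn is on; the WebLogic provider lines do not match any of the patterns and are simply skipped, so the script only reports what the JDK trace proves. Treat the unredacted log as a secret: the kvno and etype are what you need to compare against the KDC, the key bytes are not.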