Weblogic + Kerberos + SSO


Problem description

I'm trying to configure Single Sign On with weblogic and Kerberos.

So far I still get the login page; maybe you can tell me what is wrong from this log:

Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is /oracle/product12/user_projects/domains/test/krb/test.keytab refreshKrb5Config is false principal is kinp@TEST.ORG tryFirstPass is false useFirstPass is false storePass is false clearPass is false
KeyTab instance already exists
Added key: 23version: 19
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 3.
0: EncryptionKey: keyType=23 kvno=19 keyValue (hex dump)=
0000: C3 CB 19 1C 64 6E F9 7F   6A C9 31 FB EE 69 E7 35  ....dn..j.1..i.5


principal's key obtained from the keytab
Acquire TGT using AS Exchange
default etypes for default_tkt_enctypes: 23 3.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=192.168.0.100 UDP:88, timeout=30000, number of retries =3, #bytes=137
>>> KDCCommunication: kdc=192.168.0.100 UDP:88, timeout=30000,Attempt =1, #bytes=137
>>> KrbKdcReq send: #bytes read=181
>>> KrbKdcReq send: #bytes read=181
>>> KdcAccessibility: remove 192.168.0.100
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
     sTime is Tue Jan 20 10:46:05 EET 2015 1421743565000
     suSec is 576578
     error code is 25
     error Message is Additional pre-authentication required
     realm is TEST.ORG
     sname is krbtgt/TEST.ORG
     eData provided.
     msgType is 30
>>>Pre-Authentication Data:
     PA-DATA type = 11
     PA-ETYPE-INFO etype = 23
     PA-ETYPE-INFO salt = 
>>>Pre-Authentication Data:
     PA-DATA type = 19
     PA-ETYPE-INFO2 etype = 23
     PA-ETYPE-INFO2 salt = null
>>>Pre-Authentication Data:
     PA-DATA type = 2
     PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
     PA-DATA type = 16
>>>Pre-Authentication Data:
     PA-DATA type = 15
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
>>>KrbAsReq salt is TEST.ORGdev
default etypes for default_tkt_enctypes: 23 3.
Pre-Authenticaton: find key for etype = 23
AS-REQ: Add PA_ENC_TIMESTAMP now
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=192.168.0.100 UDP:88, timeout=30000, number of retries =3, #bytes=220
>>> KDCCommunication: kdc=192.168.0.100 UDP:88, timeout=30000,Attempt =1, #bytes=220
>>> KrbKdcReq send: #bytes read=1408
>>> KrbKdcReq send: #bytes read=1408
>>> KdcAccessibility: remove 192.168.0.100
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply dev
principal is dev@TEST.ORG
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: C3 CB 19 1C 64 6E F9 7F   6A C9 31 FB EE 69 E7 35  ....dn..j.1..i.5

Added server's keyKerberos Principal dev@TEST.ORGKey Version 19key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: C3 CB 19 1C 64 6E F9 7F   6A C9 31 FB EE 69 E7 35  ....dn..j.1..i.5


        [Krb5LoginModule] added Krb5Principal  dev@TEST.ORG to Subject
Commit Succeeded 

Found key for dev@TEST.ORG(23)
Entered Krb5Context.acceptSecContext with state=STATE_NEW

I get this log when I'm trying to access the login page.

Error exception:

com.bea.security.utils.kerberos.KerberosException: Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))
    at com.bea.security.utils.kerberos.KerberosTokenHandler.acceptGssInitContextTokenInDoAs(KerberosTokenHandler.java:334)
    at com.bea.security.utils.kerberos.KerberosTokenHandler.access$000(KerberosTokenHandler.java:41)
    at com.bea.security.utils.kerberos.KerberosTokenHandler$1.run(KerberosTokenHandler.java:226)
...
Caused By: GSSException: Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
...
Caused By: KrbException: Specified version of key is not available (44)
    at sun.security.krb5.EncryptionKey.findKey(EncryptionKey.java:516)
    at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:260)
    at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
...

Thanks!

Recommended answer

Can't post a comment, so posting this as an answer. You need to enable Weblogic's authentication logging:

  1. In the Weblogic console click the "Lock & Edit" button in the top left corner.
  2. Select Environment – Servers in the Domain Structure portlet on the left.
  3. Select your server on the Summary of Servers page.
  4. Select the "Debug" tab.
  5. Drill down to weblogic – security – atn.
  6. Select the checkbox to the left of the word DebugSecurityAtn.
  7. Click the "Enable" button at the top or bottom of the page.
  8. Go to your server again and click on the Logging tab.
  9. Scroll down and click on Advanced.
  10. In "Message destination(s) - Log file" change the severity level to Debug.
  11. Click the "Save" button at the top or bottom of the page.
  12. Click "Activate Changes" in the top-left corner.

After that, try logging in again; you will have much more info in your log.
