使用Kerberos身份验证时出现登录错误 [英] Login Error when authenticating with Kerberos

问题描述

我们面临着一个有趣的问题.用户使用Kerberos身份验证登录到应用程序.他们很少成功，但是突然他们面临用户登录信息的锁定，并且他们在屏幕上看到以下错误

We are facing an interesting problem. Users login to application with Kerberos authentication. Few times they are successful, but suddenly they face lockout for their user login information and they see the error below on their screen

Login error: com.ibm.security.krb5.KrbException, status code: 24
    message: Pre-authentication information was invalid
Stack Trace : 
javax.security.auth.login.FailedLoginException: Login error: com.ibm.security.krb5.KrbException, status code: 24
    message: Pre-authentication information was invalid
    at com.ibm.security.jgss.i18n.I18NException.throwFailedLoginException(I18NException.java:33)
    at com.ibm.security.auth.module.Krb5LoginModule.a(Krb5LoginModule.java:457)
    at com.ibm.security.auth.module.Krb5LoginModule.b(Krb5LoginModule.java:377)
    at com.ibm.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:200)
    at sun.reflect.GeneratedMethodAccessor36.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:56)
    at java.lang.reflect.Method.invoke(Method.java:620)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:781)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:215)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:706)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:704)
    at java.security.AccessController.doPrivileged(AccessController.java:452)

当我们重新启动Websphere应用程序服务器时，所有操作都适用于相同的用户，直到他们再次遇到问题为止.我们试图检查日志并更改keytab文件，但是没有任何效果.有人遇到这个问题吗?

When we restart websphere application servers, everything works for the same users till they face the issue again. We have tried to check logs and change keytab file, but nothing has worked. Has anyone face this issue?

推荐答案

它可能与时间(NTP)问题有关.

It might be linked to a time (NTP) issue.

据我所知，Kerberos预身份验证使用时间戳(生成一次性密码)，因此我敢打赌NTP问题可能会导致此类问题.

Kerberos preauthentification uses a timestamp as far as I know (to generate one-time-passwords), so I bet an NTP issue could cause that kind of problems.

此外，凭据未销毁可能会导致此类问题(例如，用户未正确注销)

Also, credentials not being destroyed could lead in such problems I suppose (e;g users not logged off correctly)

检查您的所有服务器(运行应用程序的应用程序服务器以及Kerberos KDC)是否已与NTP服务器同步并且具有完全相同的时间.

Check that all your servers (appservers where the app is running, as well as the Kerberos KDC) are synchronized with an NTP server and have the exact same time.

这篇关于使用Kerberos身份验证时出现登录错误的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！