Malformed PAC logon info on new KerberosToken


Problem description


I'm using the code here to get authentication information from a Kerberos token. In there I've configured the domainUsername and domainUserPassword and just ran it as specified in the readme.md.


Then, from a browser that is in the AD domain, I connect to http://server:8080/spnego and I see on the opened page my username@domain. The page should also contain the SID of the AD groups to which my user belongs.


Looking at the server logs, I see:

org.jaaslounge.decoding.DecodingException: Malformed PAC logon info.
    at org.jaaslounge.decoding.pac.PacLogonInfo.<init>(PacLogonInfo.java:209)
    at org.jaaslounge.decoding.pac.Pac.<init>(Pac.java:45)
    at org.jaaslounge.decoding.kerberos.KerberosPacAuthData.<init>(KerberosPacAuthData.java:13)
    at org.jaaslounge.decoding.kerberos.KerberosAuthData.parse(KerberosAuthData.java:21)
    at org.jaaslounge.decoding.kerberos.KerberosRelevantAuthData.<init>(KerberosRelevantAuthData.java:41)
    at org.jaaslounge.decoding.kerberos.KerberosAuthData.parse(KerberosAuthData.java:18)
    at org.jaaslounge.decoding.kerberos.KerberosEncData.<init>(KerberosEncData.java:136)
    at org.jaaslounge.decoding.kerberos.KerberosTicket.<init>(KerberosTicket.java:103)
    at org.jaaslounge.decoding.kerberos.KerberosApRequest.<init>(KerberosApRequest.java:62)
    at org.jaaslounge.decoding.kerberos.KerberosToken.<init>(KerberosToken.java:52)
    at com.example.ManualSpnegoNegotiateServlet.attemptNegotiation(ManualSpnegoNegotiateServlet.java:271)

Line 271 is the following:

KerberosToken token = new KerberosToken(kerberosTokenData, keys);


That error message is too vague. I've no idea how to continue and I get the same error from different clients.


Does anyone have any tip about this?

Answer


I've figured this one out myself. It turns out that the message "Malformed PAC logon info" is actually correct. The code failed when it was trying to get the "Resource groups data".


Initially I thought that the PAC_LOGON_INFO structure has changed since the last jaaslounge implementation was written (somewhere in 2010). I thought that because the MS-PAC specification does not mention it at all.


Actually, the problem is coming from a completely different place: the KDC. It's running on a Win Server 2012, version in which Microsoft added by default resource SID Compression.


There you have it, if you turn off resource SID Compression on the KDC, everything will start working (no need to touch anything else, i.e. the version of jaaslounge or to patch Java with an unlimited JCE policy).
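The answer above turns resource SID compression off for the whole KDC. A narrower option is to disable it only for the service account whose PACs the old jaaslounge parser has to decode, via the account's msDS-SupportedEncryptionTypes attribute. The following is an added example, not code from the original post or from jaaslounge; it assumes the ActiveDirectory PowerShell module, a service account name (placeholder svc-spnego), and that 0x80000 is the Resource-SID-compression-disabled bit of that attribute as documented in MS-KILE, which you should verify against the spec before use.

```powershell
# Added example (not from the original post or the jaaslounge project).
# Disables resource SID compression for one service account so the KDC emits
# uncompressed resource groups in that service's PACs, instead of changing the KDC.
# Assumptions (verify in your environment):
#   - $ServiceAccount holds the HTTP/<server> SPN used by the SPNEGO servlet.
#   - 0x80000 is the Resource-SID-compression-disabled flag (MS-KILE, msDS-SupportedEncryptionTypes).
Import-Module ActiveDirectory

$ServiceAccount = 'svc-spnego'                 # placeholder, replace with your account
$ResourceSidCompressionDisabled = 0x80000

$acct = Get-ADUser -Identity $ServiceAccount -Properties 'msDS-SupportedEncryptionTypes'
$current = [int]($acct.'msDS-SupportedEncryptionTypes')   # unset attribute becomes 0

# The same attribute carries the ticket encryption-type bits (0x8 = AES128, 0x10 = AES256).
# Writing only the compression flag to an unset attribute would leave no etype bits,
# which changes which ticket ciphers the KDC offers, so stop and let the operator decide.
if ($current -eq 0) {
    Write-Warning "msDS-SupportedEncryptionTypes is unset on $ServiceAccount; set the intended etype bits (e.g. 0x18 for AES) together with 0x80000 explicitly."
    return
}

if (($current -band $ResourceSidCompressionDisabled) -ne 0) {
    Write-Host ("Resource SID compression already disabled for {0} (0x{1:X})" -f $ServiceAccount, $current)
} else {
    $new = $current -bor $ResourceSidCompressionDisabled   # keep existing etype bits
    Set-ADUser -Identity $ServiceAccount -Replace @{ 'msDS-SupportedEncryptionTypes' = $new }
    Write-Host ("msDS-SupportedEncryptionTypes on {0}: 0x{1:X} -> 0x{2:X}" -f $ServiceAccount, $current, $new)
}
```

Clients keep their cached service tickets until they expire or are purged (klist purge), so the old, compressed PACs can still reach the servlet for a while after the change.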
