Has anyone configured Kerberos SSO on Web Logic 12.1.2 with JDK 1.7 on Win 2012 successfully?

Question

I am trying to configure Kerberos SSO on Web Logic 12.1.2 with JDK 1.7.x on Win 2012 R2. I am using the Java ktab command to create the keytab file. The encryption includes DES and rc4-hmac. My Kerberos ini file only uses rc4-hmac encryption. But when I try to log in to my application, I get this error in the Web Logic log file (fragment):

####<Nov 13, 2014 7:24:29 AM PST> <Debug> <SecurityAtn> <ifvm00131> <ICN_ManagedServer_2> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1415892269395> <BEA-000000> <acceptGssInitContextToken failed
com.bea.security.utils.kerberos.KerberosException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)
    at com.bea.security.utils.kerberos.KerberosTokenHandler.acceptGssInitContextTokenInDoAs(KerberosTokenHandler.java:351)
    at com.bea.security.utils.kerberos.KerberosTokenHandler.access$100(KerberosTokenHandler.java:43)
    at com.bea.security.utils.kerberos.KerberosTokenHandler$2.run(KerberosTokenHandler.java:239)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
    at com.bea.security.utils.kerberos.KerberosTokenHandler.acceptGssInitContextToken(KerberosTokenHandler.java:237)
    at com.bea.security.utils.kerberos.KerberosTokenHandler.acceptGssInitContextToken(KerberosTokenHandler.java:165)
    at com.bea.common.security.internal.utils.negotiate.SPNEGONegotiateToken.getUsername(SPNEGONegotiateToken.java:57)
    at weblogic.security.providers.authentication.NegotiateIdentityAsserterProviderImpl.assertChallengeIdentity(NegotiateIdentityAsserterProviderImpl.java:210)
    at com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter.assertChallengeIdentity(ChallengeIdentityAssertionProviderImpl.java:130)
    at com.bea.common.security.internal.service.ChallengeIdentityAssertionTokenServiceImpl.assertChallengeIdentity(ChallengeIdentityAssertionTokenServiceImpl.java:120)

and login to my application is unsuccessful. In the browser I am getting an Error 401--Unauthorized error.

When I reconfigure the env using AES256 encryption, I get a Checksum failed error.

I wonder if anyone has experienced similar issues and was able to resolve them successfully?

Here is my krb5.ini file, located in the c:\windows directory:

[libdefaults]
    default_realm = MYREALM.LOCAL
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    default_tgs_enctypes = rc4-hmac
    default_tkt_enctypes = rc4-hmac
    ticket_lifetime = 600

[realms]
    MYREALM.LOCAL = {
        kdc = adhostname.mydomain.local:88
        admin_server = adhostname.mydomain.local
        default_domain = mydomain.local
    }

[domain_realm]
    mydomain.local = MYREALM.LOCAL
    .mydomain.local = MYREALM.LOCAL

Here is my config file:

com.sun.security.jgss.krb5.initiate 
{
   com.sun.security.auth.module.Krb5LoginModule required
   principal="account@REALM.LOCAL" useKeyTab=true
   keyTab="C:\\sso\\wlker.keytab" storeKey=true debug=true;
};

com.sun.security.jgss.krb5.accept 
{
   com.sun.security.auth.module.Krb5LoginModule Required
   principal="account@REALM.LOCAL" useKeyTab=true
   keyTab="C:\\sso\\wlker.keytab" storeKey=true debug=true;
};

Myapp
{
weblogic.security.auth.login.UsernamePasswordLoginModule required authOnLogin=true;
};

Recommended answer

I have already answered this before. Please search; you have to enable/install the unlimited security policy.
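
A diagnostic for the answer above, as an added example that is not part of the original post: it reads the enctype of each key in a keytab and compares the AES ones with `Cipher.getMaxAllowedKeyLength("AES")`, the limit that the unlimited-strength policy files raise. The class name `KeytabEnctypeCheck`, the assumption that the keytab is in format version 0x0502, and the built-in sample keytab (used when no path is given) are constructed for illustration.

```java
import java.io.*;
import java.util.*;
import javax.crypto.Cipher;

// Added example, not from the original post: checks a keytab's AES keys against this JVM's JCE policy.
public class KeytabEnctypeCheck {
    // Kerberos enctype numbers: 17 = AES128, 18 = AES256; DES (1, 3) and RC4-HMAC (23) are not AES.
    static int aesBits(int etype) { return etype == 17 ? 128 : etype == 18 ? 256 : 0; }

    static Set<Integer> enctypes(InputStream raw) throws IOException {
        DataInputStream in = new DataInputStream(raw);
        if (in.readUnsignedShort() != 0x0502) throw new IOException("not a version 0x0502 keytab");
        Set<Integer> found = new TreeSet<Integer>();
        while (true) {
            int size;
            try { size = in.readInt(); } catch (EOFException end) { return found; }
            byte[] entry = new byte[Math.abs(size)];
            in.readFully(entry);
            if (size < 0) continue;            // negative length marks a deleted entry
            DataInputStream e = new DataInputStream(new ByteArrayInputStream(entry));
            int components = e.readUnsignedShort();
            for (int i = 0; i <= components; i++) e.skipBytes(e.readUnsignedShort()); // realm + name parts
            e.skipBytes(4 + 4 + 1);            // name type, timestamp, 8-bit key version
            found.add(e.readUnsignedShort());  // key type (enctype)
        }
    }

    // Constructed sample keytab: one entry for account@REALM.LOCAL with an all-zero key.
    static byte[] sampleKeytab(int etype, int keyLen) throws IOException {
        ByteArrayOutputStream entry = new ByteArrayOutputStream(), file = new ByteArrayOutputStream();
        DataOutputStream e = new DataOutputStream(entry), f = new DataOutputStream(file);
        e.writeShort(1); e.writeShort(11); e.writeBytes("REALM.LOCAL"); e.writeShort(7); e.writeBytes("account");
        e.writeInt(1); e.writeInt(0); e.writeByte(1);  // name type, timestamp, key version
        e.writeShort(etype); e.writeShort(keyLen); e.write(new byte[keyLen]);
        f.writeShort(0x0502); f.writeInt(entry.size()); f.write(entry.toByteArray());
        return file.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        int maxAes = Cipher.getMaxAllowedKeyLength("AES"); // 128 when the limited policy files are installed
        try (InputStream in = args.length > 0 ? new FileInputStream(args[0])
                                              : new ByteArrayInputStream(sampleKeytab(18, 32))) {
            for (int etype : enctypes(in)) {
                int bits = aesBits(etype);
                String aes = bits == 0 ? "not AES" : "AES-" + bits + (bits <= maxAes ? " allowed" : " blocked by JCE policy");
                System.out.println("enctype " + etype + ": " + aes);
            }
        }
    }
}
```

Run it with the same JDK that WebLogic uses, passing the keytab path as the only argument; a different JVM on the host may have different policy files installed.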
