Kerberos authorization doesn't work on Chrome and FireFox, but works on IE


Problem description


I followed this guide to integrate CAS with Windows AD.

It worked fine on every browser a few days ago. But now it only works on IE; when I use the Firefox browser it only sends "Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==" to the server, then the browser returns to the CAS login page.

This problem has only been found in the production environment recently. I have a test environment with the same configuration, but it works fine until now.

I know that when the Kerberos ticket is not cached locally, the browser will send "Negotiate TlRMT...". But I can see the ticket with the klist command, and it works on IE, which means the ticket is ok.

I guess it's probably caused by some configuration of the Windows client or AD server; could anyone give me some advice, thanks!

"https://1056-app.test.com" has already been added to "network.negotiate-auth.trusted-uris" in Firefox. And I also tried reinstalling Firefox; that doesn't work.

Chrome: 55

IE: 11

FireFox: 56

Client Browser OS: Windows 7

AD Server OS: Windows Server 2008 R2

CAS Server OS: SUSE 11 SP3

Here is the HTTP dump from Firefox:

GET https://1056-app.test.com/cas/login 401 Unauthorized

Response Headers
Server : nginx/1.8.0
Date : Fri, 13 Oct 2017 10:38:08 GMT
Content-Type : text/html;charset=UTF-8
Transfer-Encoding : chunked
Connection : keep-alive
Pragma : no-cache
Expires : Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control : no-cache
WWW-Authenticate : Negotiate
Content-Language : en-US
Content-Encoding : gzip
Vary : Accept-Encoding

Request Headers
Host : 1056-app.test.com
User-Agent : Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept : text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language : en-US,en;q=0.5
Accept-Encoding : gzip, deflate, br
Cookie : JSESSIONID=EE40B3C3FAFB30D13F45DC612E4D383ECC95916DBE12BEDDE21E9D933893964A4EB867271389530BC8A4B6E9B485E944B952
Connection : keep-alive
Upgrade-Insecure-Requests : 1




GET https://1056-app.test.com/cas/login 401 Unauthorized

Response Headers
Server : nginx/1.8.0
Date : Fri, 13 Oct 2017 10:38:08 GMT
Content-Type : text/html;charset=UTF-8
Transfer-Encoding : chunked
Connection : keep-alive
Pragma : no-cache
Expires : Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control : no-cache
Content-Language : en-US
Content-Encoding : gzip
Vary : Accept-Encoding

Request Headers
Host : 1056-app.test.com
User-Agent : Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept : text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language : en-US,en;q=0.5
Accept-Encoding : gzip, deflate, br
Cookie : JSESSIONID=EE40B3C3FAFB30D13F45DC612E4D383ECC95916DBE12BEDDE21E9D933893964A4EB867271389530BC8A4B6E9B485E944B952
Connection : keep-alive
Upgrade-Insecure-Requests : 1
Authorization : Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==

klist on the client:

Client: huangq @ SWI.TEST.NET
Server: HTTP/1056-app.test.com @ SWI.TEST.NET
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
Start Time: 10/13/2017 12:52:34 (local)
End Time:   10/13/2017 22:11:01 (local)
Renew Time: 10/20/2017 12:11:01 (local)
Session Key Type: RSADSI RC4-HMAC(NT)

setspn -Q command on the client:

C:\Users\huangq>setspn -Q HTTP/1056-app.test.com
Checking domain DC=swi,DC=test,DC=net
CN=SOWSLdapA,OU=Service,OU=_Users,DC=swi,DC=test,DC=net
    HTTP/1056-app.test.com
Existing SPN found! 

keytab creation command:

ktpass.exe /out D:\\1056-app.keytab /princ HTTP/1056-app.test.com@SWI.TEST.NET /pass xxx /mapuser SOWSLdapA@swi.test.net /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
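The question observes that Firefox sends "Negotiate TlRMT..." instead of a Kerberos token. As an added example (not code from the question, from CAS or from Firefox), the following Python decodes an Authorization: Negotiate value and reports whether it carries an NTLMSSP message or a GSS-API/SPNEGO (Kerberos) token, which is the first thing to check when SSO silently falls back. The Firefox header value is the one quoted in the question; the SPNEGO sample is a constructed prefix-only stub, not a real ticket. An NTLM Type 1 (NEGOTIATE) message also embeds the client's OS version, which here decodes to 6.1.7601 (Windows 7 SP1), consistent with the client OS listed above.

```python
import base64
import re
import struct

# Real value quoted in the question: the Firefox request header.
FIREFOX_HEADER = "Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
SPNEGO_OID = b"\x06\x06\x2b\x06\x01\x05\x05\x02"             # 1.3.6.1.5.5.2
KRB5_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"   # 1.2.840.113554.1.2.2
NTLMSSP_NEGOTIATE_VERSION = 0x02000000                       # flag: version block present

# Constructed stub: only the GSS-API InitialContextToken tag and SPNEGO OID a
# Kerberos-capable browser would send first. Not a valid complete token.
SPNEGO_STUB_HEADER = "Negotiate " + base64.b64encode(
    b"\x60\x0a" + SPNEGO_OID + b"\xa0\x00").decode()


def parse_negotiate_header(header_value):
    """Decode an 'Authorization: Negotiate <base64>' value into raw token bytes."""
    m = re.fullmatch(r"\s*Negotiate\s+([A-Za-z0-9+/=]+)\s*", header_value)
    if not m:
        raise ValueError("not an Authorization: Negotiate header")
    return base64.b64decode(m.group(1))


def classify_negotiate_token(header_value):
    """Report which mechanism a Negotiate token carries.

    Returns a dict whose 'mechanism' is one of 'ntlm', 'spnego', 'kerberos',
    'unknown'. For NTLM it also reports the message type (1 = NEGOTIATE), the
    negotiate flags, and the client OS version advertised in the token.
    """
    raw = parse_negotiate_header(header_value)
    if raw.startswith(NTLMSSP_SIGNATURE):
        msg_type, flags = struct.unpack_from("<II", raw, 8)
        info = {"mechanism": "ntlm", "ntlm_message_type": msg_type, "flags": flags}
        # The 8-byte VERSION block is the last field of a Type 1 message and
        # is only present when NTLMSSP_NEGOTIATE_VERSION is set.
        if flags & NTLMSSP_NEGOTIATE_VERSION and len(raw) >= 40:
            major, minor, build = struct.unpack_from("<BBH", raw, len(raw) - 8)
            info["client_os_version"] = f"{major}.{minor}.{build}"
        return info
    if raw[:1] == b"\x60":  # GSS-API InitialContextToken ([APPLICATION 0])
        head = raw[:24]
        if SPNEGO_OID in head:
            return {"mechanism": "spnego"}
        if KRB5_OID in head:
            return {"mechanism": "kerberos"}
    return {"mechanism": "unknown"}


def diagnose(header_value):
    """Short verdict for a support ticket: did the browser fall back to NTLM?"""
    mech = classify_negotiate_token(header_value)["mechanism"]
    if mech == "ntlm":
        # The browser did not obtain (or could not use) a Kerberos service
        # ticket for the SPN it derived; check SPN registration, DNS
        # canonicalisation and the browser's trusted-URI settings.
        return "ntlm-fallback"
    if mech in ("spnego", "kerberos"):
        return "kerberos"
    return "unknown"


if __name__ == "__main__":
    print(classify_negotiate_token(FIREFOX_HEADER))
    print(diagnose(FIREFOX_HEADER), diagnose(SPNEGO_STUB_HEADER))
```

Running this on the header from the dump reports an NTLM Type 1 message, which confirms the fallback the question describes: the problem is upstream of the ticket itself (the klist output shows a valid ticket for HTTP/1056-app.test.com), so the browser must be asking for a different SPN.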

Solution

The root cause has been found: we use a CNAME in DNS, and the CNAME doesn't match the SPN address.

I used these commands to turn on the Firefox negotiate debug log (link):

set NSPR_LOG_MODULES=negotiateauth:5
set NSPR_LOG_FILE=C://firefox.log
./firefox.exe

firefox.log:

[Lazy Idle]: D/negotiateauth   Sending a token of length 9800
[Main Thread]: D/negotiateauth   service = 1056-app.test.com
[Main Thread]: D/negotiateauth   using negotiate-sspi
[Main Thread]: D/negotiateauth   nsAuthSSPI::Init
[Main Thread]: D/negotiateauth Using SPN of [HTTP/***-nginx-elb-***.eu-west-1.elb.amazonaws.com]

Solution:

1. Change DNS to A type.

2. Modify the browser to disable Kerberos CNAME lookup. Chrome: link. Firefox doesn't support this.

Reference:

https://www.chromium.org/developers/design-documents/http-authentication
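The root cause in the answer (the browser canonicalised the CNAME and built its SPN from the load-balancer name, as the firefox.log line "Using SPN of [HTTP/...elb.amazonaws.com]" shows) can be reproduced offline. The following Python is an added example, not code from the answer, from Firefox or from Chrome: it follows a constructed CNAME chain the way browser canonicalisation does, derives the HTTP/<host> SPN, and checks it against a hypothetical set of registered SPNs. The ELB hostname is a placeholder (the real one is redacted on the page), and "1056-app-fixed.test.com" is a hypothetical name served by an A record to model fix 1; fix 2 (disabling CNAME lookup, which Chrome exposes as the DisableAuthNegotiateCnameLookup policy) corresponds to cname_lookup=False.

```python
# Constructed DNS data modelled on the question's setup: the application name is
# a CNAME pointing at a load balancer; a second (hypothetical) name uses an A record.
DNS_RECORDS = {
    "1056-app.test.com": ("CNAME", "placeholder-nginx-elb.eu-west-1.elb.amazonaws.com"),
    "placeholder-nginx-elb.eu-west-1.elb.amazonaws.com": ("A", "203.0.113.10"),
    "1056-app-fixed.test.com": ("A", "203.0.113.10"),  # hypothetical: after "change DNS to A type"
}

# Hypothetical set of SPNs registered in AD. The first is the one the page's
# setspn -Q query found on the SOWSLdapA service account.
REGISTERED_SPNS = {"HTTP/1056-app.test.com", "HTTP/1056-app-fixed.test.com"}


def canonical_name(host, records, max_hops=8):
    """Follow the CNAME chain to the canonical host, as browser SPN canonicalisation does."""
    host = host.lower()
    seen = set()
    for _ in range(max_hops):
        rec = records.get(host)
        if rec is None or rec[0] != "CNAME":
            return host          # A record (or unknown name): this is the canonical name
        if host in seen:
            raise ValueError(f"CNAME loop at {host}")
        seen.add(host)
        host = rec[1].lower()
    raise ValueError("CNAME chain longer than max_hops")


def derive_spn(host, records, cname_lookup=True):
    """SPN the browser will request a service ticket for.

    With cname_lookup=True the host is canonicalised first (default Firefox and
    Chrome behaviour); with False the URL host is used as-is.
    """
    name = canonical_name(host, records) if cname_lookup else host.lower()
    return f"HTTP/{name}"


def spn_check(host, records, registered, cname_lookup=True):
    """Derive the SPN and report whether it is registered (SPN matching is case-insensitive)."""
    spn = derive_spn(host, records, cname_lookup)
    registered_lower = {s.lower() for s in registered}
    return {"spn": spn, "registered": spn.lower() in registered_lower}


if __name__ == "__main__":
    # Broken setup from the question: CNAME canonicalisation yields the ELB SPN.
    print(spn_check("1056-app.test.com", DNS_RECORDS, REGISTERED_SPNS))
    # Fix 2: browser CNAME lookup disabled.
    print(spn_check("1056-app.test.com", DNS_RECORDS, REGISTERED_SPNS, cname_lookup=False))
    # Fix 1: name served by an A record.
    print(spn_check("1056-app-fixed.test.com", DNS_RECORDS, REGISTERED_SPNS))
```

The unregistered SPN explains the whole symptom chain: the KDC cannot issue a ticket for HTTP/<elb-name>, so the browser falls back to NTLM, which CAS does not accept, and the user lands on the login page. IE kept working only because its SPN-building rules differ, so the test is worth running against both names whenever a Kerberos-protected service is put behind a load balancer or a DNS alias. Fix 1 keeps the SPN stable across both browsers; fix 2 depends on a per-browser setting and is not available in Firefox, as the answer notes.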
