SPNEGO with Java prompting password many times


Problem description

I'm using spnego http://spnego.sourceforge.net to make a single sign-on on my system. The problem is that even when typing the right password, it will prompt again and again.

Sometimes if you type it twice you can join the system; sometimes you need to type the same user and password more than 10 times until you get access to the system.

After you are logged in to the system, the password can be prompted for many times at random times, again and again and again.

Thanks in advance.

Recommended answer

I've not tried that specific spnego module yet, but I've encountered this issue before.

The issue with SPNEGO and two login prompts is often related to:


  1. The application's login service is configured to allow both negotiate and basic:

WWW-Authenticate: Negotiate
WWW-Authenticate: basic


  • If Windows Native Authentication is enabled in Internet Explorer, but the Windows client fails to retrieve a Kerberos ticket for the service (for some reason), IE will


    • Prompt for login, but no matter what you write here it will send an NTLMSSP token using Authorization: Negotiate

    Authentication using the NTLMSSP token will fail and you'll get a secondary login prompt, which will be submitted using Basic Authorization: Basic

    Not sure why authenticating more than two times sometimes will let you in, though..

    To investigate the problem further:

    • Check server log files (set java option -Dsun.security.krb5.debug=true and web.xml spnego.logger.level=1) for clues.
    • Check that the Windows client is logged on to the domain.
    • Check that Windows Native Authentication is enabled in Internet Explorer.
    • Check that the website is added to local intranet sites in Internet Explorer (or available without using dot "." in the web site name).
    • Check that keytab, krb5.conf and login.conf are configured for your app server. (See spnego docs pre_flight and reference_docs)
    • Check that the principal name used in the keytab is the DNS A record and not a DNS CNAME record for your service.
    • An excellent tool for debugging web traffic is Fiddler2. Install and see what Internet Explorer responds to the authentication challenges (HTTP 401).
    • If Internet Explorer indeed submits an NTLMSSP token, you might also want to use Wireshark and filter "Kerberos" traffic to see if your domain controller responds with a TGS-REP containing a Kerberos ticket for accessing your service.

    If you're still out of luck, we might be able to help you further if you can make available all or some of:


    • spnego configuration
    • Server logs (if anything relevant)
    • Fiddler2 trace
    • Wireshark trace

    Øyvind
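
The Fiddler2 check suggested in the answer above can be scripted. The following is an added example, not part of the original answer or of the spnego project: it classifies the `Authorization` header values copied from a trace as Basic, NTLMSSP or Kerberos. The function names are hypothetical, the sample header values are constructed, and the token classification is a heuristic based on the NTLMSSP signature and the Kerberos mechanism OIDs.

```python
import base64

NTLMSSP_SIG = b"NTLMSSP\x00"
# DER-encoded mechanism OIDs that mark a Kerberos ticket inside a SPNEGO token.
KRB5_OIDS = (
    bytes.fromhex("06092a864886f712010202"),  # 1.2.840.113554.1.2.2 (Kerberos V5)
    bytes.fromhex("06092a864882f712010202"),  # 1.2.840.48018.1.2.2 (Microsoft variant)
)

def classify_authorization(value):
    """Classify one Authorization header value: basic, ntlm, kerberos or unknown."""
    scheme, _, blob = value.strip().partition(" ")
    if scheme.lower() == "basic":
        return "basic"
    if scheme.lower() != "negotiate":
        return "unknown"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError: malformed base64
        return "unknown"
    # Heuristic: NTLMSSP may arrive raw or wrapped in SPNEGO, so search for it
    # first; a Kerberos OID can also appear in a mechanism list around NTLM.
    if NTLMSSP_SIG in token:
        return "ntlm"
    if token[:1] == b"\x60" and any(oid in token for oid in KRB5_OIDS):
        return "kerberos"
    return "unknown"  # e.g. continuation tokens, which this sketch ignores

def fell_back_without_kerberos(auth_headers):
    """True when the client sent NTLM and/or Basic but never a Kerberos ticket."""
    kinds = [classify_authorization(h) for h in auth_headers]
    return "kerberos" not in kinds and ("ntlm" in kinds or "basic" in kinds)

# Constructed sample values (not from a real capture, no real credentials).
SAMPLE_NTLM = "Negotiate " + base64.b64encode(
    NTLMSSP_SIG + b"\x01\x00\x00\x00" + b"\x00" * 8).decode()
SAMPLE_KRB = "Negotiate " + base64.b64encode(
    b"\x60\x20" + KRB5_OIDS[0] + b"\x01\x00" + b"\x00" * 16).decode()  # header bytes only
SAMPLE_BASIC = "Basic " + base64.b64encode(b"user:constructed").decode()

if __name__ == "__main__":
    trace = [SAMPLE_NTLM, SAMPLE_BASIC]  # the sequence the answer describes
    for header in trace:
        print(classify_authorization(header), "<-", header[:32])
    print("no Kerberos ticket presented:", fell_back_without_kerberos(trace))
```

A trace that only ever shows `ntlm` and `basic` points back to the client-side checks in the list above (domain logon, intranet zone, principal name in the keytab) rather than to the server configuration.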
