尽管allowtgtsessionkey注册表项，仍无法检索TGT [英] Cannot retrieve TGT despite allowtgtsessionkey registry entry

问题描述

我正在尝试连接我们的Windows客户端应用程序以使用单点登录机制。我正在按照此处中的说明进行操作。我已经无法完成第一步工作，即获取签名用户的票证授予票证。运行我的单元测试时（代码见下文），我得到以下异常：

I'm trying to wire our windows client application to use a single-sign-on mechanism. I'm following the explanations that can be found here. I'm already having trouble getting the first step to work, that is, acquiring the Signed On User's Ticket-Granting-Ticket. When running my unit test (code see below), I'm getting the following exception:

javax.security.auth.login.LoginException: Unable to obtain Princpal Name for authentication 
at com.sun.security.auth.module.Krb5LoginModule.promptForName(Krb5LoginModule.java:800)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:671)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:584)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)
at javax.security.auth.login.LoginContext.login(LoginContext.java:594)
at org.myapp.test.cases.SSOTest.testSSO(SSOTest.java:28)

当我运行时会发生这种情况使用Java 7进行测试。我认为这意味着票证缓存为空。但是，当我使用Java 6运行测试时，登录成功，我可以从 LoginContext Subject 对象C $ C>。当我读到此处，Java 7现在完全尊重允许/拒绝导出TGT的Windows 7策略。所以我在我的注册表中设置了 allowtgtsessionkey 值，希望这可以解决我的问题。但是尽管已经重新启动并重新启动，我仍然无法使用Java 7访问我的TGT。使用Java 6，它可以正常工作。有谁可以指出我缺少的东西？

This happens when I run the test with Java 7. I thought this means that the ticket cache is empty. However, when I run the test with Java 6, the login is successful, and I can retrieve a fully populated Subject object from the LoginContext. As I read here, Java 7 now fully respects the Windows 7 policies which allow/deny exporting TGTs. So I set the the allowtgtsessionkey value in my registry, hoping this would fix my problem. But despite having relogged and restarted, I still can't access my TGT with Java 7. With Java 6, it works just fine. Could anyone point out what I'm missing?

SSOTest.java：

SSOTest.java:

    @Test
    public void testSSO() {
    System.setProperty("java.security.auth.login.config", "D:\\login.conf");

    LoginContext lc = null;
    try {
        lc = new LoginContext("TestLoginContext1");
    } catch (LoginException e1) {
        e1.printStackTrace();
    }

    try {
        lc.login(); // Exception happens here
    } catch (LoginException e) {
        e.printStackTrace();
    }

    Subject signedOnUserSubject = lc.getSubject();
    System.out.println(signedOnUserSubject);
    }

login.conf

login.conf

TestLoginContext1 {
   com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true doNotPrompt=true debug=true;
};

krb5.conf

krb5.conf

[libdefaults]
default_realm = MY.DOMAIN.COM
[realms]
MY.DOMAIN.COM = {
    kdc = domaincontroller.my.domain.com
    admin_server = domaincontroller.my.domain.com
    default_domain = MY.DOMAIN.COM
}

推荐答案

对于同样位于本地管理组中的帐户，这似乎是Windows的限制。我阅读了以下此处：

It seems this is a limitation of Windows when it comes to accounts that are also in the local administration group. I read the following here:

已知问题

Known Issues

如果AD帐户也添加到本地管理员组中
客户端PC，Microsoft限制此类客户端获取票证的
会话密钥（即使您将allowtgtsessionkey
注册表项设置为1）。解决方法是：忘记你是用户中记录的
，调用kinit.exe。不要依赖于LSA凭证缓存。

If an AD account is also added into local administrator group on the client PC, Microsoft restricts such client from getting the session key for tickets (even if you set the allowtgtsessionkey registry key to 1). The workaround is: Just forget you're a logged in user, call kinit.exe. Do not depends on LSA credential cache.

在最近的修补程序中
（[35] http://support.microsoft.com/kb/942219/en-us ，应该是Vista SP1中包含的
），此限制取消正常的
服务票。但是，它仍然适用于TGT。由于Java使用TGT
来获取其他服务的票证（标准Kerberos进程），因此
此更新对Windows上的JGSS编程没有任何好处。

此外，即使执行Java被更改为从LSA缓存读取
服务票证，它仍然无法执行
委托，因为在这种情况下总是需要TGT。

In a recent hotfix ([35]http://support.microsoft.com/kb/942219/en-us, should be included in Vista SP1), this restriction is lifted for normal
service tickets. However, it still applies to TGT. Since Java uses TGT to acquire tickets for other services (the standard Kerberos process), this update provides no benefit to JGSS programming on Windows.
Furthermore, even if the implementation of Java is changed to read
service tickets from the LSA cache, it still cannot perform delegation, since a TGT is always needed in that case.

这篇关于尽管allowtgtsessionkey注册表项，仍无法检索TGT的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！