I have the following:
- A Spring web application on JBoss EAP 7.2.2, on a CentOS machine
- Keycloak 3.3.4 on CentOS
- Active Directory
We run on OpenJDK 8.
Users log in from Windows machines with their Active Directory accounts.
Keycloak is configured with Kerberos user federation. On the CentOS machine the Kerberos client was installed with the following commands:
```
yum install krb5-user krb5-doc
yum install krb5-pkinit krb5-workstation
yum install krb5-libs krb5-devel
yum install krb5-server krb5-workstation pam_krb5
```
In the Keycloak user federation, the keytab file path and the other settings are correct; the Keycloak log file confirms this.
Realm: XYZ.COM
Server principal: HTTP/principal-name@REALM
The keytab file was generated with:
```
ktpass.exe /out file.keytab /mapuser user-name@REALM /mapop set /princ HTTP/principal-name@REALM /ptype KRB5_NT_PRINCIPAL /pass XXXXXX /crypto RC4-HMAC-NT
```
In krb5.conf I entered the following:
```
default_tgs_enctypes = arcfour-hmac
default_tkt_enctypes = arcfour-hmac
permitted_enctypes = arcfour-hmac
```
The problem is that on login I get the following exception:
```
Looking for keys for: HTTP/principal-name@REALM
2020-02-24 09:34:06,327 WARN [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (default task-13) SPNEGO login failed: java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:68)
at org.keycloak.storage.ldap.LDAPStorageProvider.authenticate(LDAPStorageProvider.java:677)
at org.keycloak.credential.UserCredentialStoreManager.authenticate(UserCredentialStoreManager.java:296)
at org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:89)
at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:200)
at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:853)
at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:722)
at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:145)
at ...
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:856)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:906)
at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:556)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.establishContext(SPNEGOAuthenticator.java:169)
at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:132)
at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:122)
... 72 more
Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC
at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:278)
at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149)
at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829)
... 81 more
2020-02-24 09:34:06,328 INFO [stdout] (default task-13) [Krb5LoginModule]: Entering logout
2020-02-24 09:34:06,328 INFO [stdout] (default task-13) [Krb5LoginModule]: logged out Subject
```
I have done a lot of research and, unfortunately, ruled out all the possible causes. The following tests were performed:
```
klist -k {path-to-keytab-file} -e
```
Result: 4 HTTP/principal-name@REALM arcfour-hmac
In Active Directory, msDS-KeyVersionNumber = 4.
```
kinit HTTP/principal-name@REALM
klist -e
```
Result: ... Etype (skey, tkt): arcfour-hmac, aes256-cts-hmac-sha1-96
In summary, Keycloak is able to read the keytab but cannot find the decryption key.
Can someone help?
I have already seen this post: Kerberos - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC https://stackoverflow.com/questions/31877027/kerberos-cannot-find-key-of-appropriate-type-to-decrypt-ap-rep-rc4-with-hmac
as well as the following link: https://bugs.openjdk.java.net/browse/JDK-8193855
and many other posts, but without success.
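The acceptor's lookup behind "Cannot find key of appropriate type" can fail in three distinct ways (principal absent from the keytab, kvno stale relative to msDS-KeyVersionNumber, or no key of the ticket's enctype for that kvno), and `klist -k -e` only shows what is in the file, not which of the three applies. The following is an added example, not code from the question or from Keycloak: a minimal parser for the MIT 0x0502 keytab format plus a check that mirrors that lookup, run over a constructed single-entry keytab holding the one RC4-HMAC key (kvno 4) the question describes. The function names, the dummy key bytes and the sample keytab are assumptions of the example.

```python
import struct

ENCTYPES = {23: "arcfour-hmac", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}  # RFC 3961/3962/4757 numbers

def _cos(b: bytes) -> bytes:  # keytab "counted octet string": uint16 length + bytes
    return struct.pack(">H", len(b)) + b

def build_entry(realm: str, components, kvno: int, etype: int, key: bytes) -> bytes:
    """Encode one MIT keytab (format 0x0502) entry, with the 32-bit kvno extension appended."""
    body = struct.pack(">H", len(components)) + _cos(realm.encode())
    body += b"".join(_cos(c.encode()) for c in components)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type KRB5_NT_PRINCIPAL, timestamp, 8-bit vno
    body += struct.pack(">HH", etype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def parse_keytab(data: bytes):
    """Return (principal, kvno, enctype number) for every live entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    out, pos = [], 2
    while pos + 4 <= len(data):
        size, pos = struct.unpack(">i", data[pos:pos + 4])[0], pos + 4
        if size < 0:  # a negative size marks a deleted slot that must be skipped
            pos -= size
            continue
        e, pos = data[pos:pos + size], pos + size
        ncomp, off, parts = struct.unpack(">H", e[:2])[0], 2, []
        for _ in range(ncomp + 1):  # realm comes first, then the name components
            n = struct.unpack(">H", e[off:off + 2])[0]
            parts.append(e[off + 2:off + 2 + n].decode())
            off += 2 + n
        vno8, off = e[off + 8], off + 9  # skip name_type (4) and timestamp (4), read 8-bit vno
        etype, klen = struct.unpack(">HH", e[off:off + 4])
        off += 4 + klen  # the key material itself is not needed for this check
        kvno = struct.unpack(">I", e[off:off + 4])[0] if len(e) - off >= 4 else vno8
        out.append(("/".join(parts[1:]) + "@" + parts[0], kvno, etype))
    return out

def find_key(entries, principal: str, kvno: int, etype: int) -> str:
    """Mirror the acceptor's lookup: the key must match the ticket's principal, kvno AND enctype."""
    if not any(p == principal for p, _, _ in entries):
        return "principal missing from keytab"
    if not any(p == principal and k == kvno for p, k, _ in entries):
        return "kvno mismatch (keytab stale relative to msDS-KeyVersionNumber)"
    if not any(p == principal and k == kvno and t == etype for p, k, t in entries):
        return "no %s key for kvno %d: Cannot find key of appropriate type" % (ENCTYPES.get(etype, etype), kvno)
    return "ok"
# Constructed sample keytab (dummy key bytes): one HTTP service key, kvno 4, RC4-HMAC only, as in the question.
SAMPLE_KEYTAB = b"\x05\x02" + build_entry("XYZ.COM", ["HTTP", "principal-name"], 4, 23, b"\x11" * 16)
```

Against a real file, `parse_keytab(open(path, "rb").read())` gives the same tuples that `klist -k -e` prints, and `find_key` with the kvno and enctype of the incoming ticket says which of the three conditions is unmet.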