我正在尝试使用 Active Directory 凭据执行 Spring Security Kerberos,如中所述http://docs.spring.io/spring-security-kerberos/docs/1.0.1.RELEASE/reference/htmlsingle/#samples-sec-server-win-auth http://docs.spring.io/spring-security-kerberos/docs/1.0.1.RELEASE/reference/htmlsingle/#samples-sec-server-win-auth。我想说我已经记下了大部分内容(SPN、密钥表等)。现在我的校验和失败了。假设我更改主体名称,则会收到 AES 加密错误。
我在 RHEL 6 上使用 Spring Boot 和 Oracle Java 1.8 + JCE
样本来自https://github.com/spring-projects/spring-security-kerberos/tree/master/spring-security-kerberos-samples/sec-server-win-auth https://github.com/spring-projects/spring-security-kerberos/tree/master/spring-security-kerberos-samples/sec-server-win-auth
这是运行 jar 时得到的结果
调试正确
商店密钥 true
useTicketCache false
使用KeyTab true
不提示 true
票证缓存为空
isInitiator false
KeyTab 是 /home/boss/webdev125-3.keytab
freshKrb5Config 为 false
主体是http/[电子邮件受保护] /cdn-cgi/l/email-protectiontryFirstPass 为 false
useFirstPass 为 false
商店密码为假
清除密码为假
主体是http/[电子邮件受保护] /cdn-cgi/l/email-protection将使用密钥表
提交成功
....
2015-11-25 11:29:09.631 DEBUG 5559 --- [nio-8080-exec-3] .a.KerberosServiceAuthenticationProvider :尝试验证 Kerberos 令牌
2015-11-25 11:29:10.003 警告 5559 --- [nio-8080-exec-3] w.a.SpnegoAuthenticationProcessingFilter :协商标头无效:
...
org.springframework.security.authentication.BadCredentialsException:Kerberos 验证不成功
在 org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:71)
在 org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:64)
在 org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
...
引起原因:org.ietf.jgss.GSSException:GSS-API 级别未指定故障(机制级别:校验和失败)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:856)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:906)
at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:556)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:170)
at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:153)
... 48 common frames omitted
原因:sun.security.krb5.KrbCryptoException:校验和失败
at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:102)
at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:94)
at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:175)
at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:281)
at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149)
at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829)
... 56 common frames omitted
原因:java.security.GeneralSecurityException:校验和失败
at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:451)
at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(AesDkCrypto.java:272)
at sun.security.krb5.internal.crypto.Aes256.decrypt(Aes256.java:76)
at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:100)
... 62 common frames omitted
其他一些细节:
- /etc/krb5.conf 确实有 default_tgs_enctypes、default_tkt_enctypes 以包含 aes256-cts-hmac-sha1-96
- 默认密钥表位置在应用程序和 krb5.conf 之间匹配
- 密钥表在 Windows 服务器上生成,然后复制到 RHEL