几天前我在 JBoss PicketBox 论坛上发布了同样的问题,但还没有收到任何回复(https://community.jboss.org/thread/220959)。所以我想也许我会尝试 StackOverflow 来吸引更多的受众。
我一直在努力让 jboss-negotiation-toolkit 工作几个星期,我想我已经尝试了其他人遇到的所有问题。我现在被困在无法让 servlet 的“安全”版本工作的地步。“安全域测试”和“基本协商”测试工作正常,但 JBoss 在尝试打开安全链接时继续抛出“LoginException”。我很确定这与一些 AD/Kerberos 设置有关,但我无法取得更多进展。
11:49:43,514 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Login failure: javax.security.auth.login.LoginException: Continuation Required.
at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:174) [jboss-negotiation-spnego-2.2.0.SP1.jar:2.2.0.SP1]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.6.0_33]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [rt.jar:1.6.0_33]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [rt.jar:1.6.0_33]
at java.lang.reflect.Method.invoke(Method.java:597) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683) [rt.jar:1.6.0_33]
at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext.login(LoginContext.java:579) [rt.jar:1.6.0_33]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:449) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
...
有没有人遇到过同样的问题,或者有没有人对问题出在哪里有任何建议?抱歉,这篇文章很长,但下面是设置的所有细节以及到目前为止我是如何配置的,试图提供尽可能多的细节。
这是我们的设置:
- Windows 2008 广告 (QAAD)
- DNS 名称:qaad.dev.company.com
- 域名:质量(QUALITY.COMPANY.COM)
- CentOS 6.2 运行 JBoss AS 7.1.1.Final (BARDEV1)
- 部署:jboss-negotiation-toolkit-2.2.2.Final
- DNS 名称:bardev1.dev.company.com
- 测试客户端是加入 QUALITY 域的 WinXP 和 Win7
BARDEV1 当前已加入质量域(这是必要的还是应该在未加入域的情况下工作?)。
JBoss SPNEGO 配置是:
<security-domain name="qaad_kerberos" cache-type="default">
<authentication>
<login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
<module-option name="storeKey" value="true"/>
<module-option name="useKeyTab" value="true"/>
<module-option name="principal" value="HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM"/>
<module-option name="keyTab" value="/opt/jboss-as-7.1.1.final/standalone/configuration/bardev1_qaad_rc4.keytab"/>
<module-option name="doNotPrompt" value="true"/>
<module-option name="debug" value="true"/>
<module-option name="refreshKrb5Config" value="false"/>
</login-module>
</authentication>
</security-domain>
<security-domain name="SPNEGO" cache-type="default">
<authentication>
<login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="serverSecurityDomain" value="qaad_kerberos"/>
</login-module>
</authentication>
</security-domain>
/etc/krb5.conf设置为:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = QUALITY.COMPANY.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac
[realms]
QUALITY.COMPANY.COM = {
kdc = qaad.dev.company.com
admin_server = qaad.dev.company.com
default_domain = quality.company.com
}
[domain_realm]
.quality.company.com = QUALITY.COMPANY.COM
quality.company.com = QUALITY.COMPANY.COM
QAAD 盒子有“bardev1”的“计算机”帐户。此帐户的委派设置为“信任此计算机以委派任何服务(仅限 Kerberos)”。keytab 是在 QAAD 盒子上生成的,SPN 是使用以下命令设置的:
- setspn -S HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM bardev1
ktpass /out bardev1_qaad_rc4.keytab /princ HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM /mapuser quality\administrator -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL /pass * /kvno 0
- (注意:必须设置 /kvno 0 否则我得到:KrbException: Specified version of key is not available (44))
setspn -L bardev1
- 输出:CN=bardev1,CN=Computers,DC=quality,DC=company,DC=com 的注册 ServicePrincipalNames:HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM HOST/bardev1.dev.company.com HOST /BARDEV1
- setspn -L 管理员
- 输出:CN=Administrator、CN=Users、DC=quality、DC=company、DC=com 的注册 ServicePrincipalNames:HTTP/bardev1.dev.company.com
使用“管理员”帐户进行初始测试,因此我不必处理新的用户帐户。该帐户已将委派设置为“信任此计算机以委派任何服务(仅限 Kerberos)”,并且没有设置其他帐户选项,例如“使用 kerberos DES 加密...”、“帐户支持 AES 128/256...”或'不需要 kerberos preauth'。他们中的任何一个都需要吗?
在客户端机器上,为了让浏览器使用登录用户的凭据,我必须将 URL 设置为:
- http://bardev1:8080/jboss-negotiation-toolkit-2.2.2.Final
如果我把它说成:
- http://bardev1.dev.company.com:8080/jboss-negotiation-toolkit-2.2.2.Final
然后我会弹出用户名和密码。
我确实尝试使用'HTTP/bardev1@QUALITY.COMPANY.COM' 运行setspn 和ktpass,结果相同,即基本和域测试有效,但安全无效。
“SecurityDomainTest”的输出:
JBoss 日志:
12:01:33,229 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /opt/jboss-as-7.1.1.final/standalone/configuration/bardev1_qaad_rc4_domain.keytab refreshKrb5Config is false principal is HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
12:01:33,238 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) principal's key obtained from the keytab
12:01:33,241 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Acquire TGT using AS Exchange
12:01:33,259 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) principal is HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM
12:01:33,269 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 30 89 05 17 EB 07 89 AE 06 E2 B1 5D 58 B6 6E A4 0..........]X.n.
12:01:33,273 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
12:01:33,276 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Added server's keyKerberos Principal HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COMKey Version 0key EncryptionKey: keyType=23 keyBytes (hex dump)=
12:01:33,283 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) 0000: 30 89 05 17 EB 07 89 AE 06 E2 B1 5D 58 B6 6E A4 0..........]X.n.
12:01:33,285 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
12:01:33,285 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
12:01:33,286 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) [Krb5LoginModule] added Krb5Principal HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM to Subject
12:01:33,288 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Commit Succeeded
12:01:33,290 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
12:01:33,295 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) [Krb5LoginModule]: Entering logout
12:01:33,296 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) [Krb5LoginModule]: logged out Subject
浏览器:
Negotiation Toolkit
Security Domain Test
Testing security-domain 'qaad_kerberos'
Authenticated
Subject:
Principal: HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM
Private Credential: Ticket (hex) =
0000: 61 82 04 A6 30 82 04 A2 A0 03 02 01 05 A1 16 1B a...0...........
0010: 14 51 55 41 4C 49 54 59 2E 53 59 4D 50 48 4F 4E .QUALITY.COMPANY
0020: 4F 2E 43 4F 4D A2 29 30 27 A0 03 02 01 02 A1 20 O.COM.)0'......
0030: 30 1E 1B 06 6B 72 62 74 67 74 1B 14 51 55 41 4C 0...krbtgt..QUAL
...
04A0: 1C 85 74 1A 9B EF B9 EE D2 A8 ..t.......
Client Principal = HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM
Server Principal = krbtgt/QUALITY.COMPANY.COM@QUALITY.COMPANY.COM
Session Key = EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: 67 2B 5A 9B FE 97 00 2B 68 0B D2 0F 35 FA D1 CB g+Z....+h...5...
Forwardable Ticket true
Forwarded Ticket false
Proxiable Ticket false
Proxy Ticket false
Postdated Ticket false
Renewable Ticket false
Initial Ticket false
Auth Time = Tue Feb 05 12:01:33 CST 2013
Start Time = Tue Feb 05 12:01:33 CST 2013
End Time = Tue Feb 05 22:01:33 CST 2013
Renew Till = null
Client Addresses Null
Private Credential: Kerberos Principal HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COMKey Version 0key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: 30 89 05 17 EB 07 89 AE 06 E2 B1 5D 58 B6 6E A4 0..........]X.n.
“基本谈判”的输出:
JBoss 日志:
12:48:01,226 INFO [org.jboss.security.negotiation.toolkit.BasicNegotiationServlet] (http-bardev1.dev.company.com-10.10.5.232-8080-1) No Authorization Header, sending 401
12:48:01,243 INFO [org.jboss.security.negotiation.toolkit.BasicNegotiationServlet] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Authorization header received - decoding token.
浏览器:
Negotiation Toolkit
Basic Negotiation
WWW-Authenticate - Negotiate YIILwgYGKwYBBQUCoIILtjCCC7KgJDAiBgkqhkiC9xIBAgIGCSq ... i4=
NegTokenInit
Message Oid - SPNEGO
Mech Types - {Kerberos V5 Legacy} {Kerberos V5} {NTLM}
Req Flags -
Mech Token -YIILgAYJKoZIhvcSAQICAQBuggtvMIILa6A ... Gi4=
Mech List Mic -
“安全”的输出:
JBoss 日志:
12:51:52,877 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /opt/jboss-as-7.1.1.final/standalone/configuration/bardev1_qaad_rc4_domain.keytab refreshKrb5Config is false principal is HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
12:51:52,894 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) principal's key obtained from the keytab
12:51:52,895 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Acquire TGT using AS Exchange
12:51:52,929 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) principal is HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM
12:51:52,933 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 30 89 05 17 EB 07 89 AE 06 E2 B1 5D 58 B6 6E A4 0..........]X.n.
12:51:52,937 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
12:51:52,939 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Added server's keyKerberos Principal HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COMKey Version 0key EncryptionKey: keyType=23 keyBytes (hex dump)=
12:51:52,944 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) 0000: 30 89 05 17 EB 07 89 AE 06 E2 B1 5D 58 B6 6E A4 0..........]X.n.
12:51:52,945 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
12:51:52,946 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
12:51:52,947 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) [Krb5LoginModule] added Krb5Principal HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM to Subject
12:51:52,949 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Commit Succeeded
12:51:52,950 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
12:51:52,950 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) [Krb5LoginModule]: Entering logout
12:51:52,952 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) [Krb5LoginModule]: logged out Subject
12:51:52,953 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Login failure: javax.security.auth.login.LoginException: Continuation Required.
at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:174) [jboss-negotiation-spnego-2.2.0.SP1.jar:2.2.0.SP1]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.6.0_33]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [rt.jar:1.6.0_33]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [rt.jar:1.6.0_33]
at java.lang.reflect.Method.invoke(Method.java:597) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683) [rt.jar:1.6.0_33]
at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext.login(LoginContext.java:579) [rt.jar:1.6.0_33]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:449) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:383) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:371) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:160) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:214) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:187) [jboss-negotiation-common-2.2.0.SP1.jar:2.2.0.SP1]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:455) [jbossweb-7.0.13.Final.jar:]
at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_33]
12:51:52,985 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /opt/jboss-as-7.1.1.final/standalone/configuration/bardev1_qaad_rc4_domain.keytab refreshKrb5Config is false principal is HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
12:51:52,989 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) principal's key obtained from the keytab
12:51:52,990 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Acquire TGT using AS Exchange
12:51:53,015 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) principal is HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM
12:51:53,058 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 30 89 05 17 EB 07 89 AE 06 E2 B1 5D 58 B6 6E A4 0..........]X.n.
12:51:53,060 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
12:51:53,061 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Added server's keyKerberos Principal HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COMKey Version 0key EncryptionKey: keyType=23 keyBytes (hex dump)=
12:51:53,063 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) 0000: 30 89 05 17 EB 07 89 AE 06 E2 B1 5D 58 B6 6E A4 0..........]X.n.
12:51:53,065 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
12:51:53,065 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
12:51:53,066 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) [Krb5LoginModule] added Krb5Principal HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM to Subject
12:51:53,068 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Commit Succeeded
12:51:53,068 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
12:51:53,081 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) [Krb5LoginModule]: Entering logout
12:51:53,082 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) [Krb5LoginModule]: logged out Subject
浏览器:
HTTP Status 403 - Access to the requested resource has been denied
执行的其他测试/设置
我还尝试在 QAAD Windows 服务器本身上运行 jboss 实例,更新了 setspn 和 ktpass 命令,但结果相同,“安全”测试失败并出现 LoginException。
我还尝试使用不同的 AD 服务器(COLLAB,在 Windows 2003 AD 服务器上运行),但结果相同。
所以我很确定这是一些设置/配置/环境问题,但我似乎无法深入了解它。