我们正在 JBoss AS 7.1.1 上的 OWF 7(臭氧小部件框架)中配置 Spring Security Kerberos 扩展。我们看到以下错误:
23:01:44,172 WARN [org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter] (http--10.200.69.103-8080-2) Negotiate Header was invalid: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==: org.springframework.security.authentication.BadCredentialsException: Kerberos validation not succesfull
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:69) [spring-security-kerberos-core-1.0.0.M2.jar:]
at org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:86) [spring-security-kerberos-core-1.0.0.M2.jar:]
at org.springframework.security.authentication.ProviderManager.doAuthentication(ProviderManager.java:120) [spring-security-core-3.0.2.RELEASE.jar:]
at org.springframework.security.authentication.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:48) [spring-security-core-3.0.2.RELEASE.jar:]
at org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:131) [spring-security-kerberos-core-1.0.0.M2.jar:]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355) [spring-security-web-3.0.2.RELEASE.jar:]
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79) [spring-security-web-3.0.2.RELEASE.jar:]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355) [spring-security-web-3.0.2.RELEASE.jar:]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:149) [spring-security-web-3.0.2.RELEASE.jar:]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237) [org.springframework.web-3.0.5.RELEASE.jar:3.0.5.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167) [org.springframework.web-3.0.5.RELEASE.jar:3.0.5.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161) [jbossweb-7.0.13.Final.jar:]
at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_31]
Caused by: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.6.0_31]
at javax.security.auth.Subject.doAs(Subject.java:396) [rt.jar:1.6.0_31]
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:67) [spring-security-kerberos-core-1.0.0.M2.jar:]
... 23 more
Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:80) [rt.jar:1.6.0_31]
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:287) [rt.jar:1.6.0_31]
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267) [rt.jar:1.6.0_31]
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:146) [spring-security-kerberos-core-1.0.0.M2.jar:]
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:136) [spring-security-kerberos-core-1.0.0.M2.jar:]
... 26 more
我看到了一篇关于堆栈溢出的帖子(“检测到缺陷令牌”错误(NTLM 不是 Kerberos)与 Kerberos/Spring Security/IE/Active Directory)并认为有人可以帮助我解决我们的情况。
我们的设置:
JDK 1.6.0_31 JBoss AS 7.1.1.Final 在 x86_64 Windows Server 2008 Active Directory Spring Security Kerberos Extension M2 上运行在 Red Hat Enterprise Linux Server 版本 6.2 (Santiago) 内核 2.6.32-220.el6.x86_64 上(配置如下他们的博客中提供的说明:http: //blog.springsource.com/2009/09/28/spring-security-kerberos/)Firefox 21(在 VM 上运行)IE 10(在 VM 上运行)
从上面列出的上一篇文章中可以看出,AD 服务器正在向 IE 发送 NTLM 令牌,而 IE 正在向应用程序发送此令牌。我们的应用服务器(JBoss)、AD 服务器和客户端(IE、Firefox)在不同的机器上加入到同一个域中。以下是 JBoss 所在的 linux 框 /etc 文件夹中的 krb5.conf 文件:
[libdefaults]
default_realm = ENTERPRISELABS.MYCOMPANY.COM
default_tgs_enctypes = aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
default_tkt_enctypes = aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
permitted_enctypes = aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
dns_lookup_realm = true
dns_lookup_kdc = true
passwd_check_s_address = false
noaddresses = true
udp_preference_limit = 1
ccache_type = 3
kdc_timesync = 0
kdc_timesync = 0
[domain_realm]
.enterpriselabs.com = ENTERPRISELABS.MYCOMPANY.COM
enterpriselabs.com = ENTERPRISELABS.MYCOMPANY.COM
.cdc.lab = ENTERPRISELABS.MYCOMPANY.COM
cdc.lab = ENTERPRISELABS.MYCOMPANY.COM
.dcas-i-2-069103 = ENTERPRISELABS.MYCOMPANY.COM
.enterpriselabs.mycompany.com = ENTERPRISELABS.MYCOMPANY.COM
dcas-i-2-069103 = ENTERPRISELABS.MYCOMPANY.COM
enterpriselabs.mycompany.com = ENTERPRISELABS.MYCOMPANY.COM
mcc-ad01.enterpriselabs.mycompany.com = ENTERPRISELABS.MYCOMPANY.COM
mcc-ad03.enterpriselabs.mycompany.com = ENTERPRISELABS.MYCOMPANY.COM
scr0-i-1-069137.scr0.enterpriselabs.mycompany.com = SCR0.ENTERPRISELABS.MYCOMPANY.COM
ssbox8.cdc.lab = ENTERPRISELABS.MYCOMPANY.COM
[realms]
ENTERPRISELABS.MYCOMPANY.COM = {
kdc = mcc-ad01.enterpriselabs.mycompany.com:88
master_kdc = mcc-ad01.enterpriselabs.mycompany.com:88
kpasswd = mcc-ad01.enterpriselabs.mycompany.com:464
kpasswd_server = mcc-ad01.enterpriselabs.mycompany.com:464
kdc = mcc-ad03.enterpriselabs.mycompany.com:88
master_kdc = mcc-ad03.enterpriselabs.mycompany.com:88
kpasswd = mcc-ad03.enterpriselabs.mycompany.com:464
kpasswd_server = mcc-ad03.enterpriselabs.mycompany.com:464
}
SCR0.ENTERPRISELABS.mycompany.COM = {
kdc = scr0-i-1-069137.scr0.enterpriselabs.mycompany.com:88
master_kdc = scr0-i-1-069137.scr0.enterpriselabs.mycompany.com:88
kpasswd = scr0-i-1-069137.scr0.enterpriselabs.mycompany.com:464
kpasswd_server = scr0-i-1-069137.scr0.enterpriselabs.mycompany.com:464
}
在 [domain_realm] 块下,前 2 个条目中不会包含 .mycompany。这是一个问题吗?
我们通过运行以下命令生成了 keytab 文件: ktpass /princ HTTP/jaguar.enterpriselabs.mycompany.com@ENTERPRISELABS.MYCOMPANY.COM /mapuser jaguar@ENTERPRISELABS.MYCOMPANY.COM -crypto all -pass password -ptype KRB5_NT_PRINCIPAL -out c :\jaguar-host.keytab
我们将生成的 keytab 文件复制到 JBoss 上应用程序的 WEB-INF/classes 文件夹中。当我们联系我们的技术支持时,他们还提到创建的测试用户帐户已选中“Kerberos 身份验证”复选框。我认为当我们登录到域时,我们使用 kerberos 而不是 NTLM 进行了身份验证(我不知道它是否正确)。但是,这并没有帮助我们摆脱上述问题。我使用 fiddler 并在其中一个屏幕中看到了“NTLM 身份验证”。请帮助我们调试此问题。我认为问题出在 AD 某处,不知道在哪里寻找答案。我们是否必须遵循任何特定步骤来确保我们的 AD 配置正确?有没有办法配置 AD 服务器发送 Kerberos 令牌?