
We use Kerberos authentication to perform SSO. Earlier, our product ran on JRE 6 Update 22 and everything worked fine. We recently migrated to JRE 6 Update 45, and Kerberos authentication fails.

So basically the code performs 2 steps - connect and login. 1. The "connect" step tests whether the SPN name and credentials (password or keytab) can log in to the domain controller identified by the realm and KDC information. 2. The "login" step does the same, and then also tries to bind to the AD LDAP service using the GSSAPI authentication mechanism. So it is trying to perform the GSSAPI bind, and it is at this step that it now fails.

So, this is what is happening -

    Server (our product) sends AS-REQ to KDC
    KDC responds back with error_code: KRB5KDC_ERR_PREAUTH_REQUIRED (25)
    Server again sends AS-REQ to KDC with the timestamp
    KDC responds back (AS-REP) with TGT
    MCIM sends the TGS-REQ – From our analysis, this is the problem area, this request is populated with incorrect details as explained below.
    KDC responds back with error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)

Now, the problem here is that when the server sends the TGS-REQ, it sends it with the server name (unknown): ldap/10.213.177.3, whereas with the old JRE version it used to send the TGS-REQ as ldap/win2008.mcssoiwa.hari (hostname of the KDC) even though the KDC IP was given. Now, the KDC does not have an SPN registered with ldap and the IP, but it does have an SPN registered as ldap/hostname of the KDC.

If we explicitly run the setspn command for ldap/, everything starts working. So what has changed in the later version of JRE 6 that causes this problem? This is really a blocker for us and we do not know how to resolve it. Any help/guidance would be greatly appreciated.

The code that does this -

    import com.unboundid.ldap.sdk.GSSAPIBindRequest;
    import com.unboundid.ldap.sdk.LDAPConnection;
    // 'request' carries the LDAP server address/port and the Kerberos principal (authentication ID)
    LDAPConnection connection = new LDAPConnection(request.getServer(), request.getPort());
    GSSAPIBindRequest bindRequest = new GSSAPIBindRequest(request.getAuthnId(), null, "N/A", null, null, "");
    connection.bind(bindRequest); // throws the LDAPException shown below

This throws the following exception

    Caused by: com.unboundid.ldap.sdk.LDAPException: Unable to create the initial GSSAPI SASL request: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))] caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7)) caused by KrbException: Server not found in Kerberos database (7) caused by KrbException: Identifier doesn't match expected value (906)
        at com.unboundid.ldap.sdk.SASLHelper.processSASLBind(SASLHelper.java:120)
        at com.unboundid.ldap.sdk.GSSAPIBindRequest.run(GSSAPIBindRequest.java:1022)
        ... 56 common frames omitted
    Caused by: javax.security.sasl.SaslException: GSS initiate failed
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
        at com.unboundid.ldap.sdk.SASLHelper.processSASLBind(SASLHelper.java:114)
        ... 57 common frames omitted
    Caused by: org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
        at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
        at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
        at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
        ... 59 common frames omitted
    Caused by: sun.security.krb5.KrbException: Server not found in Kerberos database (7)
        at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
        at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
        at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
        at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
        at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
        ... 62 common frames omitted
    Caused by: sun.security.krb5.Asn1Exception: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(Unknown Source)
        at sun.security.krb5.internal.TGSRep.init(Unknown Source)
        at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
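The question's own diagnosis is that the service ticket the client asks for follows the address string handed to the connection: an IP literal yields a request for ldap/10.213.177.3, for which AD has no SPN, while a host name yields ldap/&lt;hostname&gt;, which is registered. The following is an added example, not the asker's code and not part of the UnboundID SDK, that applies that observation on the client side: before binding it turns an IPv4 literal into a host name via reverse DNS, rejects a reverse name that does not resolve forward to the same address (reverse DNS is untrusted input), and logs the SPN that will be requested so a failure like the one above can be matched against setspn output. It assumes the SDK derives the SASL server name from the host given to LDAPConnection (that is how the question describes the behaviour), the class name KerberosLdapBind is hypothetical, and the address, principal, realm and KDC values in main are constructed placeholders.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.regex.Pattern;

import com.unboundid.ldap.sdk.GSSAPIBindRequest;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;

/**
 * Hypothetical helper (not from the question or the UnboundID SDK): makes sure the
 * GSSAPI bind targets a host *name*, so the ticket requested from the KDC is
 * ldap/<hostname>, the form under which the AD SPN is registered.
 */
public final class KerberosLdapBind {

    // IPv4 dotted-quad only; IPv6 literals are out of scope for this example.
    private static final Pattern IPV4_LITERAL = Pattern.compile("^\\d{1,3}(\\.\\d{1,3}){3}$");

    /** Service principal the client will ask the KDC for, given the host it connects to. */
    static String servicePrincipal(String host) {
        return "ldap/" + host;
    }

    /**
     * If 'server' is an IPv4 literal, resolve it to its canonical host name and verify that
     * the name resolves forward to the same address. A PTR record is attacker-influenceable
     * data, so a name that does not map back to the original IP is rejected, not used.
     */
    static String canonicalServerName(String server) throws UnknownHostException {
        if (!IPV4_LITERAL.matcher(server).matches()) {
            return server; // already a host name; nothing to do
        }
        InetAddress ip = InetAddress.getByName(server);
        String name = ip.getCanonicalHostName(); // returns the IP text again if no PTR exists
        if (name.equals(server)) {
            throw new UnknownHostException("no PTR record for " + server + "; supply the host name instead");
        }
        boolean mapsBack = Arrays.asList(InetAddress.getAllByName(name)).contains(ip);
        if (!mapsBack) {
            throw new UnknownHostException("reverse name " + name + " does not resolve back to " + server);
        }
        return name;
    }

    /** Opens the connection and performs the GSSAPI bind; closes the connection if the bind fails. */
    public static LDAPConnection bind(String server, int port, String authnId, String password,
                                      String realm, String kdcAddress)
            throws LDAPException, UnknownHostException {
        String host = canonicalServerName(server);
        // Diagnostic: compare this against the SPNs listed by 'setspn -L <dc-computer-account>'.
        System.out.println("GSSAPI bind will request a ticket for " + servicePrincipal(host));

        LDAPConnection connection = new LDAPConnection(host, port);
        // Same six-argument constructor the question uses; realm and KDC are given explicitly
        // so the bind does not depend on krb5.conf or DNS SRV lookups. Null config path lets
        // the SDK generate its own JAAS configuration.
        GSSAPIBindRequest bindRequest =
            new GSSAPIBindRequest(authnId, null, password, realm, kdcAddress, null);
        try {
            connection.bind(bindRequest);
        } catch (LDAPException e) {
            connection.close();
            throw e;
        }
        return connection;
    }

    public static void main(String[] args) throws Exception {
        // Constructed placeholder values; replace with your environment's own.
        LDAPConnection c = bind("192.0.2.10", 389, "svc-sso@EXAMPLE.COM", "change-me",
                                "EXAMPLE.COM", "kdc.example.com");
        c.close();
    }
}
```

The forward-confirmation step is the part worth keeping even if the rest is adapted: silently trusting whatever reverse DNS returns would let a spoofed PTR record steer the client into requesting a ticket for a principal of the attacker's choosing, which is exactly the kind of behaviour a newer JRE has reason to avoid on its own.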

1 Answer


Two things: a brief look through the changes in JDK 6 shows some mentions of LDAP between 22 and 45. I could not immediately spot anything relevant - perhaps you will have to go through all the changes carefully.

The release notes for the Java LDAP SDK from UnboundID Solutions may also give some pointers. Perhaps you need to upgrade the SDK to compensate for the JDK changes.

answered 2013-09-24T09:39:52.243