We use Kerberos authentication for SSO. Earlier, our product ran on JRE 6 Update 22 and everything worked fine. We recently migrated to JRE 6 Update 45, and now Kerberos authentication fails.
Basically, the code performs two steps, connect and login.
1. The "connect" step tests whether the SPN name and the credential (password or keytab) can log in to the domain controller identified by the realm and KDC information.
2. The "login" step does the same, and then also tries to bind to the AD LDAP service using the GSSAPI authentication mechanism. So it is trying to perform the GSSAPI bind, and it is at this step that it now fails.
So, this is what is happening:
Server(our product) sends AS-REQ to KDC
KDC responds back with error_code: KRB5KDC_ERR_PREAUTH_REQUIRED (25)
Server again sends AS-REQ to KDC with the timestamp
KDC responds back (AS-REP) with TGT
MCIM sends the TGS-REQ – From our analysis, this is the problem area, this request is populated with incorrect details as explained below.
KDC responds back with error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
Now, the problem here is that when the server sends the TGS-REQ, it sends it with the server name (unknown) ldap/10.213.177.3, whereas with the old JRE version it used to send the TGS-REQ as ldap/win2008.mcssoiwa.hari (hostname of the KDC) even though the KDC IP was given. Now, the KDC has no SPN registered with ldap and the IP, but it does have an SPN registered with ldap/hostname of the KDC.
If we explicitly run the setspn command for ldap/, everything starts working. So what changed in the later versions of JRE 6 that causes this problem? This is a real blocker for us, and we do not know how to resolve it. Any help/guidance would be greatly appreciated.
The code that does this:
```java
import com.unboundid.ldap.sdk.GSSAPIBindRequest;
import com.unboundid.ldap.sdk.LDAPConnection;

LDAPConnection connection = new LDAPConnection(request.getServer(), request.getPort());
// authentication ID, no authorization ID, placeholder password, default realm/KDC, empty config path
GSSAPIBindRequest bindRequest = new GSSAPIBindRequest(request.getAuthnId(), null, "N/A", null, null, "");
connection.bind(bindRequest); // throws exception
```
This throws the following exception:
```text
Caused by: com.unboundid.ldap.sdk.LDAPException: Unable to create the initial GSSAPI SASL request: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))] caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7)) caused by KrbException: Server not found in Kerberos database (7) caused by KrbException: Identifier doesn't match expected value (906)
at com.unboundid.ldap.sdk.SASLHelper.processSASLBind(SASLHelper.java:120)
at com.unboundid.ldap.sdk.GSSAPIBindRequest.run(GSSAPIBindRequest.java:1022)
... 56 common frames omitted
Caused by: javax.security.sasl.SaslException: GSS initiate failed
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
at com.unboundid.ldap.sdk.SASLHelper.processSASLBind(SASLHelper.java:114)
... 57 common frames omitted
Caused by: org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
... 59 common frames omitted
Caused by: sun.security.krb5.KrbException: Server not found in Kerberos database (7)
at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
... 62 common frames omitted
Caused by: sun.security.krb5.Asn1Exception: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(Unknown Source)
at sun.security.krb5.internal.TGSRep.init(Unknown Source)
at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
```
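An added example, not code from the original post, that resolves a configured IP literal to its host name before the bind so that the service principal requested in the TGS-REQ is ldap/<hostname> rather than ldap/<ip>, and fails early with a clear message when no reverse DNS entry exists. The class and method names (`KerberosLdapBind`, `servicePrincipalHost`, `bindWithGssapi`) are hypothetical; it assumes the SDK derives the SPN from the host string passed to `LDAPConnection` and that the domain controller has a PTR record.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.regex.Pattern;

import com.unboundid.ldap.sdk.GSSAPIBindRequest;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;

public final class KerberosLdapBind {
    // Matches a dotted-quad IPv4 literal such as 10.213.177.3 (constructed sample value).
    private static final Pattern IPV4 = Pattern.compile("^\\d{1,3}(\\.\\d{1,3}){3}$");

    /**
     * Returns the host that should appear in the requested service principal.
     * An IP literal is reverse-resolved; getCanonicalHostName() hands back the
     * literal unchanged when no PTR record exists, and in that case we stop here
     * instead of letting the KDC answer KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for ldap/<ip>.
     */
    static String servicePrincipalHost(String configuredServer) throws UnknownHostException {
        if (!IPV4.matcher(configuredServer).matches()) {
            return configuredServer; // already a host name, use it as given
        }
        String canonical = InetAddress.getByName(configuredServer).getCanonicalHostName();
        if (canonical.equals(configuredServer)) {
            throw new UnknownHostException("no reverse DNS entry for " + configuredServer
                + "; the client would request SPN " + expectedSpn(configuredServer)
                + ", which the KDC does not have registered");
        }
        return canonical;
    }

    /** The SPN the GSSAPI client is expected to ask the KDC for (assumption: ldap/<host>). */
    static String expectedSpn(String host) {
        return "ldap/" + host;
    }

    /** Connects by host name and performs the GSSAPI SASL bind with the given identity. */
    static LDAPConnection bindWithGssapi(String configuredServer, int port, String authnId,
            String password, String realm, String kdcAddress)
            throws LDAPException, UnknownHostException {
        String host = servicePrincipalHost(configuredServer);
        LDAPConnection connection = new LDAPConnection(host, port);
        // Assumption: the SDK builds the SPN from the host passed to LDAPConnection above.
        GSSAPIBindRequest bindRequest =
            new GSSAPIBindRequest(authnId, null, password, realm, kdcAddress, null);
        connection.bind(bindRequest);
        return connection;
    }
}
```

Comparing `expectedSpn(host)` against the output of `setspn -L` for the domain controller's computer account before deploying a JRE change gives an early check that the name the client will request is actually registered.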