我正在使用 keytab 并使用我的 Windows 命令行上的 kinit 命令进行设置。我收到消息“新票证存储在缓存文件中”。之后,当我运行我的 java 应用程序以访问密钥的 keytab 文件时,我得到以下错误。
Authentication attempt failed javax.security.auth.login.LoginException: No key to store
javax.security.auth.login.LoginException: No key to store
at com.sun.security.auth.module.Krb5LoginModule.commit(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.access$000(Unknown Source)
at javax.security.auth.login.LoginContext$4.run(Unknown Source)
at javax.security.auth.login.LoginContext$4.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
我正在尝试使用 ldap 连接到活动目录。以下是配置设置:
-Djavax.security.auth.useSubjectCredsOnly=false
-Djava.security.auth.login.config=C:\Users\cXXXXXX\Git\gssapi_jaas.conf
-Dsun.security.krb5.debug=true
Debug 为 true storeKey true useTicketCache true useKeyTab true doNotPrompt true ticketCache 为 null isInitiator true KeyTab 为
C:\Users\cXXXXXX\Git\abcd.keytab refreshKrb5Config 为假 principal 为 xxxx_dev@xxxx.xxxxxx.COM tryFirstPass 为假 useFirstPass 为假 storePass 为假 clearPass 为假 从缓存获取 TGT
KinitOptions 缓存名称为 C:\Users\cXXXXXX\krb5cc_cXXXXXX 调试客户端主体为 xxxx_dev@xxxx.xxxxxx.COM 调试服务器主体为 krbtgt/xxxx.xxxxxx.COM@Txxxx.xxxxxx.COM 调试密钥类型:23 调试授权时间:周一2019 年 7 月 1 日 14:20:21 EDT 调试开始时间:周一 2019 年 7 月 1 日星期一 14:20:21 EDT 2019 年调试结束时间:2019 年 7 月 2 日星期二 00:20:21 EDT 调试 renew_till 时间:null CCacheInputStream: readFlags() INITIAL; 预授权;主机地址为 /xx.xx.xxx.xx 主机地址为 /xxx:0:0:0:xxxx:xxxx:xxxx:xxxx KrbCreds 在凭证缓存中找到了默认的票据授予票据。Java 配置名称:null 本机配置名称:C:\windows\krb5.ini 从 LSA 获得的 TGT:凭据:client=sxxxx_dev@xxxx.xxxxxx.COM server=krbtgt/Txxxx.xxxxxx。
在添加 kinit 缓存文件之前,我至少能够验证帐户,然后我遇到了 GSSapi 安全问题。试图解决我添加了缓存并且这个新问题开始发生
public static void main(String[] args) {
// 1. Log in (to Kerberos)
LoginContext lc = null;
try {
/*lc = new LoginContext(Azrm017.class.getName(),
new LuwCallBackHandler());
*/
lc = new LoginContext("Azrm017");
// Attempt authentication
// You might want to do this in a "for" loop to give
// user more than one chance to enter correct username/password
lc.login();
} catch (LoginException le) {
System.err.println("Authentication attempt failed " + le);
le.printStackTrace();
System.err.println("Authentication attempt failed " + le.getSuppressed());
System.exit(-1);
}
// 2. Perform JNDI work as logged in subject
NamingEnumeration<SearchResult> ne =
(NamingEnumeration<SearchResult>) Subject.doAs(lc.getSubject(),
new SearchAction());
while(ne.hasMoreElements()) {
System.out.println(">>>> : " + ne.nextElement().getName());
}
//Subject.doAs(lc.getSubject(), new JndiAction(args));
}
}
/**
* The application must supply a PrivilegedAction that is to be run
* inside a Subject.doAs() or Subject.doAsPrivileged().
*/
class SearchAction implements java.security.PrivilegedAction {
public Object run() {
// Set up the environment for creating the initial context
Hashtable<String, String> env = new Hashtable<> (11);
env.put(Context.INITIAL_CONTEXT_FACTORY,
"com.sun.jndi.ldap.LdapCtxFactory");
String cn = "dn:CN=xxxxxxx,OU=Service xxxxx,OU=Accounts,OU=xxxxx,DC=test,DC=xxxxxx,DC=com";
env.put(Context.PROVIDER_URL, "ldap://test.xxxxxxx.com:389");
env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
env.put("javax.security.sasl.server.authentication", "true");
env.put("javax.security.sasl.qop", "auth-conf");
DirContext ctx = null;
try {
// Create initial context
ctx = new InitialDirContext(env);
SearchControls ctls = new SearchControls();
ctls.setReturningAttributes(
new String[] {"displayName", "mail","description", "suSunetID"});
NamingEnumeration<SearchResult> answer =
ctx.search("cn=People, dc=test, dc=xxxxxxxx, dc=com",
"(&(cn=p*)(sn=s*))", ctls);
return answer;
} catch (Exception e) {
e.printStackTrace();
}
// Close the context when we're done
finally {
closeContext(ctx);
}
return null;
}
附在上面