1

我们已经在我们的“内部”网络中使用了 CAS,并且在一个站点中使用了 Kerberos,并且它可以正常工作。

我们现在想要配置我们自己的第二个站点,但配置稍有不同(DNS 名称/SPN)。

我试着解释一下..首先是非工作配置,然后是工作配置,有一些小的变化..

我们尝试使用 SPNEGO 运行 CAS。

我们可以在 中使用kinit(linux 命令)cas.keytab并从 中获取有效的 Kerberos 票证kdc of REALM2.DE,但它不适用于 CAS。CAS 总是回退到 NTLM。我们需要做什么,它会起作用吗?也许他使用了来自 keytab 的错误 SPN 条目?我无法得到它。

  • Ubuntu 16 LTS 和 Ubuntu 18 LTS
  • CAS:5.2.7
  • REALM1 = Windows Active Directory(有用户)
  • REALM2 = MIT Linux Kerberos Realm(有 CAS 服务器)
  • acme.de = 官方 SSL 证书的互联网域
  • REALM1 和 REALM2 之间的 REALM 信任工作。

不工作配置的描述:

SPN 就像HTTP/cas.acme.de@REALM2.DE

/etc/krb5.conf:

    [libdefaults]
    default_keytab_name = /etc/cas/cas.keytab
    [realms]
    REALM1.DE = {
            kdc = ad1.realm1.de
            kdc = ad2.realm1.de
            kdc = ad3.realm1.de
    }
    REALM2.DE = {
            kdc = kerberos.realm2.de
            kdc = kerberos-1.realm2.de
            kdc = kerberos-2.realm2.de
            admin_server = kadmin.realm2.de
    }

cas.properties:

           cas.server.name=https://cas.acme.de:8443
           cas.server.prefix=https://cas.acme.de:8443/cas
           cas.authn.attributeRepository.defaultAttributesToRelease=cn,givenName,uid,mail
           # KERBEROS / SPNEGO
           cas.authn.spnego.kerberosConf=/etc/krb5.conf
         # cas.authn.spnego.mixedModeAuthentication=false
           cas.authn.spnego.mixedModeAuthentication=true
           cas.authn.spnego.cachePolicy=600
           cas.authn.spnego.timeout=300000
           cas.authn.spnego.jcifsServicePrincipal=HTTP/cas.acme.de@REALM2.DE
           cas.authn.spnego.jcifsNetbiosWins=
           cas.authn.spnego.loginConf=/etc/cas/login.conf
           cas.authn.spnego.ntlmAllowed=true
           cas.authn.spnego.hostNamePatternString=.+
           cas.authn.spnego.jcifsUsername=
           cas.authn.spnego.useSubjectCredsOnly=false
           cas.authn.spnego.supportedBrowsers=MSIE,Trident,Firefox,AppleWebKit
           cas.authn.spnego.jcifsDomainController=
           cas.authn.spnego.dnsTimeout=2000
           cas.authn.spnego.hostNameClientActionStrategy=hostnameSpnegoClientAction
           cas.authn.spnego.kerberosKdc=192.169.1.3
           cas.authn.spnego.alternativeRemoteHostAttribute=alternateRemoteHeader
           cas.authn.spnego.jcifsDomain=
           cas.authn.spnego.ipsToCheckPattern=
           cas.authn.spnego.kerberosDebug=
           cas.authn.spnego.send401OnAuthenticationFailure=true
           cas.authn.spnego.kerberosRealm=REALM2.DE
           cas.authn.spnego.ntlm=false
           cas.authn.spnego.principalWithDomainName=true
           cas.authn.spnego.jcifsServicePassword=
           cas.authn.spnego.jcifsPassword=
           cas.authn.spnego.spnegoAttributeName=userPrincipalName
           cas.authn.spnego.name=

/etc/cas/login.conf:

    jcifs.spnego.initiate {
              com.sun.security.auth.module.Krb5LoginModule required storeKey=true useKeyTab=true keyTab="/etc/cas/cas.keytab";
    };

   jcifs.spnego.accept {
             com.sun.security.auth.module.Krb5LoginModule required storeKey=true useKeyTab=true keyTab="/etc/cas/cas.keytab";
    };

cas.keytab:

   root@cas:/etc/cas# klist -k /etc/cas/cas.keytab -e -t
   Keytab name: FILE:/etc/cas/cas.keytab

   KVNO Timestamp           Principal
   ---- ------------------- ------------------------------------------------------
   2 17.05.2019 11:38:56 HTTP/cas.realm2.de@REALM2.DE (aes256-cts-hmac-sha1-96)
   2 17.05.2019 11:38:56 HTTP/cas.realm2.de@REALM2.DE (aes128-cts-hmac-sha1-96)
   2 17.05.2019 11:38:56 HTTP/cas.realm2.de@REALM2.DE (arcfour-hmac)
   2 17.05.2019 11:39:03 HTTP/cas.acme.de@REALM2.DE (aes256-cts-hmac-sha1-96)
   2 17.05.2019 11:39:03 HTTP/cas.acme.de@REALM2.DE (aes128-cts-hmac-sha1-96)
   2 17.05.2019 11:39:03 HTTP/cas.acme.de@REALM2.DE (arcfour-hmac)

kinit HTTP/cas.acme.de@REALM2.DE -k -t /etc/cas/cas.keytab
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/cas.acme.de@REALM2.DE
Valid starting       Expires              Service principal
04.12.2019 12:54:18  05.12.2019 12:54:18  krbtgt/REALM2.DE@REALM2.DE

root@cas:/etc/cas# nslookup cas.acme.d
Server:         192.169.1.1
Address:        192.169.1.1#53

Name:   cas.acme.de
Address: 192.169.1.140

root@cas:/etc/cas# nslookup 192.169.1.140
140.1.169.192.in-addr.arpa      name = cas.realm2.de.

工作配置说明:

只是 SPN 和 Internet DNS 名称已更改

SPN 就像HTTP/cast.realm2.de@REALM2.DE

/etc/krb5.conf:

   [libdefaults]
   default_keytab_name = /etc/cas/cast.keytab

   [realms]
   REALM1.DE = {
            kdc = ad1.realm1.de
            kdc = ad2.realm1.de
            kdc = ad3.realm1.de
    }
    REALM2.DE = {
            kdc = kerberos.realm2.de
            kdc = kerberos-1.realm2.de
            kdc = kerberos-2.realm2.de
            admin_server = kadmin.realm2.de
    }

cas.properties:

 cas.server.name=https://cast.realm2.de:8443
 cas.server.prefix=https://cast.realm2.de:8443/cas   
 # KERBEROS / SPNEGO
 cas.authn.spnego.kerberosConf=/etc/krb5.conf
#cas.authn.spnego.mixedModeAuthentication=false
 cas.authn.spnego.mixedModeAuthentication=true
 cas.authn.spnego.cachePolicy=600
 cas.authn.spnego.timeout=300000
 cas.authn.spnego.jcifsServicePrincipal=HTTP/cast.realm2.de@REALM2.DE
 cas.authn.spnego.jcifsNetbiosWins=
 cas.authn.spnego.loginConf=/etc/cas/login.conf
 cas.authn.spnego.ntlmAllowed=true
 cas.authn.spnego.hostNamePatternString=.+
 cas.authn.spnego.jcifsUsername=
 cas.authn.spnego.useSubjectCredsOnly=false
 cas.authn.spnego.supportedBrowsers=MSIE,Trident,Firefox,AppleWebKit
 cas.authn.spnego.jcifsDomainController=
 cas.authn.spnego.dnsTimeout=2000
 cas.authn.spnego.hostNameClientActionStrategy=hostnameSpnegoClientAction
 cas.authn.spnego.kerberosKdc=192.169.1.3
 cas.authn.spnego.alternativeRemoteHostAttribute=alternateRemoteHeader
 cas.authn.spnego.jcifsDomain=
 cas.authn.spnego.ipsToCheckPattern=
 cas.authn.spnego.kerberosDebug=
 cas.authn.spnego.send401OnAuthenticationFailure=true
 cas.authn.spnego.kerberosRealm=REALM2.DE
 cas.authn.spnego.ntlm=false
 cas.authn.spnego.principalWithDomainName=true
 cas.authn.spnego.jcifsServicePassword=
 cas.authn.spnego.jcifsPassword=
 cas.authn.spnego.spnego

/etc/cas/login.conf:

 jcifs.spnego.initiate {
   com.sun.security.auth.module.Krb5LoginModule required storeKey=true useKeyTab=true keyTab="/etc/cas/cas-t.keytab";
};

 jcifs.spnego.accept {
   com.sun.security.auth.module.Krb5LoginModule required storeKey=true useKeyTab=true keyTab="/etc/cas/cas-t.keytab";
}; 

cast.keytab:

klist -k cas-t.keytab -e -t
Keytab name: FILE:cas-t.keytab

KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
2 04.10.2018 11:17:39 HTTP/cas-t.realm2.de@REALM2.DE (aes256-cts-hmac-sha1-96)
2 04.10.2018 11:17:39 HTTP/cas-t.realm2.de@REALM2.DE (aes128-cts-hmac-sha1-96)
2 04.10.2018 11:17:39 HTTP/cas-t.realm2.de@REALM2.DE (arcfour-hmac)
2 04.10.2018 11:17:42 HTTP/cast.realm2.de@REALM2.DE (aes256-cts-hmac-sha1-96)
2 04.10.2018 11:17:43 HTTP/cast.realm2.de@REALM2.DE (aes128-cts-hmac-sha1-96)
2 04.10.2018 11:17:43 HTTP/cast.realm2.de@REALM2.DE (arcfour-hmac)

kinit HTTP/cast.realm2@REALM2.DE -k -t ./cas-t.keytab
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/cas-t.realm2.de@REALM2.DE

Valid starting       Expires              Service principal
04.12.2019 12:33:51  05.12.2019 12:33:51  krbtgt/REALM2.DE@REALM2.DE

root@cas:/etc/cas# nslookup cast.realm2.de
Server:         192.169.1.1
Address:        192.169.1.1#53

Name:   cast.realm2.de
Address: 192.169.1.65

root@cas:/etc/cas# nslookup 192.169.1.65
65.1.169.192.in-addr.arpa       name = cast.realm2.de.

我们已经尝试过自己调试,但我们无法得到它..

我们希望有人可以帮助我们解决这个问题。

如果您需要任何进一步的信息,请告诉我们

谢谢!

4

1 回答 1

0

在用 Wireshark 深入挖掘之后,我们可以解决这个问题。事实上,这不是 CAS 问题,而是 KDC-Realm 问题。

客户端通过访问 cas-server 派生了错误的领域。客户端的浏览器尝试询问 windows-kdc,但无法检索给定 SPN 的服务票证。

使用后:

ksetup /AddHostToRealmMap <host name of CAS> <realm>

为了强制客户端请求正确的 linux-kdc,成功请求了服务票证并且 CAS 身份验证运行良好。

感谢@Steve 的“b)它正在做正确的领域转换”......

于 2019-12-10T10:11:22.793 回答