
I am trying to set up a generic apache2 web server as an authentication "gateway".

Scenario: someone browses to spn-servername.active-directory.int/secure, apache should try to authenticate the user with kerberos (best case using SSO) and redirect him to a backend / another web service.

It works up to the point where authentication and SSO succeed, but I don't know how to generalize it to different containers on OpenShift using the same Active Directory user.

The problem is that if I change the servername of the container and the apache conf, auth still works but SSO fails. I guess this is because the SPN of the Active Directory user and the servername differ? I want to deploy different applications with different server names without changing the user/keytab.

What is the best practice for configuring multiple apache authentication gateways with different hostnames but the same Active Directory user?

000default.conf

<VirtualHost *:80>
  ServerName generic-hostname.active-directory.int

  DocumentRoot "/var/www/html"

    <IfModule !mod_auth_kerb.c>
        LoadModule auth_gssapi_module /usr/lib/apache2/modules/mod_auth_gssapi.so
    </IfModule>

  LimitRequestFieldSize 32768
  <Location "/secure">
    AuthType GSSAPI
    AuthName "GSSAPILogin"
    GssapiBasicAuth On
    GssapiCredStore keytab:/etc/http.keytab
    require valid-user
  </Location>

  LogLevel debug
  ErrorLog /var/log/apache2/sso.test.local-error.log
  CustomLog /var/log/apache2/sso.test.local-access.log combined
</VirtualHost>

Keytab generation:

ktpass -princ HTTP/spn-servername.active-directory.int@active-directory.int -mapuser sysaccount99@active-directory.int -pass mysecret -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out c:\Temp\http.keytab

Active Directory user:

displayName: sysaccount99
sAMAccountName: sysaccount99
userPrincipalName: HTTP/spn-servername.active-directory.int@active-directory.int
servicePrincipalName: HTTP/spn-servername.active-directory.int@active-directory.int and HTTP/spn-servername.active-directory.int

/var/log/apache2/sso.test.local-error.log when SSO does not work:

[Wed Jan 08 14:00:11.964555 2020] [core:trace5] [pid 871:tid 139656674920192] protocol.c(653): [client 192.168.56.1:55607] Request received from client: GET /secure/ HTTP/1.1
[Wed Jan 08 14:00:11.964643 2020] [http:trace4] [pid 871:tid 139656674920192] http_request.c(394): [client 192.168.56.1:55607] Headers received from client:
[Wed Jan 08 14:00:11.964649 2020] [http:trace4] [pid 871:tid 139656674920192] http_request.c(398): [client 192.168.56.1:55607]   Host: generic-hostname.active-directory.int
[Wed Jan 08 14:00:11.964652 2020] [http:trace4] [pid 871:tid 139656674920192] http_request.c(398): [client 192.168.56.1:55607]   User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:60.0) Gecko/20100101 Firefox/60.0
[Wed Jan 08 14:00:11.964655 2020] [http:trace4] [pid 871:tid 139656674920192] http_request.c(398): [client 192.168.56.1:55607]   Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
[Wed Jan 08 14:00:11.964658 2020] [http:trace4] [pid 871:tid 139656674920192] http_request.c(398): [client 192.168.56.1:55607]   Accept-Language: de,en-US;q=0.7,en;q=0.3
[Wed Jan 08 14:00:11.964661 2020] [http:trace4] [pid 871:tid 139656674920192] http_request.c(398): [client 192.168.56.1:55607]   Accept-Encoding: gzip, deflate
[Wed Jan 08 14:00:11.964664 2020] [http:trace4] [pid 871:tid 139656674920192] http_request.c(398): [client 192.168.56.1:55607]   Connection: keep-alive
[Wed Jan 08 14:00:11.964667 2020] [http:trace4] [pid 871:tid 139656674920192] http_request.c(398): [client 192.168.56.1:55607]   Upgrade-Insecure-Requests: 1
[Wed Jan 08 14:00:11.964707 2020] [authz_core:debug] [pid 871:tid 139656674920192] mod_authz_core.c(809): [client 192.168.56.1:55607] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Wed Jan 08 14:00:11.964713 2020] [authz_core:debug] [pid 871:tid 139656674920192] mod_authz_core.c(809): [client 192.168.56.1:55607] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Wed Jan 08 14:00:11.964728 2020] [auth_kerb:debug] [pid 871:tid 139656674920192] src/mod_auth_kerb.c(1971): [client 192.168.56.1:55607] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Jan 08 14:00:11.964734 2020] [core:trace3] [pid 871:tid 139656674920192] request.c(119): [client 192.168.56.1:55607] auth phase 'check user' gave status 401: /secure/
[Wed Jan 08 14:00:11.964796 2020] [http:trace3] [pid 871:tid 139656674920192] http_filters.c(1129): [client 192.168.56.1:55607] Response sent with status 401, headers:
[Wed Jan 08 14:00:11.964804 2020] [http:trace5] [pid 871:tid 139656674920192] http_filters.c(1136): [client 192.168.56.1:55607]   Date: Wed, 08 Jan 2020 14:00:11 GMT
[Wed Jan 08 14:00:11.964807 2020] [http:trace5] [pid 871:tid 139656674920192] http_filters.c(1139): [client 192.168.56.1:55607]   Server: Apache/2.4.18 (Ubuntu)
[Wed Jan 08 14:00:11.964810 2020] [http:trace4] [pid 871:tid 139656674920192] http_filters.c(958): [client 192.168.56.1:55607]   WWW-Authenticate: Negotiate
[Wed Jan 08 14:00:11.964813 2020] [http:trace4] [pid 871:tid 139656674920192] http_filters.c(958): [client 192.168.56.1:55607]   WWW-Authenticate: Basic realm=\\"
[Wed Jan 08 14:00:11.964816 2020] [http:trace4] [pid 871:tid 139656674920192] http_filters.c(958): [client 192.168.56.1:55607]   Content-Length: 479
[Wed Jan 08 14:00:11.964819 2020] [http:trace4] [pid 871:tid 139656674920192] http_filters.c(958): [client 192.168.56.1:55607]   Keep-Alive: timeout=5, max=100
[Wed Jan 08 14:00:11.964822 2020] [http:trace4] [pid 871:tid 139656674920192] http_filters.c(958): [client 192.168.56.1:55607]   Connection: Keep-Alive
[Wed Jan 08 14:00:11.964824 2020] [http:trace4] [pid 871:tid 139656674920192] http_filters.c(958): [client 192.168.56.1:55607]   Content-Type: text/html; charset=iso-8859-1
[Wed Jan 08 14:00:11.974410 2020] [core:trace5] [pid 871:tid 139656658134784] protocol.c(653): [client 192.168.56.1:55607] Request received from client: GET /secure/ HTTP/1.1
[Wed Jan 08 14:00:11.974456 2020] [http:trace4] [pid 871:tid 139656658134784] http_request.c(394): [client 192.168.56.1:55607] Headers received from client:
[Wed Jan 08 14:00:11.974469 2020] [http:trace4] [pid 871:tid 139656658134784] http_request.c(398): [client 192.168.56.1:55607]   Host: generic-hostname.active-directory.int
[Wed Jan 08 14:00:11.974473 2020] [http:trace4] [pid 871:tid 139656658134784] http_request.c(398): [client 192.168.56.1:55607]   User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:60.0) Gecko/20100101 Firefox/60.0
[Wed Jan 08 14:00:11.974476 2020] [http:trace4] [pid 871:tid 139656658134784] http_request.c(398): [client 192.168.56.1:55607]   Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
[Wed Jan 08 14:00:11.974479 2020] [http:trace4] [pid 871:tid 139656658134784] http_request.c(398): [client 192.168.56.1:55607]   Accept-Language: de,en-US;q=0.7,en;q=0.3
[Wed Jan 08 14:00:11.974482 2020] [http:trace4] [pid 871:tid 139656658134784] http_request.c(398): [client 192.168.56.1:55607]   Accept-Encoding: gzip, deflate
[Wed Jan 08 14:00:11.974484 2020] [http:trace4] [pid 871:tid 139656658134784] http_request.c(398): [client 192.168.56.1:55607]   Connection: keep-alive
[Wed Jan 08 14:00:11.974487 2020] [http:trace4] [pid 871:tid 139656658134784] http_request.c(398): [client 192.168.56.1:55607]   Upgrade-Insecure-Requests: 1
[Wed Jan 08 14:00:11.974490 2020] [http:trace4] [pid 871:tid 139656658134784] http_request.c(398): [client 192.168.56.1:55607]   Authorization: Negotiate TlRMLLVNTUAABAAKKl4II4gAAAAAAAABBBBBBBBAAAAGA4AlAAAADw==
[Wed Jan 08 14:00:11.974524 2020] [authz_core:debug] [pid 871:tid 139656658134784] mod_authz_core.c(809): [client 192.168.56.1:55607] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Wed Jan 08 14:00:11.974529 2020] [authz_core:debug] [pid 871:tid 139656658134784] mod_authz_core.c(809): [client 192.168.56.1:55607] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Wed Jan 08 14:00:11.974561 2020] [auth_kerb:debug] [pid 871:tid 139656658134784] src/mod_auth_kerb.c(1971): [client 192.168.56.1:55607] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Jan 08 14:00:11.974598 2020] [auth_kerb:debug] [pid 871:tid 139656658134784] src/mod_auth_kerb.c(1722): [client 192.168.56.1:55607] Verifying client data using KRB5 GSS-API 
[Wed Jan 08 14:00:11.974671 2020] [auth_kerb:debug] [pid 871:tid 139656658134784] src/mod_auth_kerb.c(1738): [client 192.168.56.1:55607] Client didn't delegate us their credential
[Wed Jan 08 14:00:11.974676 2020] [auth_kerb:debug] [pid 871:tid 139656658134784] src/mod_auth_kerb.c(1766): [client 192.168.56.1:55607] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
[Wed Jan 08 14:00:11.974681 2020] [auth_kerb:debug] [pid 871:tid 139656658134784] src/mod_auth_kerb.c(1159): [client 192.168.56.1:55607] GSS-API major_status:00010000, minor_status:00000000
[Wed Jan 08 14:00:11.974688 2020] [auth_kerb:error] [pid 871:tid 139656658134784] [client 192.168.56.1:55607] gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error)
[Wed Jan 08 14:00:11.974696 2020] [core:trace3] [pid 871:tid 139656658134784] request.c(119): [client 192.168.56.1:55607] auth phase 'check user' gave status 401: /secure/
[Wed Jan 08 14:00:11.974712 2020] [http:trace3] [pid 871:tid 139656658134784] http_filters.c(1129): [client 192.168.56.1:55607] Response sent with status 401, headers:
[Wed Jan 08 14:00:11.974716 2020] [http:trace5] [pid 871:tid 139656658134784] http_filters.c(1136): [client 192.168.56.1:55607]   Date: Wed, 08 Jan 2020 14:00:11 GMT
[Wed Jan 08 14:00:11.974718 2020] [http:trace5] [pid 871:tid 139656658134784] http_filters.c(1139): [client 192.168.56.1:55607]   Server: Apache/2.4.18 (Ubuntu)
[Wed Jan 08 14:00:11.974722 2020] [http:trace4] [pid 871:tid 139656658134784] http_filters.c(958): [client 192.168.56.1:55607]   WWW-Authenticate: Basic realm=\\"
[Wed Jan 08 14:00:11.974725 2020] [http:trace4] [pid 871:tid 139656658134784] http_filters.c(958): [client 192.168.56.1:55607]   Content-Length: 479
[Wed Jan 08 14:00:11.974731 2020] [http:trace4] [pid 871:tid 139656658134784] http_filters.c(958): [client 192.168.56.1:55607]   Keep-Alive: timeout=5, max=99
[Wed Jan 08 14:00:11.974734 2020] [http:trace4] [pid 871:tid 139656658134784] http_filters.c(958): [client 192.168.56.1:55607]   Connection: Keep-Alive
[Wed Jan 08 14:00:11.974737 2020] [http:trace4] [pid 871:tid 139656658134784] http_filters.c(958): [client 192.168.56.1:55607]   Content-Type: text/html; charset=iso-8859-1
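An added example (not part of the original question) that turns the symptom visible in the log above into a check: it classifies the Negotiate token each client sent as NTLM or SPNEGO/Kerberos, and for every NTLM fallback reports the Host header the browser used and whether the keytab holds an HTTP/ principal for that host, which is the mismatch the question suspects. The log lines and tokens are constructed samples, and keytab_spns is an assumed input (for instance the principals listed by klist -kt).

```python
import base64
import re

# Constructed tokens: a minimal NTLM Type 1 message and the start of a SPNEGO
# initial token (tag 0x60, then OID 1.3.6.1.5.5.2). Not the redacted token above.
NTLM_TYPE1 = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2" + b"\x00" * 16).decode()
SPNEGO_INIT = base64.b64encode(b"\x60\x82\x05\x1a\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x82\x05\x0e").decode()

# Constructed log lines in the Apache trace4 format seen in the question.
SAMPLE_LOG = f"""
[Wed Jan 08 14:00:11.974490 2020] [http:trace4] [pid 871:tid 1] http_request.c(398): [client 192.168.56.1:55607]   Host: generic-hostname.active-directory.int
[Wed Jan 08 14:00:11.974490 2020] [http:trace4] [pid 871:tid 1] http_request.c(398): [client 192.168.56.1:55607]   Authorization: Negotiate {NTLM_TYPE1}
[Wed Jan 08 14:01:02.000000 2020] [http:trace4] [pid 871:tid 2] http_request.c(398): [client 192.168.56.2:40001]   Host: spn-servername.active-directory.int
[Wed Jan 08 14:01:02.000000 2020] [http:trace4] [pid 871:tid 2] http_request.c(398): [client 192.168.56.2:40001]   Authorization: Negotiate {SPNEGO_INIT}
"""

AUTH_RE = re.compile(r"\[client (?P<client>[^\]]+)\]\s+Authorization: Negotiate (?P<token>\S+)")
HOST_RE = re.compile(r"\[client (?P<client>[^\]]+)\]\s+Host: (?P<host>\S+)")


def classify_token(b64token: str) -> str:
    """Return 'ntlm', 'spnego' or 'unknown' for a base64 Negotiate token."""
    try:
        raw = base64.b64decode(b64token, validate=True)
    except Exception:
        return "unknown"
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"
    # GSS-API initial context token: [APPLICATION 0] tag 0x60 followed by the SPNEGO OID.
    if raw[:1] == b"\x60" and b"\x2b\x06\x01\x05\x05\x02" in raw[:16]:
        return "spnego"
    return "unknown"


def find_ntlm_fallback(log_text: str, keytab_spns):
    """Return (client, host, keytab_has_spn) for each request whose browser
    fell back to NTLM instead of presenting a Kerberos ticket.

    keytab_spns is the set of principals (without realm) in the server keytab;
    a False third element means no HTTP/<host> entry exists for the name the
    browser used, which is exactly why it could not obtain a service ticket."""
    hosts = {}  # client ip:port -> last Host header seen (keep-alive reuses the port)
    findings = []
    for line in log_text.splitlines():
        m = HOST_RE.search(line)
        if m:
            hosts[m["client"]] = m["host"]
            continue
        m = AUTH_RE.search(line)
        if m and classify_token(m["token"]) == "ntlm":
            host = hosts.get(m["client"], "?")
            findings.append((m["client"], host, f"HTTP/{host}" in keytab_spns))
    return findings
```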