
I have configured the Kerberos authentication module (Windows Desktop SSO node) with the AWS Aurora Kerberos details. I followed this document: https://backstage.forgerock.com/marketplace/entry/AWyLw-zpDPiiBBbH4Pu- . Below is the error from the logs. I followed this document to resolve it: https://backstage.forgerock.com/knowledge/kb/article/a62965844 but the issue was not resolved after applying the solution.

The keytab file was created with this command: ktpass -out fileName.keytab -princ HTTP/openam.forgerock.com@AD_DOMAIN.COM -pass +rdnPass -maxPass 256 -mapuser amKerberos@frdpcloud.com -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -kvno 0

The SPN is: HTTP/danvledwse01.xyz.com@XYZ.COM

Kerberos configuration

18-Oct-2021 13:27:20.840 SEVERE [main] org.apache.catalina.loader.WebappClassLoaderBase.checkThreadLocalMapForLeaks The web application [openam] created a ThreadLocal with key of type [java.lang.ThreadLocal.SuppliedThreadLocal] (value [java.lang.ThreadLocal$SuppliedThreadLocal@7bbd38c1]) and a value of type [org.forgerock.openam.audit.context.AuditRequestContext] (value [org.forgerock.openam.audit.context.AuditRequestContext@407cbfdc]) but failed to remove it when the web application was stopped. Threads are going to be renewed over time to try and avoid a probable memory leak.
18-Oct-2021 13:27:20.840 SEVERE [main] org.apache.catalina.loader.WebappClassLoaderBase.checkThreadLocalMapForLeaks The web application [openam] created a ThreadLocal with key of type [java.lang.ThreadLocal.SuppliedThreadLocal] (value [java.lang.ThreadLocal$SuppliedThreadLocal@79238e6a]) and a value of type [org.forgerock.opendj.ldap.AttributeDescription$1] (value [{objectclass=Pair [Schema Core Schema-0 mr=773 syntaxes=45 at=109, objectclass]}]) but failed to remove it when the web application was stopped. Threads are going to be renewed over time to try and avoid a probable memory leak.
18-Oct-2021 13:27:20.874 INFO [main] org.apache.coyote.AbstractProtocol.stop Stopping ProtocolHandler ["https-jsse-nio-8444"]
18-Oct-2021 13:27:20.926 INFO [main] org.apache.coyote.AbstractProtocol.destroy Destroying ProtocolHandler ["https-jsse-nio-8444"]
18-Oct-2021 13:27:48.078 WARNING [main] org.apache.tomcat.util.digester.SetPropertiesRule.begin Match [Server/Service/Connector] failed to set property [sslVerifyClient] to [optional]
18-Oct-2021 13:27:48.157 WARNING [main] org.apache.tomcat.util.net.SSLHostConfig.setProtocols The protocol [TLSv1.1] was added to the list of protocols on the SSLHostConfig named [_default_]. Check if a +/- prefix is missing.
18-Oct-2021 13:27:48.157 WARNING [main] org.apache.tomcat.util.net.SSLHostConfig.setProtocols The protocol [SSLv2Hello] was added to the list of protocols on the SSLHostConfig named [_default_]. Check if a +/- prefix is missing.
18-Oct-2021 13:27:48.193 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version name:   Apache Tomcat/9.0.52
18-Oct-2021 13:27:48.194 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built:          Jul 31 2021 04:12:17 UTC
18-Oct-2021 13:27:48.194 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version number: 9.0.52.0
18-Oct-2021 13:27:48.194 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name:               Linux
18-Oct-2021 13:27:48.194 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version:            4.18.0-305.17.1.el8_4.x86_64
18-Oct-2021 13:27:48.194 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture:          amd64
18-Oct-2021 13:27:48.194 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home:             /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.302.b08-0.el8_4.x86_64/jre
18-Oct-2021 13:27:48.194 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version:           1.8.0_302-b08
18-Oct-2021 13:27:48.194 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor:            Red Hat, Inc.
18-Oct-2021 13:27:48.194 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE:         /home/forgerock/data/stage/apache-tomcat-9.0.52
18-Oct-2021 13:27:48.194 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME:         /home/forgerock/data/stage/apache-tomcat-9.0.52
18-Oct-2021 13:27:48.196 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=/home/forgerock/data/stage/apache-tomcat-9.0.52/conf/logging.properties
18-Oct-2021 13:27:48.196 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
18-Oct-2021 13:27:48.196 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
18-Oct-2021 13:27:48.196 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
18-Oct-2021 13:27:48.196 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dorg.apache.catalina.security.SecurityListener.UMASK=0027
18-Oct-2021 13:27:48.196 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dsun.security.krb5.debug=true
18-Oct-2021 13:27:48.196 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dsun.security.jgss.debug=true
18-Oct-2021 13:27:48.196 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dsun.security.spnego.debug=true
18-Oct-2021 13:27:48.196 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dignore.endorsed.dirs=
18-Oct-2021 13:27:48.197 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=/home/forgerock/data/stage/apache-tomcat-9.0.52
18-Oct-2021 13:27:48.197 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=/home/forgerock/data/stage/apache-tomcat-9.0.52
18-Oct-2021 13:27:48.197 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=/home/forgerock/data/stage/apache-tomcat-9.0.52/temp
18-Oct-2021 13:27:48.198 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent The Apache Tomcat Native library which allows using OpenSSL was not found on the java.library.path: [/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib]
18-Oct-2021 13:27:48.718 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio-8444"]
18-Oct-2021 13:27:49.135 INFO [main] org.apache.catalina.startup.Catalina.load Server initialization in [1192] milliseconds
18-Oct-2021 13:27:49.174 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]
18-Oct-2021 13:27:49.175 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet engine: [Apache Tomcat/9.0.52]
18-Oct-2021 13:27:50.326 INFO [main] org.apache.catalina.startup.HostConfig.deployWAR Deploying web application archive [/home/forgerock/data/stage/apache-tomcat-9.0.52/webapps/openam.war]
18-Oct-2021 13:28:02.421 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Starting up OpenAM at Oct 18, 2021 1:28:05 PM
SLF4J: Failed to load class "org.slf4j.impl.StaticMDCBinder".
SLF4J: Defaulting to no-operation MDCAdapter implementation.
SLF4J: See http://www.slf4j.org/codes.html#no_static_mdc_binder for further details.
18-Oct-2021 13:28:14.928 INFO [main] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive [/home/forgerock/data/stage/apache-tomcat-9.0.52/webapps/openam.war] has finished in [24,602] ms
18-Oct-2021 13:28:14.985 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [/home/forgerock/data/stage/apache-tomcat-9.0.52/webapps/ROOT]
18-Oct-2021 13:28:15.004 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory [/home/forgerock/data/stage/apache-tomcat-9.0.52/webapps/ROOT] has finished in [19] ms
18-Oct-2021 13:28:15.004 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [/home/forgerock/data/stage/apache-tomcat-9.0.52/webapps/docs]
18-Oct-2021 13:28:15.020 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory [/home/forgerock/data/stage/apache-tomcat-9.0.52/webapps/docs] has finished in [16] ms
18-Oct-2021 13:28:15.021 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [/home/forgerock/data/stage/apache-tomcat-9.0.52/webapps/examples]
18-Oct-2021 13:28:15.535 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory [/home/forgerock/data/stage/apache-tomcat-9.0.52/webapps/examples] has finished in [514] ms
18-Oct-2021 13:28:15.535 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [/home/forgerock/data/stage/apache-tomcat-9.0.52/webapps/host-manager]
18-Oct-2021 13:28:15.568 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory [/home/forgerock/data/stage/apache-tomcat-9.0.52/webapps/host-manager] has finished in [32] ms
18-Oct-2021 13:28:15.568 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [/home/forgerock/data/stage/apache-tomcat-9.0.52/webapps/manager]
18-Oct-2021 13:28:15.600 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory [/home/forgerock/data/stage/apache-tomcat-9.0.52/webapps/manager] has finished in [32] ms
18-Oct-2021 13:28:15.612 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["https-jsse-nio-8444"]
18-Oct-2021 13:28:15.626 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [26490] milliseconds
>>> KeyTabInputStream, readName(): XYZ.COM
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): danvledwse01.xyz.com
>>> KeyTab: load() entry length: 72; type: 23
Looking for keys for: HTTP/danvledwse01.xyz.com@XYZ.COM
Java config name: /home/forgerock/openam/krb5.conf
Loaded from Java config
Added key: 23version: 0
>>> KdcAccessibility: reset
Looking for keys for: HTTP/danvledwse01.xyz.com@XYZ.COM
Added key: 23version: 0
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=172.20.2.196 UDP:88, timeout=30000, number of retries =3, #bytes=153
>>> KDCCommunication: kdc=172.20.2.196 UDP:88, timeout=30000,Attempt =1, #bytes=153
>>> KrbKdcReq send: #bytes read=175
>>>Pre-Authentication Data:
         PA-DATA type = 11
         PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16

>>>Pre-Authentication Data:
         PA-DATA type = 15

>>> KdcAccessibility: remove 172.20.2.196
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Mon Oct 18 13:28:37 UTC 2021 1634563717000
         suSec is 124522
         error code is 25
         error Message is Additional pre-authentication required
         sname is krbtgt/XYZ.COM@XYZ.COM
         eData provided.
         msgType is 30
>>>Pre-Authentication Data:
         PA-DATA type = 11
         PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16

>>>Pre-Authentication Data:
         PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23.
Looking for keys for: HTTP/danvledwse01.xyz.com@XYZ.COM
Added key: 23version: 0
Looking for keys for: HTTP/danvledwse01.xyz.com@XYZ.COM
Added key: 23version: 0
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=172.20.2.196 UDP:88, timeout=30000, number of retries =3, #bytes=235
>>> KDCCommunication: kdc=172.20.2.196 UDP:88, timeout=30000,Attempt =1, #bytes=235
>>> KrbKdcReq send: #bytes read=90
>>> KrbKdcReq send: kdc=172.20.2.196 TCP:88, timeout=30000, number of retries =3, #bytes=235
>>> KDCCommunication: kdc=172.20.2.196 TCP:88, timeout=30000,Attempt =1, #bytes=235
>>>DEBUG: TCPClient reading 1474 bytes
>>> KrbKdcReq send: #bytes read=1474
>>> KdcAccessibility: remove 172.20.2.196
Looking for keys for: HTTP/danvledwse01.xyz.com@XYZ.COM
Added key: 23version: 0
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/danvledwse01.xyz.com
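The debug output above (produced by -Dsun.security.krb5.debug=true) is dense, and the facts that matter for a keytab problem are scattered across it: which principal the keytab was read for, which encryption types and kvno the keytab holds, which encryption types the KDC announces for that account in PA-ETYPE-INFO2, whether error 25 is followed by a successful AS-REP (it is the normal pre-authentication round trip, not a failure), and whether the keytab contains any AES key at all. The script below is an added example, not part of the original post or of ForgeRock's product; it parses a constructed sample made from lines of the log above and reports these points. On this sample it finds that the keytab and the KDC both use etype 23 (rc4-hmac) with kvno 0, that the AS exchange completed, and that no AES key is present, which is worth comparing with the -crypto AES256-SHA1 option given to ktpass.

```python
"""Summarise Java krb5/JGSS debug output (-Dsun.security.krb5.debug=true).

Added example for reading AM/OpenAM Kerberos debug logs; the regexes match
the line formats emitted by sun.security.krb5 and are not a product API.
"""
import re
from dataclasses import dataclass, field

# Encryption type numbers from RFC 3961 / RFC 4757 / RFC 8009.
ETYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
    23: "rc4-hmac",
}
AES_ETYPES = {17, 18, 19, 20}
KDC_ERR_PREAUTH_REQUIRED = 25  # RFC 4120: expected reply to the first AS-REQ


@dataclass
class KrbDebugSummary:
    keytab_principal: str = ""
    keytab_keys: list = field(default_factory=list)    # (etype, kvno) pairs
    client_etypes: list = field(default_factory=list)  # default_tkt_enctypes
    kdc_etypes: set = field(default_factory=set)       # from PA-ETYPE-INFO(2)
    kdc_errors: list = field(default_factory=list)     # (code, message)
    as_rep_received: bool = False


_LOOKING = re.compile(r"Looking for keys for: (\S+)")
_ADDED = re.compile(r"Added key: (\d+)version: (\d+)")
_CLIENT = re.compile(r"default etypes for default_tkt_enctypes: ([\d ]+)\.")
_PA_ETYPE = re.compile(r"PA-ETYPE-INFO2? etype = (\d+)")
_ERR_CODE = re.compile(r"error code is (\d+)")
_ERR_MSG = re.compile(r"error Message is (.+)")
_AS_REP = re.compile(r"KrbAsRep cons in KrbAsReq\.getReply")


def parse_krb5_debug(text: str) -> KrbDebugSummary:
    """Extract keytab, enctype and KDC exchange facts from the debug text."""
    s = KrbDebugSummary()
    pending_code = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _LOOKING.search(line):
            s.keytab_principal = m.group(1)
        elif m := _ADDED.search(line):
            key = (int(m.group(1)), int(m.group(2)))
            if key not in s.keytab_keys:          # same key is logged repeatedly
                s.keytab_keys.append(key)
        elif m := _CLIENT.search(line):
            s.client_etypes = [int(x) for x in m.group(1).split()]
        elif m := _PA_ETYPE.search(line):
            s.kdc_etypes.add(int(m.group(1)))
        elif m := _ERR_CODE.search(line):
            pending_code = int(m.group(1))        # message follows on next line
        elif m := _ERR_MSG.search(line):
            s.kdc_errors.append((pending_code, m.group(1).strip()))
            pending_code = None
        elif _AS_REP.search(line):
            s.as_rep_received = True
    return s


def _names(etypes) -> str:
    return ", ".join(f"{e} ({ETYPE_NAMES.get(e, 'unknown')})" for e in sorted(etypes))


def diagnose(s: KrbDebugSummary) -> list:
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    keytab_etypes = {e for e, _ in s.keytab_keys}
    if not s.keytab_keys:
        findings.append("no keytab keys were loaded for the service principal")
    if s.kdc_etypes and keytab_etypes and not (keytab_etypes & s.kdc_etypes):
        findings.append(f"enctype mismatch: keytab has {_names(keytab_etypes)} "
                        f"but the KDC announced {_names(s.kdc_etypes)}")
    if keytab_etypes and not (keytab_etypes & AES_ETYPES):
        findings.append(f"keytab holds no AES key, only {_names(keytab_etypes)}; "
                        "RC4-HMAC and DES are deprecated")
    # Error 25 is part of the normal pre-auth handshake; report the others.
    for code, msg in s.kdc_errors:
        if code != KDC_ERR_PREAUTH_REQUIRED:
            findings.append(f"KDC error {code}: {msg}")
    if not s.as_rep_received:
        findings.append("no AS-REP received: the service principal never obtained a TGT")
    return findings


# Constructed sample assembled from lines of the log in the post above.
SAMPLE_LOG = """\
>>> KeyTab: load() entry length: 72; type: 23
Looking for keys for: HTTP/danvledwse01.xyz.com@XYZ.COM
Added key: 23version: 0
default etypes for default_tkt_enctypes: 18 17 16 23.
>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>KRBError:
         error code is 25
         error Message is Additional pre-authentication required
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/danvledwse01.xyz.com
"""

if __name__ == "__main__":
    summary = parse_krb5_debug(SAMPLE_LOG)
    print(f"principal: {summary.keytab_principal}")
    print(f"keytab keys (etype, kvno): {summary.keytab_keys}")
    print(f"KDC enctypes for this account: {_names(summary.kdc_etypes)}")
    print(f"AS-REP received: {summary.as_rep_received}")
    for finding in diagnose(summary):
        print(" -", finding)
```

Run it against the full catalina.out instead of SAMPLE_LOG to get the same summary for a real startup. The keytab enctypes can also be confirmed without Java by listing the file with klist -kte on a Kerberos client; that cross-check is the quickest way to see whether ktpass actually wrote the AES key that -crypto requested.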