Xác thực Kerberos Java dường như hoạt động, vẫn bị từ chối

Question

Tôi đã có ứng dụng khách Java và ứng dụng máy chủ Java và tôi đang cố gắng xác thực với máy chủ qua Kerberos. Khách hàng về cơ bản sử dụng các thành phần http và SPNEGO để thực hiện cuộc gọi HTTP GET, nhưng tôi luôn nhận được kết quả là 401 Unauthorized.

tôi không thể nhận ra các lỗi trong trình tự đăng nhập Kerberos dưới đây, có lẽ các bạn có thể:

Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt f 
alse ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is fa 
lse principal is null tryFirstPass is false useFirstPass is false storePass is f 
alse clearPass is false 
Kerberos-Benutzername [GP_Myuser]: GP_Myuser@EESERV.LOCAL 
Kerberos-Passwort f³r GP_Myuser@EESERV.LOCAL: 
       [Krb5LoginModule] user entered username: GP_Myuser@EESERV. 
LOCAL 

default etypes for default_tkt_enctypes: 23. 
Acquire TGT using AS Exchange 
default etypes for default_tkt_enctypes: 23. 
>>> KrbAsReq calling createMessage 
>>> KrbAsReq in createMessage 
>>> KrbKdcReq send: kdc=atlnztdc01.eeserv.local UDP:88, timeout=30000, number of retries =3, #bytes=144 
>>> KDCCommunication: kdc=atlnztdc01.eeserv.local UDP:88, timeout=30000,Attempt=1, #bytes=144 
>>> KrbKdcReq send: #bytes read=181 
>>> KrbKdcReq send: #bytes read=181 
>>> KdcAccessibility: remove atlnztdc01.eeserv.local:88 
>>> KDCRep: init() encoding tag is 126 req type is 11 
>>>KRBError: 
     sTime is Tue Jul 05 16:28:31 CEST 2011 1309876111000 
     suSec is 250145 
     error code is 25 
     error Message is Additional pre-authentication required 
     realm is EESERV.LOCAL 
     sname is krbtgt/EESERV.LOCAL 
     eData provided. 
     msgType is 30 
>>>Pre-Authentication Data: 
     PA-DATA type = 11 
     PA-ETYPE-INFO etype = 23 
     PA-ETYPE-INFO salt = 
>>>Pre-Authentication Data: 
     PA-DATA type = 19 
     PA-ETYPE-INFO2 etype = 23 
     PA-ETYPE-INFO2 salt = null 
>>>Pre-Authentication Data: 
     PA-DATA type = 2 
     PA-ENC-TIMESTAMP 
>>>Pre-Authentication Data: 
     PA-DATA type = 16 
>>>Pre-Authentication Data: 
     PA-DATA type = 15 
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ 
default etypes for default_tkt_enctypes: 23. 
>>>KrbAsReq salt is EESERV.LOCALGP_Myuser 
default etypes for default_tkt_enctypes: 23. 
Pre-Authenticaton: find key for etype = 23 
AS-REQ: Add PA_ENC_TIMESTAMP now 
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType 
>>> KrbAsReq calling createMessage 
>>> KrbAsReq in createMessage 
>>> KrbKdcReq send: kdc=atlnztdc01.eeserv.local UDP:88, timeout=30000, number of 
retries =3, #bytes=222 
>>> KDCCommunication: kdc=atlnztdc01.eeserv.local UDP:88, timeout=30000,Attempt=1, #bytes=222 
>>> KrbKdcReq send: #bytes read=1450 
>>> KrbKdcReq send: #bytes read=1450 
>>> KdcAccessibility: remove atlnztdc01.eeserv.local:88 
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType 
>>> KrbAsRep cons in KrbAsReq.getReply GP_Myuser 
default etypes for default_tkt_enctypes: 23. 
principal is GP_Myuser@EESERV.LOCAL 
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 3D F9 1C A6 3B 94 7B 27 B3 
6C D7 E5 70 77 84 22 =...;..'.l..pw." 

Commit Succeeded 

Found ticket for GP_Myuser@EESERV.LOCAL to go to krbtgt/EESERV.LOCAL@EESER 
V.LOCAL expiring on Wed Jul 06 02:28:32 CEST 2011 
Entered Krb5Context.initSecContext with state=STATE_NEW 
Service ticket not found in the subject 
>>> Credentials acquireServiceCreds: same realm 
default etypes for default_tgs_enctypes: 23. 
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType 
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType 
>>> KrbKdcReq send: kdc=atlnztdc01.eeserv.local UDP:88, timeout=30000, number of 
retries =3, #bytes=1452 
>>> KDCCommunication: kdc=atlnztdc01.eeserv.local UDP:88, timeout=30000,Attempt 
=1, #bytes=1452 
>>> KrbKdcReq send: #bytes read=1436 
>>> KrbKdcReq send: #bytes read=1436 
>>> KdcAccessibility: remove atlnztdc01.eeserv.local:88 
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType 
>>> KrbApReq: APOptions are 00100000 00000000 00000000 00000000 
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType 
Krb5Context setting mySeqNumber to: 512880730 
Created InitSecContextToken: 
0000: 01 00 6E 82 05 51 30 82 05 4D A0 03 02 01 05 A1 ..n..Q0..M...... 
0010: 03 02 01 0E A2 07 03 05 00 20 00 00 00 A3 82 04 ......... ...... 
0020: 6E 61 82 04 6A 30 82 04 66 A0 03 02 01 05 A1 0E na..j0..f....... 
0030: 1B 0C 45 45 53 45 52 56 2E 4C 4F 43 41 4C A2 24 ..EESERV.LOCAL.$ 
0040: 30 22 A0 03 02 01 00 A1 1B 30 19 1B 04 48 54 54 0".......0...HTT 
0050: 50 1B 11 61 6C 66 2D 74 65 73 74 2E 65 6C 69 6E P..alf-test.server 
0060: 2E 63 6F 6D A3 82 04 27 30 82 04 23 A0 03 02 01 .com...'0..#.... 
0070: 17 A1 03 02 01 03 A2 82 04 15 04 82 04 11 C2 1E ................ 
0080: 14 D0 18 19 AF 82 D3 92 7F 62 96 A9 92 F7 94 5B .........b.....[ 
0090: FF CA FE 66 2F C8 A9 C6 36 A2 2E FF EB FB CA 3D ...f/...6......= 
00A0: 5D 5B 59 B5 0F E3 B7 B6 29 C2 62 A3 45 44 42 00 ][Y.....).b.EDB. 
00B0: DA 14 3D 83 1E 50 3D AA A9 9F 0C A6 49 4E F3 51 ..=..P=.....IN.Q 
00C0: 67 68 14 A4 D3 49 E6 6F 1C 2C 7D 04 7B F2 6E BD gh...I.o.,....n. 
00D0: 23 07 DD CD 09 DC 89 62 73 0E 06 EE 68 28 39 A4 #......bs...h(9. 
00E0: 22 3C 92 C0 22 C0 6B 0B 42 4B 95 B5 E5 AC 77 30 "<..".k.BK....w0 
00F0: D8 75 A1 8D E8 FC A5 5A D6 1D A8 5B D4 15 82 C5 .u.....Z...[.... 
0100: AE 1E 36 48 72 01 9B 3C FA A9 60 20 1D 9A 84 20 ..6Hr..<..` ... 
0110: 41 3F FA 71 A8 07 9C 50 73 FA 03 2B 8D 94 98 C8 A?.q...Ps..+.... 
0120: 57 A2 87 09 BF 87 26 62 2B 49 40 6A 67 C4 F1 00 W.....&b+I@jg... 
0130: 66 55 D7 75 6D A6 2F 28 3C 68 86 1F 29 E1 7E 10 fU.um./(<h..)... 
0140: CD 2B F0 78 A7 23 D9 18 8D 5D 98 F9 7D 00 11 78 .+.x.#...].....x 
0150: 7B 5E D3 5E EA EE 74 82 B7 93 A4 DA 0E 3C 61 E6 .^.^..t......<a. 
0160: B3 D5 5A F3 67 8C 03 4C 0E E6 42 96 8F E0 99 98 ..Z.g..L..B..... 
0170: C2 A0 C6 D3 8F B4 A4 CA 99 C1 8A F0 6E 00 E0 BE ............n... 
0180: 95 7F 1F F5 E7 15 3D 0F CD 22 51 D9 41 D0 5F 01 ......=.."Q.A._. 
0190: 48 EB 47 64 B8 74 BC BE 76 0F AE 4B F4 E6 3A 1E H.Gd.t..v..K..:. 
01A0: 2A 62 85 FA 7E 07 E7 8D 60 EC B9 23 10 E3 1B 1E *b......`..#.... 
01B0: C5 90 D2 25 BB C5 2C 05 A3 E2 39 D1 FF 70 CF E7 ...%..,...9..p.. 
01C0: D5 C6 13 E6 BC 60 55 89 C1 B9 FB 0F E4 5D E7 A5 .....`U......].. 
01D0: 95 BA F9 70 EC 06 CB 62 E8 AD F3 29 BA 34 FF C2 ...p...b...).4.. 
01E0: 95 76 21 9B 0D 0B DE 66 05 0E EE 33 31 E7 BE 52 .v!....f...31..R 
01F0: 64 DB 91 8B 55 96 5F E7 2D 2A EA E2 D3 BC 5F CD d...U._.-*...._. 
0200: 46 E5 45 A1 07 68 28 BF 1D 32 7D 04 C0 60 97 78 F.E..h(..2...`.x 
0210: 4F 8E 4C 92 2B F1 B2 C3 9B 04 D9 43 02 7F A5 27 O.L.+......C...' 
0220: A4 8E 48 EE 5E A9 3B 7E 7F C0 54 0D A5 75 D2 B3 ..H.^.;...T..u.. 
0230: FC 72 3A 80 F4 9A F1 34 7C 51 54 13 F7 9E FE 79 .r:....4.QT....y 
0240: 8F 15 5A A7 9E 47 9B 36 10 33 F3 08 EA F2 33 BB ..Z..G.6.3....3. 
0250: 9F 45 61 ED 91 1F CF 30 05 76 C0 56 FB 38 51 25 .Ea....0.v.V.8Q% 
0260: 27 1F 39 A5 C9 F9 0C D2 00 F2 6B E2 28 09 B2 30 '.9.......k.(..0 
0270: A2 63 68 FE 46 A5 33 E0 60 BB B2 B5 DA 5A 78 2A .ch.F.3.`....Zx* 
0280: 37 FE 16 0D 8E E6 97 52 47 28 B2 D0 92 DB F3 CD 7......RG(...... 
0290: 9A 5F 98 16 4E C9 96 2C 00 7C FE 96 B0 DE CD 6D ._..N..,.......m 
02A0: 5A BC 13 1B E2 E7 F6 74 DE DC 2B B7 16 AB C0 0F Z......t..+..... 
02B0: BA 4C 08 C3 4F 25 3C 1A 9A E5 36 32 8E D9 C7 10 .L..O%<...62.... 
02C0: 62 F2 13 BB 62 B4 C5 F2 9D 69 DB 6C 0C 37 E1 AF b...b....i.l.7.. 
02D0: F5 C6 D9 CD B5 F6 60 A2 93 DD 98 8C B2 59 C7 7A ......`......Y.z 
02E0: 50 4D 27 7B CC DA C9 28 9D 05 9C E8 FC 57 F8 4A PM'....(.....W.J 
02F0: 12 67 ED 7E 23 AB B5 FB 8A B7 CE 4D DA 1B 7F 1A .g..#......M.... 
0300: B3 6F DF 42 9F C4 90 C9 35 D9 77 33 CD 6C C5 B5 .o.B....5.w3.l.. 
0310: C2 A8 15 8C AE BD AE 5F 0A 0A AB 7C 8C F8 E2 9F ......._........ 
0320: 27 3C 27 85 B3 97 D9 9D DA 6E 56 25 3B BA D5 FB '<'......nV%;... 
0330: AB 24 8B BE B7 26 12 7F B6 25 E5 26 DE 8D 54 AA .$...&...%.&..T. 
0340: 0B 68 DB 4B 81 AD 9C FD 88 0F 7D 6A 97 79 E5 0F .h.K.......j.y.. 
0350: 5B 82 43 6F 05 AE C0 EB 77 A6 E3 39 BE 85 6E F0 [.Co....w..9..n. 
0360: B5 F5 0B 13 E7 CC 7B 1E 81 4F 37 77 BB 02 26 C2 .........O7w..&. 
0370: D7 2C 80 CD 62 91 A7 0C F8 D1 76 5C 21 39 A0 93 .,..b.....v\!9.. 
0380: 83 04 0A F7 1F C3 4B 0B 34 85 2D 90 75 4E FE 31 ......K.4.-.uN.1 
0390: 61 BF D8 F3 36 B5 40 BA 06 F8 47 33 D4 DD EE 2A a...6.@...G3...* 
03A0: 9C FB 5E 51 7A 25 F7 C1 3F 4D 58 73 F2 4A 50 EA ..^Qz%..?MXs.JP. 
03B0: 68 09 27 85 F3 2E BB EA 8E B4 D3 7C DC 3B 52 71 h.'..........;Rq 
03C0: 87 34 1B 6F 80 D1 D2 F1 7D C3 9E C4 C3 79 8A A7 .4.o.........y.. 
03D0: DA 0B A2 69 7C DE D5 67 C7 20 AD 97 A2 98 6A E3 ...i...g. ....j. 
03E0: A3 59 BD D2 B6 19 18 1D AB A7 58 3A 56 16 ED 2A .Y........X:V..* 
03F0: 75 73 4E DB 02 B5 77 4B F5 9D 1D A4 36 ED 39 26 usN...wK....6.9& 
0400: B8 A4 CD 7C 79 5E 11 3C 36 9D DA DA E7 F5 D2 9F ....y^.<6....... 
0410: BA 4B 45 E0 67 E5 4F 33 9E 0B 60 E6 76 EB 02 AC .KE.g.O3..`.v... 
0420: CC 24 C4 EB 37 C4 31 B7 EA F3 EA 5B 39 D6 E3 0A .$..7.1....[9... 
0430: DC F8 DE 8B 18 8C E0 25 5C 4B 85 38 B0 99 04 9C .......%\K.8.... 
0440: 61 75 17 E3 E6 0C 88 D9 7B C4 9A 2D 25 B3 C1 FE au.........-%... 
0450: 9F FD 12 4F E0 DF CF E6 C1 BA 68 00 32 E8 1F 9A ...O......h.2... 
0460: 2F 0E FB 44 59 53 8B 43 C5 B6 24 D3 76 B4 04 D2 /..DYS.C..$.v... 
0470: 39 A9 21 41 EC A3 78 D1 9B 07 64 10 5B 64 EB 18 9.!A..x...d.[d.. 
0480: 08 5B 2C 45 90 53 C9 90 A0 4C 15 AF 8A D4 80 A4 .[,E.S...L...... 
0490: 81 C5 30 81 C2 A0 03 02 01 17 A2 81 BA 04 81 B7 ..0............. 
04A0: CB D6 6F 4E E7 6C 78 93 EF 6D EA 0C C8 A9 6B 37 ..oN.lx..m....k7 
04B0: EB 0E 9C C5 86 9E E6 BA 0D 88 26 BA FE A8 83 86 ..........&..... 
04C0: D4 06 52 50 AF 48 BC 8F 66 08 F1 1E A4 97 5E 05 ..RP.H..f.....^. 
04D0: 24 B4 DC 44 94 F3 5D 3D 07 17 10 33 15 D8 E0 0C $..D..]=...3.... 
04E0: E8 E8 0F 70 E6 23 B3 FF D5 23 63 02 A4 6B 86 C9 ...p.#...#c..k.. 
04F0: 88 96 FA 8B 02 3C E6 C6 19 7E 86 58 D5 07 80 8F .....<.....X.... 
0500: 21 10 7A F8 2D E2 C0 AE 33 19 A3 87 8F 18 03 A0 !.z.-...3....... 
0510: 22 13 37 66 D5 CA 02 02 E9 51 87 D5 E5 7D 3E 84 ".7f.....Q....>. 
0520: 6E 62 4A 0B 04 8D CF 79 07 DE 69 3B 49 95 B1 80 nbJ....y..i;I... 
0530: F4 9A 86 62 8D BD F4 DA FB BC 69 97 9A 8D DE 92 ...b......i..... 
0540: 0E 8A 65 E7 7C 62 E1 3D E6 93 AD 6F 0A 53 00 B0 ..e..b.=...o.S.. 
0550: 2F E7 09 A6 1B 01 72        /.....r 

05.07.2011 16:28:33 org.apache.http.impl.client.DefaultRequestDirector tryExecute 
INFO: I/O exception (org.apache.http.NoHttpResponseException) caught when proces 
sing request: The target server failed to respond 
05.07.2011 16:28:33 org.apache.http.impl.client.DefaultRequestDirector tryExecute 
INFO: Retrying request 
---------------------------------------- 
HTTP/1.1 401 Unauthorized 
---------------------------------------- 
<html><head> 
<meta http-equiv="Refresh" content="0; url=/share/page?pt=login"> 
</head><body><p>Please <a href="/share/page?pt=login">log in</a>.</p> 
</body></html> 

---------------------------------------- 

Answer 1

thư viện nào bạn sử dụng ở phía máy chủ? Bạn đã bật cờ gỡ lỗi để xem điều gì xảy ra khi máy chủ xử lý vé dịch vụ?

Answer 2

Cấu hình Kerberos của bạn có thể hoàn toàn ổn. Các messsage 401 có nghĩa là xác thực chính nó có thể đã đi tốt. Tuy nhiên, tôi nghi ngờ webapp chỉ cho phép người dùng nếu họ được chỉ định một vai trò. Cơ chế SPNego không gán vai trò như vậy ngoài hộp. Bạn vẫn cần phải cấu hình một Realm thực hiện ánh xạ.

Xem thêm câu hỏi của tôi trên danh sách gửi thư của người dùng Tomcat. https://mail-archives.apache.org/mod_mbox/tomcat-users/201210.mbox/%3C5075ECC6.8060501@christopherschultz.net%3E