Java La autenticación Kerberos parece funcionar, sigue siendo rechazada

Question

Tengo una aplicación de cliente Java y una aplicación de servidor Java, y estoy tratando de autenticar al servidor a través de Kerberos. El cliente básicamente usa componentes http y SPNEGO para hacer una llamada HTTP GET, pero siempre obtengo 401 Unauthorized como resultado.

no puedo detectar el error en la secuencia de inicio de sesión Kerberos a continuación, tal vez ustedes pueden:

Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt f 
alse ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is fa 
lse principal is null tryFirstPass is false useFirstPass is false storePass is f 
alse clearPass is false 
Kerberos-Benutzername [GP_Myuser]: GP_Myuser@EESERV.LOCAL 
Kerberos-Passwort f³r GP_Myuser@EESERV.LOCAL: 
       [Krb5LoginModule] user entered username: GP_Myuser@EESERV. 
LOCAL 

default etypes for default_tkt_enctypes: 23. 
Acquire TGT using AS Exchange 
default etypes for default_tkt_enctypes: 23. 
>>> KrbAsReq calling createMessage 
>>> KrbAsReq in createMessage 
>>> KrbKdcReq send: kdc=atlnztdc01.eeserv.local UDP:88, timeout=30000, number of retries =3, #bytes=144 
>>> KDCCommunication: kdc=atlnztdc01.eeserv.local UDP:88, timeout=30000,Attempt=1, #bytes=144 
>>> KrbKdcReq send: #bytes read=181 
>>> KrbKdcReq send: #bytes read=181 
>>> KdcAccessibility: remove atlnztdc01.eeserv.local:88 
>>> KDCRep: init() encoding tag is 126 req type is 11 
>>>KRBError: 
     sTime is Tue Jul 05 16:28:31 CEST 2011 1309876111000 
     suSec is 250145 
     error code is 25 
     error Message is Additional pre-authentication required 
     realm is EESERV.LOCAL 
     sname is krbtgt/EESERV.LOCAL 
     eData provided. 
     msgType is 30 
>>>Pre-Authentication Data: 
     PA-DATA type = 11 
     PA-ETYPE-INFO etype = 23 
     PA-ETYPE-INFO salt = 
>>>Pre-Authentication Data: 
     PA-DATA type = 19 
     PA-ETYPE-INFO2 etype = 23 
     PA-ETYPE-INFO2 salt = null 
>>>Pre-Authentication Data: 
     PA-DATA type = 2 
     PA-ENC-TIMESTAMP 
>>>Pre-Authentication Data: 
     PA-DATA type = 16 
>>>Pre-Authentication Data: 
     PA-DATA type = 15 
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ 
default etypes for default_tkt_enctypes: 23. 
>>>KrbAsReq salt is EESERV.LOCALGP_Myuser 
default etypes for default_tkt_enctypes: 23. 
Pre-Authenticaton: find key for etype = 23 
AS-REQ: Add PA_ENC_TIMESTAMP now 
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType 
>>> KrbAsReq calling createMessage 
>>> KrbAsReq in createMessage 
>>> KrbKdcReq send: kdc=atlnztdc01.eeserv.local UDP:88, timeout=30000, number of 
retries =3, #bytes=222 
>>> KDCCommunication: kdc=atlnztdc01.eeserv.local UDP:88, timeout=30000,Attempt=1, #bytes=222 
>>> KrbKdcReq send: #bytes read=1450 
>>> KrbKdcReq send: #bytes read=1450 
>>> KdcAccessibility: remove atlnztdc01.eeserv.local:88 
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType 
>>> KrbAsRep cons in KrbAsReq.getReply GP_Myuser 
default etypes for default_tkt_enctypes: 23. 
principal is GP_Myuser@EESERV.LOCAL 
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 3D F9 1C A6 3B 94 7B 27 B3 
6C D7 E5 70 77 84 22 =...;..'.l..pw." 

Commit Succeeded 

Found ticket for GP_Myuser@EESERV.LOCAL to go to krbtgt/EESERV.LOCAL@EESER 
V.LOCAL expiring on Wed Jul 06 02:28:32 CEST 2011 
Entered Krb5Context.initSecContext with state=STATE_NEW 
Service ticket not found in the subject 
>>> Credentials acquireServiceCreds: same realm 
default etypes for default_tgs_enctypes: 23. 
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType 
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType 
>>> KrbKdcReq send: kdc=atlnztdc01.eeserv.local UDP:88, timeout=30000, number of 
retries =3, #bytes=1452 
>>> KDCCommunication: kdc=atlnztdc01.eeserv.local UDP:88, timeout=30000,Attempt 
=1, #bytes=1452 
>>> KrbKdcReq send: #bytes read=1436 
>>> KrbKdcReq send: #bytes read=1436 
>>> KdcAccessibility: remove atlnztdc01.eeserv.local:88 
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType 
>>> KrbApReq: APOptions are 00100000 00000000 00000000 00000000 
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType 
Krb5Context setting mySeqNumber to: 512880730 
Created InitSecContextToken: 
0000: 01 00 6E 82 05 51 30 82 05 4D A0 03 02 01 05 A1 ..n..Q0..M...... 
0010: 03 02 01 0E A2 07 03 05 00 20 00 00 00 A3 82 04 ......... ...... 
0020: 6E 61 82 04 6A 30 82 04 66 A0 03 02 01 05 A1 0E na..j0..f....... 
0030: 1B 0C 45 45 53 45 52 56 2E 4C 4F 43 41 4C A2 24 ..EESERV.LOCAL.$ 
0040: 30 22 A0 03 02 01 00 A1 1B 30 19 1B 04 48 54 54 0".......0...HTT 
0050: 50 1B 11 61 6C 66 2D 74 65 73 74 2E 65 6C 69 6E P..alf-test.server 
0060: 2E 63 6F 6D A3 82 04 27 30 82 04 23 A0 03 02 01 .com...'0..#.... 
0070: 17 A1 03 02 01 03 A2 82 04 15 04 82 04 11 C2 1E ................ 
0080: 14 D0 18 19 AF 82 D3 92 7F 62 96 A9 92 F7 94 5B .........b.....[ 
0090: FF CA FE 66 2F C8 A9 C6 36 A2 2E FF EB FB CA 3D ...f/...6......= 
00A0: 5D 5B 59 B5 0F E3 B7 B6 29 C2 62 A3 45 44 42 00 ][Y.....).b.EDB. 
00B0: DA 14 3D 83 1E 50 3D AA A9 9F 0C A6 49 4E F3 51 ..=..P=.....IN.Q 
00C0: 67 68 14 A4 D3 49 E6 6F 1C 2C 7D 04 7B F2 6E BD gh...I.o.,....n. 
00D0: 23 07 DD CD 09 DC 89 62 73 0E 06 EE 68 28 39 A4 #......bs...h(9. 
00E0: 22 3C 92 C0 22 C0 6B 0B 42 4B 95 B5 E5 AC 77 30 "<..".k.BK....w0 
00F0: D8 75 A1 8D E8 FC A5 5A D6 1D A8 5B D4 15 82 C5 .u.....Z...[.... 
0100: AE 1E 36 48 72 01 9B 3C FA A9 60 20 1D 9A 84 20 ..6Hr..<..` ... 
0110: 41 3F FA 71 A8 07 9C 50 73 FA 03 2B 8D 94 98 C8 A?.q...Ps..+.... 
0120: 57 A2 87 09 BF 87 26 62 2B 49 40 6A 67 C4 F1 00 W.....&b+I@jg... 
0130: 66 55 D7 75 6D A6 2F 28 3C 68 86 1F 29 E1 7E 10 fU.um./(<h..)... 
0140: CD 2B F0 78 A7 23 D9 18 8D 5D 98 F9 7D 00 11 78 .+.x.#...].....x 
0150: 7B 5E D3 5E EA EE 74 82 B7 93 A4 DA 0E 3C 61 E6 .^.^..t......<a. 
0160: B3 D5 5A F3 67 8C 03 4C 0E E6 42 96 8F E0 99 98 ..Z.g..L..B..... 
0170: C2 A0 C6 D3 8F B4 A4 CA 99 C1 8A F0 6E 00 E0 BE ............n... 
0180: 95 7F 1F F5 E7 15 3D 0F CD 22 51 D9 41 D0 5F 01 ......=.."Q.A._. 
0190: 48 EB 47 64 B8 74 BC BE 76 0F AE 4B F4 E6 3A 1E H.Gd.t..v..K..:. 
01A0: 2A 62 85 FA 7E 07 E7 8D 60 EC B9 23 10 E3 1B 1E *b......`..#.... 
01B0: C5 90 D2 25 BB C5 2C 05 A3 E2 39 D1 FF 70 CF E7 ...%..,...9..p.. 
01C0: D5 C6 13 E6 BC 60 55 89 C1 B9 FB 0F E4 5D E7 A5 .....`U......].. 
01D0: 95 BA F9 70 EC 06 CB 62 E8 AD F3 29 BA 34 FF C2 ...p...b...).4.. 
01E0: 95 76 21 9B 0D 0B DE 66 05 0E EE 33 31 E7 BE 52 .v!....f...31..R 
01F0: 64 DB 91 8B 55 96 5F E7 2D 2A EA E2 D3 BC 5F CD d...U._.-*...._. 
0200: 46 E5 45 A1 07 68 28 BF 1D 32 7D 04 C0 60 97 78 F.E..h(..2...`.x 
0210: 4F 8E 4C 92 2B F1 B2 C3 9B 04 D9 43 02 7F A5 27 O.L.+......C...' 
0220: A4 8E 48 EE 5E A9 3B 7E 7F C0 54 0D A5 75 D2 B3 ..H.^.;...T..u.. 
0230: FC 72 3A 80 F4 9A F1 34 7C 51 54 13 F7 9E FE 79 .r:....4.QT....y 
0240: 8F 15 5A A7 9E 47 9B 36 10 33 F3 08 EA F2 33 BB ..Z..G.6.3....3. 
0250: 9F 45 61 ED 91 1F CF 30 05 76 C0 56 FB 38 51 25 .Ea....0.v.V.8Q% 
0260: 27 1F 39 A5 C9 F9 0C D2 00 F2 6B E2 28 09 B2 30 '.9.......k.(..0 
0270: A2 63 68 FE 46 A5 33 E0 60 BB B2 B5 DA 5A 78 2A .ch.F.3.`....Zx* 
0280: 37 FE 16 0D 8E E6 97 52 47 28 B2 D0 92 DB F3 CD 7......RG(...... 
0290: 9A 5F 98 16 4E C9 96 2C 00 7C FE 96 B0 DE CD 6D ._..N..,.......m 
02A0: 5A BC 13 1B E2 E7 F6 74 DE DC 2B B7 16 AB C0 0F Z......t..+..... 
02B0: BA 4C 08 C3 4F 25 3C 1A 9A E5 36 32 8E D9 C7 10 .L..O%<...62.... 
02C0: 62 F2 13 BB 62 B4 C5 F2 9D 69 DB 6C 0C 37 E1 AF b...b....i.l.7.. 
02D0: F5 C6 D9 CD B5 F6 60 A2 93 DD 98 8C B2 59 C7 7A ......`......Y.z 
02E0: 50 4D 27 7B CC DA C9 28 9D 05 9C E8 FC 57 F8 4A PM'....(.....W.J 
02F0: 12 67 ED 7E 23 AB B5 FB 8A B7 CE 4D DA 1B 7F 1A .g..#......M.... 
0300: B3 6F DF 42 9F C4 90 C9 35 D9 77 33 CD 6C C5 B5 .o.B....5.w3.l.. 
0310: C2 A8 15 8C AE BD AE 5F 0A 0A AB 7C 8C F8 E2 9F ......._........ 
0320: 27 3C 27 85 B3 97 D9 9D DA 6E 56 25 3B BA D5 FB '<'......nV%;... 
0330: AB 24 8B BE B7 26 12 7F B6 25 E5 26 DE 8D 54 AA .$...&...%.&..T. 
0340: 0B 68 DB 4B 81 AD 9C FD 88 0F 7D 6A 97 79 E5 0F .h.K.......j.y.. 
0350: 5B 82 43 6F 05 AE C0 EB 77 A6 E3 39 BE 85 6E F0 [.Co....w..9..n. 
0360: B5 F5 0B 13 E7 CC 7B 1E 81 4F 37 77 BB 02 26 C2 .........O7w..&. 
0370: D7 2C 80 CD 62 91 A7 0C F8 D1 76 5C 21 39 A0 93 .,..b.....v\!9.. 
0380: 83 04 0A F7 1F C3 4B 0B 34 85 2D 90 75 4E FE 31 ......K.4.-.uN.1 
0390: 61 BF D8 F3 36 B5 40 BA 06 F8 47 33 D4 DD EE 2A a...6.@...G3...* 
03A0: 9C FB 5E 51 7A 25 F7 C1 3F 4D 58 73 F2 4A 50 EA ..^Qz%..?MXs.JP. 
03B0: 68 09 27 85 F3 2E BB EA 8E B4 D3 7C DC 3B 52 71 h.'..........;Rq 
03C0: 87 34 1B 6F 80 D1 D2 F1 7D C3 9E C4 C3 79 8A A7 .4.o.........y.. 
03D0: DA 0B A2 69 7C DE D5 67 C7 20 AD 97 A2 98 6A E3 ...i...g. ....j. 
03E0: A3 59 BD D2 B6 19 18 1D AB A7 58 3A 56 16 ED 2A .Y........X:V..* 
03F0: 75 73 4E DB 02 B5 77 4B F5 9D 1D A4 36 ED 39 26 usN...wK....6.9& 
0400: B8 A4 CD 7C 79 5E 11 3C 36 9D DA DA E7 F5 D2 9F ....y^.<6....... 
0410: BA 4B 45 E0 67 E5 4F 33 9E 0B 60 E6 76 EB 02 AC .KE.g.O3..`.v... 
0420: CC 24 C4 EB 37 C4 31 B7 EA F3 EA 5B 39 D6 E3 0A .$..7.1....[9... 
0430: DC F8 DE 8B 18 8C E0 25 5C 4B 85 38 B0 99 04 9C .......%\K.8.... 
0440: 61 75 17 E3 E6 0C 88 D9 7B C4 9A 2D 25 B3 C1 FE au.........-%... 
0450: 9F FD 12 4F E0 DF CF E6 C1 BA 68 00 32 E8 1F 9A ...O......h.2... 
0460: 2F 0E FB 44 59 53 8B 43 C5 B6 24 D3 76 B4 04 D2 /..DYS.C..$.v... 
0470: 39 A9 21 41 EC A3 78 D1 9B 07 64 10 5B 64 EB 18 9.!A..x...d.[d.. 
0480: 08 5B 2C 45 90 53 C9 90 A0 4C 15 AF 8A D4 80 A4 .[,E.S...L...... 
0490: 81 C5 30 81 C2 A0 03 02 01 17 A2 81 BA 04 81 B7 ..0............. 
04A0: CB D6 6F 4E E7 6C 78 93 EF 6D EA 0C C8 A9 6B 37 ..oN.lx..m....k7 
04B0: EB 0E 9C C5 86 9E E6 BA 0D 88 26 BA FE A8 83 86 ..........&..... 
04C0: D4 06 52 50 AF 48 BC 8F 66 08 F1 1E A4 97 5E 05 ..RP.H..f.....^. 
04D0: 24 B4 DC 44 94 F3 5D 3D 07 17 10 33 15 D8 E0 0C $..D..]=...3.... 
04E0: E8 E8 0F 70 E6 23 B3 FF D5 23 63 02 A4 6B 86 C9 ...p.#...#c..k.. 
04F0: 88 96 FA 8B 02 3C E6 C6 19 7E 86 58 D5 07 80 8F .....<.....X.... 
0500: 21 10 7A F8 2D E2 C0 AE 33 19 A3 87 8F 18 03 A0 !.z.-...3....... 
0510: 22 13 37 66 D5 CA 02 02 E9 51 87 D5 E5 7D 3E 84 ".7f.....Q....>. 
0520: 6E 62 4A 0B 04 8D CF 79 07 DE 69 3B 49 95 B1 80 nbJ....y..i;I... 
0530: F4 9A 86 62 8D BD F4 DA FB BC 69 97 9A 8D DE 92 ...b......i..... 
0540: 0E 8A 65 E7 7C 62 E1 3D E6 93 AD 6F 0A 53 00 B0 ..e..b.=...o.S.. 
0550: 2F E7 09 A6 1B 01 72        /.....r 

05.07.2011 16:28:33 org.apache.http.impl.client.DefaultRequestDirector tryExecute 
INFO: I/O exception (org.apache.http.NoHttpResponseException) caught when proces 
sing request: The target server failed to respond 
05.07.2011 16:28:33 org.apache.http.impl.client.DefaultRequestDirector tryExecute 
INFO: Retrying request 
---------------------------------------- 
HTTP/1.1 401 Unauthorized 
---------------------------------------- 
<html><head> 
<meta http-equiv="Refresh" content="0; url=/share/page?pt=login"> 
</head><body><p>Please <a href="/share/page?pt=login">log in</a>.</p> 
</body></html> 

---------------------------------------- 

Answer 1

Lo biblioteca usa en el lado del servidor? ¿Habilita los indicadores de depuración para ver qué sucede cuando el servidor procesa el ticket de servicio?

Answer 2

Su configuración de Kerberos podría estar completamente bien. El mensaje 401 significa que la autentificación misma probablemente fue bien. Sin embargo, sospecho que la aplicación web solo permite a los usuarios si tienen asignada una función. El mecanismo SPNego no asigna dicha función de inmediato. Aún necesita configurar un Reino que realice la asignación.

Consulte también mi pregunta en la lista de correo de los usuarios de Tomcat. https://mail-archives.apache.org/mod_mbox/tomcat-users/201210.mbox/%3C5075ECC6.8060501@christopherschultz.net%3E