“检测到有缺陷的令牌”错误(NTLM不是Kerberos)与Kerberos/Spring Security/IE/Active Directory
2022-09-01 11:54:57
我们在让Spring Security/Kerberos/AD为我们的Web应用程序工作时遇到了麻烦。我们的诊断是,我们的AD服务器向IE发送NTLM令牌(我们可以告诉它以“TlRMTVNT.....”开头)到IE,然后IE将其发送到我们的应用程序,并且它失败了。我们的 AD 服务器应该向 IE 发送 Kerberos/SPNEGO 令牌。
“活动部件”如下:
- 弹簧安全 3.0(已修补)
- Microsoft Windows Server Enterprise 2003 SP1 Active Directory
- IE 8
- 雄猫 (TC 服务器 6.0)
- Java 1.6
我们已经按照此处的说明中详细说明了所有内容:
https://spring.io/blog/2009/09/28/spring-security-kerberos-spnego-extension
这涉及:
- 创建普通用户作为服务主体(与应用程序所在的计算机名称相同)。我们设置以下帐户选项:
- 已禁用“使用时必须更改下次登录密码”
- 启用“密码永不过期”
- 已启用“使用 Kerberos DES...”。
- 已禁用“不需要 Kerberos 预身份验证”
- 注意:服务器 2003 年未显示“此帐户支持 Kerberos AES 128 位...”。和“此帐户支持 Kerberos AES 256 位...”选项
- 使用“ktpass.exe”将服务主体名称 (SPN) 分配给此新用户,并将此用户密钥导出到密钥表文件。使用 'ktpass /out ourweb.keytab /mapuser ourweb.testdomain.ourcompany.co.uk@TESTDOMAIN.OURCOMPANY.CO.UK /princ HTTP/ourweb.testdomain.ourcompany.co.uk@TESTDOMAIN.OURCOMPANY.CO.UK /通过 *'
- 从 https://src.springframework.org/svn/se-security/trunk 下载源代码。
- 已将密钥表文件从 AD 服务器复制到源代码(应用程序)的 WEB-INF/等。
- 对文件 SunJaasKerbersoTicketValidator 进行了更改.java以读取 keytab 文件。(要解决应用程序无法从 Java 类路径读取 keytab 文件的错误)options.put(“keyTab”, “C:\se-security\spring-security-kerberos\spring-security-kerberos-sample\src\main\webapp\WEB-INF\etc\ourweb.keytab”);
- 已将 web.xml 配置为使用 spnego.xml。contextConfigLocation /WEB-INF/spnego.xml
- 配置Spring Security(spnego.xml)以使用Kerberos(SpnegoEntryPoint,SpnegoAuthenticationProcessingFilter和KerberosServiceAuthenticationProvider beans),通过提供服务prinicipal名称和keytab文件位置。
- 已配置 spnego.xml读取 WEB-INF/等中复制的密钥表文件。
当我们启动TC服务器时,我们可以看到事情初始化得很好(即没有错误 - “从keytab获得的原则密钥”):
Creating instance of bean 'org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator#10fa4b8'
Invoking afterPropertiesSet() on bean with name 'org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator#10fa4b8'
Config name: C:\WINDOWS\krb5.ini
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is C:\se-security\spring-security-kerberos\spring-security-kerberos-sample\src\main\webapp\WEB-INF\etc\ourwebapp4.keytab refreshKrb5Config is false principal is HTTP/ourwebappweb4.testdomain.ourcompany.co.uk tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>> KeyTabInputStream, readName(): TESTDOMAIN.OURCOMPANY.CO.UK
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): ourweb
>>> KeyTab: load() entry length: 78; type: 1
>>> KeyTabInputStream, readName(): TESTDOMAIN.OURCOMPANY.CO.UK
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): ourweb.testdomain.ourcompany.co.uk
>>> KeyTab: load() entry length: 113; type: 1
Added key: 1version: 2
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 1.
0: EncryptionKey: keyType=1 kvno=2 keyValue (hex dump)=
0000: 91 01 43 E3 02 A8 B9 83
principal's key obtained from the keytab
principal is HTTP/ourweb.testdomain.ourcompany.co.uk@TESTDOMAIN.OURCOMPANY.CO.UK
EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 91 01 43 E3 02 A8 B9 83
Added server's keyKerberos Principal HTTP/ourweb.testdomain.ourcompany.co.uk@TESTDOMAIN.OURCOMPANY.CO.UKKey Version 2key EncryptionKey: keyType=1 keyBytes (hex dump)=
0000: 91 01 43 E3 02 A8 B9 83
[Krb5LoginModule] added Krb5Principal HTTP/ourweb.testdomain.ourcompany.co.uk@TESTDOMAIN.OURCOMPANY.CO.UK to Subject Commit Succeeded
Finished creating instance of bean 'org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator#10fa4b8'
准备好进行测试后,我们在 IE 中启用了“Windows 集成身份验证”,并确保该域已在 IE 的本地 Intranet 站点部分中列出。然后,我们使用完全限定的域名连接到我们的 Web 应用程序。
当我们这样做时,我们在浏览器中遇到了以下错误:
500 Internal server error.
和 TC 服务器日志文件中:
Negotiate Header was invalid: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
org.springframework.security.authentication.BadCredentialsException: Kerberos validation not succesfull
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:74)
at org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:92)
at org.springframework.security.authentication.ProviderManager.doAuthentication(ProviderManager.java:120)
at org.springframework.security.authentication.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:48)
at org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:132)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:149)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at com.springsource.metrics.collection.web.HttpRequestMetricCollectionValve.invoke(HttpRequestMetricCollectionValve.java:44)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:849)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:379)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:619)
Caused by: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:396)
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:72)
... 25 more
Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:80)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:287)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:161)
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:1)
... 28 more
SecurityContextHolder now cleared, as request processing completed
似乎(从我们可以看出)AD服务器向IE发送NTLM令牌(我们可以告诉它以“TlRMTVNT.....”开头)到IE,然后IE将其发送到我们的应用程序,并且它失败了。
我们的 AD 服务器应该向 IE 发送 Kerberos/SPNEGO 令牌。
其他注意事项:
- 我们的服务器(tc服务器)和客户端(浏览器)位于不同的(虚拟)机器上,并且位于同一域中。
