2012-11-28
7

So I have some code I'm testing to make sure it authenticates properly. It works fine against straight Kerberos, so I figured there should only be some minor hiccups with AD. Unfortunately I can't get past KrbException: KDC has no support for encryption type (14). Java authenticating against Active Directory, encryption mismatch?

I understand the error is an encryption type mismatch. But I can kinit fine; it's only in this code that I'm having problems. I haven't set anything, so I figured it should inherit the same defaults as kinit, but apparently not.

The code -

    import javax.security.auth.Subject;
    import javax.security.auth.login.LoginContext;

    System.setProperty("sun.security.krb5.debug", "true");
    System.setProperty("java.security.krb5.realm", "TEST.SQRRL.COM");
    System.setProperty("java.security.krb5.kdc", "172.16.101.128");
    System.setProperty("java.security.auth.login.config", "./conf/jaas.conf");
    System.setProperty("javax.security.auth.useSubjectCredsOnly", "true");

    // "Server" references the entry of that name in the jaas.conf file.
    // LoginCallbackHandler is the application's own CallbackHandler that supplies the password.
    LoginContext loginCtx = new LoginContext("Server", new LoginCallbackHandler("test".toCharArray()));
    loginCtx.login();
    Subject subject = loginCtx.getSubject();

And the jaas.conf -

    Server {
        com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=false
        storeKey=true
        useTicketCache=true
        principal="[email protected]";
    };

And the stack trace -

>>>KRBError: 
    sTime is Tue Nov 27 18:16:36 EST 2012 1354058196000 
    suSec is 257213 
    error code is 14 
    error Message is KDC has no support for encryption type 
    realm is test.SQRRL.COM 
    sname is krbtgt/test.SQRRL.COM 
    msgType is 30 
javax.security.auth.login.LoginException: KDC has no support for encryption type (14) 
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696) 
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542) 
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) 
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) 
    at java.lang.reflect.Method.invoke(Method.java:597) 
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769) 
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) 
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683) 
    at java.security.AccessController.doPrivileged(Native Method) 
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) 
    at javax.security.auth.login.LoginContext.login(LoginContext.java:579) 
    at authenticators.KerberosAuthenticator.<init>(KerberosAuthenticator.java:37) 
    at main.ServerImpl.<init>(ServerImpl.java:91) 
    at main.PlugServer.run(PlugServer.java:22) 
    at main.PlugServer.main(PlugServer.java:42) 
Caused by: KrbException: KDC has no support for encryption type (14) 
    at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:66) 
    at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:446) 
    at sun.security.krb5.Credentials.sendASRequest(Credentials.java:401) 
    at sun.security.krb5.Credentials.acquireTGT(Credentials.java:373) 
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:662) 
    ... 15 more 
Caused by: KrbException: Identifier doesn't match expected value (906) 
    at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133) 
    at sun.security.krb5.internal.ASRep.init(ASRep.java:58) 
    at sun.security.krb5.internal.ASRep.<init>(ASRep.java:53) 
    at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:50) 
    ... 19 more 
Exception in thread "main" java.lang.RuntimeException: javax.security.auth.login.LoginException: KDC has no support for encryption type (14) 
    at main.PlugServer.run(PlugServer.java:36) 
    at main.PlugServer.main(PlugServer.java:42) 
Caused by: javax.security.auth.login.LoginException: KDC has no support for encryption type (14) 
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696) 
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542) 
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) 
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) 
    at java.lang.reflect.Method.invoke(Method.java:597) 
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769) 
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) 
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683) 
    at java.security.AccessController.doPrivileged(Native Method) 
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) 
    at javax.security.auth.login.LoginContext.login(LoginContext.java:579) 
    at authenticators.KerberosAuthenticator.<init>(KerberosAuthenticator.java:37) 
    at main.ServerImpl.<init>(ServerImpl.java:91) 
    at main.PlugServer.run(PlugServer.java:22) 
    ... 1 more 
Caused by: KrbException: KDC has no support for encryption type (14) 
    at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:66) 
    at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:446) 
    at sun.security.krb5.Credentials.sendASRequest(Credentials.java:401) 
    at sun.security.krb5.Credentials.acquireTGT(Credentials.java:373) 
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:662) 
    ... 15 more 
Caused by: KrbException: Identifier doesn't match expected value (906) 
    at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133) 
    at sun.security.krb5.internal.ASRep.init(ASRep.java:58) 
    at sun.security.krb5.internal.ASRep.<init>(ASRep.java:53) 
    at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:50) 
    ... 19 more 

Answers

5

So, I got past this stage. I can only guess that DES support in Windows Server 2012's Active Directory is broken, because I ended up tweaking my krb5.conf file, setting both the default ticket types and the permitted types to aes256-cts-hmac-sha1-96, and it worked for one user. After enabling aes256 in AD for the other users, it continued to work.

+0

aes256-cts works with 2008R2 – sura2k

0

Looking at init() in KDCRep.java, it seems the only part of it that could throw your error is:

    if ((subDer.getTag() & 0x1F) == 0x00) {
        pvno = subDer.getData().getBigInteger().intValue();
        if (pvno != Krb5.PVNO) {
            throw new KrbApErrException(Krb5.KRB_AP_ERR_BADVERSION);
        }
    } else {
        throw new Asn1Exception(Krb5.ASN1_BAD_ID);
    }

It seems a bit odd that the error is printed as a KrbException, but that could work because KrbApErrException is a subclass of KrbException. However, init() can't throw any other subclass of KrbException.

Scratch that. A better possibility is that it's one of the Asn1Exceptions, since the constructor in KrbAsRep.java catches those errors and rethrows them as KrbException (with an appropriate initCause, which matches the stack trace).

"Identifier doesn't match expected value (906)" leads me to believe it is throwing Asn1Exception(Krb5.ASN1_BAD_ID), since Krb5.ASN1_BAD_ID has value 906. That isn't too helpful, though, since it seems to be the default error in init().

See if you can generate the DerValue corresponding to your configuration and check it by hand, see where init() would reject it, then step back from there and look at which part of your configuration created the bad bits.


On further inspection, the message "KDC has no support for encryption type" leads me to believe Krb5.KDC_ERR_ETYPE_NOSUPP must have been used. But since that is only used for the default instance of Etype, this may not make much sense.

+0

"Identifier doesn't match expected value (906)" is a standard exception in the lower levels of the Kerberos GSSAPI implementation. It gets thrown for a lot of things, but the layers above it have proper error handling. I'm fairly certain it's some kind of encryption mismatch between the server and the Java client, going by the message from the KDC. I guess what I'm stuck on is how to set a different encryption type in the Java client. The system's configuration is fine, since kinit works. It's the Java settings that are off, and I don't know how to fix that. (I think) – ohshazbot

1

You need to go to the user's account and check the 'Use Kerberos DES encryption types' checkbox.

You need to be logged into the DS as an administrator to do that.

+1

I checked those boxes and reset the user's password, with no success. This is Active Directory on Windows Server 2012. – ohshazbot
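The accepted answer fixes the client side (pinning the krb5.conf enctype lists to AES-256) and the DES-checkbox answer adjusts the account side; error 14 is what the KDC returns when those two sides share no encryption type. The following script is an added example, not code from the question or from any answer: it parses the enctype lines out of a constructed krb5.conf in the shape the accepted answer describes (using the question's realm and KDC address), decodes an account's msDS-SupportedEncryptionTypes bitmask (attribute and bit values as documented in MS-KILE), and predicts whether the AS exchange will be answered with KDC_ERR_ETYPE_NOSUPP. Treating an unset attribute as "RC4 only" is a simplification this example assumes.

```python
"""Model the enctype negotiation that ends in KDC error 14 (added example;
krb5.conf text and account attribute values are constructed here)."""
from __future__ import annotations

import re

# Short names accepted in krb5.conf, mapped to the canonical spelling.
ALIASES = {
    "aes256-cts": "aes256-cts-hmac-sha1-96",
    "aes128-cts": "aes128-cts-hmac-sha1-96",
    "arcfour-hmac": "rc4-hmac",
    "arcfour-hmac-md5": "rc4-hmac",
    "rc4-hmac-md5": "rc4-hmac",
}

# Bits of the AD account attribute msDS-SupportedEncryptionTypes (MS-KILE).
AD_SUPPORTED_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "rc4-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}

KDC_ERR_ETYPE_NOSUPP = 14  # the error code in the question's KRBError dump

# Constructed krb5.conf in the shape the accepted answer describes: every
# enctype list pinned to AES-256. Realm and KDC address are the question's.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = TEST.SQRRL.COM
    default_tkt_enctypes = aes256-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96
    permitted_enctypes = aes256-cts-hmac-sha1-96

[realms]
    TEST.SQRRL.COM = {
        kdc = 172.16.101.128
    }
"""


def canonical(name: str) -> str:
    """Normalise a krb5.conf enctype name to its canonical spelling."""
    name = name.lower()
    return ALIASES.get(name, name)


def libdefaults_enctypes(krb5_conf: str, key: str = "default_tkt_enctypes") -> list[str]:
    """Return the enctypes listed under `key` in [libdefaults], in the order
    the client will offer them in its AS-REQ (empty list if the key is absent)."""
    section = None
    for raw in krb5_conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            k, v = (part.strip() for part in line.split("=", 1))
            if k == key:
                return [canonical(n) for n in v.split()]
    return []


def account_enctypes(ms_ds_supported_encryption_types: int) -> set[str]:
    """Decode msDS-SupportedEncryptionTypes into enctype names.
    Assumption of this example: an unset (zero) attribute means the DC
    falls back to RC4 only for that account."""
    if ms_ds_supported_encryption_types == 0:
        return {"rc4-hmac"}
    return {name for bit, name in AD_SUPPORTED_BITS.items()
            if ms_ds_supported_encryption_types & bit}


def predict_as_exchange(client_enctypes: list[str], account_bits: int) -> tuple[int | None, list[str]]:
    """Return (kdc_error_code_or_None, enctypes both sides accept).
    The KDC can only pick an enctype the client offered AND for which the
    account has a key; an empty intersection is answered with error 14."""
    supported = account_enctypes(account_bits)
    usable = [e for e in (canonical(c) for c in client_enctypes) if e in supported]
    if not usable:
        return KDC_ERR_ETYPE_NOSUPP, []
    return None, usable


if __name__ == "__main__":
    client = libdefaults_enctypes(SAMPLE_KRB5_CONF)
    # Account still on the DC default (attribute unset): AES-only client fails.
    print(predict_as_exchange(client, 0x00))   # (14, [])
    # Account with AES128+AES256 enabled: the exchange succeeds on AES-256.
    print(predict_as_exchange(client, 0x18))   # (None, ['aes256-cts-hmac-sha1-96'])
    # DES bits only (the checkbox from the last answer) against an AES-only client: still 14.
    print(predict_as_exchange(client, 0x03))   # (14, [])
```

To make the JVM read such a file, point it at the file with the standard `java.security.krb5.conf` system property (for example `-Djava.security.krb5.conf=/path/to/krb5.conf`); the `java.security.krb5.realm` and `java.security.krb5.kdc` properties used in the question carry no enctype settings, which is why kinit and the Java client can end up offering different lists. On the command-line side, `klist -e` (MIT Kerberos) shows which enctype kinit actually obtained, so you can compare it against what the Java client offers with `sun.security.krb5.debug` enabled.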
