2014-09-04 93 views

JBoss Negotiation in JBoss AS 7.1.1: error testing the toolkit against AD

I am testing the JBoss Negotiation Toolkit and can only get the first two steps, "Basic Negotiation" and "Security Domain Test", to succeed. The last step, "Secured", fails with "Unable to authenticate: GSSException: Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))". I googled but could not find anything useful; I generated the "SecureKey" again and the error stays the same.


1. Generating the SecureKey

Z:\>ktpass -princ mttsrvdc01/[email protected] -out C:\usuarioAD.mttsrvdc01.keytab -pass 1234 -mapuser krypton\usuarioAD -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL 
Targeting domain controller: mttsrvdc01.domain.com 
Using legacy password setting method 
WARNING: realm "domain.com" has lowercase characters in it. 
     We only currently support realms in UPPERCASE. 
     assuming you mean "DOMAIN.COM"... 
Successfully mapped mttsrvdc01/usuarioAD to usuarioAD. 
Key created. 
Output keytab to C:\usuarioAD.mttsrvdc01.keytab: 
Keytab version: 0x502 
keysize 83 mttsrvdc01/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 6 etype 0x17 (RC4-HMAC) keylength 16 (0x13c61e319351b92678bef514728d011b) 

Z:\>setspn.exe -l usuarioAD 
Registered ServicePrincipalNames for [XYZ]: 
    mttsrvdc01/usuarioAD 

2. standalone.xml (JBoss 7.1.1)

<security-domain name="host" cache-type="default">
  <authentication>
    <login-module code="Kerberos" flag="required">
      <module-option name="storeKey" value="true"/>
      <module-option name="useKeyTab" value="true"/>
      <module-option name="principal" value="mttsrvdc01/[email protected]"/>
      <module-option name="keyTab" value="C:\usuarioAD.mttsrvdc01.keytab"/>
      <module-option name="doNotPrompt" value="true"/>
      <module-option name="debug" value="true"/>
    </login-module>
  </authentication>
</security-domain>
<security-domain name="SPNEGO" cache-type="default">
  <authentication>
    <login-module code="SPNEGO" flag="requisite">
      <module-option name="password-stacking" value="useFirstPass"/>
      <module-option name="serverSecurityDomain" value="host"/>
    </login-module>
    <login-module code="AdvancedAdLdap" flag="required">
      <module-option name="password-stacking" value="useFirstPass"/>
      <module-option name="bindAuthentication" value="GSSAPI"/>
      <module-option name="jaasSecurityDomain" value="host"/>
      <module-option name="java.naming.provider.url" value="ldap://mttsrvdc01:389"/>
      <module-option name="baseCtxDN" value="OU=MTT,DC=USERS,DC=DOMAIN,DC=com,DC=br"/>
      <module-option name="baseFilter" value="(userPrincipalName={0})"/>
      <module-option name="roleAttributeIsDN" value="true"/>
      <module-option name="roleAttributeID" value="memberOf"/>
      <module-option name="roleNameAttributeID" value="cn"/>
      <module-option name="recurseRoles" value="true"/>
    </login-module>
  </authentication>
</security-domain>

3. First and second tests in the toolkit

NEGOTIATION TOOLKIT 
• Basic Negotiation 
WWW-Authenticate - Negotiate YHkGBisGAQUFAqBvMG2gMDAuBgorBgEEAYI3AgIKBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHqI5BDdOVExNU1NQAAEAAACXsgjiBwAHADAAAAAIAAgAKAAAAAYBsR0AAAAPTVRUREVWNTVLUllQVE9O 
• NegTokenInit 
Message Oid - SPNEGO 
Mech Types - {NTLM} {Kerberos V5 Legacy} {Kerberos V5} {1.3.6.1.4.1.311.2.2.30} 
Req Flags - 
Mech Token -TlRMTVNTUAABAAAAl7II4gcABwAwAAAACAAIACgAAAAGAbEdAAAAD01UVERFVjU1S1JZUFRPTg== 
Mech List Mic - 


NEGOTIATION TOOLKIT 
• Security Domain Test 
Testing security-domain 'host' 
Authenticated 
Assunto: 
Principal: mttsrvdc01/[email protected] 
Credencial Privada: Ticket (hex) = 
0000: 61 82 01 35 30 82 01 31 A0 03 02 01 05 A1 19 1B a..50..1........ 
0010: 17 4B 52 59 50 54 4F 4E 2E 4D 45 54 41 54 52 4F .DOMAIN......... 
0020: 4E 2E 43 4F 4D 2E 42 52 A2 2C 30 2A A0 03 02 01 .COM.BR.,0*..... 
0030: 02 A1 23 30 21 1B 06 6B 72 62 74 67 74 1B 17 4B ..#0!..krbtgt..D 
0040: 52 59 50 54 4F 4E 2E 4D 45 54 41 54 52 4F 4E 2E OMAIN.COM....... 
0050: 43 4F 4D 2E 42 52 A3 81 E0 30 81 DD A0 03 02 01 COM.BR...0...... 
0060: 17 A1 03 02 01 02 A2 81 D0 04 81 CD 91 C5 8C 7A ...............z 
0070: 6E F7 2A 44 33 62 43 CB 96 E1 F2 BC 39 B9 C8 92 n.*D3bC.....9... 
0080: DB BA 0E D5 5D FA B4 E4 AA 08 13 D2 7E 2F BE 02 ....]......../.. 
0090: 43 FC 02 86 C7 BE F6 D6 58 B6 6A 3B A3 B7 F2 1C C.......X.j;.... 
00A0: 15 33 9A C0 20 BB 4D 77 E0 95 17 26 73 0C CA 5C .3.. .Mw...&s..\ 
00B0: B7 A5 47 DC 5A 49 25 D6 4F 52 79 1D 74 BC E3 BD ..G.ZI%.ORy.t... 
00C0: 8C A8 A0 0B 05 74 F3 61 B7 6C 17 29 DC D1 F6 0B .....t.a.l.).... 
00D0: 03 15 16 08 D7 22 5F 8A BC 5B E2 A3 48 58 7B 01 ....."_..[..HX.. 
00E0: CA 67 27 DF 5C 0C D1 E2 19 67 A7 EC D3 70 CD 94 .g'.\....g...p.. 
00F0: 97 BE 47 B4 F8 2E 50 5C E0 F7 21 3A 17 D7 F0 25 ..G...P\..!:...% 
0100: D7 0F B0 23 F2 E4 94 2C CF E0 D5 5F B2 CA 1E 5B ...#...,..._...[ 
0110: C0 0D 83 57 70 C8 43 FF 90 F9 33 1F 96 ED A5 99 ...Wp.C...3..... 
0120: F1 7F C9 D1 9B 28 C6 50 42 6C 36 F5 4C 41 35 19 .....(.PBl6.LA5. 
0130: 7E 73 7A 26 56 71 20 8D 79 .sz&Vq .y 

Client Principal = mttsrvdc01/[email protected] 
Server Principal = krbtgt/[email protected] 
Session Key = EncryptionKey: keyType=23 keyBytes (hex dump)= 
0000: 60 46 45 1C F8 FD 44 26 50 B7 40 42 F1 06 A3 2E `FE...D&[email protected] 


Forwardable Ticket false 
Forwarded Ticket false 
Proxiable Ticket false 
Proxy Ticket false 
Postdated Ticket false 
Renewable Ticket false 
Initial Ticket false 
Auth Time = Thu Sep 04 15:46:17 BRT 2014 
Start Time = Thu Sep 04 15:46:17 BRT 2014 
End Time = Fri Sep 05 01:46:17 BRT 2014 
Renew Till = null 
Client Addresses Null 
Credencial Privada: C:\usuarioAD.mttsrvdc01.keytab 
Credencial Privada: Kerberos Principal mttsrvdc01/[email protected] Version 6key EncryptionKey: keyType=23 keyBytes (hex dump)= 
0000: 13 C6 1E 31 93 51 B9 26 78 BE F5 14 72 8D 01 1B ...1.Q.&x...r... 

4. Stack trace

15:46:35,722 INFO [stdout] (http--0.0.0.0-8081-1) Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:\usuarioAD.mttsrvdc01.keytab refreshKrb5Config is false principal is mttsrvdc01/[email protected] tryFirstPass is false useFirstPass is false storePass is false clearPass is false 
15:46:35,733 INFO [stdout] (http--0.0.0.0-8081-1) principal is mttsrvdc01/[email protected] 

15:46:35,734 INFO [stdout] (http--0.0.0.0-8081-1) Will use keytab 

15:46:35,736 INFO [stdout] (http--0.0.0.0-8081-1) Commit Succeeded 
15:46:35,737 INFO [stdout] (http--0.0.0.0-8081-1) 

15:46:35,759 INFO [stdout] (http--0.0.0.0-8081-1)  [Krb5LoginModule]: Entering logout 

15:46:35,760 INFO [stdout] (http--0.0.0.0-8081-1)  [Krb5LoginModule]: logged out Subject 

15:46:35,761 ERROR [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http--0.0.0.0-8081-1) Unable to authenticate: GSSException: Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44)) 
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:788) [rt.jar:1.7.0_60] 
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342) [rt.jar:1.7.0_60] 
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285) [rt.jar:1.7.0_60] 
    at org.jboss.security.negotiation.spnego.SPNEGOLoginModule$AcceptSecContext.run(SPNEGOLoginModule.java:396) [jboss-negotiation-spnego-2.2.0.SP1.jar:2.2.0.SP1] 
    at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_60] 
    at javax.security.auth.Subject.doAs(Subject.java:356) [rt.jar:1.7.0_60] 
    at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.spnegoLogin(SPNEGOLoginModule.java:237) [jboss-negotiation-spnego-2.2.0.SP1.jar:2.2.0.SP1] 
    at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.innerLogin(SPNEGOLoginModule.java:194) [jboss-negotiation-spnego-2.2.0.SP1.jar:2.2.0.SP1] 
    at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:137) [jboss-negotiation-spnego-2.2.0.SP1.jar:2.2.0.SP1] 
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_60] 
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_60] 
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_60] 
    at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_60] 
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762) [rt.jar:1.7.0_60] 
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) [rt.jar:1.7.0_60] 
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690) [rt.jar:1.7.0_60] 
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688) [rt.jar:1.7.0_60] 
    at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_60] 
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687) [rt.jar:1.7.0_60] 
    at javax.security.auth.login.LoginContext.login(LoginContext.java:595) [rt.jar:1.7.0_60] 
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:449) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final] 
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:383) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final] 
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:371) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final] 
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:160) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final] 
    at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:214) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final] 
    at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:187) [jboss-negotiation-common-2.2.0.SP1.jar:2.2.0.SP1] 
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:455) [jbossweb-7.0.13.Final.jar:] 
    at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final] 
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:] 
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:] 
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:] 
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:] 
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:] 
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:] 
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:] 
    at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_60] 
Caused by: KrbException: Specified version of key is not available (44) 
    at sun.security.krb5.EncryptionKey.findKey(EncryptionKey.java:588) [rt.jar:1.7.0_60] 
    at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:270) [rt.jar:1.7.0_60] 
    at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:144) [rt.jar:1.7.0_60] 
    at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108) [rt.jar:1.7.0_60] 
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:771) [rt.jar:1.7.0_60] 
    ... 35 more 

15:46:35,827 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--0.0.0.0-8081-1) Login failure: javax.security.auth.login.LoginException: Unable to authenticate - Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44)) 
    at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:163) [jboss-negotiation-spnego-2.2.0.SP1.jar:2.2.0.SP1] 
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_60] 
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_60] 
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_60] 
    at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_60] 
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762) [rt.jar:1.7.0_60] 
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) [rt.jar:1.7.0_60] 
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690) [rt.jar:1.7.0_60] 
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688) [rt.jar:1.7.0_60] 
    at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_60] 
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687) [rt.jar:1.7.0_60] 
    at javax.security.auth.login.LoginContext.login(LoginContext.java:595) [rt.jar:1.7.0_60] 
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:449) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final] 
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:383) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final] 
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:371) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final] 
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:160) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final] 
    at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:214) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final] 
    at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:187) [jboss-negotiation-common-2.2.0.SP1.jar:2.2.0.SP1] 
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:455) [jbossweb-7.0.13.Final.jar:] 
    at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final] 
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:] 
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:] 
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:] 
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:] 
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:] 
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:] 
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:] 
    at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_60] 

Is the test platform still running? Before answering, I want to make sure the answer can be verified against the original question's setup. – 2017-10-29 02:02:50

Answers

0

"Specified version of key is not available (44)"

IIRC the "version" is the sequence number of the service account's password resets, and your keytab must match the real one. Also, the password must be = 0 in your keytab.

With the JDK's ktab you can use the -n parameter to match it, and you may need to add other encryption types than HMAC-RC4 (AES256 perhaps?).

0

Try setting the KVNO to get this done.

I use these key types:

default_tkt_enctypes = RC4-HMAC DES3-CBC-SHA1 DES-CBC-MD5 DES-CBC-CRC

When I tried using AES128-CTS I got a checksum error.
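As an added example (not code from the question, either answer, or the JBoss Negotiation project), the following Python script parses a keytab in the 0x0502 layout that ktpass writes (the "Keytab version: 0x502" in the question) and replays the acceptor's key lookup in a simplified form, so the two failure modes discussed above can be told apart: the kvno mismatch behind error 44 from the first answer, and the missing-enctype case behind the second answer's AES attempt. The realm EXAMPLE.COM, the 16-byte key and the ticket kvno 7 are constructed placeholders, not values from the page; the lookup order (principal, then enctype, then kvno) is an assumption that models the Java GSS acceptor's behaviour, not a copy of it.

```python
"""Inspect a Kerberos keytab and explain a KRB_AP_ERR_BADKEYVER (44) mismatch."""
import struct
from dataclasses import dataclass

# Enctype numbers from RFC 3961, RFC 3962 and RFC 4757.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}


@dataclass
class KeytabEntry:
    principal: str
    name_type: int
    kvno: int
    enctype: int
    key: bytes


def _counted_octets(buf, off):
    """Read a 16-bit big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return bytes(buf[off + 2:off + 2 + n]), off + 2 + n


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples in the 0x0502 keytab layout."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        # name type 1 = KRB5_NT_PRINCIPAL, timestamp 0, 8-bit vno
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)  # trailing 32-bit vno, as ktpass appends
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(data):
    """Return the KeytabEntry list of a version-0x0502 keytab held in memory."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:            # a negative size marks a deleted (free) slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted_octets(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted_octets(data, off)
            comps.append(c.decode())
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = bytes(data[off:off + klen])
        off += klen
        kvno = vno8
        if end - off >= 4:       # a non-zero trailing 32-bit vno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        principal = "/".join(comps) + "@" + realm.decode()
        entries.append(KeytabEntry(principal, name_type, kvno, enctype, key))
    return entries


def diagnose(entries, principal, ticket_kvno, ticket_enctype):
    """Simplified model of the acceptor's lookup: principal, then enctype, then kvno."""
    mine = [e for e in entries if e.principal == principal]
    if not mine:
        return ("NO_PRINCIPAL", f"{principal} is not in the keytab")
    same_etype = [e for e in mine if e.enctype == ticket_enctype]
    if not same_etype:
        have = sorted({ENCTYPE_NAMES.get(e.enctype, str(e.enctype)) for e in mine})
        want = ENCTYPE_NAMES.get(ticket_enctype, str(ticket_enctype))
        return ("NOKEY", f"no {want} key for {principal}; keytab has {have}")
    if not any(e.kvno == ticket_kvno for e in same_etype):
        have = sorted({e.kvno for e in same_etype})
        return ("BADKEYVER", f"ticket uses kvno {ticket_kvno}, keytab only has {have} (error 44)")
    return ("OK", "a key with matching enctype and kvno exists")


# Constructed sample: placeholder realm, placeholder key, kvno 6 as in the ktpass output.
PRINCIPAL = "mttsrvdc01/usuarioAD@EXAMPLE.COM"
SAMPLE_KEYTAB = build_keytab([(PRINCIPAL, 6, 23, bytes(range(16)))])

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    for e in entries:
        print(f"{e.principal} kvno={e.kvno} etype={ENCTYPE_NAMES.get(e.enctype, e.enctype)}")
    print(diagnose(entries, PRINCIPAL, 7, 23))   # kvno mismatch (hypothetical kvno 7)
    print(diagnose(entries, PRINCIPAL, 6, 18))   # no AES256 key in an RC4-only keytab
```

To inspect a real file, pass `open(path, "rb").read()` to `parse_keytab` and compare each entry's kvno with the version the KDC currently issues for that account (every password reset of the service account increments it, which is why a keytab generated before a reset stops working). With the question's component lengths (10 and 9 characters) and the 23-byte realm visible in the ticket hex dump, this layout gives exactly the 83-byte entry that ktpass reports as "keysize 83", which is a quick sanity check that the trailing 32-bit vno is present.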