How to debug an "invalid" Kerberos ticket header

Time: 2022-05-12 20:46:09

I'm trying to use the Spring Security extension for Kerberos so I can deploy a Java web app within a Kerberos realm which takes advantage of Integrated Windows Authentication.

I'm working from the provided Spring Security SPNEGO auth w/ form based fallback example. Everything looks to be working up to the point that the ticket from IE is received and inspected by the web app, at which point it fails to validate with the following exception:

GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)

Here is the negotiate header:

Negotiate YIGFBgYrBgEFBQKgezB5oDAwLgYKKwYBBAGCNwICCgYJKoZIgvcSAQICBgkqhkiG9xIBAgIGCisGAQQBgjcCAh6iRQRDTlRMTVNTUAABAAAAl7II4g4ADgA1AAAADQANACgAAAAGAvAjAAAAD1NIQVJFUE9JTlQtU1BTSEFSRVBPSU5ULURFVg==

In tracing the source code in Java it appears that it throws this error if it cannot find the 'tag' which turns out to be 0x60 (or a backtick) at the start of the header. If I base64 decode this using ISO-8859-1 I can see that the first character looks to be a backtick to me so I'm now stuck.

This is running the latest version of Java 7 (under Java 8 I was experiencing a bug where the 'GSSContext srcName' was null - seems to be a known bug).

Any clues on something probably quite obvious that is wrong with the header or how to decode/debug it further would be great.

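
The Negotiate header quoted in the question can be decoded with a few lines of stdlib Python to see what the browser actually sent; this is an added example, not code from the question or from Spring Security. It parses the outer GSS-API token and the SPNEGO NegTokenInit just far enough to list the offered mechTypes and check whether the inner mechToken is an NTLMSSP message, which is what a Windows client sends when it holds no Kerberos ticket for the host name it was given.

```python
import base64

# Negotiate header quoted in the question above (copied from the page, not constructed).
HEADER = "Negotiate YIGFBgYrBgEFBQKgezB5oDAwLgYKKwYBBAGCNwICCgYJKoZIgvcSAQICBgkqhkiG9xIBAgIGCisGAQQBgjcCAh6iRQRDTlRMTVNTUAABAAAAl7II4g4ADgA1AAAADQANACgAAAAGAvAjAAAAD1NIQVJFUE9JTlQtU1BTSEFSRVBPSU5ULURFVg=="
KNOWN_OIDS = {  # SPNEGO mechanism OIDs a Windows client typically offers
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "MS Kerberos V5 (legacy)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    "1.3.6.1.4.1.311.2.2.30": "NEGOEX",
}

def read_tlv(buf, pos):  # one DER tag/length/value at pos -> (tag, value, next pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):  # DER OID contents -> dotted string (first byte packs two arcs)
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:  # remaining arcs are base-128, high bit set on continuation bytes
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def iter_children(der):  # yield (tag, value) for TLVs packed back to back in der
    pos = 0
    while pos < len(der):
        tag, val, pos = read_tlv(der, pos)
        yield tag, val

def inspect_negotiate(header):  # which mechanisms the client offered, and is the inner token NTLM?
    token = base64.b64decode(header.split(None, 1)[1])
    tag, body, _ = read_tlv(token, 0)
    if tag != 0x60:  # the tag Java's GSSHeader complains about when it is missing
        raise ValueError("not a GSS-API InitialContextToken, tag 0x%02x" % tag)
    _, oid, pos = read_tlv(body, 0)        # outer mech OID; 1.3.6.1.5.5.2 means SPNEGO
    _, neg_init, _ = read_tlv(body, pos)   # [0] NegTokenInit
    _, seq, _ = read_tlv(neg_init, 0)      # SEQUENCE { mechTypes, ..., mechToken, ... }
    result = {"outer_oid": decode_oid(oid), "mech_types": [], "mech_token_is_ntlm": False}
    for tag, val in iter_children(seq):
        if tag == 0xA0:                    # mechTypes: SEQUENCE OF OID, preferred mech first
            for _, o in iter_children(read_tlv(val, 0)[1]):
                result["mech_types"].append(KNOWN_OIDS.get(decode_oid(o), decode_oid(o)))
        elif tag == 0xA2:                  # mechToken: opaque token for the preferred mech
            result["mech_token_is_ntlm"] = read_tlv(val, 0)[1].startswith(b"NTLMSSP\x00")
    return result
```

For this header the outer 0x60 tag is present and the mechTypes list NTLMSSP first with an NTLMSSP NEGOTIATE message as the mechToken, so the "wrong tag" complaint points at the inner NTLM token, which the JDK's Kerberos-only GSS stack cannot consume, rather than at the header itself.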
1 solution

#1


0  

OK - what an idiot I have been. After reading an article on how to force use of NTLM rather than Kerberos (which suggests using the IP of the server and not the SPN to access it) I realised I was always using http://localhost:8080 and not the SPN which in my case was the host name http://sharepoint-sp:8080.

It now seems to be working if I use the SPN URL. I guess I will never be able to access this outside of the Kerberos realm or using some alias of the SPN but this ties up with everything I've read on how it is supposed to work and why it is secure.

Oh well, hope this helps someone with a similar issue.
