我正在使用一个keytab,并使用windows命令行上的kinit命令进行设置。我得到消息"新票证存储在缓存文件中"。之后,当我运行java应用程序访问密钥的keytab文件时,我得到以下错误。
Authentication attempt failed javax.security.auth.login.LoginException: No key to store
javax.security.auth.login.LoginException: No key to store
at com.sun.security.auth.module.Krb5LoginModule.commit(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.access$000(Unknown Source)
at javax.security.auth.login.LoginContext$4.run(Unknown Source)
at javax.security.auth.login.LoginContext$4.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
我正在尝试使用ldap连接到活动目录。以下是配置设置:
-Djavax.security.auth.useSubjectCredsOnly=false
-Djava.security.auth.login.config=C:UserscXXXXXXGitgssapi_jaas.conf
-Dsun.security.krb5.debug=true
Debug为true storeKey true useTicketCache true useKeyTab true doNotPrompt true ticketCache为null isInitiator true KeyTab为
C: \Users\cXXXXXX\Git\abcd.keytab refreshKrb5Config为false主体为xxxx_dev@xxxx.xxxxxx.COMtryFirstPass为false useFirstPass是false storePass是false clearPass是false从缓存获取TGT
KinitOptions缓存名称为C:\Users\cXXXXXX\krb5cc_cXXXXXXDEBUG客户端主体为xxxx_dev@xxxx.xxxxxx.COMDEBUG服务器主体是krbtgt/xxxx.xxxxxx.COM@Txxxx.xxxxxx.COMDEBUG密钥类型:23调试授权时间:美国东部时间2019年7月1日星期一14:20:21调试开始时间:美国东部时间2019年7月1日星期一14:20:21调试结束时间:美国东部时间2019年7月2日星期二00:20:21调试更新时间:nullCCacheInputStream:readFlags()INITIAL;PRE_AUTH;主机地址为/xx.xxx.xx主机地址为/xxx:0:0:xxxx:xxxx:xxxx:xxxxKrbCreds在凭据缓存中找到了默认票证授予票证。Java配置名称:null本机配置名称:C:\windows\krb5.ini从LSA获得TGT:凭据:客户端=sxxxx_dev@xxxx.xxxxxx.COM服务器=krbtgt/Txxxx.xxxxxx.COM@Txxxx.xxxxxx.COMauthTime=20190701182021Z起始时间=20190701182021Z结束时间=20190702042021ZrenewTill=nullflags=INITIAL;预先认证E类型(skey)=23(tkt键)=18委托人是sxxxx_dev@xxxx.xxxxxx.COM
在添加kinit缓存文件之前,我至少能够验证该帐户,然后我遇到了GSSapi安全问题。试图解决我添加了缓存,这个新问题开始发生
public static void main(String[] args) {
// 1. Log in (to Kerberos)
LoginContext lc = null;
try {
/*lc = new LoginContext(Azrm017.class.getName(),
new LuwCallBackHandler());
*/
lc = new LoginContext("Azrm017");
// Attempt authentication
// You might want to do this in a "for" loop to give
// user more than one chance to enter correct username/password
lc.login();
} catch (LoginException le) {
System.err.println("Authentication attempt failed " + le);
le.printStackTrace();
System.err.println("Authentication attempt failed " + le.getSuppressed());
System.exit(-1);
}
// 2. Perform JNDI work as logged in subject
NamingEnumeration<SearchResult> ne =
(NamingEnumeration<SearchResult>) Subject.doAs(lc.getSubject(),
new SearchAction());
while(ne.hasMoreElements()) {
System.out.println(">>>> : " + ne.nextElement().getName());
}
//Subject.doAs(lc.getSubject(), new JndiAction(args));
}
}
/**
* The application must supply a PrivilegedAction that is to be run
* inside a Subject.doAs() or Subject.doAsPrivileged().
*/
class SearchAction implements java.security.PrivilegedAction {
public Object run() {
// Set up the environment for creating the initial context
Hashtable<String, String> env = new Hashtable<> (11);
env.put(Context.INITIAL_CONTEXT_FACTORY,
"com.sun.jndi.ldap.LdapCtxFactory");
String cn = "dn:CN=xxxxxxx,OU=Service xxxxx,OU=Accounts,OU=xxxxx,DC=test,DC=xxxxxx,DC=com";
env.put(Context.PROVIDER_URL, "ldap://test.xxxxxxx.com:389");
env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
env.put("javax.security.sasl.server.authentication", "true");
env.put("javax.security.sasl.qop", "auth-conf");
DirContext ctx = null;
try {
// Create initial context
ctx = new InitialDirContext(env);
SearchControls ctls = new SearchControls();
ctls.setReturningAttributes(
new String[] {"displayName", "mail","description", "suSunetID"});
NamingEnumeration<SearchResult> answer =
ctx.search("cn=People, dc=test, dc=xxxxxxxx, dc=com",
"(&(cn=p*)(sn=s*))", ctls);
return answer;
} catch (Exception e) {
e.printStackTrace();
}
// Close the context when we're done
finally {
closeContext(ctx);
}
return null;
}
附于上方
这是Krb5LoginModule选项的错误组合。如果您希望启动器存储密钥,则必须使用该密钥来获取票证(即useTicketCache不应为true)。
你为什么要储存钥匙?引发剂也会充当受体吗?如果是,您应该使用keytab进行身份验证(即useTicketCache=false)或使用ENC-TKT-IN-SKEY方式(即storeKey=false)。