前端之家

  1. 首页
  2. 问答

带SPNEGO的CAS始终会退回到NTLM

问答

我们已经在我们的“内部”网络中使用CAS,并且在一个站点中使用Kerberos,并且运行正常。

我们现在要配置我们自己的第二个站点,但配置略有不同(DNS名称/ SPN)。

我尝试解释。.首先是非工作配置,然后是工作配置,进行了一些小的更改。

我们尝试使用SPNEGO运行CAS。

我们可以将kinitcas.keytab(Linux命令)一起使用,并从kdc of REALM2.DE获取有效的Kerberos票证,但它不适用于CAS。 CAS始终会退回到NTLM。我们需要做些什么,才能起作用?也许他使用了来自keytab的错误SPN条目?我不明白。

  • Ubuntu 16 LTS和Ubuntu 18 LTS
  • CAS:5.2.7
  • REALM1 = Windows active Directory(有用户)
  • REALM2 = MIT Linux Kerberos领域(有CAS服务器)
  • acme.de =官方SSL证书的互联网域
  • REALM1和REALM2之间的真实信任。

无法正常使用的配置的说明:

SPN类似于HTTP/cas.acme.de@REALM2.DE

/etc/krb5.conf:

    [libdefaults]
    default_keytab_name = /etc/cas/cas.keytab
    [realms]
    REALM1.DE = {
            kdc = ad1.realm1.de
            kdc = ad2.realm1.de
            kdc = ad3.realm1.de
    }
    REALM2.DE = {
            kdc = kerberos.realm2.de
            kdc = kerberos-1.realm2.de
            kdc = kerberos-2.realm2.de
            admin_server = kadmin.realm2.de
    }

cas.properties:

           cas.server.name=https://cas.acme.de:8443
           cas.server.prefix=https://cas.acme.de:8443/cas
           cas.authn.attributeRepository.defaultAttributesToRelease=cn,givenName,uid,mail
           # KERberOS / SPNEGO
           cas.authn.spnego.kerberosConf=/etc/krb5.conf
         # cas.authn.spnego.mixedmodeAuthentication=false
           cas.authn.spnego.mixedmodeAuthentication=true
           cas.authn.spnego.cachePolicy=600
           cas.authn.spnego.timeout=300000
           cas.authn.spnego.jcifsServicePrincipal=HTTP/cas.acme.de@REALM2.DE
           cas.authn.spnego.jcifsnetbiosWins=
           cas.authn.spnego.loginconf=/etc/cas/login.conf
           cas.authn.spnego.ntlmAllowed=true
           cas.authn.spnego.hostNamePatternString=.+
           cas.authn.spnego.jcifsusername=
           cas.authn.spnego.useSubjectCredsOnly=false
           cas.authn.spnego.supportedBrowsers=MSIE,Trident,Firefox,AppleWebKit
           cas.authn.spnego.jcifsDomainController=
           cas.authn.spnego.dnsTimeout=2000
           cas.authn.spnego.hostNameclientactionStrategy=hostnameSpnegoClientaction
           cas.authn.spnego.kerberosKdc=192.169.1.3
           cas.authn.spnego.alternativeRemoteHostAttribute=alternateRemoteHeader
           cas.authn.spnego.jcifsDomain=
           cas.authn.spnego.ipsToCheckPattern=
           cas.authn.spnego.kerberosDebug=
           cas.authn.spnego.send401OnAuthenticationFailure=true
           cas.authn.spnego.kerberosRealm=REALM2.DE
           cas.authn.spnego.ntlm=false
           cas.authn.spnego.principalWithDomainName=true
           cas.authn.spnego.jcifsServicePassword=
           cas.authn.spnego.jcifsPassword=
           cas.authn.spnego.spnegoattributeName=userPrincipalName
           cas.authn.spnego.name=

/etc/cas/login.conf:

    jcifs.spnego.initiate {
              com.sun.security.auth.module.Krb5Loginmodule required storeKey=true useKeyTab=true keyTab="/etc/cas/cas.keytab";
    };

   jcifs.spnego.accept {
             com.sun.security.auth.module.Krb5Loginmodule required storeKey=true useKeyTab=true keyTab="/etc/cas/cas.keytab";
    };

cas.keytab:

   root@cas:/etc/cas# klist -k /etc/cas/cas.keytab -e -t
   Keytab name: FILE:/etc/cas/cas.keytab

   KVNO Timestamp           Principal
   ---- ------------------- ------------------------------------------------------
   2 17.05.2019 11:38:56 HTTP/cas.realm2.de@REALM2.DE (aes256-cts-hmac-sha1-96)
   2 17.05.2019 11:38:56 HTTP/cas.realm2.de@REALM2.DE (aes128-cts-hmac-sha1-96)
   2 17.05.2019 11:38:56 HTTP/cas.realm2.de@REALM2.DE (arcfour-hmac)
   2 17.05.2019 11:39:03 HTTP/cas.acme.de@REALM2.DE (aes256-cts-hmac-sha1-96)
   2 17.05.2019 11:39:03 HTTP/cas.acme.de@REALM2.DE (aes128-cts-hmac-sha1-96)
   2 17.05.2019 11:39:03 HTTP/cas.acme.de@REALM2.DE (arcfour-hmac)

kinit HTTP/cas.acme.de@REALM2.DE -k -t /etc/cas/cas.keytab
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/cas.acme.de@REALM2.DE
Valid starting       Expires              Service principal
04.12.2019 12:54:18  05.12.2019 12:54:18  krbtgt/REALM2.DE@REALM2.DE

root@cas:/etc/cas# nslookup cas.acme.d
Server:         192.169.1.1
Address:        192.169.1.1#53

Name:   cas.acme.de
Address: 192.169.1.140

root@cas:/etc/cas# nslookup 192.169.1.140
140.1.169.192.in-addr.arpa      name = cas.realm2.de.

工作配置说明:

仅SPN和Internet DNS名称已更改

SPN类似于HTTP/cast.realm2.de@REALM2.DE

/etc/krb5.conf:

   [libdefaults]
   default_keytab_name = /etc/cas/cast.keytab

   [realms]
   REALM1.DE = {
            kdc = ad1.realm1.de
            kdc = ad2.realm1.de
            kdc = ad3.realm1.de
    }
    REALM2.DE = {
            kdc = kerberos.realm2.de
            kdc = kerberos-1.realm2.de
            kdc = kerberos-2.realm2.de
            admin_server = kadmin.realm2.de
    }

cas.properties:

 cas.server.name=https://cast.realm2.de:8443
 cas.server.prefix=https://cast.realm2.de:8443/cas   
 # KERberOS / SPNEGO
 cas.authn.spnego.kerberosConf=/etc/krb5.conf
#cas.authn.spnego.mixedmodeAuthentication=false
 cas.authn.spnego.mixedmodeAuthentication=true
 cas.authn.spnego.cachePolicy=600
 cas.authn.spnego.timeout=300000
 cas.authn.spnego.jcifsServicePrincipal=HTTP/cast.realm2.de@REALM2.DE
 cas.authn.spnego.jcifsnetbiosWins=
 cas.authn.spnego.loginconf=/etc/cas/login.conf
 cas.authn.spnego.ntlmAllowed=true
 cas.authn.spnego.hostNamePatternString=.+
 cas.authn.spnego.jcifsusername=
 cas.authn.spnego.useSubjectCredsOnly=false
 cas.authn.spnego.supportedBrowsers=MSIE,AppleWebKit
 cas.authn.spnego.jcifsDomainController=
 cas.authn.spnego.dnsTimeout=2000
 cas.authn.spnego.hostNameclientactionStrategy=hostnameSpnegoClientaction
 cas.authn.spnego.kerberosKdc=192.169.1.3
 cas.authn.spnego.alternativeRemoteHostAttribute=alternateRemoteHeader
 cas.authn.spnego.jcifsDomain=
 cas.authn.spnego.ipsToCheckPattern=
 cas.authn.spnego.kerberosDebug=
 cas.authn.spnego.send401OnAuthenticationFailure=true
 cas.authn.spnego.kerberosRealm=REALM2.DE
 cas.authn.spnego.ntlm=false
 cas.authn.spnego.principalWithDomainName=true
 cas.authn.spnego.jcifsServicePassword=
 cas.authn.spnego.jcifsPassword=
 cas.authn.spnego.spnego

/etc/cas/login.conf:

 jcifs.spnego.initiate {
   com.sun.security.auth.module.Krb5Loginmodule required storeKey=true useKeyTab=true keyTab="/etc/cas/cas-t.keytab";
};

 jcifs.spnego.accept {
   com.sun.security.auth.module.Krb5Loginmodule required storeKey=true useKeyTab=true keyTab="/etc/cas/cas-t.keytab";
};

cast.keytab:

klist -k cas-t.keytab -e -t
Keytab name: FILE:cas-t.keytab

KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
2 04.10.2018 11:17:39 HTTP/cas-t.realm2.de@REALM2.DE (aes256-cts-hmac-sha1-96)
2 04.10.2018 11:17:39 HTTP/cas-t.realm2.de@REALM2.DE (aes128-cts-hmac-sha1-96)
2 04.10.2018 11:17:39 HTTP/cas-t.realm2.de@REALM2.DE (arcfour-hmac)
2 04.10.2018 11:17:42 HTTP/cast.realm2.de@REALM2.DE (aes256-cts-hmac-sha1-96)
2 04.10.2018 11:17:43 HTTP/cast.realm2.de@REALM2.DE (aes128-cts-hmac-sha1-96)
2 04.10.2018 11:17:43 HTTP/cast.realm2.de@REALM2.DE (arcfour-hmac)

kinit HTTP/cast.realm2@REALM2.DE -k -t ./cas-t.keytab
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/cas-t.realm2.de@REALM2.DE

Valid starting       Expires              Service principal
04.12.2019 12:33:51  05.12.2019 12:33:51  krbtgt/REALM2.DE@REALM2.DE

root@cas:/etc/cas# nslookup cast.realm2.de
Server:         192.169.1.1
Address:        192.169.1.1#53

Name:   cast.realm2.de
Address: 192.169.1.65

root@cas:/etc/cas# nslookup 192.169.1.65
65.1.169.192.in-addr.arpa       name = cast.realm2.de.

我们已经尝试过自行调试,但无法获取。.

我们希望有人能帮助我们解决这个问题。

如果您需要更多信息,请告诉我们

谢谢!

csshcsjm 回答:带SPNEGO的CAS始终会退回到NTLM

深入研究Wireshark之​​后,我们可以解决问题。 实际上,这不是CAS问题,而是KDC-Realm问题。

客户端通过访问cas服务器派生了错误的领域。 客户端的浏览器尝试询问Windows-kdc,但无法检索给定SPN的服务票证。

使用后:

TypeSystem.AllClasses

强制客户端请求正确的linux-kdc,成功请求了服务票,并且CAS身份验证工作顺利。

感谢@Steve的“ b),它正在执行正确的领域转换” ...

apereocaskerberosspnego
本文链接:https://www.f2er.com/2976854.html

大家都在问