【Question title】: Debug Share SSO setup against Kerberos AD
【Posted】: 2013-06-20 15:59:00
【Question】:

I am trying to implement SSO for Share using Kerberos AD, following the instructions laid out in the official documentation on docs.alfresco.com. I keep getting the following exception:

2013-06-20 18:07:37,772  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-1] Authentication not required (filter), chaining ...
2013-06-20 18:07:37,804  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-1] Authentication not required (filter), chaining ...
2013-06-20 18:07:37,819  DEBUG [app.servlet.KerberosAuthenticationFilter] [http-80-1] New Kerberos auth request from X.X.X.X (X.X.X.X:ZZZZ) Checksum failed !

2013-06-05 12:02:30,998  WARN  [site.servlet.KerberosSessionSetupPrivilegedAction] [http-80-3] Caught GSS Error
GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
    ....

Caused by: KrbException: Checksum failed
    at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:85)
    at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:77)
    at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
    at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:268)
    at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
    at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
    ... 21 more
Caused by: java.security.GeneralSecurityException: Checksum failed
    at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCrypto.java:388)
    at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(ArcFourHmac.java:74)
    at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:83)
    ... 27 more

Here are the settings, the files and their respective locations. I have turned on the debugging that prints the messages above. Any suggestions that help resolve the problem would be greatly appreciated. We are running 4.0.d Community on a Windows 2008 machine.

alfresco-global.properties

### Kerberos SSO ###
kerberos.authentication.realm=LOCAL.COM
kerberos.authentication.sso.enabled=true
kerberos.authentication.authenticateCIFS=false
kerberos.authentication.user.configEntryName=AlfrescoHTTP
kerberos.authentication.http.configEntryName=AlfrescoHTTP
#kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.stripUsernameSuffix=true
kerberos.authentication.http.password=password
kerberos.authentication.cifs.password=password
kerberos.authentication.browser.ticketLogons=true
kerberos.authentication.defaultAdministratorUserNames=usera

share-config-custom.xml

<config evaluator="string-compare" condition="Kerberos" replace="true">
    <kerberos>
        <password>password</password>
        <realm>LOCAL.COM</realm>
        <endpoint-spn>HTTP/domain@LOCAL.COM</endpoint-spn>
        <config-entry>ShareHTTP</config-entry>
    </kerberos>
</config>

<config evaluator="string-compare" condition="Remote">
    <remote>
        <connector>
            <id>alfrescoCookie</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using cookie-based authentication</description>
            <class>org.springframework.extensions.webscripts.connector.AlfrescoConnector</class>
        </connector>

        <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfrescoCookie</connector-id>
            <endpoint-url>http://localhost:80/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
        </endpoint>
    </remote>
</config>

java.login.config in C:\Alfresco\java\jre\lib\security, as described in the docs, but with the keyTab location changed to C:/etc/alfresco.keytab

I also modified java.security in C:\Alfresco\java\jre\lib\security to point to java.login.config.

krb5.ini (in C:\Windows)

[libdefaults]
 default_realm = LOCAL.COM
 default_tkt_enctypes = rc4-hmac
 default_tgs_enctypes = rc4-hmac 

[realms]
 LOCAL.COM = {
  kdc = machine.local.com
  admin_server = machine.local.com
 }

[domain_realm]
 machine.local.com = LOCAL.COM
 .machine.local.com = LOCAL.COM

Any suggestions on how to debug this would be greatly appreciated; many thanks.

【Comments】:

  • Have you tried turning up the log4j level to debug on the relevant classes, to see what they have to say?
  • These are the messages I get after uncommenting the Kerberos section of the log4j.properties file. If there are any other sections that need uncommenting, please let me know and I will do so. Thanks.
  • @Gagravarr I have also added some extra messages from the log file, just in case. Thanks again.
  • I have never configured Kerberos authentication on Windows, but could you share the output of your keytab? On Linux this is e.g. klist -e -k /etc/alfresco_http.keytab
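As an added example (not code from the question, the comments or Alfresco), the following pure-Python reader shows what `klist -e -k` would print for a keytab on a Windows box without the MIT tools, and then performs the two checks worth doing when an AP-REQ fails with "Checksum failed" inside ArcFourHmacEType.decrypt: that every keytab entry's enctype is one of the default_tkt_enctypes / default_tgs_enctypes from [libdefaults], and that the keytab actually contains an entry for the SPN Share advertises in endpoint-spn. The stack trace shows the failure while decrypting the service ticket with the key read from the keytab, so a key that does not match what the KDC used (wrong password when the keytab was generated, stale kvno, wrong SPN) is the usual cause. The keytab bytes are constructed here with a made-up key; the SPN `HTTP/machine.local.com@LOCAL.COM` and kvno 3 are assumptions, and the krb5.ini text is the question's own.

```python
"""Parse a Kerberos keytab and cross-check it against krb5.ini.

Added example (not code from the question, the answer or Alfresco). Pure-Python
reader for the MIT keytab format, version 0x0502, big-endian; the sample keytab
below is constructed with a made-up key, and its SPN and kvno are assumptions.
"""
import struct
from typing import Dict, List, Optional, Set

# Kerberos enctype numbers (RFC 3961 / RFC 4757) commonly seen in AD keytabs.
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


def _octet_string(buf: bytes, off: int):
    """Read a uint16 length-prefixed byte string; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> List[Dict]:
    """One dict per entry: principal, kvno, enctype, enctype_name (key bytes are not returned)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    off, entries = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                       # negative size marks a deleted slot
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _octet_string(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _octet_string(data, off)
            comps.append(comp.decode())
        _name_type, _timestamp, kvno = struct.unpack_from(">IIB", data, off)
        (enctype,) = struct.unpack_from(">H", data, off + 9)
        _key, off = _octet_string(data, off + 11)
        if end - off >= 4:                 # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", data, off)[0] or kvno
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": kvno,
                        "enctype": enctype,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, f"enctype-{enctype}")})
    return entries


def libdefaults_enctypes(krb5_ini: str) -> Set[str]:
    """Enctype names listed in default_tkt_enctypes / default_tgs_enctypes under [libdefaults]."""
    allowed, section = set(), None
    for raw in krb5_ini.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "libdefaults" and "=" in line:
            key, _, val = line.partition("=")
            if key.strip() in ("default_tkt_enctypes", "default_tgs_enctypes"):
                allowed.update(val.split())
    return allowed


def check_keytab(keytab: bytes, krb5_ini: str, expected_spn: Optional[str] = None) -> List[str]:
    """Return findings; an empty list means no enctype or SPN mismatch was found."""
    entries, allowed, findings = parse_keytab(keytab), libdefaults_enctypes(krb5_ini), []
    for e in entries:
        if allowed and e["enctype_name"] not in allowed:
            findings.append(f'{e["principal"]} kvno {e["kvno"]} uses {e["enctype_name"]}, '
                            f"not in krb5.ini enctypes {sorted(allowed)}")
    if expected_spn and not any(e["principal"] == expected_spn for e in entries):
        findings.append(f"no keytab entry for {expected_spn}")
    return findings


def _encode_entry(realm: str, components: List[str], kvno: int, enctype: int, key: bytes) -> bytes:
    """Build one keytab entry (only used to construct the sample below)."""
    body = struct.pack(">H", len(components)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in components:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)          # name_type=NT-PRINCIPAL, timestamp=0
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample: one rc4-hmac entry for the assumed Share SPN, kvno 3, made-up 16-byte key.
SAMPLE_KEYTAB = b"\x05\x02" + _encode_entry("LOCAL.COM", ["HTTP", "machine.local.com"], 3, 23,
                                            bytes(range(16)))

# The [libdefaults] section of the question's krb5.ini.
SAMPLE_KRB5_INI = """[libdefaults]
 default_realm = LOCAL.COM
 default_tkt_enctypes = rc4-hmac
 default_tgs_enctypes = rc4-hmac
"""

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f'{e["kvno"]:>4} {e["principal"]} ({e["enctype_name"]})')
    for finding in check_keytab(SAMPLE_KEYTAB, SAMPLE_KRB5_INI, "HTTP/machine.local.com@LOCAL.COM"):
        print("WARN:", finding)
```

Point `check_keytab` at the real file (`open(r"C:/etc/alfresco.keytab", "rb").read()` and the text of C:\Windows\krb5.ini) with the SPN from endpoint-spn. A clean report still leaves the most common cause, a key generated from the wrong password or with a kvno the KDC has since incremented, so compare the printed kvno with what `setspn`/the AD account shows and regenerate the keytab if they differ.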

Tags: single-sign-on alfresco kerberos alfresco-share


【Answer 1】:

If you supply

-Dsun.security.krb5.debug=true -Dsun.security.jgss.debug=true

when Alfresco starts, you will get some debug output.

【Discussion】:
