Kerberos SSO with mod_auth_kerb: verification code 589824 and token seems to be NTLM
I'm having some difficulty kerberizing a host, t.p.no. I'm following http://grolmsnet.de/kerbtut, which has worked for others with hosts that are not added to the Windows domain.
For some reason the problem seems to be that the client sends an NTLM token.
I'll go through the server's setup and status, then test the client:
Server
Environment:
OS is CentOS 5.9,
Kerberos, Apache and mod_auth_kerb installed with yum:
httpd.x86_64 2.2.3-76.el5.centos installed
httpd-devel.i386 2.2.3-76.el5.centos installed
httpd-devel.x86_64 2.2.3-76.el5.centos installed
mod_auth_kerb.x86_64 5.1-5.el5 installed
krb5-devel.x86_64 1.6.1-70.el5 installed
krb5-libs.i386 1.6.1-70.el5 installed
krb5-libs.x86_64 1.6.1-70.el5 installed
krb5-workstation.x86_64 1.6.1-70.el5 installed
pam_krb5.i386 2.2.14-22.el5 installed
pam_krb5.x86_64 2.2.14-22.el5 installed
KDC/DC is Windows Server 2003 SP2
Kerberos:
I had a domain admin create an account in AD and run ktpass to map the SPN to this account:
ktpass.exe /princ HTTP/[email protected] /mapuser testsone2\user
/crypto DES-CBC-MD5 +DesOnly /Pass *** /ptype KRB5_NT_PRINCIPAL /out t.keytab
On the server/host I'm trying to kerberize, I've done this to verify that Kerberos is configured correctly:
# kinit -V [email protected]
Password for [email protected]:
Authenticated to Kerberos v5
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]
Valid starting Expires Service principal
05/13/13 15:32:13 05/14/13 01:32:17 krbtgt/[email protected]
renew until 05/14/13 15:32:13
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
And I've checked that the KDC gives me a ticket for my principal:
# kvno HTTP/[email protected]
HTTP/[email protected]: kvno = 9
# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]
Valid starting Expires Service principal
05/13/13 15:32:13 05/14/13 01:32:17 krbtgt/[email protected]
renew until 05/14/13 15:32:13, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
05/13/13 15:34:27 05/14/13 01:32:17 HTTP/[email protected]
renew until 05/14/13 15:32:13, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
The kvno matches the one in the keytab:
# ktutil
ktutil: rkt t.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 9 HTTP/[email protected]
t.p.no is an A record resolving to an IP address that reverse-resolves to t.p.no.
This is my vhost config; it's a simple Passenger-served Rails app. It worked before the authentication-related directives in the Location section were added:
<VirtualHost *:80>
DocumentRoot /home/p/testapp/public
ServerName t.p.no
RackEnv staging
RailsEnv staging
<Directory /home/p/testapp/public>
Options -MultiViews
</Directory>
<Location />
AuthType Kerberos
AuthName "Logg inn"
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbAuthRealms TESTSONE2.P.LOCAL
# No difference if using full SPN here
KrbServiceName HTTP
Krb5KeyTab /etc/httpd/keys/t.keytab
require valid-user
</Location>
LogLevel debug
CustomLog logs/t.p.no-access_log combined_forwarded
ErrorLog logs/t.p.no-error_log
</VirtualHost>
When the client browses to t.p.no in Internet Explorer, the Apache log shows:
[debug] src/mod_auth_kerb.c(1496): [client 139.x.x.201] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[debug] src/mod_auth_kerb.c(1496): [client 139.x.x.201] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[debug] src/mod_auth_kerb.c(1151): [client 139.x.x.201] Acquiring creds for HTTP/[email protected]
[debug] src/mod_auth_kerb.c(1270): [client 139.x.x.201] Verifying client data using KRB5 GSS-API
[debug] src/mod_auth_kerb.c(1286): [client 139.x.x.201] Verification returned code 589824
[debug] src/mod_auth_kerb.c(1313): [client 139.x.x.201] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
[error] [client 139.116.152.201] gss_accept_sec_context() failed: Invalid token was supplied (No error)
Client
OS: Windows Server 2008 SP1
IE has IWA enabled and http://t.p.no has been added to the Intranet hosts list.
On the client, when trying to access t.p.no, I see two requests in Fiddler: in the first the client sends no Authorization headers, and the server responds with status 401 and the header WWW-Authenticate: Negotiate.
In the second request the client sends the header Authorization: Negotiate [token data]. In Fiddler's Auth tab the token data is shown as:
-[NTLM Type1: Negotiation]------------------------------
Provider: NTLMSSP
Type: 1
OS Version: 6.1:7601
Flags: 0xe2088297
Unicode supported in security buffer.
OEM strings supported in security buffer.
Request server's authentication realm included in Type2 reply.
Sign (integrity)
NTLM authentication.
Negotiate Always Sign.
Negotiate NTLM2 Key.
Supports 56-bit encryption.
Supports 128-bit encryption.
Client will provide master key in Type 3 Session Key field.
Domain_Offset: 0; Domain_Length: 0; Domain_Length2: 0
Host_Offset: 0; Host_Length: 0; Host_Length2: 0
Host:
Domain:
------------------------------------
Any help figuring out why an NTLM token is being sent would be greatly appreciated!
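Added example (not part of the question above, and not mod_auth_kerb's or Fiddler's code): a small Python check that decodes the value of an HTTP Authorization: Negotiate header and reports whether it carries an NTLMSSP message, a SPNEGO token or a raw Kerberos GSS token, and for an NTLM Type 1 message lists the negotiate flags by their MS-NLMP names. The two sample headers are constructed inline; the NTLM one is built with the flags 0xe2088297 shown in the Fiddler output, the SPNEGO one is a truncated NegTokenInit prefix. Running a check like this on a captured header answers the client-side question directly, since mod_auth_kerb's "Verification returned code 589824" (0x90000, GSS_S_DEFECTIVE_TOKEN) only says the token was not one it could parse as Kerberos/SPNEGO.

```python
import base64
import struct

# Byte prefixes that identify the mechanism inside an HTTP "Negotiate" token.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("06062b0601050502")          # DER OID 1.3.6.1.5.5.2 (SPNEGO)
KRB5_OID = bytes.fromhex("06092a864886f712010202")      # DER OID 1.2.840.113554.1.2.2 (Kerberos v5)

# Subset of NegotiateFlags from MS-NLMP section 2.2.2.5, bit value -> name.
NTLM_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000002: "NTLM_NEGOTIATE_OEM",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000080: "NTLMSSP_NEGOTIATE_LM_KEY",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",  # "NTLM2 Key" in Fiddler
    0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",                  # "master key in Type 3" in Fiddler
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}


def classify_negotiate_header(authorization_value):
    """Classify the token in an 'Authorization: Negotiate <base64>' header value.

    Returns a dict with at least 'mechanism'. For NTLM it adds the message
    type (1 = NEGOTIATE, 2 = CHALLENGE, 3 = AUTHENTICATE) and, for type 1,
    the raw flags and their names.
    """
    scheme, _, b64 = authorization_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"mechanism": "not-negotiate", "scheme": scheme}
    token = base64.b64decode(b64)

    if token.startswith(NTLMSSP_SIGNATURE):
        (msg_type,) = struct.unpack_from("<I", token, 8)
        result = {"mechanism": "NTLM", "message_type": msg_type}
        if msg_type == 1 and len(token) >= 16:
            (flags,) = struct.unpack_from("<I", token, 12)
            result["flags_raw"] = flags
            result["flags"] = [name for bit, name in sorted(NTLM_FLAGS.items()) if flags & bit]
        return result

    if token[:1] == b"\x60":  # GSS-API InitialContextToken: [APPLICATION 0] then a mech OID
        head = token[:24]
        if SPNEGO_OID in head:
            return {"mechanism": "SPNEGO"}
        if KRB5_OID in head:
            return {"mechanism": "Kerberos"}
        return {"mechanism": "GSS-unknown-oid"}
    return {"mechanism": "unknown"}


def build_ntlm_type1(flags, os_major=6, os_minor=1, build=7601):
    """Construct an NTLM NEGOTIATE_MESSAGE (Type 1) as test input; constructed, not captured."""
    msg = NTLMSSP_SIGNATURE
    msg += struct.pack("<I", 1)                 # MessageType = NEGOTIATE
    msg += struct.pack("<I", flags)             # NegotiateFlags
    msg += struct.pack("<HHI", 0, 0, 0)         # DomainNameFields: empty, offset 0 (as in the Fiddler output)
    msg += struct.pack("<HHI", 0, 0, 0)         # WorkstationFields: empty
    msg += struct.pack("<BBH3xB", os_major, os_minor, build, 0x0F)  # Version 6.1 build 7601, revision 15
    return msg


# Constructed sample headers (not captured traffic).
CONSTRUCTED_NTLM_HEADER = "Negotiate " + base64.b64encode(build_ntlm_type1(0xE2088297)).decode()
# Truncated SPNEGO NegTokenInit: APPLICATION 0, SPNEGO OID, then an empty inner sequence.
CONSTRUCTED_SPNEGO_HEADER = "Negotiate " + base64.b64encode(
    bytes.fromhex("600c06062b0601050502a0023000")).decode()

if __name__ == "__main__":
    for header in (CONSTRUCTED_NTLM_HEADER, CONSTRUCTED_SPNEGO_HEADER):
        print(classify_negotiate_header(header))
```

Paste the header value from the second Fiddler request into classify_negotiate_header; a "NTLM" result with message_type 1 confirms the browser never attempted Kerberos for that request, which points at client-side SPN/zone resolution rather than at the keytab or kvno on the server.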