2013-05-14 201 views
2

I have run into some trouble kerberizing a host, t.p.no. I am using http://grolmsnet.de/kerbtut, which has worked for other hosts that are not added to the Windows domain. Kerberos SSO with mod_auth_kerb: verification code 589824 and token seems to be NTLM

For some reason the problem seems to be that the client sends an NTLM token.

I will go through the server's setup and status first, then the tests on the client:

Server

Environment:

OS is CentOS 5.9,

Kerberos, Apache and mod_auth_kerb installed with yum:

httpd.x86_64        2.2.3-76.el5.centos   installed 
httpd-devel.i386       2.2.3-76.el5.centos   installed 
httpd-devel.x86_64      2.2.3-76.el5.centos   installed 

mod_auth_kerb.x86_64      5.1-5.el5     installed 

krb5-devel.x86_64       1.6.1-70.el5     installed 
krb5-libs.i386       1.6.1-70.el5     installed 
krb5-libs.x86_64       1.6.1-70.el5     installed 
krb5-workstation.x86_64     1.6.1-70.el5     installed 
pam_krb5.i386        2.2.14-22.el5    installed 
pam_krb5.x86_64       2.2.14-22.el5    installed 

KDC/DC is Windows Server 2003 SP2

Kerberos:

I had a domain admin create an account in AD and run ktpass to map the SPN to this account:

ktpass.exe /princ HTTP/[email protected] /mapuser testsone2\user 
/crypto DES-CBC-MD5 +DesOnly /Pass *** /ptype KRB5_NT_PRINCIPAL /out t.keytab 

On the server/host I am trying to kerberize, I have done the following to verify that Kerberos is configured correctly:

# kinit -V [email protected] 
Password for [email protected]: 
Authenticated to Kerberos v5 

# klist 
Ticket cache: FILE:/tmp/krb5cc_0 
Default principal: [email protected] 

Valid starting  Expires   Service principal 
05/13/13 15:32:13 05/14/13 01:32:17 krbtgt/[email protected] 
    renew until 05/14/13 15:32:13 


Kerberos 4 ticket cache: /tmp/tkt0 
klist: You have no tickets cached 

And I have checked that the KDC gives me a ticket for my principal:

# kvno HTTP/[email protected] 
HTTP/[email protected]: kvno = 9 

# klist -e 
Ticket cache: FILE:/tmp/krb5cc_0 
Default principal: [email protected] 

Valid starting  Expires   Service principal 
05/13/13 15:32:13 05/14/13 01:32:17 krbtgt/[email protected] 
    renew until 05/14/13 15:32:13, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5 
05/13/13 15:34:27 05/14/13 01:32:17 HTTP/[email protected] 
    renew until 05/14/13 15:32:13, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5 

Kerberos 4 ticket cache: /tmp/tkt0 
klist: You have no tickets cached 

The kvno matches the one in the keytab:

# ktutil 
ktutil: rkt t.keytab 
ktutil: l 
slot KVNO Principal 
---- ---- --------------------------------------------------------------------- 
    1 9 HTTP/[email protected] 

t.p.no is an A record resolving to an IP address that reverse-resolves to t.p.no.

This is my vhost config; it is a simple Rails app served by Passenger. It worked before the authentication-related directives in the Location section were added for testing:

<VirtualHost *:80> 
    DocumentRoot /home/p/testapp/public 
    ServerName t.p.no 

    RackEnv staging 
    RailsEnv staging 

    <Directory /home/p/testapp/public> 
    Options -MultiViews 
    </Directory> 

    <Location /> 
    AuthType Kerberos 
    AuthName "Logg inn" 
    KrbMethodNegotiate On 
    KrbMethodK5Passwd Off 
    KrbAuthRealms TESTSONE2.P.LOCAL 
    KrbServiceName HTTP # No difference if using full SPN here 
    Krb5KeyTab /etc/httpd/keys/t.keytab 
    require valid-user 
    </Location> 

    LogLevel debug 
    CustomLog logs/t.p.no-access_log combined_forwarded 
    ErrorLog logs/t.p.no-error_log 

</VirtualHost> 

When the client goes to t.p.no in Internet Explorer, the Apache log shows:

[debug] src/mod_auth_kerb.c(1496): [client 139.x.x.201] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos 
[debug] src/mod_auth_kerb.c(1496): [client 139.x.x.201] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos 
[debug] src/mod_auth_kerb.c(1151): [client 139.x.x.201] Acquiring creds for HTTP/[email protected] 
[debug] src/mod_auth_kerb.c(1270): [client 139.x.x.201] Verifying client data using KRB5 GSS-API 
[debug] src/mod_auth_kerb.c(1286): [client 139.x.x.201] Verification returned code 589824 
[debug] src/mod_auth_kerb.c(1313): [client 139.x.x.201] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration. 
[error] [client 139.116.152.201] gss_accept_sec_context() failed: Invalid token was supplied (No error) 

Client

OS: Windows Server 2008 SP1

IE has IWA enabled, and http://t.p.no has been added to the list of intranet hosts.

On the client, when trying to access t.p.no, I see two requests in Fiddler: in the first the client sends no Authorization header and the server responds with status 401 and the header WWW-Authenticate: Negotiate.

In the second request the client sends the header Authorization: Negotiate [token data]. In Fiddler's Auth tab the token data is shown as:

-[NTLM Type1: Negotiation]------------------------------ 
Provider: NTLMSSP 
Type: 1 
OS Version: 6.1:7601 
Flags: 0xe2088297 
    Unicode supported in security buffer. 
    OEM strings supported in security buffer. 
    Request server's authentication realm included in Type2 reply. 
    Sign (integrity) 
    NTLM authentication. 
    Negotiate Always Sign. 
    Negotiate NTLM2 Key. 
    Supports 56-bit encryption. 
    Supports 128-bit encryption. 
    Client will provide master key in Type 3 Session Key field. 
Domain_Offset: 0; Domain_Length: 0; Domain_Length2: 0 
Host_Offset: 0; Host_Length: 0; Host_Length2: 0 
Host: 
Domain: 
------------------------------------ 

Any help figuring out why an NTLM token is being sent would be much appreciated!
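The question's Fiddler dump shows an NTLMSSP Type 1 message inside an "Authorization: Negotiate" header, which is exactly what mod_auth_kerb rejects with "received token seems to be NTLM". The following Python helper, added here as an example and not part of the original post or of mod_auth_kerb, decodes such a header and distinguishes a raw NTLM fallback from a SPNEGO or raw Kerberos token; for SPNEGO it also reports which mechanism the client prefers. The NEGOTIATE flag names follow MS-NLMP, and the two sample tokens are constructed inline (not captured from the question's client), using the flags and OS version Fiddler displayed.

```python
"""Tell an NTLM fallback from a real SPNEGO/Kerberos token in a Negotiate header."""
import base64
import struct

# DER-encoded mechanism OIDs (tag + length + contents), as found in the
# GSS-API token header and in the SPNEGO mechTypes list.
OID_SPNEGO  = bytes.fromhex("06062b0601050502")          # 1.3.6.1.5.5.2
OID_KRB5    = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")    # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {OID_KRB5: "krb5", OID_MS_KRB5: "ms-krb5", OID_NTLMSSP: "ntlmssp"}

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_VERSION = 0x02000000

# NegotiateFlags bits from MS-NLMP 2.2.2.5 (subset relevant to a Type 1 message).
NTLM_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000002: "NTLMSSP_NEGOTIATE_OEM",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000080: "NTLMSSP_NEGOTIATE_LM_KEY",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",  # "NTLM2 Key" in Fiddler
    0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}


def decode_negotiate_header(header_value):
    """Return the raw token bytes from an 'Authorization: Negotiate <base64>' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header: %r" % scheme)
    return base64.b64decode(b64)


def classify_token(token):
    """Return 'ntlm', 'spnego', 'krb5' or 'unknown' for a decoded token."""
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"            # raw NTLMSSP, not even wrapped in SPNEGO
    if token[:1] == b"\x60":     # GSS-API InitialContextToken, [APPLICATION 0]
        head = token[:16]        # the OID follows a 1..4 byte DER length
        if OID_SPNEGO in head:
            return "spnego"
        if OID_KRB5 in head or OID_MS_KRB5 in head:
            return "krb5"
    return "unknown"


def spnego_preferred_mech(token):
    """Name of the first mechanism a SPNEGO NegTokenInit offers.

    mechTypes is the first field of NegTokenInit and is ordered by client
    preference, so the earliest known mechanism OID in the token is the one
    the client wants (heuristic byte scan, not a full ASN.1 parse).
    """
    hits = [(token.find(oid), name) for oid, name in MECH_NAMES.items()]
    hits = [h for h in hits if h[0] >= 0]
    return min(hits)[1] if hits else None


def parse_ntlm_negotiate(token):
    """Decode the fixed fields of an NTLMSSP NEGOTIATE_MESSAGE (Type 1)."""
    if not token.startswith(NTLMSSP_SIGNATURE):
        raise ValueError("not an NTLMSSP message")
    msg_type, flags = struct.unpack_from("<II", token, 8)
    info = {"type": msg_type, "flags": flags,
            "flag_names": [n for b, n in sorted(NTLM_FLAGS.items()) if flags & b]}
    # Layout: Signature(8) Type(4) Flags(4) DomainNameFields(8) WorkstationFields(8) Version(8)
    if flags & NTLMSSP_NEGOTIATE_VERSION and len(token) >= 40:
        major, minor, build = struct.unpack_from("<BBH", token, 32)
        info["os_version"] = "%d.%d:%d" % (major, minor, build)
    return info


def diagnose(header_value):
    """One-line verdict for a captured Authorization header value."""
    token = decode_negotiate_header(header_value)
    kind = classify_token(token)
    if kind == "ntlm":
        info = parse_ntlm_negotiate(token)
        return "NTLM fallback: NTLMSSP type %d, flags 0x%08x, client OS %s" % (
            info["type"], info["flags"], info.get("os_version", "?"))
    if kind == "spnego":
        return "SPNEGO, preferred mechanism: %s" % spnego_preferred_mech(token)
    return kind


# --- constructed samples (not captured from the question's client) ----------

def build_ntlm_negotiate(flags=0xE2088297, version=(6, 1, 7601)):
    """Build a Type 1 message with the flags and OS version Fiddler displayed."""
    major, minor, build = version
    return (NTLMSSP_SIGNATURE
            + struct.pack("<II", 1, flags)
            + struct.pack("<HHI", 0, 0, 0)                       # DomainNameFields (empty)
            + struct.pack("<HHI", 0, 0, 0)                       # WorkstationFields (empty)
            + struct.pack("<BBH3xB", major, minor, build, 0x0F))  # Version


def build_spnego_init(mechs=(OID_KRB5, OID_MS_KRB5)):
    """Minimal DER NegTokenInit carrying only a mechTypes list."""
    mech_list = b"".join(mechs)
    mech_types = b"\x30" + bytes([len(mech_list)]) + mech_list  # SEQUENCE OF OID
    ctx0 = b"\xa0" + bytes([len(mech_types)]) + mech_types      # [0] mechTypes
    neg_init = b"\x30" + bytes([len(ctx0)]) + ctx0              # NegTokenInit
    neg_tok = b"\xa0" + bytes([len(neg_init)]) + neg_init       # [0] negTokenInit
    body = OID_SPNEGO + neg_tok
    return b"\x60" + bytes([len(body)]) + body                  # InitialContextToken


def header_for(token):
    """Wrap a token the way IE sends it: 'Negotiate <base64>'."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")


if __name__ == "__main__":
    print(diagnose(header_for(build_ntlm_negotiate())))
    print(diagnose(header_for(build_spnego_init())))
```

Run it against the base64 value copied from Fiddler's raw request; a result starting with "NTLM fallback" means the client never obtained a Kerberos service ticket for the SPN, so the problem is on the client/KDC side rather than in the Apache configuration.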

Answers

1

As mentioned, my test client is a 2008 R2 server. The article about Windows 7 clients and Windows Server 2008 R2 (http://support.microsoft.com/kb/977321) states that DES encryption for Kerberos authentication is disabled by default in those products.

I followed the steps in the article to re-enable DES on the client; the KDC is 2003, so it should still support DES. Authentication succeeded.

0

Your krb5 packages are outdated. They need to be updated to support stronger encryption.

DES should absolutely be disabled. All my Linux systems use 128-bit AES for Kerberos.
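Both answers turn on the same point: the service ticket has to be issued with an enctype that both the DES-only keytab and the client's Kerberos policy allow, and a Windows 7 / 2008 R2 client with DES disabled has no such enctype, so SPNEGO falls back to NTLM. The Python below, added here as an example and written by neither answerer, makes that check explicit: it reads the ticket enctype out of `klist -e` output, compares it with the client's SupportedEncryptionTypes bitmask, and names the ktpass /crypto value that would let the two sides agree without DES. Assumptions: the bit values of the Windows SupportedEncryptionTypes setting (the one KB977321 and the "Configure encryption types allowed for Kerberos" policy control), a Windows 7 default of "everything except DES", and a klist listing constructed from the one in the question with the host and realm shown there.

```python
"""Check whether a client's Kerberos enctype policy can use the service's keys."""
import re

# Bits of the Windows SupportedEncryptionTypes value (assumed, per MS documentation).
DES_CBC_CRC = 0x01
DES_CBC_MD5 = 0x02
RC4_HMAC    = 0x04
AES128_SHA1 = 0x08
AES256_SHA1 = 0x10
BIT_NAMES = {DES_CBC_CRC: "des-cbc-crc", DES_CBC_MD5: "des-cbc-md5",
             RC4_HMAC: "rc4-hmac", AES128_SHA1: "aes128-cts-hmac-sha1-96",
             AES256_SHA1: "aes256-cts-hmac-sha1-96"}

# Client policies compared below. The Windows 7 / 2008 R2 default is assumed
# to be everything except DES, which is what KB977321 describes.
WIN7_DEFAULT = RC4_HMAC | AES128_SHA1 | AES256_SHA1
WIN7_DES_REENABLED = WIN7_DEFAULT | DES_CBC_CRC | DES_CBC_MD5

# Enctype names as MIT 'klist -e' / 'klist -kte' print them.
KLIST_NAMES = {
    "DES cbc mode with CRC-32": DES_CBC_CRC,
    "DES cbc mode with RSA-MD5": DES_CBC_MD5,
    "ArcFour with HMAC/md5": RC4_HMAC,
    "AES-128 CTS mode with 96-bit SHA-1 HMAC": AES128_SHA1,
    "AES-256 CTS mode with 96-bit SHA-1 HMAC": AES256_SHA1,
}
ETYPE_RE = re.compile(r"Etype \(skey, tkt\): (?P<skey>[^,]+), (?P<tkt>.+?)\s*$")

# ktpass /crypto arguments that produce a key of each type.
KTPASS_CRYPTO = {DES_CBC_CRC: "DES-CBC-CRC", DES_CBC_MD5: "DES-CBC-MD5",
                 RC4_HMAC: "RC4-HMAC-NT", AES128_SHA1: "AES128-SHA1",
                 AES256_SHA1: "AES256-SHA1"}


def ticket_enctype(klist_output, service):
    """Bit of the enctype the KDC used to encrypt the ticket for `service`.

    The 'tkt' enctype is the one that must exist in the service keytab; the
    'skey' (session key) enctype only has to suit client and service software.
    """
    lines = klist_output.splitlines()
    for i, line in enumerate(lines[:-1]):
        if service in line:
            m = ETYPE_RE.search(lines[i + 1])
            if m:
                return KLIST_NAMES[m.group("tkt")]
    raise ValueError("no ticket for %s" % service)


def usable(service_bits, client_mask):
    """Enctypes both sides allow, as names ([] means the client cannot use Kerberos)."""
    common = service_bits & client_mask
    return [BIT_NAMES[b] for b in sorted(BIT_NAMES) if common & b]


def verdict(service_bits, client_mask):
    """Explain the outcome and, on failure, the non-DES key type to re-key with."""
    ok = usable(service_bits, client_mask)
    if ok:
        return "Kerberos can be used (%s)" % ", ".join(ok)
    strong = [KTPASS_CRYPTO[b] for b in sorted(KTPASS_CRYPTO)
              if client_mask & b and b >= RC4_HMAC]
    return ("no common enctype, client will fall back to NTLM; re-key the SPN "
            "with ktpass /crypto %s (without +DesOnly) or allow DES on the client"
            % (strong[-1] if strong else "All"))


# Constructed sample modelled on the klist -e listing in the question; the
# user and service names are built from the host and realm shown there.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@TESTSONE2.P.LOCAL

Valid starting  Expires   Service principal
05/13/13 15:32:13 05/14/13 01:32:17 krbtgt/TESTSONE2.P.LOCAL@TESTSONE2.P.LOCAL
    renew until 05/14/13 15:32:13, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
05/13/13 15:34:27 05/14/13 01:32:17 HTTP/t.p.no@TESTSONE2.P.LOCAL
    renew until 05/14/13 15:32:13, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5
"""

if __name__ == "__main__":
    svc = ticket_enctype(SAMPLE_KLIST, "HTTP/t.p.no")
    print("Win7 default:      ", verdict(svc, WIN7_DEFAULT))
    print("Win7 with DES:     ", verdict(svc, WIN7_DES_REENABLED))
    print("AES keytab, Win7:  ", verdict(AES256_SHA1 | AES128_SHA1, WIN7_DEFAULT))
```

The first verdict reproduces the question's failure, the second the accepted answer's fix, and the third the second answer's recommendation: re-keying the SPN with AES keys lets the default client policy stay as it is, which is the option to prefer since turning DES back on weakens every Kerberos exchange that client makes.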