जीएसएसएक्सप्शन: संदेश स्ट्रीम संशोधित (41)

Question

मैं वन वास्तुकला में एलडीएपी के साथ काम कर रहा हूं (सभी सर्वर और मेरा सर्वर विंडोज़ हैं)। मैं एनटीएलएम प्रमाणीकरण का उपयोग कर एडी को बाध्यकारी हूं।

मेरे पास एक जावा कोड है जो एलडीएपी सर्वर के खिलाफ संचालन करता है।

कोड को टोमकैट सर्वलेट के रूप में लपेटा गया है।

जब जावा कोड को सीधे चलाते हैं (केवल एलडीएपी प्रमाणीकरण कोड को एप्लिकेशन के रूप में निष्पादित करते हैं), बाइंड स्थानीय डोमेन (स्थानीय डोमेन = मैंने विंडोज़ में लॉग इन किया है, और इस प्रक्रिया के उपयोगकर्ता के साथ इस प्रक्रिया को चलाया) और विदेशी डोमेन।

जब वेवा कोड को सर्वलेट के रूप में चलाते हैं, तो बाइंड काम करता है और उपयोगकर्ताओं को एक डोमेन से प्रमाणित करता है लेकिन यदि मैं अन्य डोमेन से उपयोगकर्ताओं को प्रमाणित करने का प्रयास कर रहा हूं, तो यह काम नहीं करेगा, यह काम नहीं करेगा (यह केवल तभी काम करेगा जब मैं टॉमकैट फिर से शुरू होगा)।

मैं एक अपवाद हो रही है:

GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Message stream modified (41))]] 

मुझे लगता है कि यह एक ही कोड है, एक ही विन्यास और एक ही krb5 फ़ाइल के साथ उल्लेख करेंगे।

संपादित करें: अधिक जानकारी:

public void func(String realm, String kdc) { 
    try { 
     URL configURL = getClass().getResource("jaas_ntlm_configuration.txt"); 
     System.setProperty("java.security.auth.login.config", configURL.toString()); 

      System.setProperty("java.security.krb5.realm", realm); 
      System.setProperty("java.security.krb5.kdc",kdc); 

     // If the application is run on NT rather than Unix, use this name 
     String loginAppName = "MyConfig"; 

     // Create login context 
     LoginContext lc = new LoginContext(loginAppName, new SampleCallbackHandler()); 

     // Retrieve the information on the logged-in user 
     lc.login(); 

     // Get the authenticated subject 
     Subject subject = lc.getSubject(); 

     System.out.println(subject.toString()); 

     Subject.doAs(subject, new JndiAction(new String[] { "" })); 
    } 
    catch (LoginException e) { 
     e.printStackTrace(); 
    } 
} 

class JndiAction implements java.security.PrivilegedAction { 
    private String[] args; 

    public JndiAction(String[] origArgs) { 
     this.args = (String[])origArgs.clone(); 
    } 

    public Object run() { 
     performJndiOperation(args); 
     return null; 
    } 

    private static void performJndiOperation(String[] args) { 

     // Set up environment for creating initial context 
     Hashtable env = new Hashtable(11); 

     env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); 

     // Must use fully qualified hostname 
     env.put(Context.PROVIDER_URL, "ldap://server:389"); 

     // Request the use of the "GSSAPI" SASL mechanism 
     // Authenticate by using already established Kerberos credentials 
     env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI"); 

     try { 
      // Create the initial context 
      DirContext ctx = new InitialLdapContext(env, null); 


      // Close the context when we're done 
      ctx.close(); 
     } catch (NamingException e) { 
      e.printStackTrace(); 
     } 
    } 
} 

और मेरे jaas_ntlm_configuration.txt फ़ाइल है:

यह मेरा कोड है

MyConfig { com.sun.security.auth.module.Krb5LoginModule required 
useTicketCache=true 
doNotPrompt=false; 
}; 

मेरे krb5.conf फ़ाइल है:

# 
# All rights reserved. 
# 
#pragma ident @(#)krb5.conf 1.1 00/12/08 

[libdefaults] 
    default_tkt_enctypes = des3-cbc-sha1 des-cbc-md5 des-cbc-crc 
    default_tgs_enctypes = des3-cbc-sha1 des-cbc-md5 des-cbc-crc 
    forwardable = true 
    renewable = true 
    noaddresses = true 
    clockskew = 300 

[realms] 
     SUB1.DOMAIN.COM = { 
       kdc = DDC.SUB1.DOMAIN.COM 
     default_domain=DOMAIN.COM 
     } 
    SUB2.DOMAIN.COM = { 
       kdc = DDC.SUB.DOMAIN.COM 
     default_domain=DOMAIN.COM 
     } 
    SUB3.DOMAIN.COM = { 
       kdc = DDC.SUB3.DOMAIN.COM 
     default_domain=DOMAIN.COM 
     } 

[domain_realm] 
    .DOMAIN.COM = SUB1.DOMAIN.COM 
    .DOMAIN.COM = SUB2.DOMAIN.COM 
    .DOMAIN.COM = SUB3.DOMAIN.COM 

[logging] 
     default = FILE:/var/krb5/kdc.log 
     kdc = FILE:/var/krb5/kdc.log 
    kdc_rotate = { 

# How often to rotate kdc.log. Logs will get rotated no more 
# often than the period, and less often if the KDC is not used 
# frequently. 

     period = 1d 

# how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...) 

     versions = 10 
    } 

[appdefaults] 
    kinit = { 
     renewable = true 
     forwardable= true 
    } 
    rlogin = { 
     forwardable= true 
    } 
    rsh = { 
     forwardable= true 
    } 
    telnet = { 
      autologin = true 
     forwardable= true 
    } 

मैं जावा पैरामीटर के रूप में निम्नलिखित कहा:

-Djavax.security.auth.useSubjectCredsOnly=false -Djava.security.krb5.conf="krb5.conf" -Dsun.security.krb5.debug=true 

अगर मैं फोन समारोह ("उप * .DOMAIN.COM", "DDC.SUB * .DOMAIN.COM") हमेशा एक ही उप डोमेन से - यह काम करेगा, लेकिन अगर मैं एक सबडोमेन के साथ कॉल करूंगा और फिर दूसरे के साथ, दूसरा असफल हो जाएगा।

अधिक जानकारी:

यहाँ = krb5.debug साथ उत्पादन होता है सच:

java -Xmx100m -cp gssapi_test.jar -Djavax.security.auth.useSubjectCredsOnly=false -Djava.security.krb5.conf="krb5.conf" -Dsun.security.krb5.debug=true gssapitest.myTest my_config.txt 
2 users provided. Performing authentication #1 
Reading configuration file my_config.txt 
kdc: DDC.SUB1.DOMAIN.COM, realm: SUB1.DOMAIN.COM 
>>>KinitOptions cache name is C:\Users\user1\krb5cc_user1 
>> Acquire default native Credentials 
>>> Obtained TGT from LSA: Credentials: 
client=user1@SUB1.DOMAIN.COM 
server=krbtgt/SUB1.DOMAIN.COM@SUB1.DOMAIN.COM 
authTime=20130422075139Z 
startTime=20130422075139Z 
endTime=20130422175139Z 
renewTill=20130429075139Z 
flags: FORWARDABLE;RENEWABLE;INITIAL;PRE-AUTHENT 
EType (int): 23 
Subject: 
    Principal: user1@SUB1.DOMAIN.COM 
    Private Credential: Ticket (hex) = 
..... 

Client Principal = user1@SUB1.DOMAIN.COM 
Server Principal = krbtgt/SUB1.DOMAIN.COM@SUB1.DOMAIN.COM 
Session Key = EncryptionKey: keyType=23 keyBytes (hex dump)= 
0000: 2B 8C 97 3C 8E 83 66 F1 6D 58 6C 37 20 0E 1F 53 +..<..f.mXl7 ..S 


Forwardable Ticket true 
Forwarded Ticket false 
Proxiable Ticket false 
Proxy Ticket false 
Postdated Ticket false 
Renewable Ticket true 
Initial Ticket true 
Auth Time = Mon Apr 22 15:51:39 2013 
Start Time = Mon Apr 22 15:51:39 2013 
End Time = Tue Apr 23 01:51:39 2013 
Renew Till = Mon Apr 29 15:51:39 2013 
Client Addresses Null 

Connecting to LDAP 
Config name: krb5.conf 
Found ticket for user1@SUB1.DOMAIN.COM to go to krbtgt/SUB1.DOMAIN.COM@SUB1.DOMAIN.COM expiring on Tue Apr 23 01:51:39 2013 
Entered Krb5Context.initSecContext with state=STATE_NEW 
Service ticket not found in the subject 
>>> Credentials acquireServiceCreds: same realm 
default etypes for default_tgs_enctypes: 16 3 1. 
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType 
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType 
>>> KdcAccessibility: reset 
>>> KrbKdcReq send: kdc=DDC.SUB1.DOMAIN.COM UDP:88, timeout=30000, number of retries =3, #bytes=1554 
>>> KDCCommunication: kdc=DDC.SUB1.DOMAIN.COM UDP:88, timeout=30000,Attempt =1, #bytes=1554 
>>> KrbKdcReq send: #bytes read=107 
>>> KrbKdcReq send: kdc=DDC.SUB1.DOMAIN.COM TCP:88, timeout=30000, number of retries =3, #bytes=1554 
>>> KDCCommunication: kdc=DDC.SUB1.DOMAIN.COM TCP:88, timeout=30000,Attempt =1, #bytes=1554 
>>>DEBUG: TCPClient reading 1497 bytes 
>>> KrbKdcReq send: #bytes read=1497 
>>> KdcAccessibility: remove DDC.SUB1.DOMAIN.COM 
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType 
>>> KrbApReq: APOptions are 00000000 00000000 00000000 00000000 
>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType 
Krb5Context setting mySeqNumber to: 1005735013 
Krb5Context setting peerSeqNumber to: 0 
Created InitSecContextToken: 
..... 

Krb5Context.unwrap: token=[60 33 06 09 2a 86 48 86 f7 12 01 02 02 02 01 00 00 ff ff ff ff 94 52 14 5b f6 02 28 1c a4 3c c5 8f 03 9c a2 d6 e5 f6 f1 18 ed 6f 16 ab 07 a0 00 00 04 04 04 04 ] 
Krb5Context.unwrap: data=[07 a0 00 00 ] 
Krb5Context.wrap: data=[01 01 00 00 ] 
Krb5Context.wrap: token=[60 33 06 09 2a 86 48 86 f7 12 01 02 02 02 01 00 00 ff ff ff ff 2d b6 92 0d d9 51 da aa ef 41 67 33 5c de b3 e6 ce 9a 46 31 a0 a8 0e 27 01 01 00 00 04 04 04 04 ] 
Connected 
Disconnected 
#1: Done 
Performing authentication #2 
Reading configuration file my_config.txt 
kdc: DDC.SUB2.DOMAIN.COM, realm: SUB2.DOMAIN.COM 
>>>KinitOptions cache name is C:\Users\user1\krb5cc_user1 
>> Acquire default native Credentials 
>>> Obtained TGT from LSA: Credentials: 
client=user1@SUB1.DOMAIN.COM 
server=krbtgt/SUB1.DOMAIN.COM@SUB1.DOMAIN.COM 
authTime=20130422075139Z 
startTime=20130422075139Z 
endTime=20130422175139Z 
renewTill=20130429075139Z 
flags: FORWARDABLE;RENEWABLE;INITIAL;PRE-AUTHENT 
EType (int): 23 
Subject: 
    Principal: user1@SUB1.DOMAIN.COM 
    Private Credential: Ticket (hex) = 
..... 

Client Principal = user1@SUB1.DOMAIN.COM 
Server Principal = krbtgt/SUB1.DOMAIN.COM@SUB1.DOMAIN.COM 
Session Key = EncryptionKey: keyType=23 keyBytes (hex dump)= 
0000: 2B 8C 97 3C 8E 83 66 F1 6D 58 6C 37 20 0E 1F 53 +..<..f.mXl7 ..S 


Forwardable Ticket true 
Forwarded Ticket false 
Proxiable Ticket false 
Proxy Ticket false 
Postdated Ticket false 
Renewable Ticket true 
Initial Ticket true 
Auth Time = Mon Apr 22 15:51:39 2013 
Start Time = Mon Apr 22 15:51:39 2013 
End Time = Tue Apr 23 01:51:39 2013 
Renew Till = Mon Apr 29 15:51:39 2013 
Client Addresses Null 

Connecting to LDAP 
Found ticket for user1@SUB1.DOMAIN.COM to go to krbtgt/SUB1.DOMAIN.COM@SUB1.DOMAIN.COM expiring on Tue Apr 23 01:51:39 2013 
Entered Krb5Context.initSecContext with state=STATE_NEW 
Service ticket not found in the subject 
>>> Credentials acquireServiceCreds: same realm 
default etypes for default_tgs_enctypes: 16 3 1. 
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType 
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType 
>>> KrbKdcReq send: kdc=DDC.SUB1.DOMAIN.COM UDP:88, timeout=30000, number of retries =3, #bytes=1554 
>>> KDCCommunication: kdc=DDC.SUB1.DOMAIN.COM UDP:88, timeout=30000,Attempt =1, #bytes=1554 
>>> KrbKdcReq send: #bytes read=107 
>>> KrbKdcReq send: kdc=DDC.SUB1.DOMAIN.COM TCP:88, timeout=30000, number of retries =3, #bytes=1554 
>>> KDCCommunication: kdc=DDC.SUB1.DOMAIN.COM TCP:88, timeout=30000,Attempt =1, #bytes=1554 
>>>DEBUG: TCPClient reading 1482 bytes 
>>> KrbKdcReq send: #bytes read=1482 
>>> KdcAccessibility: remove DDC.SUB1.DOMAIN.COM 
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType 
KrbException: Message stream modified (41) 
    at sun.security.krb5.KrbKdcRep.check(Unknown Source) 
    at sun.security.krb5.KrbTgsRep.<init>(Unknown Source) 
    at sun.security.krb5.KrbTgsReq.getReply(Unknown Source) 
    at sun.security.krb5.KrbTgsReq.sendAndGetCreds(Unknown Source) 
    at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source) 
    at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source) 
    at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source) 
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source) 
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source) 
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source) 
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source) 
    at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source) 
    at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source) 
    at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source) 
    at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source) 
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source) 
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source) 
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source) 
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source) 
    at javax.naming.spi.NamingManager.getInitialContext(Unknown Source) 
    at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source) 
    at javax.naming.InitialContext.init(Unknown Source) 
    at javax.naming.ldap.InitialLdapContext.<init>(Unknown Source) 
    at gssapitest.JndiAction.performJndiOperation(myTest.java:603) 
    at gssapitest.JndiAction.run(myTest.java:577) 
    at java.security.AccessController.doPrivileged(Native Method) 
    at javax.security.auth.Subject.doAs(Unknown Source) 
    at gssapitest.myTest.Do(myTest.java:59) 
    at gssapitest.myTest.main(myTest.java:513) 
javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Message stream modified (41))]] 
    at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source) 
    at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source) 
    at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source) 
    at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source) 
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source) 
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source) 
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source) 
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source) 
    at javax.naming.spi.NamingManager.getInitialContext(Unknown Source) 
    at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source) 
    at javax.naming.InitialContext.init(Unknown Source) 
    at javax.naming.ldap.InitialLdapContext.<init>(Unknown Source) 
    at gssapitest.JndiAction.performJndiOperation(myTest.java:603) 
    at gssapitest.JndiAction.run(myTest.java:577) 
    at java.security.AccessController.doPrivileged(Native Method) 
    at javax.security.auth.Subject.doAs(Unknown Source) 
    at gssapitest.myTest.Do(myTest.java:59) 
    at gssapitest.myTest.main(myTest.java:513) 
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Message stream modified (41))] 
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source) 
    ... 18 more 
Caused by: GSSException: No valid credentials provided (Mechanism level: Message stream modified (41)) 
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source) 
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source) 
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source) 
    ... 19 more 
Caused by: KrbException: Message stream modified (41) 
    at sun.security.krb5.KrbKdcRep.check(Unknown Source) 
    at sun.security.krb5.KrbTgsRep.<init>(Unknown Source) 
    at sun.security.krb5.KrbTgsReq.getReply(Unknown Source) 
    at sun.security.krb5.KrbTgsReq.sendAndGetCreds(Unknown Source) 
    at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source) 
    at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source) 
    at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source) 
    ... 22 more 
FAILED 

मैं क्या कर सकता है? क्या मैं कुछ गलत करता हूँ?

धन्यवाद।

Answer 1

एनटीएलएम! = केर्बेरोस। जावा एसएएसएल एनटीएलएम का समर्थन नहीं करता है। Kerberos ठीक से कॉन्फ़िगर करें और यह काम करेगा।

Answer 2

इसके लिए धन्यवाद! संदर्भ के लिए, दायरे के अपरकेस (यानी दायरे 100% सही और अपरकेस में होना चाहिए) "अपवाद: krb_error 41 संदेश स्ट्रीम संशोधित (41)" से बचने के लिए बहुत महत्वपूर्ण है।

[libdefaults] 
default_realm = EXAMPLE.COM 

[realms] 
EXAMPLE.COM = { 
kdc = domaincontroller.example.com 
admin_server = domaincontroller.example.com 
default_domain = EXAMPLE.COM 
} 

[domain_realm] 
.example.com = EXAMPLE.COM 
example.com = EXAMPLE.COM 

सादर,

Nika:

यहाँ सही अंकन का एक उदाहरण है।