kinit under Windows Server 2016 Active Directory + Kerberos + JDK8 fails to obtain a TGT with "KrbException: Identifier doesn't match expected value (906)"


Trying to obtain a ticket-granting ticket with Windows Server 2016 Active Directory + Kerberos and Java OpenJDK 8 kinit returns KrbException: Identifier doesn't match expected value (906)

I have two Azure VMs running Windows Server 2016, one at 10.0.1.4 and the other at 10.0.1.7, and I want to obtain a ticket-granting ticket with kinit.

The 10.0.1.4 VM contains Active Directory with LDAP and DNS servers. Its computer name is WinServer2016Fo. So the Active Directory domain controller is WinServer2016Fo.corp.demo.com and the Kerberos Key Distribution Center is WINSERVER2016FO.CORP.DEMO.COM, which as I understand it is the domain controller name in all capitals.

The 10.0.1.7 VM contains Java OpenJDK 8. Its computer name is demoMachine. I have verified with Telnet that I can connect from 10.0.1.7 to WinServer2016Fo.corp.demo.com (10.0.1.4) on port 88 (the port Kerberos uses).

The domain name is corp.demo.com, and in that domain I created a user named demoHttp with the password demoHttp.

I linked the user demoHttp to demoMachine using setspn as follows:

setspn -S HTTP/demoMachine.corp.demo.com demoHttp

Then I created krb5.keytab as follows:

ktpass -out krb5.keytab -princ HTTP/[email protected] -mapUser demoHttp -mapOp set -pass demoHttp -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL

krb5.ini on 10.0.1.7 (the demo.corp.demo.com VM):

[libdefaults]
    default_realm = CORP.DEMO.COM
    default_keytab_name = FILE:c:\Windows\krb5.keytab
    default_tkt_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac
    forwardable = true
    renewable = true
    noaddresses = true
    clockskew = 300
    udp_preference_limit = 1
    # the posted file spelled this key "allor_weak_crypto"; the real key name is allow_weak_crypto
    allow_weak_crypto = true
[realms]
    CORP.DEMO.COM = {
        kdc = WinServer2016Fo.corp.demo.com:88
        default_domain = corp.demo.com
    }
[domain_realm]
    corp.demo.com = CORP.DEMO.COM

The problem is that when I try to run kinit with OpenJDK 8:

kinit.exe "-J-Dsun.security.krb5.debug=true" -k -t C:\Windows\krb5.keytab HTTP/demoMachine.corp.demo.com

it throws the following exception:

PS C:\Users\demoHttp> .\Downloads\openjdk-8u41-b04-windows-i586-14_jan_2020\java-se-8u41-ri\bin\kinit.exe "-J-Dsun.security.krb5.debug=true" -k -t C:\Windows\krb5.keytab HTTP/demoMachine.corp.demo.com
Java config name: null
LSA: Found Ticket
LSA: Made NewWeakGlobalRef
LSA: Found PrincipalName
LSA: Made NewWeakGlobalRef
LSA: Found DerValue
LSA: Made NewWeakGlobalRef
LSA: Found EncryptionKey
LSA: Made NewWeakGlobalRef
LSA: Found TicketFlags
LSA: Made NewWeakGlobalRef
LSA: Found KerberosTime
LSA: Made NewWeakGlobalRef
LSA: Found String
LSA: Made NewWeakGlobalRef
LSA: Found DerValue constructor
LSA: Found Ticket constructor
LSA: Found PrincipalName constructor
LSA: Found EncryptionKey constructor
LSA: Found TicketFlags constructor
LSA: Found KerberosTime constructor
LSA: Finished OnLoad processing
Native config name: C:\windows\krb5.ini
Loaded from native config
>>>KinitOptions cache name is C:\Users\demoHttp\krb5cc_demoMachineHttp
Principal is HTTP/[email protected]
>>> Kinit using keytab
>>> Kinit keytab file name: C:\Windows\krb5.keytab
>>> Kinit realm name is CORP.DEMO.COM
>>> Creating KrbAsReq
>>> KrbKdcReq local addresses for elm are:

        demoMachine/10.0.1.7
IPv4 address

        demoMachine/fe80:0:0:0:fc1c:feca:403e:10f7%6
IPv6 address
>>> KdcAccessibility: reset
>>> KeyTabInputStream, readName(): WINSERVER2016FO.CORP.DEMO.COM
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): demoMachine.corp.demo.com
>>> KeyTab: load() entry length: 95; type: 23
Looking for keys for: HTTP/[email protected]
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23.
Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:  No error
KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:
        at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:280)
        at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
        at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
        at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
        at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
        at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)
PS C:\Users\demoHttp>

Another test:

PS C:\Users\demoHttp> .\Downloads\openjdk-8u41-b04-windows-i586-14_jan_2020\java-se-8u41-ri\bin\kinit.exe "-J-Dsun.security.krb5.debug=true" -k -t C:\Windows\krb5.keytab HTTP/[email protected]
>>>KinitOptions cache name is C:\Users\demoHttp\krb5cc_demoHttp
Principal is HTTP/[email protected]
>>> Kinit using keytab
>>> Kinit keytab file name: C:\Windows\krb5.keytab
Java config name: null
LSA: Found Ticket
LSA: Made NewWeakGlobalRef
LSA: Found PrincipalName
LSA: Made NewWeakGlobalRef
LSA: Found DerValue
LSA: Made NewWeakGlobalRef
LSA: Found EncryptionKey
LSA: Made NewWeakGlobalRef
LSA: Found TicketFlags
LSA: Made NewWeakGlobalRef
LSA: Found KerberosTime
LSA: Made NewWeakGlobalRef
LSA: Found String
LSA: Made NewWeakGlobalRef
LSA: Found DerValue constructor
LSA: Found Ticket constructor
LSA: Found PrincipalName constructor
LSA: Found EncryptionKey constructor
LSA: Found TicketFlags constructor
LSA: Found KerberosTime constructor
LSA: Finished OnLoad processing
Native config name: C:\windows\krb5.ini
Loaded from native config
>>> Kinit realm name is WINSERVER2016FO.CORP.DEMO.COM
>>> Creating KrbAsReq
>>> KrbKdcReq local addresses for elm are:

        demoMachine/10.0.1.7
IPv4 address

        demoMachine/fe80:0:0:0:fc1c:feca:403e:10f7%6
IPv6 address
>>> KdcAccessibility: reset
>>> KeyTabInputStream, readName(): WINSERVER2016FO.CORP.DEMO.COM
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): demoMachine.corp.demo.com
>>> KeyTab: load() entry length: 95; type: 23
Looking for keys for: HTTP/[email protected]
Added key: 23version: 44
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23.
>>> KrbAsReq creating message
getKDCFromDNS using UDP
getKDCFromDNS using TCP
>>> KrbKdcReq send: kdc=WinServer2016Fo TCP:88, timeout=30000, number of retries =3, #bytes=246
>>> KDCCommunication: kdc=WinServer2016Fo TCP:88, timeout=30000,Attempt =1, #bytes=246
>>>DEBUG: TCPClient reading 140 bytes
>>> KrbKdcReq send: #bytes read=140
>>> KdcAccessibility: remove WinServer2016Fo
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Wed Sep 30 20:02:17 UTC 2020 1601496137000
         suSec is 459157
         error code is 68
         error Message is null
         sname is krbtgt/[email protected]
         msgType is 30
Exception: krb_error 68 null (68) null
KrbException: null (68)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
        at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
        at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
        at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
        at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
        at sun.security.krb5.internal.ASRep.init(ASRep.java:64)
        at sun.security.krb5.internal.ASRep.<init>(ASRep.java:59)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
        ... 4 more
PS C:\Users\demoHttp>
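In both runs above the keytab entry belongs to realm WINSERVER2016FO.CORP.DEMO.COM while krb5.ini sets default_realm = CORP.DEMO.COM, so the first run finds no usable key and the second, which sends an AS-REQ for that realm, gets KDC error 68 (KDC_ERR_WRONG_REALM) back, surfaced by the JDK as 906 because a KRB-ERROR arrived where an AS-REP was expected. The following Python keytab parser, added here and not part of the question or of the JDK, lists each entry's realm, etype and kvno and flags such mismatches; it assumes a constructed sample keytab with the same shape as the one in the debug output (one 95-byte entry, type 23) and a dummy key.

```python
import struct
# Constructed sample data, not the poster's keytab. A version 0x0502 keytab holds one entry per
# key: component count, realm, components, name type, timestamp, 8-bit kvno, keyblock (etype,
# key), optionally a 32-bit kvno. Strings are prefixed with a 16-bit big-endian length.
def _cstr(s):
    b = s.encode()
    return struct.pack(">H", len(b)) + b

def build_keytab(realm, components, etype, kvno, key, name_type=1):  # 1 = KRB5_NT_PRINCIPAL
    body = struct.pack(">H", len(components)) + _cstr(realm)
    body += b"".join(_cstr(c) for c in components)
    body += struct.pack(">IIB", name_type, 0, kvno & 0xFF)   # name type, timestamp, 8-bit kvno
    body += struct.pack(">HH", etype, len(key)) + key         # keyblock
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def parse_keytab(data):
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 is supported")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                 # a negative size marks a deleted slot: skip it
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off, names = off + 2, []
        for _ in range(ncomp + 1):    # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, off)
            names.append(data[off + 2:off + 2 + n].decode())
            off += 2 + n
        vno8 = data[off + 8]          # after the 4-byte name type and 4-byte timestamp
        etype, klen = struct.unpack_from(">HH", data, off + 9)
        off += 13 + klen
        kvno32 = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else 0
        entries.append({"principal": "/".join(names[1:]) + "@" + names[0], "realm": names[0],
                        "etype": etype, "kvno": kvno32 or vno8})
        off = end
    return entries

def check_keytab(entries, default_realm, permitted_etypes):
    """List what makes 'kinit -k -t' fail: a realm other than default_realm, or an etype not permitted."""
    problems = []
    for e in entries:
        if e["realm"] != default_realm:
            problems.append(f"{e['principal']}: realm is not default_realm {default_realm}")
        if e["etype"] not in permitted_etypes:
            problems.append(f"{e['principal']}: etype {e['etype']} not in {sorted(permitted_etypes)}")
    return problems
```

Running check_keytab over a real keytab (open(path, "rb").read()) with the default_realm and enctypes from krb5.ini shows in one line whether the principal was written under the domain controller's name instead of the realm, which is what the debug output of the first run reports as having no keys of the listed types.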
