Trying to obtain a ticket-granting ticket with Windows Server 2016 Active Directory + Kerberos and Java OpenJDK 8 kinit returns KrbException: Identifier doesn't match expected value (906)
I have two Azure VMs with which I want to get a kinit ticket-granting ticket using Windows Server 2016, one at 10.0.1.4 and the other at 10.0.1.7.
The 10.0.1.4 VM contains Active Directory with LDAP and DNS servers. The computer name is WinServer2016Fo. So the Active Directory domain controller is WinServer2016Fo.corp.demo.com and the Kerberos Key Distribution Center is WINSERVER2016FO.CORP.DEMO.COM, which as I understand it is the domain controller name in all uppercase.
The 10.0.1.7 VM contains Java OpenJDK 8. The computer name is demoMachine. I have verified via Telnet that I can connect from 10.0.1.7 to WinServer2016Fo.corp.demo.com (10.0.1.4) on port 88 (the port used by Kerberos).
The domain is corp.demo.com, and I created a user for that domain named demoHttp with the password demoHttp.
I linked the user demoHttp to demoMachine using setspn as follows:
setspn -S HTTP/demoMachine.corp.demo.com demoHttp
Then I created krb5.keytab as follows:
ktpass -out krb5.keytab -princ HTTP/[email protected] -mapUser demoHttp -mapOp set -pass demoHttp -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL
krb5.ini on 10.0.1.7 (the demo.corp.demo.com VM):
[libdefaults]
default_realm = CORP.DEMO.COM
default_keytab_name = FILE:c:\Windows\krb5.keytab
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
forwardable = true
renewable = true
noaddresses = true
clockskew = 300
udp_preference_limit = 1
allor_weak_crypto = true
[realms]
CORP.DEMO.COM = {
kdc = WinServer2016Fo.corp.demo.com:88
default_domain = corp.demo.com
}
[domain_realm]
corp.demo.com = CORP.DEMO.COM
The problem is that when I try to run kinit using OpenJDK 8:
kinit.exe "-J-Dsun.security.krb5.debug=true" -k -t C:\Windows\krb5.keytab HTTP/demoMachine.corp.demo.com
it throws the following exception:
PS C:\Users\demoHttp> .\Downloads\openjdk-8u41-b04-windows-i586-14_jan_2020\java-se-8u41-ri\bin\kinit.exe "-J-Dsun.security.krb5.debug=true" -k -t C:\Windows\krb5.keytab HTTP/demoMachine.corp.demo.com
Java config name: null
LSA: Found Ticket
LSA: Made NewWeakGlobalRef
LSA: Found PrincipalName
LSA: Made NewWeakGlobalRef
LSA: Found DerValue
LSA: Made NewWeakGlobalRef
LSA: Found EncryptionKey
LSA: Made NewWeakGlobalRef
LSA: Found TicketFlags
LSA: Made NewWeakGlobalRef
LSA: Found KerberosTime
LSA: Made NewWeakGlobalRef
LSA: Found String
LSA: Made NewWeakGlobalRef
LSA: Found DerValue constructor
LSA: Found Ticket constructor
LSA: Found PrincipalName constructor
LSA: Found EncryptionKey constructor
LSA: Found TicketFlags constructor
LSA: Found KerberosTime constructor
LSA: Finished OnLoad processing
Native config name: C:\windows\krb5.ini
Loaded from native config
>>>KinitOptions cache name is C:\Users\demoHttp\krb5cc_demoMachineHttp
Principal is HTTP/[email protected]
>>> Kinit using keytab
>>> Kinit keytab file name: C:\Windows\krb5.keytab
>>> Kinit realm name is CORP.DEMO.COM
>>> Creating KrbAsReq
>>> KrbKdcReq local addresses for elm are:
demoMachine/10.0.1.7
IPv4 address
demoMachine/fe80:0:0:0:fc1c:feca:403e:10f7%6
IPv6 address
>>> KdcAccessibility: reset
>>> KeyTabInputStream, readName(): WINSERVER2016FO.CORP.DEMO.COM
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): demoMachine.corp.demo.com
>>> KeyTab: load() entry length: 95; type: 23
Looking for keys for: HTTP/[email protected]
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23.
Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type: No error
KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:
at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:280)
at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)
PS C:\Users\demoHttp>
Another test:
PS C:\Users\demoHttp> .\Downloads\openjdk-8u41-b04-windows-i586-14_jan_2020\java-se-8u41-ri\bin\kinit.exe "-J-Dsun.security.krb5.debug=true" -k -t C:\Windows\krb5.keytab HTTP/[email protected]
>>>KinitOptions cache name is C:\Users\demoHttp\krb5cc_demoHttp
Principal is HTTP/[email protected]
>>> Kinit using keytab
>>> Kinit keytab file name: C:\Windows\krb5.keytab
Java config name: null
LSA: Found Ticket
LSA: Made NewWeakGlobalRef
LSA: Found PrincipalName
LSA: Made NewWeakGlobalRef
LSA: Found DerValue
LSA: Made NewWeakGlobalRef
LSA: Found EncryptionKey
LSA: Made NewWeakGlobalRef
LSA: Found TicketFlags
LSA: Made NewWeakGlobalRef
LSA: Found KerberosTime
LSA: Made NewWeakGlobalRef
LSA: Found String
LSA: Made NewWeakGlobalRef
LSA: Found DerValue constructor
LSA: Found Ticket constructor
LSA: Found PrincipalName constructor
LSA: Found EncryptionKey constructor
LSA: Found TicketFlags constructor
LSA: Found KerberosTime constructor
LSA: Finished OnLoad processing
Native config name: C:\windows\krb5.ini
Loaded from native config
>>> Kinit realm name is WINSERVER2016FO.CORP.DEMO.COM
>>> Creating KrbAsReq
>>> KrbKdcReq local addresses for elm are:
demoMachine/10.0.1.7
IPv4 address
demoMachine/fe80:0:0:0:fc1c:feca:403e:10f7%6
IPv6 address
>>> KdcAccessibility: reset
>>> KeyTabInputStream, readName(): WINSERVER2016FO.CORP.DEMO.COM
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): demoMachine.corp.demo.com
>>> KeyTab: load() entry length: 95; type: 23
Looking for keys for: HTTP/[email protected]
Added key: 23version: 44
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23.
>>> KrbAsReq creating message
getKDCFromDNS using UDP
getKDCFromDNS using TCP
>>> KrbKdcReq send: kdc=WinServer2016Fo TCP:88, timeout=30000, number of retries =3, #bytes=246
>>> KDCCommunication: kdc=WinServer2016Fo TCP:88, timeout=30000,Attempt =1, #bytes=246
>>>DEBUG: TCPClient reading 140 bytes
>>> KrbKdcReq send: #bytes read=140
>>> KdcAccessibility: remove WinServer2016Fo
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Wed Sep 30 20:02:17 UTC 2020 1601496137000
suSec is 459157
error code is 68
error Message is null
sname is krbtgt/[email protected]
msgType is 30
Exception: krb_error 68 null (68) null
KrbException: null (68)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
at sun.security.krb5.internal.ASRep.init(ASRep.java:64)
at sun.security.krb5.internal.ASRep.<init>(ASRep.java:59)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
... 4 more
PS C:\Users\demoHttp>
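The two debug traces above differ in one detail worth checking before touching the KDC: the keytab entry that ktpass wrote carries the realm WINSERVER2016FO.CORP.DEMO.COM (the `KeyTabInputStream, readName()` lines), while the first run, whose principal had no `@REALM`, searched under the krb5.ini default_realm CORP.DEMO.COM (`Kinit realm name is CORP.DEMO.COM`) and so found no key at all. The second run named the keytab's realm explicitly, found the RC4 key (`Added key: 23version: 44`), and then received KRB-ERROR code 68 from the KDC; RFC 4120 assigns 68 to KDC_ERR_WRONG_REALM, which is consistent with an AS-REQ addressed to a realm the CORP.DEMO.COM KDC does not serve. Note also that the posted krb5.ini spells the key `allor_weak_crypto`; MIT Kerberos and Java read `allow_weak_crypto`, so the line as written is ignored. The following keytab inspector is an added example (editor's code, not part of the question or of OpenJDK) that parses the MIT v2 keytab format Java reads and reproduces the lookup rules behind both failures, so a keytab can be checked offline against the principal, default_realm and default_tkt_enctypes that kinit will use. The sample keytab it builds is constructed to mirror the question (one rc4-hmac key, kvno 44, dummy key bytes); the entry length it reports, 95, matches the `entry length: 95` in the trace.

```python
import io
import struct
from dataclasses import dataclass
from typing import Iterable, List

# MIT keytab v2 layout (magic 0x0502), as written by ktpass and read by
# sun.security.krb5.internal.ktab.KeyTab:
#   int32 size | uint16 ncomp | realm | comp... | uint32 name_type |
#   uint32 timestamp | uint8 vno8 | uint16 etype | key [| uint32 vno32]
# Strings and keys are uint16-length-prefixed; a negative size is a deleted slot.
KEYTAB_MAGIC = 0x0502
ETYPE_NAMES = {16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


@dataclass
class KeytabEntry:
    realm: str
    components: List[str]
    name_type: int
    timestamp: int
    kvno: int
    etype: int
    key: bytes
    size: int  # on-disk entry length, what Java logs as "entry length"

    @property
    def principal(self) -> str:
        return "/".join(self.components) + "@" + self.realm


def _counted(buf: io.BytesIO) -> bytes:
    (n,) = struct.unpack(">H", buf.read(2))
    return buf.read(n)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a v2 keytab into entries; raises ValueError on a wrong magic."""
    buf = io.BytesIO(data)
    (magic,) = struct.unpack(">H", buf.read(2))
    if magic != KEYTAB_MAGIC:
        raise ValueError(f"not a v2 keytab, magic {magic:#06x}")
    entries: List[KeytabEntry] = []
    while len(raw := buf.read(4)) == 4:
        (size,) = struct.unpack(">i", raw)
        if size == 0:
            break
        if size < 0:  # deleted slot: skip its payload
            buf.read(-size)
            continue
        e = io.BytesIO(buf.read(size))
        (ncomp,) = struct.unpack(">H", e.read(2))
        realm = _counted(e).decode()
        comps = [_counted(e).decode() for _ in range(ncomp)]
        name_type, timestamp, vno8 = struct.unpack(">IIB", e.read(9))
        (etype,) = struct.unpack(">H", e.read(2))
        key = _counted(e)
        kvno = vno8
        tail = e.read(4)  # optional 32-bit kvno, present only if bytes remain
        if len(tail) == 4 and (v := struct.unpack(">I", tail)[0]):
            kvno = v
        entries.append(KeytabEntry(realm, comps, name_type, timestamp, kvno, etype, key, size))
    return entries


def build_keytab(realm: str, components: List[str], etype: int, kvno: int,
                 key: bytes, name_type: int = 1, timestamp: int = 0) -> bytes:
    """Serialize a one-entry keytab in the same layout (used here to construct sample data)."""
    body = struct.pack(">H", len(components))
    for s in [realm, *components]:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBH", name_type, timestamp, kvno, etype)
    body += struct.pack(">H", len(key)) + key
    return struct.pack(">H", KEYTAB_MAGIC) + struct.pack(">i", len(body)) + body


def sample_keytab() -> bytes:
    """Constructed sample mirroring the question's keytab; key bytes are dummy zeros."""
    return build_keytab("WINSERVER2016FO.CORP.DEMO.COM",
                        ["HTTP", "demoMachine.corp.demo.com"], 23, 44, bytes(16))


def qualify(principal: str, default_realm: str) -> str:
    """Java's rule: a principal given without @REALM gets default_realm appended."""
    return principal if "@" in principal else f"{principal}@{default_realm}"


def diagnose(entries: Iterable[KeytabEntry], principal: str, default_realm: str,
             default_tkt_enctypes: Iterable[int]) -> str:
    """Explain whether kinit -k -t would find a usable key for `principal`."""
    wanted = qualify(principal, default_realm)
    match = [e for e in entries if e.principal == wanted]
    if not match:
        have = sorted({e.principal for e in entries})
        return f"no-key-for-principal: keytab holds {have}, kinit looks for {wanted}"
    usable = [e for e in match if e.etype in set(default_tkt_enctypes)]
    if not usable:
        have = sorted({ETYPE_NAMES.get(e.etype, str(e.etype)) for e in match})
        return f"no-usable-etype: keytab has {have}, none listed in default_tkt_enctypes"
    realm = usable[0].realm
    if realm != default_realm:
        return (f"realm-mismatch: key found under {realm} but default_realm is {default_realm}; "
                f"the AS-REQ goes to a realm the default KDC does not serve")
    return f"ok: {len(usable)} usable key(s), kvno {usable[0].kvno}"


if __name__ == "__main__":
    entries = parse_keytab(sample_keytab())
    for e in entries:
        print(f"{e.principal} etype={e.etype} ({ETYPE_NAMES.get(e.etype)}) "
              f"kvno={e.kvno} entry length={e.size}")
    for princ in ("HTTP/demoMachine.corp.demo.com",
                  "HTTP/demoMachine.corp.demo.com@WINSERVER2016FO.CORP.DEMO.COM"):
        print(princ, "->", diagnose(entries, princ, "CORP.DEMO.COM", (17, 16, 23)))
```

Point `parse_keytab` at the bytes of a real keytab (`open(path, "rb").read()`) to list what a keytab actually contains before running kinit; `diagnose` then reports which of the three preconditions fails: no entry for the fully qualified principal, no key of an allowed enctype, or a key whose realm is not the realm the KDC serves.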