我正在从 Java 6 迁移到 Java 7,但遇到了 Kerberos 身份验证问题。在我看来,底层加密类型顺序已切换,因此使用了不同的加密类型。在这种情况下,当 Java 7 运行时,Aes128CtsHmacSha1EType 被用于部分事务。 ArcFourHmacEType 在运行 Java 6 时使用,并用于运行 Java 7 的其他部分。
其他详细信息:针对 Windows Active Directory 服务器在 Linux (Fedora 16) 上运行。
我知道,如果我在 krb5.conf 文件中设置 default_tkt_enctypes、default_tgs_enctypes、permitted_enctypes 参数,我就可以进行身份验证;但是,我想让它在没有文件的情况下工作,理想情况下不必强制使用一个或两个 enctypes。
这是我收到的错误消息:
java.security.PrivilegedActionException: javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: Final handshake failed [Caused by GSSException: Token had invalid integrity check (Mechanism level: Corrupt checksum in Wrap token)]]
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:415)
at *internal.code*.LDAPAuthenticator.authenticate(LDAPAuthenticator.java:46)
at *internal.code*.LDAPAuthenticatorTest.testUpdateUser(LDAPAuthenticatorTest.java:30)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:601)
at junit.framework.TestCase.runTest(TestCase.java:154)
at junit.framework.TestCase.runBare(TestCase.java:127)
at junit.framework.TestResult$1.protect(TestResult.java:106)
at junit.framework.TestResult.runProtected(TestResult.java:124)
at junit.framework.TestResult.run(TestResult.java:109)
at junit.framework.TestCase.run(TestCase.java:118)
at junit.framework.TestSuite.runTest(TestSuite.java:208)
at junit.framework.TestSuite.run(TestSuite.java:203)
at junit.textui.TestRunner.doRun(TestRunner.java:116)
at com.intellij.junit3.JUnit3IdeaTestRunner.doRun(JUnit3IdeaTestRunner.java:139)
at junit.textui.TestRunner.doRun(TestRunner.java:109)
at com.intellij.junit3.JUnit3IdeaTestRunner.startRunnerWithArgs(JUnit3IdeaTestRunner.java:52)
at com.intellij.rt.execution.junit.JUnitStarter.prepareStreamsAndStart(JUnitStarter.java:182)
at com.intellij.rt.execution.junit.JUnitStarter.main(JUnitStarter.java:62)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:601)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
Caused by: javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: Final handshake failed [Caused by GSSException: Token had invalid integrity check (Mechanism level: Corrupt checksum in Wrap token)]]
at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:168)
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:232)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
at javax.naming.InitialContext.init(InitialContext.java:242)
at javax.naming.InitialContext.<init>(InitialContext.java:216)
at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
at *internal.code*.LDAPAuthenticator.getAttributeFor(LDAPAuthenticator.java:156)
at *internal.code*.user.LDAPAuthenticator.access$000(LDAPAuthenticator.java:27)
at *internal.code*.user.LDAPAuthenticator$1.run(LDAPAuthenticator.java:49)
... 27 more
Caused by: javax.security.sasl.SaslException: Final handshake failed [Caused by GSSException: Token had invalid integrity check (Mechanism level: Corrupt checksum in Wrap token)]
at com.sun.security.sasl.gsskerb.GssKrb5Client.doFinalHandshake(GssKrb5Client.java:328)
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:187)
at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:132)
... 42 more
Caused by: GSSException: Token had invalid integrity check (Mechanism level: Corrupt checksum in Wrap token)
at sun.security.jgss.krb5.WrapToken_v2.getData(WrapToken_v2.java:151)
at sun.security.jgss.krb5.WrapToken_v2.getData(WrapToken_v2.java:105)
at sun.security.jgss.krb5.Krb5Context.unwrap(Krb5Context.java:983)
at sun.security.jgss.GSSContextImpl.unwrap(GSSContextImpl.java:403)
at com.sun.security.sasl.gsskerb.GssKrb5Client.doFinalHandshake(GssKrb5Client.java:234)
... 44 more
是否可以在此设置中使用 AES128?
如果我无法让 AES128 工作,有没有办法通过系统参数(而不是使用 krb5.conf)设置默认 enctypes?
最佳答案
听 James Cape 说,安装无限安全文件。由于美国的管辖权,JRE 不能与该 JAR 一起运送。
关于Java 7 Kerberos 问题 - AES128 损坏的校验和,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/9534540/