java - Chrome shows ERR_UNEXPECTED when SPNEGO Kerberos authentication fails

Tags: java kerberos cas spnego negotiate

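I followed this guide to integrate my system with Windows AD, so that when someone is logged in as a Windows domain user, they are automatically logged in to CAS. If the user is not using a domain user, I want the system to return the normal HTML login page.

Now I have a problem: when I use a domain user, it works fine. But when I use a non-domain user, Chrome returns an ERR_UNEXPECTED error page. You can see from the TCP dump that the system has returned 401 and the login page HTML, but Chrome shows an error.

Can anyone give me some advice?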

JVM:1.8.0_111

cas-server-core:3.3

cas-server-support-spnego:3.3

Chrome:55

TCP dump stream from Wireshark (non-domain user)

GET /cas/login?service=http%3A%2F%2Fserver.ictsm.com%3A8080%2Fapp%2F&_validateRequest_=7RBrB6AIqjijhw5c4LjTBvc1vjpHJHWafif1MXGmMr8ZyI22thbzCtqTYkCUfKOn HTTP/1.1
Host: server.ictsm.com:8080
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
DNT: 1
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=3A632B243F57094E9468F972D2BE2E04A48835CCEE575DC9F8B2527FA81E23AD6D48BBF69A6D35623080096949F1FB8092F4

HTTP/1.1 401 Unauthorized
Server: nginx
Date: Mon, 16 Jan 2017 07:19:00 GMT
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
WWW-Authenticate: NTLM
WWW-Authenticate: Negotiate
Content-Language: zh-CN

my login page html

GET /cas/login?service=http%3A%2F%2Fserver.ictsm.com%3A8080%2Fapp%2F&_validateRequest_=7RBrB6AIqjijhw5c4LjTBvc1vjpHJHWafif1MXGmMr8ZyI22thbzCtqTYkCUfKOn HTTP/1.1
Host: server.ictsm.com:8080
Connection: keep-alive
Cache-Control: max-age=0
Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
DNT: 1
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=3A632B243F57094E9468F972D2BE2E04A48835CCEE575DC9F8B2527FA81E23AD6D48BBF69A6D35623080096949F1FB8092F4

HTTP/1.1 401 Unauthorized
Server: nginx
Date: Mon, 16 Jan 2017 07:19:00 GMT
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
WWW-Authenticate: Negotiate TlRMTVNTUAACAAAAEgASADAAAAAFAoEAAAAAAAAAAAAAAAAAAAAAADoAOgBCAAAAaQBjAHQAcwBtAC4AYwBvAG0AAgASAGkAYwB0AHMAbQAuAGMAbwBtAAEAHABKAEMASQBGAFMAMQAzAF8AMQA3ADQAXwA2AEMAAAAAAA==
Content-Language: zh-CN

my login page html

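Best answer

Remove WWW-Authenticate: NTLM and use only WWW-Authenticate: Negotiate in the HTTP header. Microsoft deprecated NTLM in favor of Kerberos many years ago. Really, no one should be using NTLM anymore, and I doubt any of your clients are. This line in the network trace means the Chrome client is using NTLM: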

Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==

Regarding "java - Chrome shows ERR_UNEXPECTED when SPNEGO Kerberos authentication fails", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/41671800/
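The answer reads the mechanism off the token itself: the base64 payload in the trace decodes to a raw NTLMSSP message rather than a SPNEGO structure. The Python sketch below is an added example, not code from the question or the answer; it decodes Negotiate header values using the two tokens from the trace above plus one constructed SPNEGO sample, and the name `classify` is hypothetical.

```python
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"
# DER-encoded mechanism OIDs as they appear inside a SPNEGO (GSS-API) token
KRB5_OID = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2
NTLM_OID = bytes.fromhex("060a2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
MECHS = {KRB5_OID: "Kerberos", MS_KRB5_OID: "Kerberos", NTLM_OID: "NTLM"}

# Header values from the trace above; runs of zero bytes are written as repeats
PAGE_REQUEST = "Negotiate TlRMTVNTUAABAAAAl4II4gAA" + "AAAA" * 4 + "AAAGAbEdAAAADw=="
PAGE_RESPONSE = ("Negotiate TlRMTVNTUAACAAAAEgASADAAAAAFAoEA" + "AAAA" * 5
                 + "ADoAOgBCAAAAaQBjAHQAcwBtAC4AYwBvAG0AAgASAGkAYwB0AHMAbQAuAGMAbwBt"
                 + "AAEAHABKAEMASQBGAFMAMQAzAF8AMQA3ADQAXwA2AEMAAAAAAA==")
# Constructed sample (not from the page): NegTokenInit offering Kerberos, then NTLM
CONSTRUCTED_SPNEGO = "Negotiate " + base64.b64encode(
    bytes.fromhex("602706062b0601050502a01d301ba0193017") + KRB5_OID + NTLM_OID
).decode()


def classify(header_value):
    """Classify one Authorization / WWW-Authenticate header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    info = {"scheme": scheme, "mechanism": None, "ntlm_type": None, "target": None}
    if not b64:
        return info  # bare challenge such as "Negotiate" or "NTLM"
    raw = base64.b64decode(b64.strip(), validate=True)
    if raw.startswith(NTLMSSP) and len(raw) >= 12:
        info["mechanism"] = "NTLM"  # raw NTLMSSP, even under the Negotiate scheme
        info["ntlm_type"] = struct.unpack_from("<I", raw, 8)[0]
        if info["ntlm_type"] == 2 and len(raw) >= 24:  # CHALLENGE: read TargetName
            length, _maxlen, offset = struct.unpack_from("<HHI", raw, 12)
            flags = struct.unpack_from("<I", raw, 20)[0]
            codec = "utf-16-le" if flags & 0x1 else "latin-1"  # NEGOTIATE_UNICODE
            info["target"] = raw[offset:offset + length].decode(codec, "replace")
    elif raw[:1] in (b"\x60", b"\xa0", b"\xa1"):  # GSS-API / SPNEGO framing
        # Heuristic: the first mechanism OID in the token is the preferred one
        hits = sorted((raw.find(o), n) for o, n in MECHS.items() if o in raw)
        info["mechanism"] = hits[0][1] if hits else "SPNEGO (mechanism not listed)"
    else:
        info["mechanism"] = "unknown"
    return info


if __name__ == "__main__":
    for value in ("Negotiate", PAGE_REQUEST, PAGE_RESPONSE, CONSTRUCTED_SPNEGO):
        print(classify(value))
```

A payload that begins with `TlRMTVNTUA` is the base64 form of the `NTLMSSP` signature, which is how the line quoted in the answer can be recognised as NTLM without decoding it.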
