Keycloak + Kerberos authentication: Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC

Question

I have the following setup:

  1. A Spring web application on JBoss EAP 7.2.2, on a CentOS machine
  2. Keycloak 3.3.4 on CentOS
  3. Active Directory

We are running on OpenJDK 8.

Users log in from Windows machines with their Active Directory accounts.

Keycloak is configured with Kerberos user federation. On the CentOS machine the Kerberos client was installed with:

yum install krb5-user krb5-doc
yum install krb5-pkinit krb5-workstation
yum install krb5-libs krb5-devel
yum install krb5-server krb5-workstation pam_krb5

In the Keycloak user federation the keytab file path and the other settings are correct; the Keycloak log confirms this. Kerberos realm: XYZ.com, server principal: HTTP/principal-name@REALM

The keytab file was generated with:

ktpass.exe /out file.keytab /mapuser user-name@REALM /mapop set /princ HTTP/principal-name@REALM /ptype KRB5_NT_PRINCIPAL /pass XXXXXX /crypto RC4-HMAC-NT

and the following is set in krb5.conf:

default_tgs_enctypes = arcfour-hmac
default_tkt_enctypes = arcfour-hmac
permitted_enctypes = arcfour-hmac

The problem is that logging in throws an exception:

Looking for keys for: HTTP/principal-name@REALM
2020-02-24 09:34:06,327 WARN  [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (default task-13) SPNEGO login failed: java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:68)
at org.keycloak.storage.ldap.LDAPStorageProvider.authenticate(LDAPStorageProvider.java:677)
at org.keycloak.credential.UserCredentialStoreManager.authenticate(UserCredentialStoreManager.java:296)
at org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:89)
at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:200)
at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:853)
at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:722)
at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:145)

at ...
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:856)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:906)
at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:556)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.establishContext(SPNEGOAuthenticator.java:169)
at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:132)
at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:122)
... 72 more
Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC
at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:278)
at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149)
at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829)
... 81 more

2020-02-24 09:34:06,328 INFO  [stdout] (default task-13)        [Krb5LoginModule]: Entering logout
2020-02-24 09:34:06,328 INFO  [stdout] (default task-13)        [Krb5LoginModule]: logged out Subject

I have done a lot of research and have reluctantly ruled out every possible cause. I ran the following tests:

klist -k {keytab-file-path} -e

Result: 4 HTTP/principal-name@REALM arcfour-hmac. In Active Directory, msDS-KeyVersionNumber = 4.

kinit HTTP/principal-name@REALM, followed by klist -e

Result: Etype (skey, tkt): arcfour-hmac, aes256-cts-hmac-sha1-96

In short, Keycloak can read the keytab but cannot find the decryption key.

Can anyone help?

I have already seen this post: Kerberos - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC

and the following link: https://bugs.openjdk.java.net/browse/JDK-8193855

and many other posts, but without success.

Answer

You are using the following setting: /crypto RC4-HMAC-NT

I ran into the same error because the keytab file had been generated with the wrong /crypto setting.

You can try generating a new keytab file with ktpass using /crypto ALL.
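Added example, not code from the question or the answer above: the check the asker did by hand, comparing the keytab entries from klist -k -e with the service ticket enctype from klist -e, written as a small Python keytab inspector. It parses the binary keytab format (version 0x0502, the layout MIT krb5, Heimdal and ktpass write) and then looks for the entry an acceptor such as Keycloak needs: same principal, same enctype and same kvno as the service ticket. In the "Etype (skey, tkt)" line printed by klist -e, the second value is the ticket's enctype. The keytab bytes, the realm XYZ.COM, the kvno and all key material are constructed here for the example; the two sample keytabs model one written with /crypto RC4-HMAC-NT and one with an entry per enctype, which is what the answer's /crypto ALL suggestion aims at.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Standard Kerberos encryption type numbers (RFC 3961, RFC 3962, RFC 4757).
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
RC4_HMAC, AES128_SHA1, AES256_SHA1 = 23, 17, 18

@dataclass
class KeytabEntry:
    principal: str   # e.g. HTTP/principal-name@XYZ.COM
    kvno: int        # key version number; must match the service ticket's kvno
    enctype: int     # numeric enctype of the stored key

    @property
    def enctype_name(self) -> str:
        return ENCTYPE_NAMES.get(self.enctype, "etype-%d" % self.enctype)

def _counted(buf: bytes, off: int) -> Tuple[str, int]:
    """Read a uint16-length-prefixed string (a keytab 'counted octet string')."""
    (n,) = struct.unpack(">H", buf[off:off + 2])
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a version 0x0502 keytab: per entry int32 size, uint16 component count,
    realm, components, uint32 name_type, uint32 timestamp, uint8 kvno, keyblock,
    optional uint32 kvno."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % (data[:2],))
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size == 0:
            break
        if size < 0:               # a negative size marks a deleted slot
            pos += -size
            continue
        e, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack(">H", e[:2])
        realm, off = _counted(e, 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(e, off)
            comps.append(comp)
        off += 8                   # skip uint32 name_type and uint32 timestamp
        vno8, off = e[off], off + 1
        enctype, keylen = struct.unpack(">HH", e[off:off + 4])
        off += 4 + keylen          # the key material itself is not needed for this check
        kvno = vno8
        if off + 4 <= size:        # newer keytabs append a 32-bit kvno after the key
            (vno32,) = struct.unpack(">I", e[off:off + 4])
            kvno = vno32 or vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype))
    return entries

def find_decrypt_key(entries, principal, ticket_enctype, ticket_kvno=None) -> Optional[KeytabEntry]:
    """Mimic the acceptor's lookup: same principal, same enctype, same kvno when known."""
    for e in entries:
        if e.principal == principal and e.enctype == ticket_enctype \
                and (ticket_kvno is None or e.kvno == ticket_kvno):
            return e
    return None

def build_keytab(spec) -> bytes:
    """Construct a v2 keytab from (principal, kvno, enctype, key) tuples; test data only."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in spec:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # KRB5_NT_PRINCIPAL, timestamp, kvno8
        body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

# Constructed sample data modelled on the question: real layout, dummy key bytes.
SPN = "HTTP/principal-name@XYZ.COM"
RC4_ONLY_KEYTAB = build_keytab([(SPN, 4, RC4_HMAC, b"\x11" * 16)])        # one RC4 entry only
ALL_ENCTYPES_KEYTAB = build_keytab([(SPN, 4, RC4_HMAC, b"\x11" * 16),     # one entry per enctype
                                    (SPN, 4, AES128_SHA1, b"\x22" * 16),
                                    (SPN, 4, AES256_SHA1, b"\x33" * 32)])

def diagnose(keytab: bytes, principal: str, ticket_enctype: int, ticket_kvno: int) -> str:
    """Verdict from comparing the keytab with the ticket's enctype and kvno."""
    entries = parse_keytab(keytab)
    hit = find_decrypt_key(entries, principal, ticket_enctype, ticket_kvno)
    if hit:
        return "OK: keytab holds %s kvno %d for %s" % (hit.enctype_name, hit.kvno, principal)
    have = ", ".join("%s kvno %d" % (e.enctype_name, e.kvno) for e in entries if e.principal == principal)
    return "MISSING: ticket needs %s kvno %d, keytab holds [%s]" % (
        ENCTYPE_NAMES.get(ticket_enctype, str(ticket_enctype)), ticket_kvno, have)

if __name__ == "__main__":
    for kt, et in [(RC4_ONLY_KEYTAB, RC4_HMAC), (RC4_ONLY_KEYTAB, AES256_SHA1),
                   (ALL_ENCTYPES_KEYTAB, AES256_SHA1)]:
        print(diagnose(kt, SPN, et, 4))
```

To use it against a real file, call parse_keytab(open(path, "rb").read()) and pass the ticket enctype and kvno reported by klist -e; the verdict is MISSING whenever no entry matches all three of principal, enctype and kvno, which is the condition behind the "Cannot find key of appropriate type" error, regardless of whether the keytab as a whole is readable.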


05-16 20:03