gssapi

Protocol for sending GSS Tokens

一曲冷凌霜 submitted on 2019-12-24 07:58:00
Question: I've been trying to work out how to use GSSAPI to authenticate with an IIS server on an Active Directory domain by working through the code for tutorials from Oracle and I'm having trouble establishing a context. The way the tutorial sends tokens is by first sending an integer, then sending the token. This works, of course, with the tutorial server, because it's expecting that. What I don't know, though, is whether this is the correct protocol for GSSAPI interaction in general? RFC4121

What does sub error code 568 mean for Ldap Error 49 with Active Directory

旧城冷巷雨未停 submitted on 2019-12-24 07:45:44
Question: I am writing some Java code that authenticates to Active Directory using SASL GSSAPI. Mostly this code is working fine but for one user I am getting the response: javax.naming.AuthenticationException: [LDAP: error code 49 - 8 0090304: LdapErr: DSID-0C0904D1, comment: AcceptSecurityContext error, data 568, v1772 ] I know that 49 means this is an authentication failure, and that the relevant sub code is 568, but I am only aware of the following meanings for that data: 525 - user not found 52e -

“GSSException Defective token detected” - when trying to Authenticate to Tomcat running on Windows using Kerberos

不羁岁月 submitted on 2019-12-18 11:34:14
Question: I am struggling to authenticate to a Java web container (I've tried both Tomcat and Jetty) when running on Windows 2012. Every time I try the Negotiate auth scheme I get an error:
org.ietf.jgss.GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
Steps to reproduce: Start out by setting up a Windows Server 2012 or 2016 instance and install active directory domain services. In my example, I created: NETBIOS Domain: NICKIS Dns domain: nickis.life Create

How do people make Java SPNEGO client work in Windows?

喜你入骨 submitted on 2019-12-18 11:15:16
Question: In order to do client-side HTTP SPNEGO authentication with Java on Windows you need to set the Windows Registry key allowtgtsessionkey. This is well documented. What I do not understand is how people get around this? Most corporate sites would never accept to change this registry key in Windows for the sake of a single piece of software. Also think about the hassle if this needs to be changed on every workstation in the organization. But that's just theory because I've so far been unable to

How to logon a user on a server and run a process given a Kerberos Ticket

廉价感情. submitted on 2019-12-13 21:18:04
Question: How does authentication and logon work on Windows with Kerberos? What I want to achieve is to logon a user on a server and run a process for that user. As a first step, I create a Kerberos ticket on the client and send it to the server. On the server, I do not know the API to logon the user given its ticket. Of course I can accept the security context using AcceptSecurityContext (SSPI), but that does not initiate a logon. I think that some SSH implementations for Windows do exactly that. But

SSH/Kerberos not working on OSX

大城市里の小女人 submitted on 2019-12-13 05:16:25
Question: So I have tried and tried to get my ssh to work with kerberos on Mavericks to no avail. Here are my versions:
    ssh: OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
    kerberos: Heimdal 1.5.1apple1
I also tried the built in ssh with no effect as well. Here is my config:
    ForwardAgent yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    GSSAPIKeyExchange yes
I have checked, there are no overriding settings in my user config. After all of this, I still get prompted for a password when ssh'ing to a

Login Error when authenticating with Kerberos

倾然丶 夕夏残阳落幕 submitted on 2019-12-12 16:13:03
Question: We are facing an interesting problem. Users login to application with Kerberos authentication. Few times they are successful, but suddenly they face lockout for their user login information and they see the error below on their screen:
Login error: com.ibm.security.krb5.KrbException, status code: 24 message: Pre-authentication information was invalid
Stack Trace : javax.security.auth.login.FailedLoginException: Login error: com.ibm.security.krb5.KrbException, status code: 24 message: Pre

The specified principle is not known in the authentication system

陌路散爱 submitted on 2019-12-11 19:28:46
Question: I have a C# client based on SSPI and Java server based on GSSAPI. The communication flow is as below.
1. Client creates TGT
2. Client passes TGT to server
3. Server uses the TGT and generates server token
4. Server passes the server token to client
5. Client uses that server token and generates the SGT
My communication flow breaks from the 6th step. SSPI client failed to validate the server token with the error "Failed to invoke InitializeSecurityContext for a client. The specified principle is not

Why Firefox keeps negotiating kerberos service tickets?

狂风中的少年 submitted on 2019-12-11 12:23:21
Question: I ran some tests on Kerberos and found out some strange behavior related to Firefox and Kerberos. I have a server running Apache + mod_auth_kerb which is configured to check Kerberos credentials when serving requests from clients. Kerberos authentication is performed and users without valid credentials are rejected. However, I do not understand the following: Once the first request is made, a TGS is cached on the client in /tmp/krb5ccXXXX, but a network capture revealed that Firefox requests a

javax.naming.AuthenticationException

懵懂的女人 submitted on 2019-12-10 20:06:36
Question: I'm trying to create a context for ActiveDirectory (client and server are both Windows), using my Windows credentials with NTLM. This is my code:
public void func() {
    try {
        URL configURL = getClass().getResource("jaas_ntlm_configuration.txt");
        System.setProperty("java.security.auth.login.config", configURL.toString());
        // If the application is run on NT rather than Unix, use this name
        String loginAppName = "MyConfig";
        // Create login context
        LoginContext lc = new LoginContext(loginAppName,