kerberos

“GSSException Defective token detected” - when trying to Authenticate to Tomcat running on Windows using Kerberos

不羁岁月 submitted on 2019-12-18 11:34:14
Question: I am struggling to authenticate to a Java web container (I've tried both Tomcat and Jetty) when running on Windows 2012. Every time I try the Negotiate auth scheme I get an error: org.ietf.jgss.GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag) Steps to reproduce: Start out by setting up a Windows Server 2012 or 2016 instance and install Active Directory Domain Services. In my example, I created: NETBIOS Domain: NICKIS; DNS domain: nickis.life Create

Difference between SSL and Kerberos authentication?

不打扰是莪最后的温柔 submitted on 2019-12-18 10:13:40
Question: I am trying to understand what's the actual difference between SSL and Kerberos authentications, and why sometimes I have both SSL traffic and Kerberos. Or does Kerberos use SSL in any way? Could anyone help? Thank you! Answer 1: SSL uses public key cryptography: You (or your browser) has a public/private keypair. The server has a public/private key as well. You generate a symmetric session key. You encrypt with the server's public key and send this encrypted session key to the server. The server

Security & Authentication: SSL vs SASL

我与影子孤独终老i submitted on 2019-12-18 09:55:13
Question: My understanding is that SSL combines an encryption algorithm (like AES, DES, etc.) with a key exchange method (like Diffie-Hellman) to provide secure encryption and identification services between two endpoints on an un-secure network (like the Internet). My understanding is that SASL is an MD5/Kerberos protocol that pretty much does the same thing. So my question: what are the pros/cons to choosing both and what scenarios make either more preferable? Basically, I'm looking for some

Browser keeps sending NTLM token instead of Kerberos - How to solve it?

[亡魂溺海] submitted on 2019-12-18 09:36:40
Question: I can't seem to correctly configure the system and have the browser send a Kerberos ticket to the web server. Instead, an NTLM token is sent. Q: How can I solve this? All details and configurations are listed below. Infrastructure: I have three machines within the domain COMPANY.local: PC-I7.COMPANY.local (on 192.168.0.5). It acts as KDC, it's an Active Directory server with the other machines (see below) registered in the AD. Also has the DNS for the local network configured. The domain in

Auto renewal of Kerberos ticket not working from Java

守給你的承諾、 submitted on 2019-12-18 09:26:24
Question: In my server application I'm connecting to a Kerberos-secured Hadoop cluster from my Java application. On application startup I call UserGroupInformation.loginUserFromKeytabAndReturnUGI( ... ); I'm doing basic file operations using the native FileSystem API, like FileSystem.exists() and FileSystem.delete(). My application throws the following error after 24H. That's the expiry for the Kerberos ticket. Caused by: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by

Accessing kerberos secured WebHDFS without SPnego

为君一笑 submitted on 2019-12-18 07:21:31
Question: I have a working application for managing HDFS using WebHDFS. I need to be able to do this on a Kerberos-secured cluster. The problem is that there is no library or extension to negotiate the ticket for my app; I only have a basic HTTP client. Would it be possible to create a Java service which would handle the ticket exchange and, once it gets the service ticket, just pass it to the app for use in an HTTP request? In other words, my app would ask the Java service to negotiate the tickets

How to use Spark Streaming with Kafka with Kerberos?

拟墨画扇 submitted on 2019-12-18 03:44:44
Question: I have met some issues while trying to consume messages from Kafka with a Spark Streaming application in a Kerberized Hadoop cluster. I tried both of the two approaches listed here: receiver-based approach: KafkaUtils.createStream; direct approach (no receivers): KafkaUtils.createDirectStream. The receiver-based approach (KafkaUtils.createStream) throws 2 types of exceptions (different exceptions whether I am in local mode (--master local[*]) or in YARN mode (--master yarn --deploy-mode

Java SPNEGO Authentication & Kerberos Constrained Delegation (KCD) to backend service

与世无争的帅哥 submitted on 2019-12-17 20:25:56
Question: I have a Java web application which does SPNEGO authentication of clients in a Windows Active Directory environment. To authenticate the user we use code from the good old SPNEGO SourceForge project. String encodedAuthToken = (String) credentials; LOG.debug("Encoded auth token: " + encodedAuthToken); byte[] authToken = B64Code.decode(encodedAuthToken); GSSManager manager = GSSManager.getInstance(); try { Oid krb5Oid = new Oid("1.3.6.1.5.5.2"); GSSName gssName = manager.createName(_targetName,

WCF and Kerberos Authentication

房东的猫 submitted on 2019-12-17 20:06:14
Question: I have followed numerous MSDN articles and the CodePlex guidance but cannot get WCF to work with Kerberos authentication and delegation and would appreciate a little help. Setup: I have the WCF service in an IIS website on a remote machine. IIS 6.0 on Windows 2003 R2 - SP 2. The SPN for the machine has been added (http/myserver && http/myserver:8080). An AD account has been created for the IIS app pool. The AD account has the setting, allow delegation (for Kerberos), set to true. I am using Brian

checksum failed: Kerberos / Spring / Active Directory (2008)

怎甘沉沦 submitted on 2019-12-17 18:36:22
Question: We are having trouble getting Kerberos/AD authentication to work with a Spring webapp, and I believe the problem has to do with encryption types for the Kerberos tickets and the Active Directory domain functional level. The basic setup is: Tomcat 7; Java 1.6 (29); Windows Server 2008 R2; Spring 3.0; Spring Security Kerberos/Spnego extension M2 detailed here: http://blog.springsource.com/2009/09/28/spring-security-kerberos/ I have one environment where the Active Directory domain functional level