kerberos

HttpClient check of a Kerberos-secured webpage; NTLM login didn't work

|▌冷眼眸甩不掉的悲伤 submitted on 2019-12-07 10:43:32
Question: I have to write a program which checks a Kerberos-secured site of our company. I try it with HttpClient and get the following error: KrbException: Server not found in Kerberos database (7) at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:61) at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185) ... I wrote an NTLM login 5 months ago, but it doesn't work for this Kerberos-secured site. I think Nego2 is activated, so it doesn't fall back to NTLM if Kerberos fails. I read the

Kerberos authorization doesn't work on Chrome and Firefox, but works on IE

≡放荡痞女 submitted on 2019-12-07 10:01:20
Question: I followed this guide to integrate CAS with Windows AD. It worked fine on every browser a few days ago. But now it only works on IE; when I use Firefox, the browser only sends "Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==" to the server, then the browser returns to the CAS login page. This problem has only been found on the production environment recently. I have a test environment with the same configuration, and it works fine until now. I know that when the Kerberos ticket is not cached locally, the browser

javax.naming.AuthenticationException in GSSAPI

空扰寡人 submitted on 2019-12-07 08:09:33
Question: I'm trying to perform an NTLM bind using Java GSSAPI. I'm receiving this error: javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Invalid option setting in ticket request. (101))]] I think (not sure) it worked in the past. To solve another problem, I tried "kinit". From that point it stopped working. I even deleted the cache file (couldn't find kclear in

How does keytab work exactly?

本小妞迷上赌 submitted on 2019-12-07 05:42:31
Question: I have some questions on using a keytab for authentication; I hope the kind people here can enlighten me. Say I have userA, who is going to use a service running at port 1010. First, userA will log in to Active Directory to authenticate himself. After login, userA will try to connect to the server to use its service on 1010. In order for the server to verify that userA is who he says he is, I need to use setspn to register an SPN in Active Directory, e.g. setspn -s service1010/mydomain.com serviceaccount1 Then

Functional test for Kerberos Ticket Validation

*爱你&永不变心* submitted on 2019-12-07 04:46:48
Question: I have written some code to validate a client's Kerberos ticket on my server. I have also written unit tests for my classes. The unit tests are written by mocking the calls to the GSS library classes. This does not give me enough confidence, though, since the actual GSS calls are mocked. From my research so far, I have gathered that in order to validate the client's token I'll need to decrypt it with the shared key I have with the KDC, which I can get from the keytab file. So in order to

Connecting to Hive via Beeline using Kerberos keytab

柔情痞子 submitted on 2019-12-07 02:17:28
Question: Is it possible to connect to Hive via Beeline using a (Kerberos) keytab file, similar to the approach used for JDBC at https://cwiki.apache.org/confluence/display/Hive/HiveServer2+Clients#HiveServer2Clients-UsingKerberoswithaPre-AuthenticatedSubject ? PS: Beeline does support connecting to a Kerberos-secured Hive server with a username and password, but I am looking for a way to connect with a keytab file. http://doc.mapr.com/display/MapR40x/Configuring+Hive+on+a+Secure+Cluster

The Ops Guardian: Watching Over Hundreds of Thousands of Production Machines [门神]

泪湿孤枕 submitted on 2019-12-07 01:34:52
With the rapid growth of JD Cloud's business, the number of physical machines, virtual machines and containers of all kinds it has to manage has reached several hundred thousand. Faced with the problem of managing resource machines in such enormous numbers, JD Cloud realized it had to build its own efficient, secure and stable resource-machine management system to provide a solid and reliable backbone for every line of business at JD Cloud and across the whole JD Group. The 门神 ("Door God") system was born in this context, and after being put to the test in many major events such as JD 618 and 11.11 it has become increasingly mature and stable. 门神, as the name suggests, is the guardian that protects the security of all JD resource machines in the cloud. It is an online machine operations platform developed in-house by the JD Cloud platform and based on service-tree role authorization. The platform supports authenticated login, system operations and security auditing; it provides unified access control and operation-history recording for every host on the JD Cloud platform, and is a professional operations audit system compliant with 4A, building a unified, efficient and secure operations channel that keeps cloud operations work within legal and regulatory requirements, reduces human security risk and improves operational efficiency. Design goals: To keep pace with the rapid growth of JD Cloud's business and the exponential increase in the number of physical machines, virtual machines and containers to be managed, and to meet the company's requirements for security authentication, efficient operations, operation auditing and authority control, the following goals were set at the very start of 门神's design. Security authentication: support a two-factor authentication mechanism, using QR codes, dynamic tokens and similar technologies to control the risk of leaked account passwords and to prevent impersonation and reuse of operators' identities. Efficient operations: a self-developed SSH interactive interface that is simple and easy to use, convenient for managing large numbers of hosts, simplifies operations and security actions and improves operational efficiency; after a successful 门神 login, password-less hopping between resource machines is supported. Operation auditing: record every action of operations staff throughout the session, with operation content searchable by various dimensions

Kerberos authentication between Java on Linux and Exchange Web Services (EWS)

空扰寡人 submitted on 2019-12-06 15:58:52
Is it possible to have a Java process running on Linux access EWS using Kerberos only, without the need for a pre-defined username/password combination? My current system architecture consists of a Java process that accesses EWS using a stored username/password combination. The requirement is to ensure that the credentials under which the Java process runs are authenticated on Exchange using Kerberos. Is it possible to have this setup? You need a TGT in the ticket cache or a keytab for that account. Yes, it should be possible to authenticate to EWS using Kerberos. You can use Java GSSAPI to get the

“No common protection layer between client and server” while trying to communicate with kerberized Hadoop cluster

爷，独闯天下 submitted on 2019-12-06 12:26:53
Question: I'm trying to communicate programmatically with a Hadoop cluster that is Kerberized (CDH 5.3/HDFS 2.5.0). I have a valid Kerberos token on the client side. But I'm getting the error below: "No common protection layer between client and server". What does this error mean, and are there any ways to fix or work around it? Is this something related to HDFS-5688? The ticket seems to imply that the property "hadoop.rpc.protection" must be set, presumably to "authentication" (also per e.g. this).