问题
I setup Tomcat to use SPNEGO authentication, so the users can Single-Sign-On to our web applications without typing their password and everything worked fine. Yesterday i changed the password of the service account and i recreated the keytab file but after a Tomcat restart the SSO sopped to work. In the logs i found:
exception [GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)] with root cause
java.security.GeneralSecurityException: Checksum failed
at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCrypto.java:388)
at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(ArcFourHmac.java:74)
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:83)
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:77)
at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:267)
at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:874)
at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:541)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
at net.sourceforge.spnego.SpnegoAuthenticator.doSpnegoAuth(SpnegoAuthenticator.java:444)
at net.sourceforge.spnego.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:283)
Since the configuration should be ok i don't know why i'm getting this error...Could be something related to the Ticket Granting Ticket that wasn't refreshed?
回答1:
One possibility is people who had outstanding service tickets issued with the old password. If you regenerated the keytab but did not retain the old key in the keytab, you'd expect anyone who did not log out and log in to refresh their tickets and who had service tickets for your services to generate that error. If it works if you get an entirely new TGT on the client side (say by logging entirely out of Windows and logging back in), that's what's going on. If that doesn't work, edit your question to add details and I'll explore others failures in another answer.
来源:https://stackoverflow.com/questions/20247702/kerberos-spnego-authentication-issue-after-password-change