SSO authentication, response is always NTLM

Posted by 偶尔善良 on 2019-12-22 13:51:32

Question


I'm trying to implement SSO on an intranet application we are developing. I am using SPNEGO for this. Now I'm having some trouble configuring the SSO and hope someone here is able to help me.

The setup is like this:

  1. Linux server with tomcat to serve the intranet application
  2. Windows Server 2008 as domain controller (Active Directory)
  3. Windows 7 client with IE9 and Firefox

When I open the intranet application I see a GET request going from the client to the tomcat server. The first response of the tomcat server and the SpnegoFilter is a 401 unauthorized, which is right, because the client needs to be authenticated.

806 6.117724    192.168.65.50   192.168.65.50   HTTP    284 HTTP/1.1 401 Unauthorized 
WWW-Authenticate: Negotiate\r\n

The response of the client then is a GET request with a flag NTLMSSP_NEGOTIATE. Here it breaks. I don't expect a NTLM response, but a kerberos/spnego response. Somehow I just can't figure out how to send the correct response to the tomcat server.

808 6.123277    192.168.65.50   192.168.65.50   HTTP    637 GET / HTTP/1.1 , NTLMSSP_NEGOTIATE

By default NTLM isn't supported by SPNEGO so I get the following entry in my log:

java.lang.UnsupportedOperationException: NTLM specified. Downgraded to Basic Auth (and/or SSL) but downgrade not supported.

So I'm doing something wrong, but after a day fiddling with configurations and policies I just can't figure out what it is.

Hoping for some response.


Answer 1:


Kerberos does not work on IPs, use fully qualified domain names.




Answer 2:


Have you registered the SPN and is the client domain joined? The WWW-Authenticate: Negotiate will tell the web browser to try kerberos. The browser hands off that request to the OS (SSPI) based on the URL in the address bar. There must be an SPN in AD for the URL. As others noted above, using an IP in your URL is more complicated, but can be done. If your client is not domain joined, there is extra config work to get it to contact your AD KDC. Firefox takes extra setup as well. Solve this with IE, to eliminate that, and then come back to FF when the issue is resolved.
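The question's capture shows the server-side symptom (the filter logging "NTLM specified"), and both answers point at the cause: SSPI only produces a Kerberos token when the URL names an SPN it can get a ticket for. The following is an added example, not code from the question, the answers, or the SpnegoFilter project. It inspects the token in the client's Authorization: Negotiate header and reports whether the browser offered Kerberos or fell back to NTLM, either as a bare NTLMSSP message or wrapped in a SPNEGO NegTokenInit whose first mechType is NTLM. The DER reader is a minimal one written for this example, the OIDs are the well-known mechanism OIDs, and the sample tokens are constructed (the NTLM message has zeroed fields and the Kerberos mechToken is placeholder bytes, not a real AP-REQ).

```python
import base64

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
# Mechanism OIDs in DER encoding (well-known values, assumption: not taken from the question).
OID_SPNEGO    = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
OID_KERBEROS5 = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2
OID_MS_KRB5   = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2
OID_NTLMSSP   = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
KERBEROS_OIDS = (OID_KERBEROS5, OID_MS_KRB5)


def der_read(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def classify_negotiate_token(header_value):
    """Classify the token carried in an 'Authorization: Negotiate <base64>' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    token = base64.b64decode(b64)
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm-raw"                   # bare NTLMSSP message, no GSS wrapper
    tag, body, _ = der_read(token, 0)
    if tag != 0x60:                         # GSS-API InitialContextToken [APPLICATION 0]
        return "unknown"
    tag, mech, pos = der_read(body, 0)
    if tag != 0x06:
        return "unknown"
    if mech in KERBEROS_OIDS:
        return "kerberos-raw"
    if mech != OID_SPNEGO:
        return "unknown"
    # NegotiationToken ::= [0] NegTokenInit, a SEQUENCE whose [0] is mechTypes.
    tag, neg_token_init, _ = der_read(body, pos)
    if tag != 0xA0:
        return "spnego-not-init"
    _, seq, _ = der_read(neg_token_init, 0)
    tag, mech_types, _ = der_read(seq, 0)
    if tag != 0xA0:
        return "spnego-no-mechtypes"
    _, oid_list, _ = der_read(mech_types, 0)
    mechs, p = [], 0
    while p < len(oid_list):
        _, oid, p = der_read(oid_list, p)
        mechs.append(oid)
    # Per RFC 4178 the optimistic mechToken belongs to the first listed mechanism.
    if mechs and mechs[0] in KERBEROS_OIDS:
        return "spnego-kerberos"
    if mechs and mechs[0] == OID_NTLMSSP:
        return "spnego-ntlm"
    return "spnego-other"


def diagnose(header_value):
    """Return (classification, one-line hint) for a captured Negotiate header."""
    kind = classify_negotiate_token(header_value)
    if kind in ("ntlm-raw", "spnego-ntlm"):
        hint = ("client fell back to NTLM: SSPI obtained no Kerberos ticket for this URL; "
                "use an FQDN with a registered SPN from a domain-joined client")
    elif kind in ("kerberos-raw", "spnego-kerberos"):
        hint = "client presented a Kerberos ticket"
    else:
        hint = "token not recognised"
    return kind, hint


# --- constructed sample tokens (used only to demonstrate the classifier) ---
def der(tag, value):
    """Minimal DER encoder for building the samples."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def spnego_init(mech_oids, mech_token):
    return der(0x60, der(0x06, OID_SPNEGO) + der(0xA0, der(0x30,
        der(0xA0, der(0x30, b"".join(der(0x06, o) for o in mech_oids)))
        + der(0xA2, der(0x04, mech_token)))))


def negotiate_header(token):
    return "Negotiate " + base64.b64encode(token).decode()


NTLM_TYPE1 = NTLMSSP_SIGNATURE + (1).to_bytes(4, "little") + bytes(24)  # zeroed NEGOTIATE_MESSAGE
SAMPLES = {
    "ntlm-raw":        negotiate_header(NTLM_TYPE1),
    "spnego-ntlm":     negotiate_header(spnego_init([OID_NTLMSSP], NTLM_TYPE1)),
    "spnego-kerberos": negotiate_header(spnego_init([OID_MS_KRB5, OID_KERBEROS5, OID_NTLMSSP],
                                                    bytes(16))),   # placeholder mechToken
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(name, "->", diagnose(header))
```

To apply this to the question's own capture, paste the base64 value from the client's Authorization header (Wireshark shows it on the GET request that follows the 401) into `diagnose()`; an NTLM result confirms that the fix lies in the URL/SPN/domain-join side, as the answers say, not in the filter itself.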



Source: https://stackoverflow.com/questions/13936243/sso-authentication-response-is-always-ntlm
