java security exception : checksum failed

Submitted by 杀马特。学长 韩版系。学妹 on 2019-12-25 02:29:32

Question


I am using http://webmoli.com/2009/08/29/single-sign-on-in-java-platform/ for SSO in Java.

I have a KDC on Windows Server 2008; on it I have created an SPN with the setspn command for the testsso user, and I am using testsso@MYDOMAIN.COM as the principal in jaas.conf.

I have a Tomcat server on a Windows 7 machine (within AD). On it I have created one servlet based on the JSP (from webmoli itself).

I am sending a browser request for that servlet from a 3rd machine, Windows XP (within AD).

But I get a checksum failed error. Stack trace as follows:

Auth is :: Negotiate Token is  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
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23 1 3.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=192.168.10.84 UDP:88, timeout=30000, number of retries =3, #bytes=151
>>> KDCCommunication: kdc=192.168.10.84 UDP:88, timeout=30000,Attempt =1, #bytes=151
>>> KrbKdcReq send: #bytes read=245
>>>Pre-Authentication Data:
     PA-DATA type = 19
     PA-ETYPE-INFO2 etype = 17, salt = MYDOMAIN.COMHTTPMYDOMAIN.com, s2kparams = null
     PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
     PA-ETYPE-INFO2 etype = 3, salt = MYDOMAIN.COMHTTPMYDOMAIN.com, s2kparams = null
     PA-ETYPE-INFO2 etype = 1, salt = MYDOMAIN.COMHTTPMYDOMAIN.com, s2kparams = null

>>>Pre-Authentication Data:
     PA-DATA type = 2
     PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
     PA-DATA type = 16

>>>Pre-Authentication Data:
     PA-DATA type = 15

>>> KdcAccessibility: remove 192.168.10.84
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
     sTime is Wed May 28 17:39:33 IST 2014 1401278973000
     suSec is 896308
     error code is 25
     error Message is Additional pre-authentication required
     realm is MYDOMAIN.COM
     sname is krbtgt/MYDOMAIN.COM
     eData provided.
     msgType is 30
>>>Pre-Authentication Data:
     PA-DATA type = 19
     PA-ETYPE-INFO2 etype = 17, salt = MYDOMAIN.COMHTTPMYDOMAIN.com, s2kparams = null
     PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
     PA-ETYPE-INFO2 etype = 3, salt = MYDOMAIN.COMHTTPMYDOMAIN.com, s2kparams = null
     PA-ETYPE-INFO2 etype = 1, salt = MYDOMAIN.COMHTTPMYDOMAIN.com, s2kparams = null

>>>Pre-Authentication Data:
     PA-DATA type = 2
     PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
     PA-DATA type = 16

>>>Pre-Authentication Data:
     PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23 1 3.
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23 1 3.
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=192.168.10.84 UDP:88, timeout=30000, number of retries =3, #bytes=233
>>> KDCCommunication: kdc=192.168.10.84 UDP:88, timeout=30000,Attempt =1, #bytes=233
>>> KrbKdcReq send: #bytes read=1404
>>> KdcAccessibility: remove 192.168.10.84
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply testsso
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23 1 3.
Found KerberosKey for testsso@MYDOMAIN.COM
Found KerberosKey for testsso@MYDOMAIN.COM
Found KerberosKey for testsso@MYDOMAIN.COM
Found KerberosKey for testsso@MYDOMAIN.COM
Found KerberosKey for testsso@MYDOMAIN.COM
Entered Krb5Context.acceptSecContext with state=STATE_NEW
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source)
    at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    at one.TEST$2.run(TEST.java:357)
    at one.TEST$2.run(TEST.java:1)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Unknown Source)
    at one.TEST.acceptSecurityContext(TEST.java:279)
    at one.TEST.authenticate(TEST.java:146)
    at one.TEST.doGet(TEST.java:103)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:304)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:462)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:562)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:395)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:250)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:188)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:302)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Caused by: KrbException: Checksum failed
    at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(Unknown Source)
    at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(Unknown Source)
    at sun.security.krb5.EncryptedData.decrypt(Unknown Source)
    at sun.security.krb5.KrbApReq.authenticate(Unknown Source)
    at sun.security.krb5.KrbApReq.<init>(Unknown Source)
    at sun.security.jgss.krb5.InitSecContextToken.<init>(Unknown Source)
    ... 32 more
Caused by: java.security.GeneralSecurityException: Checksum failed
    at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(Unknown Source)
    at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(Unknown Source)
    ... 38 more

Please help me...


Answer 1:


If I remember correctly, this error is thrown when the service ticket is decrypted with a different key than the one it had been encrypted with.

ktpass /out c:\tomcat.keytab /mapuser tc01@DEV.LOCAL /princ HTTP/win-tc01.dev.local@DEV.LOCAL /pass tc01pass /kvno 0

as described at http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html is only correct if you have a virgin account 'tc01'... AD will automatically increment the key version number stored within AD when 'ktpass' is run repeatedly.
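The practical check that follows from this answer is to compare what is in the keytab (principal, kvno, etype per entry) against what the KDC actually used: the account's current msDS-KeyVersionNumber in AD and the etype the acceptor tried to decrypt the AP-REQ with (23, rc4-hmac, per the ArcFourHmacEType line in the trace above). The following script is an added example, not code from the question, the answer, webmoli or Tomcat; it parses the MIT keytab format (version 0x0502, the format ktpass and Java's ktab write) and reports mismatches. The sample keytab bytes are constructed inline with placeholder keys and an assumed kvno, and the principal name reuses the one from the ktpass command above.

```python
import struct

# etype numbers as they appear in the Java krb5 debug trace above
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


def _counted(b: bytes) -> bytes:
    """counted_octet_string: uint16 big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialise entries into MIT keytab format version 0x0502.
    Used here only to construct sample input; a real keytab comes from ktpass/ktab."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e["principal"].split("@")
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", 1, e.get("timestamp", 0), e["kvno"] & 0xFF)  # NT-PRINCIPAL, time, vno8
        body += struct.pack(">H", e["etype"]) + _counted(e["key"])
        body += struct.pack(">I", e["kvno"])          # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    """Parse a version 0x0502 keytab into dicts with principal, kvno, etype, key."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 is handled")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size

        def rd(fmt):
            nonlocal pos
            val = struct.unpack(fmt, data[pos:pos + struct.calcsize(fmt)])
            pos += struct.calcsize(fmt)
            return val

        def counted():
            nonlocal pos
            n = rd(">H")[0]
            s = data[pos:pos + n]
            pos += n
            return s

        ncomp = rd(">H")[0]
        realm = counted().decode()
        comps = [counted().decode() for _ in range(ncomp)]
        _name_type, ts, vno8 = rd(">IIB")
        etype = rd(">H")[0]
        key = counted()
        vno = vno8
        if end - pos >= 4:                # optional 32-bit vno overrides vno8 when nonzero
            v32 = rd(">I")[0]
            if v32:
                vno = v32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": vno, "etype": etype, "key": key, "timestamp": ts})
    return entries


def check_keytab(entries, service_principal, ad_kvno, ticket_etype):
    """Return a list of mismatches between the keytab and what the KDC used:
    ad_kvno is the account's msDS-KeyVersionNumber, ticket_etype the etype the
    acceptor tried to decrypt with (23 = rc4-hmac in the trace above)."""
    mine = [e for e in entries if e["principal"] == service_principal]
    if not mine:
        return [f"no entry for {service_principal}"]
    problems = []
    if not any(e["etype"] == ticket_etype for e in mine):
        problems.append(f"no key with etype {ticket_etype} ({ETYPE_NAMES.get(ticket_etype, '?')})")
    for e in mine:
        if e["kvno"] != ad_kvno:
            problems.append(f"etype {e['etype']}: keytab kvno {e['kvno']} != AD kvno {ad_kvno}")
    return problems


# Constructed sample: placeholder keys, kvno 2 as if written by an earlier ktpass run.
SAMPLE_ENTRIES = [
    {"principal": "HTTP/win-tc01.dev.local@DEV.LOCAL", "kvno": 2, "etype": 23, "key": bytes(range(16))},
    {"principal": "HTTP/win-tc01.dev.local@DEV.LOCAL", "kvno": 2, "etype": 17, "key": bytes(range(16, 32))},
]

if __name__ == "__main__":
    kt = parse_keytab(build_keytab(SAMPLE_ENTRIES))
    for e in kt:
        print(e["principal"], "kvno", e["kvno"], ETYPE_NAMES.get(e["etype"], e["etype"]))
    # AD has moved on to kvno 3 (another ktpass run): both entries are stale
    for p in check_keytab(kt, "HTTP/win-tc01.dev.local@DEV.LOCAL", ad_kvno=3, ticket_etype=23):
        print("MISMATCH:", p)
```

To run it against a real keytab, replace the constructed sample with `parse_keytab(open("c:/tomcat.keytab", "rb").read())`, take `ad_kvno` from the account's msDS-KeyVersionNumber attribute in AD, and take `ticket_etype` from the EType line that immediately precedes the "Checksum failed" exception in the krb5 debug output. A kvno mismatch is exactly the case the answer describes (ktpass re-run on an account that already had a key); a missing etype means the account's keys were generated for a different cipher than the one the KDC chose for the service ticket.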



Source: https://stackoverflow.com/questions/23911563/java-security-exception-checksum-failed
