Apache Kerberos 未从 Windows 客户端进行身份验证

Posted

技术标签:

【中文标题】Apache Kerberos 未从 Windows 客户端进行身份验证【英文标题】:Apache Kerberos not Authenticating from Windows Client 【发布时间】:2015-12-23 18:59:21 【问题描述】:

参考了许多很棒的网站,我在 Solaris 11 上设置了一个 Apache 2.4 环境,使用 auth_gss_module 进行 Kerberos 身份验证。我遇到的问题是无法在 Windows 7 或 Windows Server 2008 上使用 IE、Chrome 或 Firefox 访问授权页面。我已成功使用 curl 和 python 脚本以及 OS X 上的 Safari 和 Firefox 浏览器访问安全页面10.10。我列出了使用 Kerberos 身份验证的成功和失败尝试的输出。我不确定它是否可能是 AD 中需要更改的配置设置,或者可能是加密差异。我正在寻找有关下一步做什么的建议。谢谢。。

AD 管理员为我创建了一个关键选项卡,这是关键选项卡的内容

 cyoull@host0ad903.abc.def.net:/local_apps/apache4/conf/certs$ klist -k host0ad903_keytab                                                                                                              
Keytab name: FILE:host0ad903_keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/host0ad903.abc.def.net@ABC.DEF.NET

在 OS X 上,这是来自 klist 命令的 kerberos 票证列表。

Chriss-MacBook-Air:~ chris$ klist
Credentials cache: API:EF1241C7-A883-44A8-9729-969775673BCA
        Principal: cyoull@ABC.DEF.NET

  Issued                Expires               Principal
Sep 25 07:22:52 2015  Sep 25 17:22:40 2015  krbtgt/ABC.DEF.NET@ABC.DEF.NET
Chriss-MacBook-Air:~ chris$ klist
Credentials cache: API:EF1241C7-A883-44A8-9729-969775673BCA
        Principal: cyoull@ABC.DEF.NET

  Issued                Expires               Principal
Sep 25 07:22:52 2015  Sep 25 17:22:40 2015  krbtgt/ABC.DEF.NET@ABC.DEF.NET
Sep 25 07:23:06 2015  Sep 25 17:22:40 2015  HTTP/host0ad903.abc.def.net@ABC.DEF.NET

Valid starting               Expires               Service principal
18/09/2015 10:17  18/09/2015 20:17  krbtgt/ABC.DEF.NET@ABC.DEF.NET
        renew until 25/09/2015 10:17, Etype(skey, tkt): ArcFour with HMAC/md5, AES-256 CTS mode with 96-bit SHA-1 HMAC 
18/09/2015 10:17  18/09/2015 20:17  HTTP/host0ad903.abc.def.net@ABC.DEF.NET
        renew until 25/09/2015 10:17, Etype(skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5 

这是在 OS X 上通过 Kerberos 身份验证从 Safari 成功访问安全页面后的 Apache 日志

[Fri Sep 25 07:23:06.348043 2015] [core:debug] [pid 24214:tid 18] mod_auth_gss.c(620): [client 10.93.68.187:56071] gss_authenticate: type = GSSAPI
[Fri Sep 25 07:23:06.348054 2015] [core:debug] [pid 24214:tid 18] mod_auth_gss.c(632): [client 10.93.68.187:56071] No authentication data found
[Fri Sep 25 07:23:06.348063 2015] [core:debug] [pid 24214:tid 18] mod_auth_gss.c(592): [client 10.93.68.187:56071] note_gss_auth_failure: auth_name = <undefined>
[Fri Sep 25 07:23:06.590334 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(620): [client 10.93.68.187:56073] gss_authenticate: type = GSSAPI
[Fri Sep 25 07:23:06.590347 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(334): [client 10.93.68.187:56073] authenticate_user_gss called
[Fri Sep 25 07:23:06.590362 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(373): [client 10.93.68.187:56073] Using keytab: KRB5_KTNAME=/local_apps/apache4/conf/certs/host0ad903_keytab
[Fri Sep 25 07:23:06.590508 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(411): [client 10.93.68.187:56073] Client wants GSS mech: spnego
[Fri Sep 25 07:23:06.590524 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(288): [client 10.93.68.187:56073] acquire_server_creds for HTTP@host0ad903.abc.def.net
[Fri Sep 25 07:23:06.621760 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(438): [client 10.93.68.187:56073] got server creds for: HTTP@host0ad903.abc.def.net
[Fri Sep 25 07:23:06.639432 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(549): [client 10.93.68.187:56073] Authenticated user (final result) : cyoull@ABC.DEF.NET

这是在 Windows Server 2008 上使用 Python 脚本成功尝试后的 Apache 日志文件

[Thu Sep 17 16:29:48.890889 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(620): [client 10.115.2.117:50526] gss_authenticate: type = GSSAPI
[Thu Sep 17 16:29:48.890900 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(632): [client 10.115.2.117:50526] No authentication data found
[Thu Sep 17 16:29:48.890909 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(592): [client 10.115.2.117:50526] note_gss_auth_failure: auth_name = <undefined>
[Thu Sep 17 16:29:48.908047 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(620): [client 10.115.2.117:50526] gss_authenticate: type = GSSAPI
[Thu Sep 17 16:29:48.908056 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(334): [client 10.115.2.117:50526] authenticate_user_gss called
[Thu Sep 17 16:29:48.908080 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(373): [client 10.115.2.117:50526] Using keytab: KRB5_KTNAME=/local_apps/apache4/conf/certs/host0ad903_keytab
[Thu Sep 17 16:29:48.908188 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(411): [client 10.115.2.117:50526] Client wants GSS mech: kerberos_v5
[Thu Sep 17 16:29:48.908203 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(288): [client 10.115.2.117:50526] acquire_server_creds for HTTP@host0ad903.abc.def.net
[Thu Sep 17 16:29:48.910360 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(438): [client 10.115.2.117:50526] got server creds for: HTTP/host0ad903.abc.def.net@ABC.DEF.NET
[Thu Sep 17 16:29:48.917847 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(524): [client 10.115.2.117:50526] Authenticated user before AuthGSSStripDomainAT: cyoull@ABC.DEF.NET
[Thu Sep 17 16:29:48.917863 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(533): [client 10.115.2.117:50526] Authenticated user before AuthGSSForceCase: coy
[Thu Sep 17 16:29:48.917873 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(549): [client 10.115.2.117:50526] Authenticated user (final result) : cyoull@ABC.DEF.NET

这是 Windows 7 客户端上的 Kerberos 票证

U:\>klist
Current LogonId is 0:0xa84757
Cached Tickets: (2)
#0>     Client: cyoull @ ABC.DEF.NET
        Server: krbtgt/ABC.DEF.NET @ ABC.DEF.NET
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 9/25/2015 9:19:28 (local)
        End Time:   9/25/2015 19:19:28 (local)
        Renew Time: 10/2/2015 9:19:28 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96

#1>     Client: cyoull @ ABC.DEF.NET
        Server: HTTP/host0ad903.abc.def.net @ ABC.DEF.NET
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Start Time: 9/25/2015 9:19:30 (local)
        End Time:   9/25/2015 19:19:28 (local)
        Renew Time: 10/2/2015 9:19:28 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)

使用 Firefox 中的开发人员工具,我看到三个 GET 请求,在 apache 日志文件中,似乎 kerberos 协商尝试了多次,然后以 401 Unauthorized 失败

[Fri Sep 25 08:54:28.205356 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(620): [client 10.211.8.122:52459] gss_authenticate: type = GSSAPI
[Fri Sep 25 08:54:28.205366 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(632): [client 10.211.8.122:52459] No authentication data found
[Fri Sep 25 08:54:28.205374 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(592): [client 10.211.8.122:52459] note_gss_auth_failure: auth_name = <undefined>
[Fri Sep 25 08:54:28.471160 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(620): [client 10.211.8.122:52459] gss_authenticate: type = GSSAPI
[Fri Sep 25 08:54:28.471170 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(334): [client 10.211.8.122:52459] authenticate_user_gss called
[Fri Sep 25 08:54:28.471187 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(373): [client 10.211.8.122:52459] Using keytab: KRB5_KTNAME=/local_apps/apache4/conf/certs/host0ad903_keytab
[Fri Sep 25 08:54:28.471290 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(411): [client 10.211.8.122:52459] Client wants GSS mech: spnego
[Fri Sep 25 08:54:28.471307 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(288): [client 10.211.8.122:52459] acquire_server_creds for HTTP@host0ad903.abc.def.net
[Fri Sep 25 08:54:28.474953 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(438): [client 10.211.8.122:52459] got server creds for: HTTP@host0ad903.abc.def.net
[Fri Sep 25 08:54:28.475143 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(650): [client 10.211.8.122:52459] Authentication failed.
[Fri Sep 25 08:54:28.475157 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(592): [client 10.211.8.122:52459] note_gss_auth_failure: auth_name = <undefined>
[Fri Sep 25 08:54:28.540288 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(620): [client 10.211.8.122:52459] gss_authenticate: type = GSSAPI
[Fri Sep 25 08:54:28.540296 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(334): [client 10.211.8.122:52459] authenticate_user_gss called
[Fri Sep 25 08:54:28.540310 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(373): [client 10.211.8.122:52459] Using keytab: KRB5_KTNAME=/local_apps/apache4/conf/certs/host0ad903_keytab
[Fri Sep 25 08:54:28.540344 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(411): [client 10.211.8.122:52459] Client wants GSS mech: <unknown>
[Fri Sep 25 08:54:28.540353 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(288): [client 10.211.8.122:52459] acquire_server_creds for HTTP@host0ad903.abc.def.net
[Fri Sep 25 08:54:28.543031 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(438): [client 10.211.8.122:52459] got server creds for: HTTP/host0ad903.abc.def.net@abc.def.net
[Fri Sep 25 08:54:28.543188 2015] [core:error] [pid 24150:tid 24] [client 10.211.8.122:52459] gss_accept_sec_context() failed: Invalid token was supplied (Unknown error)
[Fri Sep 25 08:54:28.543336 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(650): [client 10.211.8.122:52459] Authentication failed.
[Fri Sep 25 08:54:28.543349 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(592): [client 10.211.8.122:52459] note_gss_auth_failure: auth_name = <undefined>

【问题讨论】:

【参考方案1】:

您是否已将 Windows 上的 Web 浏览器配置为实际与该服务器进行 HTTP 协商?例如,在 Firefox 中你需要设置:

network.negotiate-auth.trusted-uris = abc.def.net

或其他与 URL 匹配的模式。同样必须告知 Chrome 愿意对特定服务器进行身份验证,例如与:

--auth-server-whitelist="*.foo.com"

或通过组策略。

如果这不是问题,那么请这样做:

    ipconfig /flushdns klist purge 运行 Wireshark 并在故障期间捕获 HTTP、DNS 和 Kerberos 流量(端口 80、53 和 88)。 发布生成的 pcap 文件。

【讨论】:

您好,理查德,感谢您的建议。在发布之前,我已将 Firefox 设置为进行 HTTP 协商。我能够获得 Wireshark 捕获,但由于安全原因,我无法在无法更改主机和域字符串的情况下发布 pcap 文件。如果您可以建议在捕获中寻找任何具体内容,我将不胜感激。 无法查看数据,我无能为力。我只能说查找涉及相关 DNS 查找、Kerberos 与 KDC 交换以及 HTTP 连接中的 WWW-Authenticate 交换的错误。当然,您可能不清楚什么是错误,或者正确的交换是什么样子。 通常,您应该看到: > HTTP GET HTTP GET(这次使用 Authenticate: Negotiate 标头)

以上是关于Apache Kerberos 未从 Windows 客户端进行身份验证的主要内容,如果未能解决你的问题,请参考以下文章

Apache Commons FTPClient未从源文件中检索所有字节[重复]

Apache Drill 与 Kerberos

Apache shiro + kerberos 身份验证

Apache向Kerberos发送错误的服务器主体名称

大数据安全Apache Kylin 安全配置(Kerberos)

Apache HttpComponents HttpClient 5.0 - Kerberos SPNEGO 客户端