“Defective token detected” error (NTLM not Kerberos) with Kerberos/Spring Security/IE/Active Directory

野的像风 2020-11-27 13:41

We are having trouble getting Spring Security/Kerberos/AD to work for our web app. Our diagnosis is that our AD server is sending an NTLM token (we can tell as it starts with \
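The diagnosis above rests on recognizing the token type from the Authorization header: every NTLM message opens with the signature NTLMSSP, which base64-encodes to the prefix TlRMTVNT, while a SPNEGO or Kerberos token is a GSS-API initial context token opening with an ASN.1 [APPLICATION 0] tag and a mechanism OID. The classifier below is an added example, not code from the question or from Spring Security; the function names and the sample headers are constructed for illustration.

```python
import base64

# Prefixes that identify the token type: every NTLM message opens with the
# NTLMSSP signature; GSS-API initial context tokens open with a mechanism OID.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2

def _after_der_length(buf, pos):
    """Return the index just past the DER length field that starts at buf[pos]."""
    first = buf[pos]
    return pos + 1 if first < 0x80 else pos + 1 + (first & 0x7F)

def classify_negotiate_token(header_value):
    """Return 'ntlm', 'spnego', 'krb5' or 'unknown' for an Authorization header value.

    A Kerberos-only SPNEGO filter accepts 'spnego' and 'krb5'; an 'ntlm'
    token is what produces the 'Defective token detected' error.
    """
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "unknown"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "unknown"
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"
    # GSS-API initial context token: [APPLICATION 0] { mechanism OID, inner token }
    if len(token) > 2 and token[0] == 0x60:
        pos = _after_der_length(token, 1)
        if token.startswith(SPNEGO_OID, pos):
            return "spnego"
        if token.startswith(KRB5_OID, pos):
            return "krb5"
    return "unknown"

def _gss_token(oid, inner):
    """Wrap oid + inner in [APPLICATION 0]; used only to build constructed samples."""
    body = oid + inner
    n = (len(body).bit_length() + 7) // 8
    length = bytes([len(body)]) if len(body) < 0x80 else bytes([0x80 | n]) + len(body).to_bytes(n, "big")
    return b"\x60" + length + body

# Constructed sample headers, not captured from any real system.
SAMPLE_NTLM = "Negotiate " + base64.b64encode(NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00\x07\x82\x08\xa2").decode()
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(_gss_token(SPNEGO_OID, bytes(200))).decode()
SAMPLE_KRB5 = "Negotiate " + base64.b64encode(_gss_token(KRB5_OID, b"\x01\x00")).decode()
```

Running the classifier over the header a browser actually sent tells you whether to look at the SPN, DNS name or domain-join causes listed in the answers, or at the token itself.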

3 answers
  • 2020-11-27 14:45

    I also encountered this problem. For those unlucky people who will have this problem in the future, another cause for this problem is accessing the server by IP instead of its A record (hostname).

  • 2020-11-27 14:45

    I also had the same problem and it took me a very, very long time to find the culprit. So if you have done all the above and it still uses an NTLM token instead of Kerberos, make sure you don't have a duplicate SPN. In my case I had 2 accounts mapped to the same SPN, and the reason was I previously ran a separate web app on the same server that used a different service account but mapped to the same SPN, which was HTTP/

    Hope it helps

  • 2020-11-27 14:47

    This can happen when you are running the client and server on the same machine. When you use IE to talk to the machine running Tomcat, ensure that these are distinct machines.

    Additionally you need to ensure that the server machine is joined to the domain specified in the keytab (testdomain.ourcompany.co.uk) or you might drop back to NTLM. Your keytab can still work even if your server is on a machine not joined to the domain (you'll see the nice keytab decrypt that you showed), but IE can get confused and not do the correct thing.

    AD only really likes to speak arcfour-hmac for Server 2003 so you need to ensure that you set this up correctly in your krb5.ini file.

    You can correctly create the keytab like this:

    C:\>ktpass -princ HTTP/ourweb.testdomain.ourcompany.co.uk@TESTDOMAIN.OURCOMPANY.CO.UK -mapuser ourweb.testdomain.ourcompany.co.uk@TESTDOMAIN.OURCOMPANY.CO.UK -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -pass * -out ourweb.keytab
    Targeting domain controller: test-dc.ourcompany.co.uk
    Using legacy password setting method
    Successfully mapped HTTP/ourweb.testdomain.ourcompany.co.uk@TESTDOMAIN.OURCOMPANY.CO.UK to ourweb.testdomain.ourcompany.co.uk.
    Key created.
    Output keytab to ourweb.keytab:
    Keytab version: 0x502
    keysize 75 HTTP/ourweb.testdomain.ourcompany.co.uk@TESTDOMAIN.OURCOMPANY.CO.UK ptype 1 (KRB5_NT_PRINCIPAL)
    vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0x0fd0e500225c4fca9a63a9998b17ca32)
    

    I did not see that you had set up a krb5.ini file. You will need to have that set correctly on your server machine (default location C:\WINDOWS\krb5.ini):

    [domain_realm]
        .testdomain.ourcompany.co.uk = TESTDOMAIN.OURCOMPANY.CO.UK
        testdomain.ourcompany.co.uk = TESTDOMAIN.OURCOMPANY.CO.UK

    [libdefaults]
        default_realm = TESTDOMAIN.OURCOMPANY.CO.UK
        permitted_enctypes = aes128-cts aes256-cts arcfour-hmac-md5
        default_tgs_enctypes = aes128-cts aes256-cts arcfour-hmac-md5
        default_tkt_enctypes = aes128-cts aes256-cts arcfour-hmac-md5

    [realms]
        # the realm name here must match default_realm and the realm in the keytab principal
        TESTDOMAIN.OURCOMPANY.CO.UK = {
            kdc = test-dc.ourcompany.co.uk
            admin_server = test-dc.ourcompany.co.uk
            default_domain = TESTDOMAIN.OURCOMPANY.CO.UK
        }
    

    You might also need to set the following properties (if you are trying to run this from an IDE):

    <systemProperties>
      <java.security.krb5.kdc>test-dc.ourcompany.co.uk</java.security.krb5.kdc>
      <java.security.krb5.realm>TESTDOMAIN.OURCOMPANY.CO.UK</java.security.krb5.realm>
    </systemProperties>
    

    I was using the org.codehaus.mojo plugin for maven which sets these in the pom file like this:

    <build>
      <plugins>
        <plugin>
          <groupId>org.codehaus.mojo</groupId>
          <artifactId>tomcat-maven-plugin</artifactId>
          <configuration>
            <server>tomcat-development-server</server>
            <port>8080</port>
            <path>/SecurityTest</path>
            <systemProperties>
              <java.security.krb5.kdc>test-dc.ourcompany.co.uk</java.security.krb5.kdc>
              <java.security.krb5.realm>TESTDOMAIN.OURCOMPANY.CO.UK</java.security.krb5.realm>
            </systemProperties>
          </configuration>
        </plugin>
      </plugins>
    </build>
    