single-sign-on - Keycloak SPNEGO authentication fails with "The underlying mechanism context has not been initialized", "result = ACCEPT_INCOMPLETE"
Problem description
I am trying to set up Keycloak with the LDAP provider for Active Directory and SPNEGO support. This is a test setup in which everything runs on the same VM with Windows Server 2016 as the operating system. The LDAP provider with Kerberos integration appears to be configured correctly: user synchronisation and Kerberos authentication are working.
However, when trying to use Windows integrated authentication (SPNEGO) with Chrome, the browser shows the login page.
To get things working, I would like to better understand the following log messages I get from Keycloak. Of course, any other suggestions about what the underlying problem might be are also very welcome!
16:50:06,194 INFO [stdout] (default task-5) Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is C:\keycloak\standalone\configuration\keycloak.keytab refreshKrb5Config is false principal is HTTP/keycloak.local@KEYCLOAK.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
16:50:06,210 INFO [stdout] (default task-5) principal is HTTP/keycloak.local@KEYCLOAK.LOCAL
16:50:06,210 INFO [stdout] (default task-5) Will use keytab
16:50:06,210 INFO [stdout] (default task-5) Commit Succeeded
16:50:06,210 INFO [stdout] (default task-5)
16:50:06,225 INFO [stdout] (default task-5) Found KeyTab C:\keycloak\standalone\configuration\keycloak.keytab for HTTP/keycloak.local@KEYCLOAK.LOCAL
16:50:06,225 INFO [stdout] (default task-5) Found KeyTab C:\keycloak\standalone\configuration\keycloak.keytab for HTTP/keycloak.local@KEYCLOAK.LOCAL
16:50:06,225 INFO [stdout] (default task-5) Found KeyTab C:\keycloak\standalone\configuration\keycloak.keytab for HTTP/keycloak.local@KEYCLOAK.LOCAL
16:50:06,225 INFO [stdout] (default task-5) Found KeyTab C:\keycloak\standalone\configuration\keycloak.keytab for HTTP/keycloak.local@KEYCLOAK.LOCAL
16:50:06,225 INFO [stdout] (default task-5) Entered SpNegoContext.acceptSecContext with state=STATE_NEW
16:50:06,225 INFO [stdout] (default task-5) SpNegoContext.acceptSecContext: receiving token = a0 75 30 73 a0 30 30 2e 06 0a 2b 06 01 04 01 82 37 02 02 0a 06 09 2a 86 48 82 f7 12 01 02 02 06 09 2a 86 48 86 f7 12 01 02 02 06 0a 2b 06 01 04 01 82 37 02 02 1e a2 3f 04 3d 4e 54 4c 4d 53 53 50 00 01 00 00 00 97 b2 08 e2 08 00 08 00 35 00 00 00 0d 00 0d 00 28 00 00 00 0a 00 39 38 00 00 00 0f 50 50 4b 45 59 43 4c 4f 41 4b 32 32 30 4b 45 59 43 4c 4f 41 4b
16:50:06,225 INFO [stdout] (default task-5) SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.10
16:50:06,225 INFO [stdout] (default task-5) SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.48018.1.2.2
16:50:06,225 INFO [stdout] (default task-5) SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.113554.1.2.2
16:50:06,225 INFO [stdout] (default task-5) SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.30
16:50:06,225 INFO [stdout] (default task-5) SpNegoToken NegTokenInit: reading Mech Token
16:50:06,225 INFO [stdout] (default task-5) SpNegoContext.acceptSecContext: received token of type = SPNEGO NegTokenInit
16:50:06,225 INFO [stdout] (default task-5) SpNegoContext: negotiated mechanism = 1.2.840.113554.1.2.2
16:50:06,225 INFO [stdout] (default task-5) The underlying mechanism context has not been initialized
16:50:06,225 INFO [stdout] (default task-5) SpNegoContext.acceptSecContext: mechanism wanted = 1.2.840.113554.1.2.2
16:50:06,225 INFO [stdout] (default task-5) SpNegoContext.acceptSecContext: negotiated result = ACCEPT_INCOMPLETE
16:50:06,225 INFO [stdout] (default task-5) SpNegoContext.acceptSecContext: sending token of type = SPNEGO NegTokenTarg
16:50:06,225 INFO [stdout] (default task-5) SpNegoContext.acceptSecContext: sending token = a1 14 30 12 a0 03 0a 01 01 a1 0b 06 09 2a 86 48 86 f7 12 01 02 02
16:50:06,225 INFO [stdout] (default task-5) The underlying mechanism context has not been initialized
16:50:06,225 INFO [stdout] (default task-5) The underlying mechanism context has not been initialized
16:50:06,225 INFO [stdout] (default task-5) [Krb5LoginModule]: Entering logout
16:50:06,225 INFO [stdout] (default task-5) [Krb5LoginModule]: logged out Subject
My interpretation so far:
From this article I conclude that the "received token" is an NTLM token. Keycloak does not support NTLM, so it requests a token from the browser according to "Mechanism Oid = 1.2.840.48018.1.2.2". But then the negotiation somehow gets stuck.
Questions:
What does "The underlying mechanism context has not been initialized" mean? Does it indicate that some configuration is missing?
What does "SpNegoContext.acceptSecContext: negotiated result = ACCEPT_INCOMPLETE" mean? Does it mean the negotiation failed, or that more information is required?
Additional information:
The Keycloak version is 7.0.0.
Chrome, Firefox and IE behave the same, so I assume they delegate the SPNEGO negotiation to the operating system.
I start the browser on the host that runs Keycloak. There are posts 1, 2 suggesting that having client and server on the same machine can lead to NTLM tokens.
The log above is what I get when I access Keycloak via localhost. When I use the IP address or the fully qualified hostname, I get an exception:
16:44:08,698 INFO [stdout] (default task-2) Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is C:\keycloak\standalone\configuration\keycloak.keytab refreshKrb5Config is false principal is HTTP/keycloak.local@KEYCLOAK.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
16:44:08,704 INFO [stdout] (default task-2) principal is HTTP/keycloak.local@KEYCLOAK.LOCAL
16:44:08,705 INFO [stdout] (default task-2) Will use keytab
16:44:08,705 INFO [stdout] (default task-2) Commit Succeeded
16:44:08,705 INFO [stdout] (default task-2)
16:44:08,706 INFO [stdout] (default task-2) Found KeyTab C:\keycloak\standalone\configuration\keycloak.keytab for HTTP/keycloak.local@KEYCLOAK.LOCAL
16:44:08,707 INFO [stdout] (default task-2) Found KeyTab C:\keycloak\standalone\configuration\keycloak.keytab for HTTP/keycloak.local@KEYCLOAK.LOCAL
16:44:08,709 INFO [stdout] (default task-2) Found KeyTab C:\keycloak\standalone\configuration\keycloak.keytab for HTTP/keycloak.local@KEYCLOAK.LOCAL
16:44:08,711 INFO [stdout] (default task-2) Found KeyTab C:\keycloak\standalone\configuration\keycloak.keytab for HTTP/keycloak.local@KEYCLOAK.LOCAL
16:44:08,712 WARN [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (default task-2) SPNEGO login failed: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Unknown Source)
at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:68)
at org.keycloak.storage.ldap.LDAPStorageProvider.authenticate(LDAPStorageProvider.java:692)
[...]
Solution
I realised that switching "sspi" to false works for Firefox, but I guess that only fights the symptom and is a workaround, since Chrome and IE still run into the same problem.
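An added decoder (my own example, not code from the question or from Keycloak) for the two SPNEGO tokens the debug log printed: it walks the RFC 4178 DER structure, lists the mechanisms the browser offered, checks whether the optimistic mechToken is an NTLM message, and reads the negState and supportedMech the server sent back. The mechanism names in OID_NAMES are the well-known assignments for those OIDs; the two hex dumps are copied verbatim from the log above.

```python
OID_NAMES = {"1.3.6.1.4.1.311.2.2.10": "NTLMSSP", "1.2.840.48018.1.2.2": "MS-KRB5",
             "1.2.840.113554.1.2.2": "KRB5", "1.3.6.1.4.1.311.2.2.30": "NEGOEX"}
NEG_STATE = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}
# The two dumps from the question's log, copied verbatim (browser -> Keycloak, then the reply).
BROWSER_TOKEN = ("a0 75 30 73 a0 30 30 2e 06 0a 2b 06 01 04 01 82 37 02 02 0a 06 09 2a 86 48 82 f7 12 01 02 02 06 09 2a 86 48 86 f7 12 01 02 02 06 0a 2b 06 01 04 01 82 37 02 02 1e "
                 "a2 3f 04 3d 4e 54 4c 4d 53 53 50 00 01 00 00 00 97 b2 08 e2 08 00 08 00 35 00 00 00 0d 00 0d 00 28 00 00 00 0a 00 39 38 00 00 00 0f "
                 "50 50 4b 45 59 43 4c 4f 41 4b 32 32 30 4b 45 59 43 4c 4f 41 4b")
KEYCLOAK_REPLY = "a1 14 30 12 a0 03 0a 01 01 a1 0b 06 09 2a 86 48 86 f7 12 01 02 02"

def tlv(buf, pos):
    """Decode one DER element at pos -> (tag, value, next_pos); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:  # base-128 arcs, high bit set on every byte except the last of an arc
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def describe_spnego(hex_dump):
    """Summarise a NegTokenInit ([0]) or NegTokenResp ([1]) exactly as the Java GSS log prints it."""
    buf = bytes.fromhex(hex_dump)
    outer, body, _ = tlv(buf, 0)
    _, seq, _ = tlv(body, 0)  # the SEQUENCE inside the [0] / [1] wrapper
    info = {"kind": "NegTokenInit" if outer == 0xA0 else "NegTokenResp"}
    pos = 0
    while pos < len(seq):
        tag, val, pos = tlv(seq, pos)
        if outer == 0xA0 and tag == 0xA0:  # mechTypes: SEQUENCE OF OID, in the client's preference order
            _, lst, _ = tlv(val, 0)
            oids, p = [], 0
            while p < len(lst):
                _, o, p = tlv(lst, p)
                oids.append(OID_NAMES.get(decode_oid(o), decode_oid(o)))
            info["mech_types"] = oids
        elif outer == 0xA0 and tag == 0xA2:  # mechToken: optimistic token for the first mechanism
            _, tok, _ = tlv(val, 0)
            info["mech_token_is_ntlm"] = tok.startswith(b"NTLMSSP\x00")
        elif outer == 0xA1 and tag == 0xA0:  # negState ENUMERATED
            info["neg_state"] = NEG_STATE[tlv(val, 0)[1][0]]
        elif outer == 0xA1 and tag == 0xA1:  # supportedMech: the mechanism the server chose
            info["supported_mech"] = OID_NAMES.get(decode_oid(tlv(val, 0)[1]))
    return info
```

Run on the two dumps, it shows the browser listing NTLMSSP first and attaching an NTLM mechToken, and the server answering accept-incomplete with supportedMech KRB5, i.e. asking for a Kerberos token on the next round rather than reporting a failure.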