浏览器不断发送NTLM令牌而不是Kerberos-如何解决它?

我似乎无法正确配置系统，并要求浏览器发送 kerberos 票证.而是发送NTLM令牌.

I can't seem to correctly configure the system and have the browser send a kerberos ticket to the web-server. Instead, a NTLM token is sent.

问:我该如何解决?

下面列出了所有详细信息和配置.

All details and configurations are listed below.

基础结构:

我在域COMPANY.local中有三台计算机:

I have three machines within the domain COMPANY.local:

• PC-I7.COMPANY.local(在192.168.0.5上).它充当KDC的角色，它是Active-Directory服务器，并且在AD中注册了其他计算机(请参见下文).还为本地网络配置了DNS. Active Directory中的域为:COMPANY.local
• SOFTWARE.COMPANY.local(在192.168.0.10上)运行网站-已配置Jetty/SPNego支持的应用程序.
• OTHER.COMPANY.local(在192.168.0.9上)，只是一个客户端，所以我可以从另一台计算机访问软件服务器.

• PC-I7.COMPANY.local (on 192.168.0.5). It acts as KDC, it's an Active-Directory server with the other machines (see below) registered in the AD. Also has the DNS for the local network configured. The domain in the Active Directory is: COMPANY.local
• SOFTWARE.COMPANY.local (on 192.168.0.10) runs the web-application which has the Jetty/SPNego support configured.
• OTHER.COMPANY.local (on 192.168.0.9), just a client so I can access the software server from another machine.

最后两个实际上是运行在Intranet中linux服务器上的VM.他们可以使用自己的IP进行访问.他们在Network Configuration中的主要DNS指向192.168.0.5.

The last two are actually VMs running on a linux server in the intranet. They are reachable with their own IP. Their primary DNS in Network Configuration points to 192.168.0.5.

两者都在COMPANY.local中加入并且在AD中作为计算机存在.

Both are joined in COMPANY.local and are present as computers in the AD.

我知道客户端和服务器应保留在其他计算机上；并将它们放在两个不同的VM上应该可以避免此问题.

I know client and server should stay on different machines; and being them onto two different VM's should avoid this issue.

所有三台计算机都在DNS中注册为A主机，并在Reverse lookup zone中为其分别指定了反向指针.

All three machines are registered as A hosts in the DNS with a reverse pointer for each of them in the Reverse lookup zone.

SPN

在Active Directory中创建用户software后，我将生成密钥表文件

After having created the user software in the Active Directory, I generate the keytab file

ktpass -princ HTTP/software.company.local@COMPANY.LOCAL -mapuser software@COMPANY.LOCAL -crypto ALL -ptype KRB5_NT_PRINCIPAL -pass __PassForADUserSoftware__ -out C:/winnt/krb5.keytab

我得到以下输出，其中似乎包含错误:

I get the following output which seems to contain an error:

Targeting domain controller: PC-I7.COMPANY.local
  Failed to set property 'userPrincipalName' to 'HTTP/software.company.local@COMPANY.LOCAL' on Dn 'CN=Software SSO Kerberized WebServer,DC=COMPANY,DC=local': 0x13.
  WARNING: Failed to set UPN HTTP/software.company.local@COMPANY.LOCAL on CN=Software SSO Kerberized WebServer,DC=COMPANY,DC=local.
  kinits to 'HTTP/software.company.local@COMPANY.LOCAL' will fail.
Successfully mapped HTTP/software.company.local to software.
Password successfully set!
Key created.
Key created.
Key created.
Key created.
Key created.
Output keytab to C:/winnt/krb5.keytab:
Keytab version: 0x502 
keysize 64 HTTP/software.company.local@COMPANY.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 8 etype 0x1 (DES-CBC-CRC) keylength 8 (0x0bf1688040abadba)
keysize 64 HTTP/software.company.local@COMPANY.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 8 etype 0x3 (DES-CBC-MD5) keylength 8 (0x0bf1688040abadba)
keysize 72 HTTP/software.company.local@COMPANY.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 8 etype 0x17 (RC4-HMAC) keylength 16 (0x737d9811dd38e108741461ba79153192)
keysize 88 HTTP/software.company.local@COMPANY.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 8 etype 0x12 (AES256-SHA1) keylength 32 (0xcc8ab2939f822f9df6904a987954e0cfaa261bc36803af6c5f8d9a98f1d4f2aa)
keysize 72 HTTP/software.company.local@COMPANY.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 8 etype 0x11 (AES128-SHA1) keylength 16 (0xd616b814dcd1b955f125ab4de5895d39)

AD用户已选中两个This account supports the Kerbers AES-...复选框.

The AD user has the two This account supports the Kerbers AES-... checkboxes checked.

OTHER.COMPANY.local服务器

The OTHER.COMPANY.local server

我通过RDP使用凭据登录到该计算机:

I login to this machine via RDP with the credentials:

user: Administrator
pass: ARandomPass

使用从OTHER服务器请求票证时

When asking for a ticket from OTHER server with

kinit HTTP/software.company.local@COMPANY.LOCAL

我可以用wireshark

Internet Explorer(因此还有Chrome)在Internet Options中具有以下设置:

Internet explorer (and therefore Chrome) have the following settings in Internet Options:

Security > Local Intranet > Sites > *.company.local
Security > Custom level > Automatic logon only in Intranet area

当我在http://software.company.local:8998/software/login

我可以看到浏览器发送了NTLM请求

I can see the browser sends a NTLM request

，我可以在服务器端看到有缺陷的令牌异常

and I can see the Defective Token exception on the server side

WARN:oejs.SpnegoLoginService:qtp506835709-28: 
GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
at org.eclipse.jetty.security.SpnegoLoginService.login(SpnegoLoginService.java:138)
at org.eclipse.jetty.security.authentication.LoginAuthenticator.login(LoginAuthenticator.java:61)
at org.eclipse.jetty.security.authentication.SpnegoAuthenticator.validateRequest(SpnegoAuthenticator.java:99)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:483)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:134)
at org.eclipse.jetty.server.Server.handle(Server.java:524)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:319)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:253)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:273)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:95)
at org.eclipse.jetty.io.SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:93)
at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.executeProduceConsume(ExecuteProduceConsume.java:303)
at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceConsume(ExecuteProduceConsume.java:148)
at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:136)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:671)
at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:589)
at java.lang.Thread.run(Thread.java:748)

此信息还会显示在java日志中:

Also this info appears in the java log:

Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt false 
ticketCache is null isInitiator false 
KeyTab is C:/software/inst/modules/common-config/auth/krb5.keytab refreshKrb5Config is false 
principal is HTTP/software.company.local@COMPANY.LOCAL tryFirstPass is false 
useFirstPass is false storePass is false clearPass is false

我可以从链接的答案中收集信息:

Information I can gather from the linked answer:

• 要点1:HTTP服务的SPN与浏览器输入的URL匹配.我在浏览器中输入了与SPN HTTP/software.company.local@COMPANY.LOCAL

第2点:*.company.local已添加到受信任的站点.

Point 2: *.company.local is added to the trusted sites.

要点3:我不将密码限制为DES-CBC-MD5

Point 3: I'm not restricting the encrpytion to DES-CBC-MD5

要点3:我已经检查了AES-128和AES-256 ...，但没有检查DES，因为我正在使用的Windows Server版本具有复选框Use only Kerberos DES encryption types for this account，这不是我想要的.我应该检查一下吗?

Point 3: I have checked AES-128 and AES-256 ... but not DES because the Windows Server version I am working with has the checkbox saying Use only Kerberos DES encryption types for this account, which is not what I want. Should I check it?

SOFTWARE.COMPANY.local服务器

The SOFTWARE.COMPANY.local server

Web应用程序已注册为Windows Server.

The web-application is registered as a Windows Server.

这些是配置文件:

krb5.ini文件:

[libdefaults]
default_realm = COMPANY.LOCAL
permitted_enctypes = rc4-hmac,aes128-cts,aes256-cts,arcfour-hmac-md5,aes256-cts-hmac-sha1-96    
default_tgs_enctypes = rc4-hmac,aes128-cts,aes256-cts,arcfour-hmac-md5,aes256-cts-hmac-sha1-96
default_tkt_enctypes = rc4-hmac,aes128-cts,aes256-cts,arcfour-hmac-md5,aes256-cts-hmac-sha1-96
default_keytab_name = FILE:C:/software/inst/modules/common-config/krb5.keytab

[domain_realm]
COMPANY.local = COMPANY.LOCAL
.company.local = COMPANY.LOCAL

[realms]
COMPANY.LOCAL = {
    admin_server = PC-I7.COMPANY.local
    kdc = PC-I7.COMPANY.local:88
}

spnego.conf文件:

com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    principal = "HTTP/software.company.local@COMPANY.LOCAL"
    keyTab = "C:/software/inst/modules/common-config/auth/krb5.keytab"
    useKeyTab = true
    storeKey = true
    debug = true
    isInitiator = false;
};

com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    principal = "HTTP/software.company.local@COMPANY.LOCAL"
    useKeyTab = true
    keyTab = "C:/software/inst/modules/common-config/auth/krb5.keytab"
    storeKey=true
    debug=true
    isInitiator=false;
};

这是spnego.properties文件:

targetName = HTTP/software.company.local

我的jetty-web.xml配置文件包含:

<Get name="securityHandler">
    <Set name="loginService">
        <New class="org.eclipse.jetty.security.SpnegoLoginService">
            <Set name="name">Company Realm</Set>
            <Set name="config">
                <SystemProperty name="jetty.home" default="."/>/modules/common-config/auth/spnego.properties</Set>
        </New>
    </Set>
    <Set name="checkWelcomeFiles">true</Set>
</Get>

这是我以编程方式在Java中注册spnego配置的方式:

This is how I programmatically register the spnego configuration in Java:

private SecurityHandler wrapEnableSSOAuthHandlers(final Handler collection) {

    // ini file
    System.setProperty(
            "java.security.krb5.conf",
            _config.getString("authentication.win_sso.spnego.krb5") // the krb5.ini file
    );
    System.setProperty(
            "java.security.auth.login.config",
            _config.getString("authentication.win_sso.spnego.login") // the spnego.conf file
    );
    System.setProperty(
            "javax.security.auth.useSubjectCredsOnly",
            "false"
    );

    final Constraint spnegoConstraint = new Constraint();
    spnegoConstraint.setName(Constraint.__SPNEGO_AUTH);

    final String domainRealm = _config.getString("authentication.win_sso.domain.realm");    // resolves to COMPANY.LOCAL

    spnegoConstraint.setRoles(new String[]{domainRealm});
    spnegoConstraint.setAuthenticate(true);

    final ConstraintMapping mapping = new ConstraintMapping();
    mapping.setConstraint(spnegoConstraint);
    mapping.setPathSpec("/*");

    final String spnegoProperties = _config.getString("authentication.win_sso.spnego.properties");      // the spnego.properties file

    final SpnegoLoginService loginService = new SpnegoLoginService();
    loginService.setConfig(spnegoProperties);
    loginService.setName(domainRealm);

    final ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
    securityHandler.setLoginService(loginService);
    securityHandler.setConstraintMappings(new ConstraintMapping[]{mapping});
    securityHandler.setRealmName(domainRealm);
    securityHandler.setAuthenticator(new SpnegoAuthenticator());
    securityHandler.setHandler(collection);
    return securityHandler;
}

和

// here I disable the TRACE method for all calls 
Handler wrappedSecurityHandler = wrapDisableTraceHandlers(handlers);
wrappedSecurityHandler = wrapEnableSSOAuthHandlers(wrappedSecurityHandler);
_server.setHandler(wrappedSecurityHandler);

---

其他信息

我已经下载了 Kerberos身份验证测试器工具，当从KDC服务器(192.168.0.5)运行它并针对http://software.company.local:8998进行测试时，它会显示正确的Kerberos身份验证.

I have downloaded the Kerberos Authentication Tester Tool and when running it from the KDC server (192.168.0.5) and testing against http://software.company.local:8998 it shows a correct Kerberos authentication.

从192.168.0.10服务器(在浏览器所在的位置)运行它时，它会显示:

When running it from the 192.168.0.10 server (where the browser is) it says:

意外的授权标头

Unexpected authorization header

和身份验证方法:NTLM.

我想这可能是DNS问题，还是它们在同一服务器上是两个VM的事实.

I guess it's either a DNS issue or the fact that they are two VM on the same server.