文档建议反馈控制台
首页
学习
活动
专区
圈层
工具
MCP广场
文章/答案/技术大牛
发布
首页
学习
活动
专区
圈层
工具
MCP广场
返回腾讯云官网
社区首页 >问答首页 >javax.naming.AuthenticationException

javax.naming.AuthenticationException
EN

Stack Overflow用户
提问于 2012-08-19 19:06:07
回答 1查看 4.7K关注 0票数 3

我正在尝试为ActiveDirectory创建一个上下文(客户机和服务器都是窗口),使用我的Windows凭证和NTLM。

这是我的代码:

代码语言:javascript
运行
复制
public void func() {
    try {
      URL configURL = getClass().getResource("jaas_ntlm_configuration.txt");
        System.setProperty("java.security.auth.login.config", configURL.toString());

        // If the application is run on NT rather than Unix, use this name
        String loginAppName = "MyConfig";

        // Create login context
        LoginContext lc = new LoginContext(loginAppName, new SampleCallbackHandler());

        // Retrieve the information on the logged-in user
        lc.login();

        // Get the authenticated subject
        Subject subject = lc.getSubject();

        System.out.println(subject.toString());

        Subject.doAs(subject, new JndiAction(new String[] { "" }));
    }
    catch (LoginException e) {
      e.printStackTrace();
    }
}

class JndiAction implements java.security.PrivilegedAction {
    private String[] args;

    public JndiAction(String[] origArgs) {
        this.args = (String[])origArgs.clone();
    }

    public Object run() {
        performJndiOperation(args);
        return null;
    }

    private static void performJndiOperation(String[] args) {

        // Set up environment for creating initial context
        Hashtable env = new Hashtable(11);

        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");

        // Must use fully qualified hostname
        env.put(Context.PROVIDER_URL, "ldap://server:389");

        // Request the use of the "GSSAPI" SASL mechanism
        // Authenticate by using already established Kerberos credentials
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");

        try {
            /* Create initial context */
//          DirContext ctx = new InitialDirContext(env);

              // Create the initial context
            DirContext ctx = new InitialLdapContext(env, null);


            // Close the context when we're done
            ctx.close();
        } catch (NamingException e) {
            e.printStackTrace();
        }
    }
}

我的jaas_ntlm_configuration.txt文件包含:

代码语言:javascript
运行
复制
MyConfig { com.sun.security.auth.module.Krb5LoginModule required
useTicketCache=true
doNotPrompt=false;
};

当我试图初始化上下文时,我得到了以下异常:

代码语言:javascript
运行
复制
javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: Final handshake failed [Caused by GSSException: Token had invalid integrity check (Mechanism level: Corrupt checksum in Wrap token)]]
        at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source)
        at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
        at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
        at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
        at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
        at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
        at javax.naming.InitialContext.init(Unknown Source)
        at javax.naming.ldap.InitialLdapContext.<init>(Unknown Source)
        at JndiAction.performJndiOperation(JndiAction.java:204)
        at JndiAction.run(JndiAction.java:181)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Unknown Source)
        at MyTest.Do(MyTest.java:59)
        at MyTest.main(MyTest.java:68)
Caused by: javax.security.sasl.SaslException: Final handshake failed [Caused by GSSException: Token had invalid integrity check (Mechanism level: Corrupt checksum in Wrap token)]
        at com.sun.security.sasl.gsskerb.GssKrb5Client.doFinalHandshake(Unknown Source)
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
        ... 18 more
Caused by: GSSException: Token had invalid integrity check (Mechanism level: Corrupt checksum in Wrap token)
        at sun.security.jgss.krb5.WrapToken_v2.getData(Unknown Source)
        at sun.security.jgss.krb5.WrapToken_v2.getData(Unknown Source)
        at sun.security.jgss.krb5.Krb5Context.unwrap(Unknown Source)
        at sun.security.jgss.GSSContextImpl.unwrap(Unknown Source)
        ... 20 more

有人能帮我解决这个问题吗?

java
active-directory
ldap
kerberos
gssapi
EN

回答 1

Stack Overflow用户

回答已采纳

发布于 2012-09-18 17:54:06

您实际上正在使用Kerberos身份验证。如果这就是你想要做的,我可以告诉你我是如何让它工作的:

代码语言:javascript
运行
复制
- add somewhere a file called krb5.conf with inside :

[libdefaults]
default_realm = YOUR_REALM
default_tkt_enctypes = arcfour-hmac-md5
default_tgs_enctypes = arcfour-hmac-md5
permitted_enctypes = arcfour-hmac-md5

dns_lookup_kdc = true
dns_lookup_realm = false

[realms]
YOUR_REALM = {
kdc = KERBEROS_SERVER
default_domain = YOUR_REALM
}

  • 将下面这几行添加到代码中:

System.setProperty("sun.security.krb5.principal",PRINCIPAL_NAME_WITHOUT_DOMAIN); (“java.security.krb5.conf”,PATH_TO_KRB5CONF_FILE);System.setProperty

如果您不知道您的Kerberos Server,那么就不能从命令行启动klist,并使用使用LDAP协议的服务(LDAP/服务器@域->服务器)。

如果仍然不起作用,请尝试添加

代码语言:javascript
运行
复制
System.setProperty("sun.security.krb5.debug", "true");

并发布输出。

票数 4
EN
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:

https://stackoverflow.com/questions/12025998

复制
相关文章

相似问题

领券

腾讯云开发者

扫码关注腾讯云开发者

扫码关注腾讯云开发者

领取腾讯云代金券

热门产品

热门推荐

更多推荐

Copyright © 2013 - 2025 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有 

深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 深公网安备号 44030502008569

腾讯云计算(北京)有限责任公司 京ICP证150476号 |  京ICP备11018762号 | 京公网安备号11010802020287

问题归档专栏文章快讯文章归档关键词归档开发者手册归档开发者手册 Section 归档