Why can't JDK 1.8.0_121 find the Kerberos default_tkt_enctypes type? (KrbException: no supported default etypes for default_tkt_enctypes) - java

Here are my environment details:

KDC server: Windows Server 2012

Target machine: Windows 7

JDK version: Oracle 1.8.0_121 (64-bit)

When I run Java's kinit command on the Windows 7 machine, I get the following exception:

C:\Program Files\Java\jdk1.8.0_121\bin>kinit -k -t "C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab" HTTP/[email protected]
Exception: krb_error 0 no supported default etypes for default_tkt_enctypes No error
KrbException: no supported default etypes for default_tkt_enctypes
        at sun.security.krb5.Config.defaultEtype(Config.java:844)
        at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:249)
        at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:262)
        at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
        at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
        at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
        at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
        at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)

Command output in debug mode:

C:\Program Files\Java\jdk1.8.0_121\bin>kinit -J-Dsun.security.krb5.debug=true -k -t "C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab" HTTP/[email protected]
>>>KinitOptions cache name is C:\Users\devtcadmin\krb5cc_devtcadmin
Principal is HTTP/[email protected]
>>> Kinit using keytab
>>> Kinit keytab file name: C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab
Java config name: null
LSA: Found Ticket
LSA: Made NewWeakGlobalRef
LSA: Found PrincipalName
LSA: Made NewWeakGlobalRef
LSA: Found DerValue
LSA: Made NewWeakGlobalRef
LSA: Found EncryptionKey
LSA: Made NewWeakGlobalRef
LSA: Found TicketFlags
LSA: Made NewWeakGlobalRef
LSA: Found KerberosTime
LSA: Made NewWeakGlobalRef
LSA: Found String
LSA: Made NewWeakGlobalRef
LSA: Found DerValue constructor
LSA: Found Ticket constructor
LSA: Found PrincipalName constructor
LSA: Found EncryptionKey constructor
LSA: Found TicketFlags constructor
LSA: Found KerberosTime constructor
LSA: Finished OnLoad processing
Native config name: C:\Windows\krb5.ini
Loaded from native config
>>> Kinit realm name is DEVDEVELOPMENT.COM
>>> Creating KrbAsReq
>>> KrbKdcReq local addresses for dev26 are:

        dev26/192.168.1.229
IPv4 address

        dev26/fe80:0:0:0:78ae:388f:4f63:3717%11
IPv6 address
>>> KdcAccessibility: reset
>>> KeyTabInputStream, readName(): DEVDEVELOPMENT.COM
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): dev26.devdevelopment.com
>>> KeyTab: load() entry length: 99; type: 18
Looking for keys for: HTTP/[email protected]
Added key: 18version: 3
Exception: krb_error 0 no supported default etypes for default_tkt_enctypes No error
KrbException: no supported default etypes for default_tkt_enctypes
        at sun.security.krb5.Config.defaultEtype(Config.java:844)
        at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:249)
        at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:262)
        at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
        at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
        at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
        at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
        at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)

Here is the output of the ktpass command on the KDC server (Windows Server 2012) used to generate the tomcat_ad.keytab file:

C:\Users\Administrator>ktpass /out C:\tomcat_ad.keytab /mapuser [email protected] /princ HTTP/[email protected] /pass ****** /crypto AES256-SHA1 ptype KRB5_NT_PRINCIPAL
    Targeting domain controller: dev.devdevelopment.com
    Using legacy password setting method
    Successfully mapped HTTP/dev26.devdevelopment.com to devtcadmin.
    Key created.
    Output keytab to C:\tomcat_ad.keytab:
    Keytab version: 0x502
    keysize 99 HTTP/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x12 (AES256-SHA1) keylength 32 (0xf20788d7c6f99c385fc91b53c7d9ef55591d314e5340ca1fb9acac1b178c8861)

Here are the contents of the C:\Windows\krb5.ini file on the Windows 7 machine:

[libdefaults]
default_realm=DEVDEVELOPMENT.COM
default_keytab_name=“C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab"
default_tkt_enctypes=aes256-cts-hmac-shal-96
default_tgs_enctypes=aes256-cts-hmac-shal-96
permitted_enctypes=aes256-cts-hmac-shal-96
udp_preference_limit=1
forwardable=true

[realms]
DEVDEVELOPMENT.COM={
    kdc=dev.devdevelopment.com:88
}

[domain_realm]
devdevelopment.com=DEVDEVELOPMENT.COM
.devdevelopment.com=DEVDEVELOPMENT.COM

Here is the output of Java's ktab command on the Windows 7 machine:

C:\Program Files\Java\jdk1.8.0_121\bin>ktab -l -e -t -k "C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab"
Keytab name: C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab
KVNO Timestamp      Principal
---- -------------- ---------------------------------------------------------------------------------------
   3 1/1/70 5:30 AM HTTP/[email protected] (18:AES256 CTS mode with HMAC SHA1-96)

I have also updated the JCE jar files in the C:\Program Files\Java\jre1.8.0_121\lib\security and C:\Program Files\Java\jdk1.8.0_121\jre\lib\security folders.

What should be done to overcome this exception?

Edit 1 (continuing from my third comment):

Here is the output of the first kinit command, with the tomcat_ad.keytab file in the C:\Program Files\Java\jre1.8.0_121\bin folder:

C:\Program Files\Java\jdk1.8.0_121\bin>kinit -k -t tomcat_ad.keytab HTTP/dev26.devdevelopment.com
New ticket is stored in cache file C:\Users\devtcadmin\krb5cc_devtcadmin

And here is the output of the kinit command with the tomcat_ad.keytab file in the C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf folder, after appending C:\Program Files\Java\jdk1.8.0_121\bin; to the path environment variable:

C:\Users\devtcadmin>kinit -k -t "C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab" HTTP/[email protected]
New ticket is stored in cache file C:\Users\devtcadmin\krb5cc_devtcadmin

But this time, in debug mode, the kinit command throws the following exception:

C:\Users\devtcadmin>kinit -J-Dsun.security.krb5.debug=true -k -t "C:\Program Files\Apache Software Foundation\Tomcat 8.5\conf\tomcat_ad.keytab" HTTP/[email protected]
>>>KinitOptions cache name is C:\Users\devtcadmin\krb5cc_devtcadmin
Principal is HTTP/[email protected]
>>> Kinit using keytab
>>> Kinit keytab file name: C:\Program Files\Apache Software Foundation\Tomcat 8.5\conf\tomcat_ad.keytab
Java config name: null
LSA: Found Ticket
LSA: Made NewWeakGlobalRef
LSA: Found PrincipalName
LSA: Made NewWeakGlobalRef
LSA: Found DerValue
LSA: Made NewWeakGlobalRef
LSA: Found EncryptionKey
LSA: Made NewWeakGlobalRef
LSA: Found TicketFlags
LSA: Made NewWeakGlobalRef
LSA: Found KerberosTime
LSA: Made NewWeakGlobalRef
LSA: Found String
LSA: Made NewWeakGlobalRef
LSA: Found DerValue constructor
LSA: Found Ticket constructor
LSA: Found PrincipalName constructor
LSA: Found EncryptionKey constructor
LSA: Found TicketFlags constructor
LSA: Found KerberosTime constructor
LSA: Finished OnLoad processing
Native config name: C:\Windows\krb5.ini
Loaded from native config
>>> Kinit realm name is DEVDEVELOPMENT.COM
>>> Creating KrbAsReq
>>> KrbKdcReq local addresses for dev26 are:

        dev26/192.168.1.229
IPv4 address

        dev26/fe80:0:0:0:78ae:388f:4f63:3717%11
IPv6 address
>>> KdcAccessibility: reset
Looking for keys for: HTTP/[email protected]
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23.
Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:  No error
KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:
        at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:280)
        at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
        at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
        at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
        at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
        at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)

Why does the above command work after commenting out those lines in the C:\Windows\krb5.ini file? And why does the kinit command in debug mode output the above exception?

Answer

I have seen this before; try this. Copy the keytab to the C:\Program Files\Java\jdk1.8.0_121\bin directory, then retry from that directory with the simpler command shown below. You do not need to append the Kerberos realm to the SPN, because you have already defined the realm in krb5.conf, so I removed it.

kinit -k -t tomcat_ad.keytab HTTP/dev26.devdevelopment.com

If that still does not work, make sure you really do have the unlimited-strength JCE jar files in the \lib\security directory. Although you said you did this, a Java JRE upgrade can overwrite them.

Edit: On the "Account" tab of the AD user account devtcadmin, make sure the box "This account supports Kerberos AES 256 bit encryption" is checked.

If it still does not work, comment out the four lines shown below in C:\Windows\krb5.conf on the Windows 7 machine. They are not needed, because Kerberos will still use the highest possible encryption type, and in Windows 7/2008 and later TCP is used by default, so you do not need to set the UDP preference limit.

#default_tkt_enctypes=aes256-cts-hmac-shal-96
#default_tgs_enctypes=aes256-cts-hmac-shal-96
#permitted_enctypes=aes256-cts-hmac-shal-96
#udp_preference_limit=1

Take a quick look at my TechNet article for more reference on this: Kerberos Keytabs – Explained
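As an added diagnostic example (not code from the question or the answer), the Python below mirrors what JDK 8's EType.getDefaults does with default_tkt_enctypes: names that Config.getType does not recognise are dropped silently, an empty list produces the first exception on the page, and an empty intersection with the keytab's key types produces the second. Run on the questioner's [libdefaults] block it flags aes256-cts-hmac-shal-96 (letter l, where the JDK name aes256-cts-hmac-sha1-96 has the digit 1) as unrecognised; the enctype alias table is an assumed subset of the JDK's, and the keytab key types are passed in by hand from the ktab -e output above.

```python
# Enctype names JDK 8's sun.security.krb5.Config.getType recognises, with their etype numbers (assumption: a subset of the full table).
ETYPE_BY_NAME = {
    "aes256-cts-hmac-sha1-96": 18, "aes256-cts": 18, "aes256-sha1": 18,
    "aes128-cts-hmac-sha1-96": 17, "aes128-cts": 17, "aes128-sha1": 17,
    "des3-cbc-sha1": 16, "des3-hmac-sha1": 16, "des3-cbc-sha1-kd": 16,
    "rc4-hmac": 23, "arcfour-hmac": 23, "arcfour-hmac-md5": 23,
}
BUILTIN_DEFAULTS = [18, 17, 16, 23]  # "Using builtin default etypes" in the debug log
# The questioner's [libdefaults] enctype lines, copied from the krb5.ini shown above.
PAGE_KRB5_INI = """[libdefaults]
default_realm=DEVDEVELOPMENT.COM
default_tkt_enctypes=aes256-cts-hmac-shal-96
default_tgs_enctypes=aes256-cts-hmac-shal-96
permitted_enctypes=aes256-cts-hmac-shal-96
"""

def libdefaults(krb5_ini):
    """Minimal [libdefaults] parser; '#' and ';' start comment lines, as in krb5.ini."""
    section, out = None, {}
    for line in (raw.strip() for raw in krb5_ini.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip().lower()] = value.strip()
    return out

def diagnose(krb5_ini, keytab_etypes, aes256_supported=True):
    """Mirror EType.getDefaults(): return (outcome, names the parser did not recognise).
    aes256_supported=False models a JRE without the unlimited-strength JCE policy files."""
    cfg, unknown = libdefaults(krb5_ini), []
    wanted = [e for e in BUILTIN_DEFAULTS if e != 18 or aes256_supported]
    if "default_tkt_enctypes" in cfg:
        wanted = []
        for name in cfg["default_tkt_enctypes"].replace(",", " ").split():
            etype = ETYPE_BY_NAME.get(name.lower())
            if etype is None:
                unknown.append(name)  # Config.getType() returns -1: silently dropped
            elif etype != 18 or aes256_supported:
                wanted.append(etype)
        if not wanted:  # first exception on the page
            return "no supported default etypes for default_tkt_enctypes", unknown
    usable = [e for e in wanted if e in keytab_etypes]
    if not usable:  # second exception on the page
        return ("Do not have keys of types listed in default_tkt_enctypes available; "
                "only have keys of following type: " + " ".join(map(str, keytab_etypes)), unknown)
    return "AS-REQ will offer etypes " + " ".join(map(str, usable)), unknown
```

With the name corrected to aes256-cts-hmac-sha1-96, or with the enctype lines commented out, and a keytab holding etype 18, diagnose() reports that the AS-REQ will offer etype 18, which matches the successful "New ticket is stored" runs in Edit 1.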
