Apache Kerberos 未从 Windows 客户端进行身份验证

Question

参考了许多很棒的网站，我在 Solaris 11 上设置了一个 Apache 2.4 环境，使用 auth_gss_module 进行 Kerberos 身份验证。我遇到的问题是无法在 Windows 7 或 Windows Server 2008 上使用 IE、Chrome 或 Firefox 访问授权页面。我已成功使用 curl 和 python 脚本以及 OS X 上的 Safari 和 Firefox 浏览器访问安全页面10.10。我列出了使用 Kerberos 身份验证的成功和失败尝试的输出。我不确定它是否可能是 AD 中需要更改的配置设置，或者可能是加密差异。我正在寻找有关下一步做什么的建议。谢谢。。

AD 管理员为我创建了一个关键选项卡，这是关键选项卡的内容

 cyoull@host0ad903.abc.def.net:/local_apps/apache4/conf/certs$ klist -k host0ad903_keytab                                                                                                              
Keytab name: FILE:host0ad903_keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/host0ad903.abc.def.net@ABC.DEF.NET

在 OS X 上，这是来自 klist 命令的 kerberos 票证列表。

Chriss-MacBook-Air:~ chris$ klist
Credentials cache: API:EF1241C7-A883-44A8-9729-969775673BCA
        Principal: cyoull@ABC.DEF.NET

  Issued                Expires               Principal
Sep 25 07:22:52 2015  Sep 25 17:22:40 2015  krbtgt/ABC.DEF.NET@ABC.DEF.NET
Chriss-MacBook-Air:~ chris$ klist
Credentials cache: API:EF1241C7-A883-44A8-9729-969775673BCA
        Principal: cyoull@ABC.DEF.NET

  Issued                Expires               Principal
Sep 25 07:22:52 2015  Sep 25 17:22:40 2015  krbtgt/ABC.DEF.NET@ABC.DEF.NET
Sep 25 07:23:06 2015  Sep 25 17:22:40 2015  HTTP/host0ad903.abc.def.net@ABC.DEF.NET

Valid starting               Expires               Service principal
18/09/2015 10:17  18/09/2015 20:17  krbtgt/ABC.DEF.NET@ABC.DEF.NET
        renew until 25/09/2015 10:17, Etype(skey, tkt): ArcFour with HMAC/md5, AES-256 CTS mode with 96-bit SHA-1 HMAC 
18/09/2015 10:17  18/09/2015 20:17  HTTP/host0ad903.abc.def.net@ABC.DEF.NET
        renew until 25/09/2015 10:17, Etype(skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5 

这是在 OS X 上通过 Kerberos 身份验证从 Safari 成功访问安全页面后的 Apache 日志

[Fri Sep 25 07:23:06.348043 2015] [core:debug] [pid 24214:tid 18] mod_auth_gss.c(620): [client 10.93.68.187:56071] gss_authenticate: type = GSSAPI
[Fri Sep 25 07:23:06.348054 2015] [core:debug] [pid 24214:tid 18] mod_auth_gss.c(632): [client 10.93.68.187:56071] No authentication data found
[Fri Sep 25 07:23:06.348063 2015] [core:debug] [pid 24214:tid 18] mod_auth_gss.c(592): [client 10.93.68.187:56071] note_gss_auth_failure: auth_name = <undefined>
[Fri Sep 25 07:23:06.590334 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(620): [client 10.93.68.187:56073] gss_authenticate: type = GSSAPI
[Fri Sep 25 07:23:06.590347 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(334): [client 10.93.68.187:56073] authenticate_user_gss called
[Fri Sep 25 07:23:06.590362 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(373): [client 10.93.68.187:56073] Using keytab: KRB5_KTNAME=/local_apps/apache4/conf/certs/host0ad903_keytab
[Fri Sep 25 07:23:06.590508 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(411): [client 10.93.68.187:56073] Client wants GSS mech: spnego
[Fri Sep 25 07:23:06.590524 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(288): [client 10.93.68.187:56073] acquire_server_creds for HTTP@host0ad903.abc.def.net
[Fri Sep 25 07:23:06.621760 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(438): [client 10.93.68.187:56073] got server creds for: HTTP@host0ad903.abc.def.net
[Fri Sep 25 07:23:06.639432 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(549): [client 10.93.68.187:56073] Authenticated user (final result) : cyoull@ABC.DEF.NET

这是在 Windows Server 2008 上使用 Python 脚本成功尝试后的 Apache 日志文件

[Thu Sep 17 16:29:48.890889 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(620): [client 10.115.2.117:50526] gss_authenticate: type = GSSAPI
[Thu Sep 17 16:29:48.890900 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(632): [client 10.115.2.117:50526] No authentication data found
[Thu Sep 17 16:29:48.890909 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(592): [client 10.115.2.117:50526] note_gss_auth_failure: auth_name = <undefined>
[Thu Sep 17 16:29:48.908047 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(620): [client 10.115.2.117:50526] gss_authenticate: type = GSSAPI
[Thu Sep 17 16:29:48.908056 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(334): [client 10.115.2.117:50526] authenticate_user_gss called
[Thu Sep 17 16:29:48.908080 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(373): [client 10.115.2.117:50526] Using keytab: KRB5_KTNAME=/local_apps/apache4/conf/certs/host0ad903_keytab
[Thu Sep 17 16:29:48.908188 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(411): [client 10.115.2.117:50526] Client wants GSS mech: kerberos_v5
[Thu Sep 17 16:29:48.908203 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(288): [client 10.115.2.117:50526] acquire_server_creds for HTTP@host0ad903.abc.def.net
[Thu Sep 17 16:29:48.910360 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(438): [client 10.115.2.117:50526] got server creds for: HTTP/host0ad903.abc.def.net@ABC.DEF.NET
[Thu Sep 17 16:29:48.917847 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(524): [client 10.115.2.117:50526] Authenticated user before AuthGSSStripDomainAT: cyoull@ABC.DEF.NET
[Thu Sep 17 16:29:48.917863 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(533): [client 10.115.2.117:50526] Authenticated user before AuthGSSForceCase: coy
[Thu Sep 17 16:29:48.917873 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(549): [client 10.115.2.117:50526] Authenticated user (final result) : cyoull@ABC.DEF.NET

这是 Windows 7 客户端上的 Kerberos 票证

U:\>klist
Current LogonId is 0:0xa84757
Cached Tickets: (2)
#0>     Client: cyoull @ ABC.DEF.NET
        Server: krbtgt/ABC.DEF.NET @ ABC.DEF.NET
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 9/25/2015 9:19:28 (local)
        End Time:   9/25/2015 19:19:28 (local)
        Renew Time: 10/2/2015 9:19:28 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96

#1>     Client: cyoull @ ABC.DEF.NET
        Server: HTTP/host0ad903.abc.def.net @ ABC.DEF.NET
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Start Time: 9/25/2015 9:19:30 (local)
        End Time:   9/25/2015 19:19:28 (local)
        Renew Time: 10/2/2015 9:19:28 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)

使用 Firefox 中的开发人员工具，我看到三个 GET 请求，在 apache 日志文件中，似乎 kerberos 协商尝试了多次，然后以 401 Unauthorized 失败

[Fri Sep 25 08:54:28.205356 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(620): [client 10.211.8.122:52459] gss_authenticate: type = GSSAPI
[Fri Sep 25 08:54:28.205366 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(632): [client 10.211.8.122:52459] No authentication data found
[Fri Sep 25 08:54:28.205374 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(592): [client 10.211.8.122:52459] note_gss_auth_failure: auth_name = <undefined>
[Fri Sep 25 08:54:28.471160 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(620): [client 10.211.8.122:52459] gss_authenticate: type = GSSAPI
[Fri Sep 25 08:54:28.471170 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(334): [client 10.211.8.122:52459] authenticate_user_gss called
[Fri Sep 25 08:54:28.471187 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(373): [client 10.211.8.122:52459] Using keytab: KRB5_KTNAME=/local_apps/apache4/conf/certs/host0ad903_keytab
[Fri Sep 25 08:54:28.471290 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(411): [client 10.211.8.122:52459] Client wants GSS mech: spnego
[Fri Sep 25 08:54:28.471307 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(288): [client 10.211.8.122:52459] acquire_server_creds for HTTP@host0ad903.abc.def.net
[Fri Sep 25 08:54:28.474953 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(438): [client 10.211.8.122:52459] got server creds for: HTTP@host0ad903.abc.def.net
[Fri Sep 25 08:54:28.475143 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(650): [client 10.211.8.122:52459] Authentication failed.
[Fri Sep 25 08:54:28.475157 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(592): [client 10.211.8.122:52459] note_gss_auth_failure: auth_name = <undefined>
[Fri Sep 25 08:54:28.540288 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(620): [client 10.211.8.122:52459] gss_authenticate: type = GSSAPI
[Fri Sep 25 08:54:28.540296 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(334): [client 10.211.8.122:52459] authenticate_user_gss called
[Fri Sep 25 08:54:28.540310 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(373): [client 10.211.8.122:52459] Using keytab: KRB5_KTNAME=/local_apps/apache4/conf/certs/host0ad903_keytab
[Fri Sep 25 08:54:28.540344 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(411): [client 10.211.8.122:52459] Client wants GSS mech: <unknown>
[Fri Sep 25 08:54:28.540353 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(288): [client 10.211.8.122:52459] acquire_server_creds for HTTP@host0ad903.abc.def.net
[Fri Sep 25 08:54:28.543031 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(438): [client 10.211.8.122:52459] got server creds for: HTTP/host0ad903.abc.def.net@abc.def.net
[Fri Sep 25 08:54:28.543188 2015] [core:error] [pid 24150:tid 24] [client 10.211.8.122:52459] gss_accept_sec_context() failed: Invalid token was supplied (Unknown error)
[Fri Sep 25 08:54:28.543336 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(650): [client 10.211.8.122:52459] Authentication failed.
[Fri Sep 25 08:54:28.543349 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(592): [client 10.211.8.122:52459] note_gss_auth_failure: auth_name = <undefined>

Answer 1

您是否已将 Windows 上的 Web 浏览器配置为实际与该服务器进行 HTTP 协商？例如，在 Firefox 中你需要设置：

network.negotiate-auth.trusted-uris = abc.def.net

或其他与 URL 匹配的模式。同样必须告知 Chrome 愿意对特定服务器进行身份验证，例如与：

--auth-server-whitelist="*.foo.com"

或通过组策略。

如果这不是问题，那么请这样做：

1. ipconfig /flushdns
2. klist purge
3. 运行 Wireshark 并在故障期间捕获 HTTP、DNS 和 Kerberos 流量（端口 80、53 和 88）。
4. 发布生成的 pcap 文件。