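Call to GSSContext.initSecContext fails intermittently: Receive timed out

I am writing client-side code for Windows Kerberos authentication with a service (logging code omitted):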
    System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
    // System.setProperty("sun.security.krb5.debug", "true");
    Package thisPkg = AuthHelper.class.getPackage();
    String configPath = Util.getConfigPath(thisPkg, "jaas.conf");
    System.setProperty("java.security.auth.login.config", "=" + configPath);
    GSSManager manager = GSSManager.getInstance();
    GSSName peerName = manager.createName(spn, GSSName.NT_HOSTBASED_SERVICE);
    GSSContext context = manager.createContext(peerName, null, null,
            GSSContext.DEFAULT_LIFETIME);
    context.requestMutualAuth(true); // required
    context.requestCredDeleg(true); // required for publish
    byte[] serverTokenBytes = new byte[0];
    while (!context.isEstablished()) {
        byte[] clientTokenBytes = context.initSecContext(serverTokenBytes, 0,
                serverTokenBytes.length);
        if (clientTokenBytes != null)
            socket.send(createClientMessage(clientTokenBytes));
        if (context.isEstablished()) break;
        Message message = socket.receive();
        String serverToken = message.getFirst("SERVERTOKEN").toString();
        serverTokenBytes = Base64.decodeBase64(serverToken);
    }
Where jaas.conf contains only:

    sp {
        com.sun.security.auth.module.Krb5LoginModule required debug=true;
    };
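I have also set the allowtgtsessionkey registry key as required, and installed the JCE Unlimited Strength Jurisdiction Policy Files 7.

The code sometimes works (i.e., mutual authentication is established); however, sometimes it gets stuck during the first call to GSSContext.initSecContext, throwing an exception after about a minute: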
    Exception in thread "main" GSSException: No valid credentials provided (Mechanism level: Receive timed out)
    ...
    Caused by: java.net.SocketTimeoutException: Receive timed out
    ...
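When I enable Kerberos debugging output (by uncommenting the second line above), I can see that the protocol sometimes gets stuck at the line:

    getKDCFromDNS using UDP

A Java Kerberos troubleshooting website suggests that this is a problem with the Kerberos authentication server, but I know that the server is up and running, because we have similar code written in C# (using .NET libraries) that never gets stuck.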
If you, your administrator must fix the DNS. – 2013-03-19 18:23:22
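
The debug line `getKDCFromDNS using UDP` means the JVM is locating the KDC through DNS SRV records, so timing that lookup on its own shows whether DNS is the intermittent part. The following is an added diagnostic example, not code from the original post; the class name `KdcSrvCheck` and the realm `EXAMPLE.COM` are placeholders, and the timeout values are arbitrary.

```java
import java.util.Hashtable;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/** Repeats the DNS SRV lookup for a realm's KDCs and times each attempt. */
public class KdcSrvCheck {

    // Queries _kerberos._udp.<realm> SRV records through the JNDI DNS provider,
    // with explicit timeouts so a slow resolver fails in seconds instead of a minute.
    static Attribute lookupKdcSrv(String realm, int timeoutMs, int retries)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put("java.naming.factory.initial", "com.sun.jndi.dns.DnsContextFactory");
        env.put("com.sun.jndi.dns.timeout.initial", Integer.toString(timeoutMs));
        env.put("com.sun.jndi.dns.timeout.retries", Integer.toString(retries));
        DirContext ctx = new InitialDirContext(env); // uses the OS-configured resolvers
        try {
            return ctx.getAttributes("_kerberos._udp." + realm,
                                     new String[] {"SRV"}).get("SRV");
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) {
        String realm = args.length > 0 ? args[0] : "EXAMPLE.COM"; // placeholder realm
        for (int run = 1; run <= 5; run++) {
            long start = System.nanoTime();
            String outcome;
            try {
                Attribute srv = lookupKdcSrv(realm, 2000, 2);
                // Each SRV value reads: priority weight port target
                outcome = (srv == null) ? "no SRV records"
                                        : srv.size() + " record(s): " + srv;
            } catch (NamingException e) {
                outcome = "lookup failed: " + e; // timeouts surface here
            }
            long ms = (System.nanoTime() - start) / 1_000_000;
            System.out.printf("run %d (%d ms): %s%n", run, ms, outcome);
        }
    }
}
```

If some runs fail or take seconds while others return immediately, the intermittent hang is in DNS resolution rather than in the KDC. Setting both `java.security.krb5.realm` and `java.security.krb5.kdc` (or providing a krb5.conf) makes the JVM skip the DNS lookup.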