{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 Juvenile、少年° 的问题《Enable detailed logging for kerberos in java》','https://www.manongdao.com/q-759346.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I have a java-based web application that takes the contents of a web form containing a username and password and authenticates using kerberos to a Windows-based domain.
The KDC address is apparently configured to map to different IP addresses at each lookup and this can be confirmed by using the ping command from the command line.
The call responds immediately for most requests but the response is slow (5-10 seconds or even longer) intermittently. I think this may be due to which domain controller is used.
I've tried to turn on kerberos logging but the IP address of the domain controller is not shown. How can I turn on more detailed logging to try to identify dodgy domain controllers please?
The code extract sources the kerb.conf and kerb_context.conf from the filesystem.
The kerb.conf is:
[libdefaults]
default_realm = EXAMPLE.COM
[realms]
CYMRU.NHS.UK = {
kdc = example.com:88
admin_server = example.com
kpasswd_server = example.com
}
The kerb_context.conf is:
primaryLoginContext {
com.sun.security.auth.module.Krb5LoginModule required
useTicketCache=false
refreshKrb5Config=true
debug=true;
};
The example source is:
static NadexUser executePerformLogin(String username, String password) throws LoginException {
char[] passwd = password.toCharArray();
String kerbConf = ERXFileUtilities.pathForResourceNamed("nadex/kerb.conf", "RSCorp", null);
String kerbContextConf = ERXFileUtilities.pathURLForResourceNamed("nadex/kerb_context.conf", "RSCorp", null).toExternalForm();
System.setProperty("java.security.krb5.conf", kerbConf);
System.setProperty("java.security.auth.login.config", kerbContextConf);
try {
LoginContext lc = new LoginContext("primaryLoginContext", new UserNamePasswordCallbackHandler(username, password));
lc.login();
return new _NadexUser(lc.getSubject());
}
catch (javax.security.auth.login.LoginException le) {
throw new LoginException("Failed to login : " + le.getLocalizedMessage(), le);
}
}
I did not find a way to turn on such detailed logging, but instead decided to adopt a different approach. The code below is a self-contained application that simply needs a jaas.conf configuration file in the same directory.
An example jaas.conf for use with this short test application is shown:
This code is careful to set the system property sun.net.inetaddr.ttl to avoid java caching the results of the DNS lookup. For my case, the DNS lookup changes at each request. It's a fairly crude piece of code, but will demonstrate any poorly configured or performing KDCs within the network.
You can enable logging by setting system property
sun.security.krb5.debugtotrue.See Oracle documentation