SpNego: Defective token detected
I have a Java client connecting to a WCF service. This service is configured to run on the host as a separate domain user (i.e. not as Local Service or Network Service). The service publishes a userPrincipalName in its WSDL.
During the SpNego token exchange I get the following exception in the client:
Defective token detected (Mechanism level: AP_REP token id does not match!)
This is the call stack:
at sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:450)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
If I configure the WCF service to run under Local System account the SpNego token exchange works.
Do I need to modify the code for services not running under Local system account?
Update-1
After some debugging by getting a C# client to connect with the WCF service, I found that the C# client is using a modified version of the SpNego protocol called MS-SPNG. Does Java 6 support this? When I inspect the token I get an error about unsupported mechanism 1.2.840.113554.1.2.2.3.
Comments (1)
These links explain what's happening. MS has an extension for the SpNego protocol, which kicks in when we run a WCF service as a user (i.e. not as Local Service etc).
This is the MS specification for the new protocol, and here is the openjdk doc that explains the workarounds.
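To see which mechanisms a captured SPNEGO token actually names, such as the 1.2.840.113554.1.2.2.3 reported in Update-1 (the Kerberos V5 user-to-user OID), a small DER walker is enough. This is an added example, not code from the original post or from the JDK; the function names, the name table and the sample token are constructed for illustration.

```python
KNOWN_MECHS = {  # names for OIDs commonly seen in SPNEGO tokens
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.113554.1.2.2.3": "Kerberos V5 user-to-user",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element overruns the token")
    return tag, pos, pos + length

def decode_oid(body):
    """Decode OBJECT IDENTIFIER content bytes to dotted-decimal form."""
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def mech_oids(buf):
    """List (oid, name) for every OID, descending into constructed elements."""
    found, pos = [], 0
    while pos < len(buf):
        tag, start, stop = read_tlv(buf, pos)
        if tag == 0x06:  # OBJECT IDENTIFIER
            oid = decode_oid(buf[start:stop])
            found.append((oid, KNOWN_MECHS.get(oid, "unknown")))
        elif tag & 0x20:  # SEQUENCE, context tags [0]..[3], APPLICATION 0
            found += mech_oids(buf[start:stop])
        pos = stop
    return found

# Constructed sample: NegTokenResp, accept-incomplete, supportedMech = OID above.
SAMPLE_RESP = bytes.fromhex("a1153013a0030a0101a10c060a2a864886f71201020203")
```

Calling `mech_oids()` on the raw bytes of the server's reply shows whether it selected a mechanism the Java client did not offer; the inner mechanism token sits in an OCTET STRING and is deliberately not descended into.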