尝试SSO时会出现基本的身份验证框(WebSphere/Keytabs)
我正在尝试在WebSphere中托管的应用程序上通过SSO自动登录。当我导航到SSO URL时,它要求我提供一个用户名和密码 - 当我放入凭据时,这可以正常工作。我相信这个问题在键盘内,但是我在网上查看的所有内容似乎都表明这很好。
我的问题
我有一个2x应用程序服务器,该服务器托管在Azure中,域连接到 domain1.org
这两个服务器加入了Azure,但使用DNS dev-dev-domain1.org加入了负载平衡器。在
SSOWorks。
spn用户
在AD中创建:user:domain1.org \ username with spn http/env.domain1.org
创建了使用以下命令创建的键盘:
ktpass.exe -princ HTTP/[email protected] -mapuser DOMAIN1.ORG\USERNAME -pass [PASSWORD] -crypto all -kvno 0 -ptype KRB5_NT_PRINCIPAL -out "F:\PATHTOKEYTAB\.keytab "
更新的.conf文件,
~~ [libdefaults] ~~
default_realm = AD_DOMAIN
default_keytab_name = FILE:F:\IBM\WebSphere\AppServer\keytab
default_tkt_enctypes = rc4-hmac des-cbc-md5
default_tgs_enctypes = rc4-hmac des-cbc-md5
forwardable = true
renewable = true
noaddresses = true
clockskew = 300
[realms]
AD_DOMAIN = {
kdc = DC01.ad_domain:88
default_domain = ad_domain
}
[domain_realm]
.ad_domain = AD_DOMAIN
.dns_domain = AD_DOMAIN
如果我想将另一个域与AD/Internal Domain不同的URL使用另一个域,是否有人知道我应该如何设置键盘或什至WebSphere本身?
提前致谢!
I am trying to auto login via SSO on an app that is hosted within WebSphere. When i navigate to the SSO URL, it is asking me for a username and password - when i put the credentials in, this works fine. I believe that the issue is within the keytab but everything i have looked at online, seems to indicate that's fine.
The problem
I have an 2x app server that is hosted within Azure, domain joined to domain1.org
These two servers are joined to a load balancer, within Azure but using dns dev-domain1.org
Note: I have tested reverting all dns from dev-domain1.org to the AD domain domain1.org and SSO works.
SPN User
Created within AD: User: DOMAIN1.ORG\USERNAME with SPN HTTP/env.domain1.org
Created the keytab with the following command:
ktpass.exe -princ HTTP/[email protected] -mapuser DOMAIN1.ORG\USERNAME -pass [PASSWORD] -crypto all -kvno 0 -ptype KRB5_NT_PRINCIPAL -out "F:\PATHTOKEYTAB\.keytab "
Updated .conf file
~~ [libdefaults] ~~
default_realm = AD_DOMAIN
default_keytab_name = FILE:F:\IBM\WebSphere\AppServer\keytab
default_tkt_enctypes = rc4-hmac des-cbc-md5
default_tgs_enctypes = rc4-hmac des-cbc-md5
forwardable = true
renewable = true
noaddresses = true
clockskew = 300
[realms]
AD_DOMAIN = {
kdc = DC01.ad_domain:88
default_domain = ad_domain
}
[domain_realm]
.ad_domain = AD_DOMAIN
.dns_domain = AD_DOMAIN
Does anyone know how i should be setting up the keytab or even WebSphere itself if i want to use another domain for the URL that is different to the AD/internal domain?
Thanks in advance!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
您说..如果我想将另一个域用于与广告/内部域不同的URL?
您是在询问DNS域还是广告域?
例如,我的URL带有server1.ibm.com的DNS,但是广告域是domain1.com?
如果是这样,首先您需要确保在AD域DNS中可以查找url server1.ibm.com
接下来,您需要在krb5.ini文件下使用广告domain domain1.com映射ibm.com =“ https://www.ibm.com/docs/en/was-zos/9.0.5? 。
you stated.. if I want to use another domain for the URL that is different from the AD/internal domain?
Are you asking DNS domain or an AD domain?
For example, my URL has DNS with server1.ibm.com but the AD domain is domain1.com?
If so first you need to make sure in the AD domain DNS is able to lookup the URL server1.ibm.com
Next, you need to map ibm.com with AD domain domain1.com under krb5.ini file check this URL https://www.ibm.com/docs/en/was-zos/9.0.5?topic=server-creating-kerberos-configuration-file and example -dns austin.ibm.com|raleigh.ibm.com