Problem overview

KRB_AP_ERR_MODIFIED is a common Kerberos authentication failure. It means the encrypted Kerberos authentication data the client sent to the server could not be decrypted correctly. When a Kerberos client requests a ticket for a service, it identifies the service by its SPN, and the KDC issues the client a service ticket encrypted with the service's key, which is normally derived from the password of the AD account on which that SPN is registered.

Sometimes the KDC issues a service ticket encrypted with the key of the wrong account. When the client presents that ticket to the service, the service cannot decrypt it, authentication fails, and the error reported is KRB_AP_ERR_MODIFIED.

In other words, the KDC encrypted the ticket with account A's password, but the service tries to decrypt it with account B's password.

The usual causes are:

  • a duplicate SPN
  • wrong DNS settings
  • two computers with the same name in different domains
  • the client requesting the wrong SPN
  • a wrong IIS (kernel-mode / user-mode) authentication setting

Troubleshooting

Data collection tools

Data collection steps

  • Enable Kerberos logging on the client computer (see "How to enable Kerberos event logging").
  • Open an elevated command prompt and run "klist purge" to clear the cached Kerberos tickets.
  • Run "ipconfig /flushdns" to clear the DNS cache.
  • Start Network Monitor on both the client and the web server.
  • Reproduce the problem.
  • Save the Network Monitor captures.

Locating the Kerberos error

Expand the Authenticate field of the HTTP response header returned by IIS to find the cause of the Kerberos authentication error.

- Http: Response, HTTP/1.1, Status: Unauthorized, URL: / , Using GSS-API Authentication
  ProtocolVersion: HTTP/1.1
  StatusCode: 401, Unauthorized
  Reason: Unauthorized
…
  - WWWAuthenticate: Negotiate …
    - Authenticate: Negotiate oWwwaqADCgEBomMEYWBfBgkqhkiG9xIBAgIDAH5QME6gAwIBBaEDAgEepBEYDzIwMTExMDE0MDUxMDE0WqUFAgMG362mAwIBKakKGwhURVNULkNPTaoXMBWgAwIBAaEOMAwbCmNvbnRvc29zdmM=
    WhiteSpace: 
    - NegotiateAuthorization: 
      Scheme: Negotiate
      - GssAPI: 0x1
        - NegotiationToken: 
          - ChoiceTag: 
            - NegTokenResp: 
          - ResponseToken: 0x1
        - KerberosToken: 0x1
          - KerberosInitToken: 
…
          - InnerContextToken: 0x1
            - KerberosToken: 0x1
              TokId: Krb5Error (0x300)
              - Error: KRB_ERROR (30)
….
              + ErrorCode: KRB_AP_ERR_MODIFIED (41)
              + Realm: TEST.COM
              + Sname: contososvc
Date: Fri, 14 Oct 2011 05:10:14 GMT
ContentLength: 341
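To pull the same fields out of a capture without expanding the parser tree by hand, the following Python example, added here and not part of the original post, decodes the Negotiate token from the trace above (its two wrapped lines joined) down to the embedded KRB-ERROR and reports the error code, realm, sname and stime. It is a minimal DER walker that handles only the SPNEGO NegTokenResp → Kerberos InitialContextToken → KRB-ERROR path; the small table of error names is the example's own and covers only a few common codes.

```python
"""Decode the KRB-ERROR that IIS returns inside 'WWW-Authenticate: Negotiate <token>'.

Added example, not code from the original post.  SAMPLE_HEADER is the token shown in
the Network Monitor trace above with its two wrapped lines joined.
"""
import base64

SAMPLE_HEADER = (
    "Negotiate oWwwaqADCgEBomMEYWBfBgkqhkiG9xIBAgIDAH5QME6gAwIBBaEDAgEepBEYDzIwMTExMDE0MDUxMDE0"
    "WqUFAgMG362mAwIBKakKGwhURVNULkNPTaoXMBWgAwIBAaEOMAwbCmNvbnRvc29zdmM="
)

KRB5_MECH_OID = bytes.fromhex("2a864886f712010202")   # 1.2.840.113554.1.2.2 (Kerberos V5)
TOK_ID_KRB_ERROR = 0x0300                            # RFC 4121 token identifier for KRB-ERROR
ERROR_NAMES = {                                      # subset of RFC 4120 error codes
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    25: "KDC_ERR_PREAUTH_REQUIRED",
    31: "KRB_AP_ERR_BAD_INTEGRITY",
    32: "KRB_AP_ERR_TKT_EXPIRED",
    37: "KRB_AP_ERR_SKEW",
    41: "KRB_AP_ERR_MODIFIED",
}


def _tlv(buf, pos=0):
    """Read one DER element at pos (single-byte tags only) -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    """Iterate over the elements inside a constructed DER value."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = _tlv(buf, pos)
        yield tag, value


def parse_negotiate_krb_error(header_value):
    """Return the KRB-ERROR fields from a 'Negotiate <base64>' header value, or None
    when the token carries no Kerberos error (for example an AP-REP on success)."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        raise ValueError("not a Negotiate header value")
    token = base64.b64decode(b64)

    tag, neg_token_resp, _ = _tlv(token)
    if tag != 0xA1:                          # [1] NegTokenResp, i.e. a server reply
        raise ValueError("expected SPNEGO NegTokenResp")
    _, fields, _ = _tlv(neg_token_resp)      # SEQUENCE { negState, supportedMech, responseToken, ... }
    response_token = None
    for ftag, fval in _children(fields):
        if ftag == 0xA2:                     # responseToken [2] OCTET STRING
            _, response_token, _ = _tlv(fval)
    if response_token is None:
        return None

    tag, inner, _ = _tlv(response_token)
    if tag != 0x60:                          # [APPLICATION 0] GSS-API InitialContextToken
        raise ValueError("expected GSS-API InitialContextToken")
    oid_tag, oid, pos = _tlv(inner)
    if oid_tag != 0x06 or oid != KRB5_MECH_OID:
        raise ValueError("mechanism is not Kerberos V5")
    tok_id = int.from_bytes(inner[pos:pos + 2], "big")
    if tok_id != TOK_ID_KRB_ERROR:
        return None
    app_tag, krb_error, _ = _tlv(inner, pos + 2)
    if app_tag != 0x7E:                      # [APPLICATION 30] KRB-ERROR (RFC 4120 5.9.1)
        raise ValueError("expected KRB-ERROR")

    result = {}
    _, body, _ = _tlv(krb_error)             # SEQUENCE of context-tagged fields
    for ftag, fval in _children(body):
        _, value, _ = _tlv(fval)             # strip the [n] context tag
        if ftag == 0xA4:                     # stime GeneralizedTime
            result["stime"] = value.decode("ascii")
        elif ftag == 0xA6:                   # error-code INTEGER
            code = int.from_bytes(value, "big", signed=True)
            result["error_code"] = code
            result["error_name"] = ERROR_NAMES.get(code, "error %d" % code)
        elif ftag == 0xA9:                   # realm GeneralString
            result["realm"] = value.decode("ascii")
        elif ftag == 0xAA:                   # sname PrincipalName { name-type, name-string }
            for ptag, pval in _children(value):
                if ptag == 0xA1:             # name-string SEQUENCE OF GeneralString
                    _, names, _ = _tlv(pval)
                    result["sname"] = "/".join(s.decode("ascii") for _, s in _children(names))
    return result


if __name__ == "__main__":
    print(parse_negotiate_krb_error(SAMPLE_HEADER))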

In a Wireshark capture the error is even easier to spot.

The client's System event log contains the following event.

Log Name: System
Source: Microsoft-Windows-Security-Kerberos
Date: 10/13/2011 10:10:05 PM
Event ID: 4
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: IIS02.test.com
Description:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server contososvc. The target name used was HTTP/iis01.test.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (TEST.COM) is different from the client domain (TEST.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

According to this event, the requested SPN was HTTP/iis01.test.com and the account that tried to decrypt the ticket was contososvc; the Kerberos error occurred because the account whose key the KDC used to encrypt the ticket was not contososvc.

The situations that can cause this are as follows.

Case 1: duplicate SPN

A duplicate SPN is the same SPN registered on at least two accounts. For example, the same SPN is registered on accounts A and B. The KDC may encrypt the service ticket with account A's password, but the service that validates the ticket actually runs as account B, and decrypting with account B's key fails.

Detecting duplicate SPNs with setspn

On Windows Server 2008 and later, the built-in setspn tool can detect duplicate SPNs (setspn -X; add -F to search the whole forest rather than only the current domain).

Besides the HTTP/ SPN, also check the HOST/ SPN: when no HTTP/ SPN exists, the HOST/ SPN is used by default, so a wrong HOST/ SPN causes the same Kerberos authentication failure.

The following is sample setspn output from Windows Server 2008 SP2.

Finding duplicate SPNs with ldifde

On Windows Server 2003 and Windows XP, use ldifde to search for duplicate SPNs. The following example looks for HTTP/contoso.

SPNs are forest-wide objects and must be unique across the entire forest, not just within one domain. In a complex environment, search the whole forest through a global catalog, like this:
ldifde -s GCName -t 3268 -f d:\spn.ldf -d "dc=test,dc=com" -l servicePrincipalName -r "(servicePrincipalName=HTTP/contoso)"

A wildcard search is also possible:
ldifde -s GCName -t 3268 -f d:\spn.ldf -d "dc=test,dc=com" -l servicePrincipalName -r "(servicePrincipalName=*contoso*)"
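To find duplicates in the export rather than by reading spn.ldf by eye, the following Python example, added here and not part of the original post, parses ldifde output and reports every SPN held by more than one account; it also shows which accounts the KDC would use for a given HTTP/ request, applying the HOST/ fallback described above. SAMPLE_LDIF, its DNs and SPNs are constructed for the example; on a real system pass the contents of d:\spn.ldf to parse_ldif_spns().

```python
"""Find SPNs registered on more than one account in an ldifde export.

Added example, not code from the original post.  SAMPLE_LDIF is a constructed export in
the shape ldifde writes; the accounts, DNs and SPNs in it are invented.
"""
import base64
from collections import defaultdict

SAMPLE_LDIF = """\
dn: CN=contososvc,OU=Service Accounts,DC=test,DC=com
changetype: add
servicePrincipalName: HTTP/contoso
servicePrincipalName: HTTP/contoso.test.com

dn: CN=IIS01,OU=Servers,DC=test,DC=com
changetype: add
servicePrincipalName: HOST/IIS01
servicePrincipalName: HOST/iis01.test.com
servicePrincipalName: HTTP/Contoso

dn: CN=IIS02,OU=Servers,DC=test,DC=com
changetype: add
servicePrincipalName: HOST/IIS02
servicePrincipalName: HOST/iis02.test.com
"""


def _unfold(text):
    """Join LDIF continuation lines (they start with one space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif_spns(text):
    """Return {dn: [spn, ...]} for every record in an ldifde export."""
    entries, dn, spns = {}, None, []
    for line in _unfold(text) + [""]:        # trailing "" flushes the last record
        if not line.strip():
            if dn is not None:
                entries[dn] = spns
            dn, spns = None, []
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):            # "attr:: <base64>" form used for non-printable values
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if attr.lower() == "dn":
            dn = value
        elif attr.lower() == "serviceprincipalname":
            spns.append(value)
    return entries


def spn_holders(entries):
    """Invert to {spn: {dn, ...}}; SPNs are lower-cased because AD matches them case-insensitively."""
    holders = defaultdict(set)
    for dn, spns in entries.items():
        for spn in spns:
            holders[spn.lower()].add(dn)
    return holders


def find_duplicate_spns(entries):
    """SPNs held by more than one account; any of them can produce KRB_AP_ERR_MODIFIED."""
    return {spn: sorted(dns) for spn, dns in spn_holders(entries).items() if len(dns) > 1}


def accounts_for_requested_spn(entries, spn):
    """Accounts whose key the KDC can use for a request: the holders of the SPN itself,
    or, for a non-HOST service with no such SPN, the holders of HOST/<host>."""
    holders = spn_holders(entries)
    service, _, host = spn.partition("/")
    exact = holders.get(spn.lower())
    if exact:
        return sorted(exact)
    if service.lower() != "host":
        return sorted(holders.get("host/" + host.lower(), set()))
    return []


if __name__ == "__main__":
    entries = parse_ldif_spns(SAMPLE_LDIF)
    for spn, dns in find_duplicate_spns(entries).items():
        print("DUPLICATE", spn, "->", ", ".join(dns))
    print("HTTP/iis02.test.com ticket key owner:",
          accounts_for_requested_spn(entries, "HTTP/iis02.test.com"))
```

The duplicate check lower-cases every SPN before comparing, so HTTP/contoso and HTTP/Contoso on two different accounts are reported as the same duplicate, which is how the KDC sees them.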

Case 2: the client requests a ticket for the wrong SPN

Locating the problem

This case is caused by client behaviour. It occurs when the web site's name is a CNAME resource record in DNS.
For example, with DNS set up as follows:

Contoso CNAME iis01.test.com
iis01.test.com A 10.0.5.2

When Internet Explorer accesses the web site, it builds the SPN it requests from the server's host name (IIS01) rather than from the CNAME (Contoso). With the SPNs registered as below, authentication may fail with KRB_AP_ERR_MODIFIED.

HTTP/Contoso.test.com test\contososvc
HOST/IIS01.test.com test\iis01 (machine account)


Tracing the failed request with Network Monitor
IE sends a request to http://contoso, which starts with a DNS query for contoso.

+ Ipv4: Src = 10.0.5.3, Dest = 10.0.5.1, Next Protocol = UDP, Packet ID = 9717, Total IP Length = 62
+ Udp: SrcPort = 64506, DstPort = DNS(53), Length = 42
- Dns: QueryId = 0x4BB1, QUERY (Standard query), Query for contoso.test.com of type Host Addr on class Internet

DNS response for contoso

+ Ipv4: Src = 10.0.5.1, Dest = 10.0.5.3, Next Protocol = UDP, Packet ID = 6526, Total IP Length = 98
+ Udp: SrcPort = DNS(53), DstPort = 64506, Length = 78
- Dns: QueryId = 0x4BB1, QUERY (Standard query), Response - Success, 49, 0 
QueryIdentifier: 19377 (0x4BB1)
…
- ARecord: contoso.test.com of type CNAME on class Internet: iis01.test.com
- ARecord: iis01.test.com of type Host Addr on class Internet: 10.0.5.2

TGS request: the SPN IE asks for is HTTP/iis01.test.com, not the expected HTTP/contoso.test.com

+ Ipv4: Src = 10.0.5.3, Dest = 10.0.5.1, Next Protocol = TCP, Packet ID = 9728, Total IP Length = 0
+ Tcp: Flags=...AP..., SrcPort=50044, DstPort=Kerberos(88), PayloadLen=1488, Seq=4106960882 - 4106962370, Ack=354586390, Win=513 (scale factor 0x8) = 131328
- Kerberos: TGS Request Realm: TEST.COM Sname: HTTP/iis01.test.com

Solution

Case 3: SPN registered on the wrong account (IIS 7 authentication misconfiguration)

IIS 7.0 enables kernel-mode authentication by default. Kernel-mode authentication runs as the machine account regardless of which account the application pool runs as, so the machine account's key is what decrypts the Kerberos ticket.

In some situations, however, the decrypting account has to be a domain account rather than the machine account, for example in a web farm, where every node must share one key. In that case you can keep kernel-mode authentication enabled and set useAppPoolCredentials="true" so that IIS authenticates with the application pool identity instead.

IIS 7 therefore has three Windows authentication configurations, and each requires the SPN to be registered on a different account. If the SPN is registered on the wrong one, authentication fails with KRB_AP_ERR_MODIFIED.

  • Kernel-mode authentication disabled
  • Kernel-mode authentication enabled with useAppPoolCredentials="true"
  • Kernel-mode authentication enabled (default)

Note: "machine account" means every identity that represents the local computer on the network: Network Service, Local System, Local Service, and ApplicationPoolIdentity in IIS 7. "Service account" means a domain account used as the application pool identity.

The following situations cause Kerberos authentication to fail with KRB_AP_ERR_MODIFIED.

Situation 1

  • Kernel-mode authentication: Enabled (default)
  • useAppPoolCredentials: False (default)
  • Application pool identity: a service account such as domain\contosoService
  • Web site bound to: the IIS server's NetBIOS name, accessed as http(s)://IIS_Server_NetBIOS_Name or http(s)://IIS_Server_FQDN
  • SPN: the HTTP/ SPN is registered on the service account
  • Comments: the Kerberos ticket is encrypted with the service account's key but decrypted with the IIS server's computer account key, so it fails.

Situation 2

  • Kernel-mode authentication: Enabled (default)
  • useAppPoolCredentials: False (default)
  • Application pool identity: a service account such as domain\contosoService
  • Web site bound to: a custom host header, accessed as http(s)://Contoso
  • SPN: the HTTP/ SPN is registered on the service account
  • Comments: the Kerberos ticket is encrypted with the service account's key but decrypted with the IIS server's computer account key, so it fails.

Situation 3

  • Kernel-mode authentication: Enabled (default)
  • useAppPoolCredentials: True
  • Application pool identity: a service account such as domain\contosoService
  • Web site bound to: the IIS server's NetBIOS name, accessed as http(s)://IIS_Server_NetBIOS_Name or http(s)://IIS_Server_FQDN
  • SPN: HTTP/IIS_Server_NetBIOS_Name is not registered on any account (so the HOST/ SPN on the computer account is used by default), or it is registered on the IIS server's computer account
  • Comments: the Kerberos ticket is encrypted with the IIS server's computer account key but decrypted with the service account's key, so it fails.

 

SPN and IIS configuration reference

Configuration 1

  • Kernel-mode authentication: Enabled (default)
  • useAppPoolCredentials: False (default)
  • Application pool identity: any
  • URL used to access the web site: http(s)://IIS_Server_NetBIOS_Name or http(s)://IIS_Server_FQDN
  • SPN requirement: no HTTP/ SPN is required; by default HOST/IIS_Server_NetBIOS_Name is used. If you want, you can register HTTP/IIS_Server_NetBIOS_Name on the IIS server's computer account.
  • Comments: this is the default scenario for IIS 7 and later when the web application is accessed by the IIS server's computer name.

Configuration 2

  • Kernel-mode authentication: Enabled (default)
  • useAppPoolCredentials: False (default)
  • Application pool identity: any
  • URL used to access the web site: http(s)://Custom_Host_Name
  • SPN requirement: register the SPN on the IIS server's computer account, for example:
    SetSPN -a HTTP/Custom_Host_Name IIS_SRV_NetBIOS
  • Comments: some applications require this when the application pool identity needs special permissions.

Configuration 3

  • Kernel-mode authentication: Enabled (default)
  • useAppPoolCredentials: True
  • Application pool identity: a service account such as domain\contosoService
  • URL used to access the web site: http(s)://Custom_Host_Name
  • SPN requirement: register the SPN on the service account, for example:
    SetSPN -a HTTP/Custom_Host_Name domain\contosoService
  • Comments:
    1. This is the typical requirement for an NLB environment.
    2. Complex products made up of several services/applications, such as SharePoint, require the SPN to be set on a domain account and all of their services/applications to run as that account.

Configuration 4

  • Kernel-mode authentication: Enabled (default)
  • useAppPoolCredentials: True
  • Application pool identity: a service account such as domain\contosoService
  • URL used to access the web site: http(s)://IIS_Server_NetBIOS_Name or http(s)://IIS_Server_FQDN
  • SPN requirement: register the SPN on the service account, for example:
    SetSPN -a HTTP/IIS_Server_FQDN domain\contosoService
  • Comments: choose this configuration when the web site is bound to the IIS server's computer name and runs as a domain account.

Configuration 5

  • Kernel-mode authentication: Disabled
  • useAppPoolCredentials: not relevant
  • Application pool identity: a service account such as domain\contosoService
  • URL used to access the web site: http(s)://Custom_Host_Name
  • SPN requirement: register the SPN on the service account, for example:
    SetSPN -a HTTP/Custom_Host_Name domain\contosoService
  • Comments: the same as the IIS 6 scenario.

Configuration 6

  • Kernel-mode authentication: Disabled
  • useAppPoolCredentials: not relevant
  • Application pool identity: a service account such as domain\contosoService
  • URL used to access the web site: http(s)://IIS_Server_NetBIOS_Name
  • SPN requirement: register the SPN on the service account, for example:
    SetSPN -a HTTP/IIS_Server_NetBIOS_Name domain\contosoService
  • Comments: the same as the IIS 6 scenario.

Configuration 7

  • Kernel-mode authentication: Disabled
  • useAppPoolCredentials: not relevant
  • Application pool identity: machine account
  • URL used to access the web site: http(s)://Custom_Host_Name
  • SPN requirement: register the SPN on the IIS server's computer account, for example:
    SetSPN -a HTTP/Custom_Host_Name IIS_SRV_NetBIOS
  • Comments: the same as the IIS 6 scenario.

Configuration 8

  • Kernel-mode authentication: Disabled
  • useAppPoolCredentials: not relevant
  • Application pool identity: machine account
  • URL used to access the web site: http(s)://IIS_Server_NetBIOS_Name
  • SPN requirement: no HTTP/ SPN is required; by default HOST/IIS_Server_NetBIOS_Name is used. If you want, you can register HTTP/IIS_Server_NetBIOS_Name on the IIS server's computer account.
  • Comments: similar to the default IIS 6 scenario.
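The rules behind the cases and configurations above can be checked before a site is deployed. The following Python example, added here and not code from the original post, models them: IE builds the SPN from the canonical (A-record) name behind a CNAME (case 2), the KDC uses the key of whichever account holds HTTP/<host> and falls back to HOST/<host> when no HTTP/ SPN exists, and IIS decrypts with the machine account under kernel-mode authentication unless useAppPoolCredentials is true (case 3). The DNS zone, SPN table and account names are constructed for the example, and the IIS configuration assumed for the CNAME case (application pool running as test\contososvc with useAppPoolCredentials=true) is an assumption, not something the post states.

```python
"""Predict whether a Kerberos ticket for an IIS site will decrypt.

Added example, not code from the original post.  It encodes the rules stated above:
IE builds the SPN from the canonical (A-record) name behind a CNAME; the KDC uses the
holder of HTTP/<host>, or of HOST/<host> when no HTTP/ SPN exists; IIS decrypts with the
machine account under kernel-mode authentication unless useAppPoolCredentials is true,
and otherwise with the application pool identity.  Names, accounts and SPNs are made up.
"""

# Constructed DNS zone, name -> (type, value), matching the CNAME case above.
DNS = {
    "contoso.test.com": ("CNAME", "iis01.test.com"),
    "iis01.test.com": ("A", "10.0.5.2"),
}
DNS_SUFFIX = "test.com"                 # assumed client DNS suffix (the trace queried contoso.test.com)
COMPUTER_ACCOUNT = "test\\iis01$"
SERVICE_ACCOUNT = "test\\contososvc"

# Constructed SPN registrations: spn (lower-cased) -> accounts holding it.
SPNS = {
    "host/iis01.test.com": {COMPUTER_ACCOUNT},
    "http/contoso.test.com": {SERVICE_ACCOUNT},
}


def requested_spn(url_host, dns=DNS):
    """SPN the browser asks the KDC for: HTTP/<canonical host name>."""
    name = url_host.lower()
    if "." not in name:
        name = f"{name}.{DNS_SUFFIX}"
    while name in dns and dns[name][0] == "CNAME":   # IE follows the CNAME to the A record
        name = dns[name][1].lower()
    return "HTTP/" + name


def ticket_key_owners(spn, spn_table):
    """Accounts whose key the KDC may encrypt the ticket with (HTTP/ first, then HOST/)."""
    host = spn.split("/", 1)[1].lower()
    return sorted(spn_table.get("http/" + host) or spn_table.get("host/" + host) or [])


def decrypting_account(kernel_mode, use_app_pool_credentials, app_pool_identity):
    """Account whose key IIS uses to decrypt the ticket."""
    if kernel_mode and not use_app_pool_credentials:
        return COMPUTER_ACCOUNT
    return app_pool_identity


def predict(url_host, spn_table, kernel_mode=True, use_app_pool_credentials=False,
            app_pool_identity=COMPUTER_ACCOUNT):
    """Return (requested SPN, expected outcome) for one request against one IIS configuration."""
    spn = requested_spn(url_host)
    encryptors = ticket_key_owners(spn, spn_table)
    decryptor = decrypting_account(kernel_mode, use_app_pool_credentials, app_pool_identity)
    if not encryptors:
        return spn, "KDC_ERR_S_PRINCIPAL_UNKNOWN"
    if len(encryptors) > 1:
        # Duplicate SPN: the KDC may pick either account's key, so failures are intermittent.
        return spn, "DUPLICATE_SPN (KRB_AP_ERR_MODIFIED possible)"
    if encryptors[0].lower() != decryptor.lower():
        return spn, "KRB_AP_ERR_MODIFIED"
    return spn, "OK"


def scenario_cname_wrong_spn():
    """Case 2: http://contoso, pool running as the service account with
    useAppPoolCredentials=true (assumed); only HOST/ covers the canonical name."""
    return predict("contoso", SPNS, use_app_pool_credentials=True,
                   app_pool_identity=SERVICE_ACCOUNT)


def scenario_cname_fixed():
    """Configuration 4: also register HTTP/iis01.test.com on the service account."""
    fixed = {**SPNS, "http/iis01.test.com": {SERVICE_ACCOUNT}}
    return predict("contoso", fixed, use_app_pool_credentials=True,
                   app_pool_identity=SERVICE_ACCOUNT)


def scenario_kernel_mode_mismatch():
    """Situation 1: HTTP/ SPN on the service account, but default kernel-mode
    authentication decrypts with the computer account."""
    spns = {**SPNS, "http/iis01.test.com": {SERVICE_ACCOUNT}}
    return predict("iis01.test.com", spns, app_pool_identity=SERVICE_ACCOUNT)


def scenario_duplicate_spn():
    """Case 1: the same HTTP/ SPN registered on two accounts."""
    spns = {**SPNS, "http/iis01.test.com": {SERVICE_ACCOUNT, COMPUTER_ACCOUNT}}
    return predict("iis01.test.com", spns, use_app_pool_credentials=True,
                   app_pool_identity=SERVICE_ACCOUNT)


if __name__ == "__main__":
    for scenario in (scenario_cname_wrong_spn, scenario_cname_fixed,
                     scenario_kernel_mode_mismatch, scenario_duplicate_spn):
        print(f"{scenario.__name__:30} {scenario()}")
```

Each scenario function returns the SPN the client would request together with the predicted outcome, so the same model can be fed a planned DNS change or SPN registration and checked for a mismatch between the encrypting and decrypting accounts before anyone sees a 401.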

 

 

weizhao

 

posted on 2013-03-14 19:29  微软互联网开发支持 (Microsoft Internet Development Support)