Wednesday, October 12, 2016

WNA Authentication. UDP packet loss.

A fix for slow authentication (in our case it took up to 1 minute) of users authenticating via WNA.

Environment:
Several Windows domains.
One master keytab for all domains.
A very "large" network.


In the OAM server log WLS_OAM1.out:

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 17 23.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 17 23.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 17 23.
default etypes for default_tkt_enctypes: 17 23.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=uaad1sm.smua.local UDP:88, timeout=30000, number of retries =3, #bytes=236
>>> KDCCommunication: kdc=uaad1sm.smua.local UDP:88, timeout=30000,Attempt =1, #bytes=236
SocketTimeOutException with attempt: 1
>>> KDCCommunication: kdc=uaad1sm.smua.local UDP:88, timeout=30000,Attempt =2, #bytes=236
SocketTimeOutException with attempt: 2
>>> KDCCommunication: kdc=uaad1sm.smua.local UDP:88, timeout=30000,Attempt =3, #bytes=236
SocketTimeOutException with attempt: 3
>>> KrbKdcReq send: error trying uaad1sm.smua.local
java.net.SocketTimeoutException: Receive timed out
        at java.net.PlainDatagramSocketImpl.receive0(Native Method)
        at java.net.AbstractPlainDatagramSocketImpl.receive(AbstractPlainDatagramSocketImpl.java:146)
        at java.net.DatagramSocket.receive(DatagramSocket.java:817)
        at sun.security.krb5.internal.UDPClient.receive(NetClient.java:207)
        at sun.security.krb5.KdcComm$KdcCommunication.run(KdcComm.java:390)
        at sun.security.krb5.KdcComm$KdcCommunication.run(KdcComm.java:343)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.krb5.KdcComm.send(KdcComm.java:327)
        at sun.security.krb5.KdcComm.send(KdcComm.java:219)
        at sun.security.krb5.KdcComm.send(KdcComm.java:191)
        at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:319)
        at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:364)
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:735)
        at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:584)
        at sun.reflect.GeneratedMethodAccessor1782.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762)

Add the following to krb5.conf:
[libdefaults]
udp_preference_limit = 1


What this setting is:
udp_preference_limit
When sending a message to the KDC, the library will try using TCP before UDP if the size of the message is above udp_preference_limit. If the message is smaller than udp_preference_limit, then UDP will be tried before TCP. Regardless of the size, both protocols will be tried if the first attempt fails. With the value 1, every real request (anything larger than one byte) is sent over TCP first, so the three UDP timeouts of 30 seconds each are no longer paid before the fallback.

After this, the logs look fine:
default etypes for default_tkt_enctypes: 17 23.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=uaad1sm.smua.local TCP:88, timeout=30000, number of retries =3, #bytes=153
>>> KDCCommunication: kdc=uaad1sm.smua.local TCP:88, timeout=30000,Attempt =1, #bytes=153
>>>DEBUG: TCPClient reading 177 bytes
>>> KrbKdcReq send: #bytes read=177
>>>Pre-Authentication Data:
         PA-DATA type = 11
         PA-ETYPE-INFO etype = 23, salt =
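As an added example (not from the original post), a small Python script that scans Java Kerberos debug output of the kind shown above for KDC attempts and UDP timeouts and estimates how much login time the UDP retries cost before the TCP fallback; the KDC name and the log sample are constructed, not taken from the author's server.

```python
import re

# Constructed sample of Java Kerberos debug output (sun.security.krb5.debug=true)
# shaped like the lines in the post: 3 UDP timeouts, then a successful TCP send.
SAMPLE_LOG = """\
>>> KrbKdcReq send: kdc=kdc.example.local UDP:88, timeout=30000, number of retries =3, #bytes=236
>>> KDCCommunication: kdc=kdc.example.local UDP:88, timeout=30000,Attempt =1, #bytes=236
SocketTimeOutException with attempt: 1
>>> KDCCommunication: kdc=kdc.example.local UDP:88, timeout=30000,Attempt =2, #bytes=236
SocketTimeOutException with attempt: 2
>>> KDCCommunication: kdc=kdc.example.local UDP:88, timeout=30000,Attempt =3, #bytes=236
SocketTimeOutException with attempt: 3
>>> KrbKdcReq send: error trying kdc.example.local
>>> KrbKdcReq send: kdc=kdc.example.local TCP:88, timeout=30000, number of retries =3, #bytes=153
>>> KDCCommunication: kdc=kdc.example.local TCP:88, timeout=30000,Attempt =1, #bytes=153
>>> KrbKdcReq send: #bytes read=177
"""

ATTEMPT_RE = re.compile(r"KDCCommunication: kdc=(\S+) (UDP|TCP):\d+, timeout=(\d+),Attempt =(\d+)")
TIMEOUT_RE = re.compile(r"SocketTimeOutException with attempt: (\d+)")

def analyze_kdc_log(text):
    """Per (kdc, transport): attempts made, attempts that timed out, seconds lost waiting."""
    stats = {}
    current = None  # (kdc, transport) of the most recent attempt line
    for line in text.splitlines():
        m = ATTEMPT_RE.search(line)
        if m:
            kdc, proto, timeout_ms, _attempt = m.groups()
            current = (kdc, proto)
            entry = stats.setdefault(current, {"attempts": 0, "timeouts": 0, "seconds_lost": 0.0})
            entry["attempts"] += 1
            entry["_timeout_ms"] = int(timeout_ms)  # timeout of the attempt just issued
            continue
        m = TIMEOUT_RE.search(line)
        if m and current:
            entry = stats[current]
            entry["timeouts"] += 1
            entry["seconds_lost"] += entry["_timeout_ms"] / 1000.0
    for entry in stats.values():
        entry.pop("_timeout_ms", None)
    return stats

def udp_fallback_suspected(stats):
    """True when every UDP attempt to some KDC timed out: udp_preference_limit = 1 applies."""
    return any(proto == "UDP" and e["timeouts"] and e["timeouts"] == e["attempts"]
               for (_kdc, proto), e in stats.items())
```

On the sample above the UDP entry reports 3 attempts, 3 timeouts and 90 seconds lost, which matches the minute-long logins the post describes.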
