Symptoms
Some users cannot log in because a single sign-on credential cannot be created.
In the awingu-worker-smc.service.log file, an error similar to the following can be seen:
2023-09-27 12:50:25.060193+00:00 awingu-acc awingu-worker-smc.service[manage.py:2852706]: Using specified cache: /etc/awingu/domains/SOMEDOMAIN/b60cc05c-df5c-4564-b30b-850a5bff9eb3/kerberos/kerberos_credentials_cache
Using principal: someusere\@SOMEDOMAIN.ORG@SOMEDOMAIN.ORG
PA Option X509_user_identity = FILE:/etc/awingu/domains/SOMEDOMAIN/b60cc05c-df5c-4564-b30b-850a5bff9eb3/certificate.pem,/etc/awingu/domains/SOMEDOMAIN/b60cc05c-df5c-4564-b30b-850a5bff9eb3/private_key.pem
[2915407] 1695819024.671381: Getting initial credentials for someusere\@SOMEDOMAIN.ORG@SOMEDOMAIN.ORG
[2915407] 1695819024.671383: Sending unauthenticated request
[2915407] 1695819024.671384: Sending request (240 bytes) to SOMEDOMAIN.ORG
[2915407] 1695819024.671385: Resolving hostname AD-01.SOMEDOMAIN.ORG
[2915407] 1695819024.671386: Sending initial UDP request to dgram 10.246.111.251:88
[2915407] 1695819024.671387: Received answer (246 bytes) from dgram 10.246.111.251:88
[2915407] 1695819024.671388: Sending DNS URI query for _kerberos.SOMEDOMAIN.ORG.
[2915407] 1695819024.671389: No URI records found
[2915407] 1695819024.671390: Sending DNS SRV query for _kerberos-master._udp.SOMEDOMAIN.ORG.
[2915407] 1695819024.671391: Sending DNS SRV query for _kerberos-master._tcp.SOMEDOMAIN.ORG.
[2915407] 1695819024.671392: No SRV records found
[2915407] 1695819024.671393: Response was not from master KDC
[2915407] 1695819024.671394: Received error from KDC: -1765328359/Additional pre-authentication required
[2915407] 1695819024.671397: Preauthenticating using KDC method data
[2915407] 1695819024.671398: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
[2915407] 1695819024.671399: Selected etype info: etype aes256-cts, salt "SOMEDOMAIN.ORGsomeusere", params ""
[2915407] 1695819024.671400: PKINIT loading CA certs and CRLs from FILE
[2915407] 1695819024.671401: PKINIT client computed kdc-req-body checksum 9/CCA5CEA6F7BF4177460CAE81752BEAD95FC8CEB1
[2915407] 1695819024.671403: PKINIT client making DH request
[2915407] 1695819025.31886: Preauth module pkinit (16) (real) returned: 0/Success
[2915407] 1695819025.31887: Produced preauth for next request: PA-PK-AS-REQ (16)
[2915407] 1695819025.31888: Sending request (5308 bytes) to SOMEDOMAIN.ORG
[2915407] 1695819025.31889: Resolving hostname AD-01.SOMEDOMAIN.ORG
[2915407] 1695819025.31890: Initiating TCP connection to stream 10.246.111.251:88
[2915407] 1695819025.31891: Sending TCP request to stream 10.246.111.251:88
[2915407] 1695819025.31892: Received answer (134 bytes) from stream 10.246.111.251:88
[2915407] 1695819025.31893: Terminating TCP connection to stream 10.246.111.251:88
[2915407] 1695819025.31894: Sending DNS URI query for _kerberos.SOMEDOMAIN.ORG.
[2915407] 1695819025.31895: No URI records found
[2915407] 1695819025.31896: Sending DNS SRV query for _kerberos-master._udp.SOMEDOMAIN.ORG.
[2915407] 1695819025.31897: Sending DNS SRV query for _kerberos-master._tcp.SOMEDOMAIN.ORG.
[2915407] 1695819025.31898: No SRV records found
[2915407] 1695819025.31899: Response was not from master KDC
[2915407] 1695819025.31900: Received error from KDC: -1765328318/Certificate mismatch
[2915407] 1695819025.31901: Retrying AS request with master KDC
[2915407] 1695819025.31902: Getting initial credentials for someusere\@SOMEDOMAIN.ORG@SOMEDOMAIN.ORG
[2915407] 1695819025.31904: Sending unauthenticated request
[2915407] 1695819025.31905: Sending request (240 bytes) to SOMEDOMAIN.ORG (master)
[2915407] 1695819025.31906: Sending DNS URI query for _kerberos.SOMEDOMAIN.ORG.
[2915407] 1695819025.31907: No URI records found
[2915407] 1695819025.31908: Sending DNS SRV query for _kerberos-master._udp.SOMEDOMAIN.ORG.
[2915407] 1695819025.31909: Sending DNS SRV query for _kerberos-master._tcp.SOMEDOMAIN.ORG.
[2915407] 1695819025.31910: No SRV records found
kinit: Certificate mismatch while getting initial credentials
In the Windows Event Viewer on the domain controller, an error similar to the following can be seen:
密钥分发中心(KDC)遇到了一份有效的用户证书,但其SID与其映射的用户不同。因此,涉及证书的请求失败了。详情请参见 https://go.microsoft.com/fwlink/?linkid=2189925。
Cause
Since version 5.5.1, the single sign-on (SSO) mechanism has been made more secure to comply with Microsoft's hardened security standards. As a result, the user certificate now also contains the objectSid of the user account.
The objectSid is cached in Parallels Secure Workspace at the user's first login.
However, when a user account uses the same sAMAccountName as a previous user account, Parallels Secure Workspace treats it as the same user and does not automatically update the objectSid. This is by design, as a security measure (TOFU, trust on first use) to prevent spoofing.
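As an added example (not from the original article or from Parallels), a small Python script that walks the KRB5_TRACE lines shown above, decodes the KDC error codes (MIT krb5 reports them as KRB5KDC_ERR_NONE plus the RFC 4120/4556 error code) and flags the signature of this issue: a Certificate mismatch returned only after the PKINIT pre-authentication was sent. The sample trace embedded in it is constructed and abbreviated.

```python
import re

# MIT krb5 reports protocol errors as KRB5KDC_ERR_NONE + the RFC 4120/4556 error code,
# e.g. -1765328359 = code 25 (preauth required), -1765328318 = code 66 (certificate mismatch).
KRB5KDC_ERR_NONE = -1765328384
KDC_ERROR_NAMES = {25: "KDC_ERR_PREAUTH_REQUIRED", 66: "KDC_ERR_CERTIFICATE_MISMATCH"}

TRACE_RE = re.compile(r"^\[(\d+)\] (\d+\.\d+): (.*)$")
KDC_ERR_RE = re.compile(r"Received error from KDC: (-?\d+)/(.*)")

def parse_trace(lines):
    """Return (pid, timestamp, message) for each KRB5_TRACE line; other lines are skipped."""
    events = []
    for line in lines:
        m = TRACE_RE.match(line.strip())
        if m:
            events.append((int(m.group(1)), float(m.group(2)), m.group(3)))
    return events

def diagnose(lines):
    """Summarise the AS exchange and flag a certificate mismatch that follows a PKINIT request."""
    result = {"principal": None, "kdc_errors": [], "sid_mismatch_suspected": False}
    pkinit_sent = False
    for _, _, msg in parse_trace(lines):
        if msg.startswith("Getting initial credentials for ") and result["principal"] is None:
            result["principal"] = msg.split(" for ", 1)[1]
        elif msg.startswith("Produced preauth for next request: PA-PK-AS-REQ"):
            pkinit_sent = True
        m = KDC_ERR_RE.match(msg)
        if m:
            code = int(m.group(1)) - KRB5KDC_ERR_NONE
            result["kdc_errors"].append((code, KDC_ERROR_NAMES.get(code, "UNKNOWN"), m.group(2)))
            # Mismatch only after PKINIT was sent: the KDC rejected the certificate itself
            # (the SID it carries is not the SID of the account it maps to).
            if code == 66 and pkinit_sent:
                result["sid_mismatch_suspected"] = True
    return result

# Constructed sample, abbreviated from the trace shape shown in the article.
SAMPLE_TRACE = r"""
[2915407] 1695819024.671381: Getting initial credentials for someusere\@SOMEDOMAIN.ORG@SOMEDOMAIN.ORG
[2915407] 1695819024.671394: Received error from KDC: -1765328359/Additional pre-authentication required
[2915407] 1695819024.671403: PKINIT client making DH request
[2915407] 1695819025.31887: Produced preauth for next request: PA-PK-AS-REQ (16)
[2915407] 1695819025.31900: Received error from KDC: -1765328318/Certificate mismatch
kinit: Certificate mismatch while getting initial credentials
""".splitlines()

if __name__ == "__main__":
    print(diagnose(SAMPLE_TRACE))
```

When the flag is set, the matching event on the domain controller is the KDC "different SID than the user to which it mapped" entry quoted above, which points at the cached objectSid rather than at the certificate chain.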
Resolution
Option 1 (requires version 5.6 or later)
Parallels Secure Workspace must be at least version 5.6.
The objectSid can then be reset by deleting the user under System Settings > Manage > Users.
For subscription users, this means the user is only marked as a deleted object. When the user logs in again, the new objectSid will be accepted.
Option 2 (also applies to version 5.5)
If the Active Directory Recycle Bin is enabled, it may be possible to restore the account with the original objectSid.
In that case:
- Delete the new user that uses the same sAMAccountName as the previous user.
- Instead, restore the original user, with its original objectSid, from the Recycle Bin.