
Configuring Kerberos with Weblogic Server

Details

Domain Name: BEATEST.COM
Domain Controller Name: BEAAD (This machine runs Active Directory)
WL Server Machine Name: beaiis (This machine runs Weblogic server).

For BEAAD:-

Username : beauser
Password :

For beaiis :-

Username : beaiis
Password : Secure04

Steps on Domain Controller (BEAAD)

1) Create a User beawin in Active Directory. Go to user properties > account and under account options, select Use DES encryption types for this account. After this, reset the password for this user.

2) Set the Service Principal Name.

setspn -a HTTP/beaiis.BEATEST.COM beawin

3) Test the service principal name.

setspn -L beawin

4) Generate a keytab using ktab

ktab -k beawin.keytab -a beawin@BEATEST.COM

5) Test the keytab file

klist -k beawin.keytab

Note: klist is a JDK utility

6) Copy the generated keytab file (beawin.keytab) to the domain directory of weblogic.
D:\bea922\user_projects\domains\Kerberos_New

7) Place the krb5.ini file in the C:\winnt folder. The content of the file is shown later in the document.

Steps on Machine Hosting Weblogic Server (beaiis)

1) Set the environment and run the kinit utility

java -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit -k -t D:\bea922\user_projects\domains\Kerberos_New\beawin.keytab beawin@BEATEST.COM

This should obtain a Kerberos ticket for beawin from the KDC and place it in a credentials cache in the user's home folder.

2) Make sure you have all the parameters correctly set in

C:\WinNT\krb5.ini

krb5.ini

[libdefaults]
default_realm = BEATEST.COM
kdc_timesync = 1
ccache_type = 4
ticket_lifetime = 600
clockskew = 1200

[realms]
BEATEST.COM = {
kdc = 192.168.1.1
admin_server = BEAAD
default_domain = BEATEST.COM
}

[domain_realm]
.beatest.com = BEATEST.COM

[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true

3) Create a krb5login.conf file with the following entries in your domain directory D:\bea922\user_projects\domains\Kerberos_New (use plain ASCII double quotes; typographic quotes are not accepted by the JAAS configuration parser)

krb5login.conf

com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required
principal="beawin@BEATEST.COM" useKeyTab=true
keyTab=beawin.keytab storeKey=true debug=false;
};
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required
principal="beawin@BEATEST.COM" useKeyTab=true
keyTab=beawin.keytab storeKey=true debug=false;
};

4) Add the following parameters in the startup script startweblogic.cmd

-Djava.security.auth.login.config=krb5Login.conf -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.security.enableNegotiate=true

5) Configure NegotiateIdentityAsserter from the console

Home > Summary of Security Realms > myrealm > Providers > Authentication >
Create new NegotiateIdentityAsserter

Leave the default Active Types
Under Provider Specific, uncheck Form Based Negotiation Enabled

Activate the changes and restart the server.

6) Create a user beawin in Weblogic Server.

7) Deploy the web application

Web.xml

<web-app>
<display-name>SEC81</display-name>
<security-constraint>
<display-name>Security Constraint for SSO </display-name>
<web-resource-collection>
<web-resource-name>My webapp</web-resource-name>
<description>Group of Users</description>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>SSOrole</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role>
<description>Role description</description>
<role-name>SSOrole</role-name>
</security-role>
</web-app>

Weblogic.xml

<weblogic-web-app>
<security-role-assignment>
<role-name>SSOrole</role-name>
<principal-name>beawin</principal-name>
</security-role-assignment>
</weblogic-web-app>

8) Deploy the web app in weblogic.

9) Start the weblogic server.

Configuring Internet Explorer

NOTE: THESE STEPS NEED TO BE DONE ON EACH CLIENT MACHINE THAT BROWSES THE PROTECTED WEB APPLICATION

1. Go to Tools -> Internet Options
2. Select the “Security” tab
3. Click on the “Local Intranet” icon. This will enable the “Sites” button.
4. Click the “Sites” button. This will show a “Local Intranet” popup.
5. Make sure the option “Include all local (intranet) sites not listed in other zones” is selected. (Windows XP only).
6. Click on the “Advanced” button. In the new popup window add the URL for the machine hosting weblogic.
7. Click OK to save your settings.
8. In the “Security” tab, click the “Custom Level” button.
9. In the “Security Settings” dialog, under the “User Authentication” section, make sure the “Automatic logon only in Intranet zone” option is selected.
10. Click OK to save your settings.
11. Go to the “Connections” tab -> LAN Settings.
12. If you have a proxy server enabled, click on the “Advanced” button. Make sure you add the URL for the machine hosting weblogic in the “Exceptions” box.
13. In the “Internet Options -> Advanced” tab, make sure the “Enable Integrated Windows Authentication (requires restart)” option is checked. Click “OK”. (If this option was not selected previously, you need to close all browser instances for the setting to take effect).

89 Comments

  1. Ajay

    Another nice post…Keep it coming….

    We hope you just keep such interesting/ informative articles…

    Posted on 15-Nov-09 at 2:46 pm | Permalink
  2. Anand

    Hi Faisal, great post….
    Keep up the good work

    Posted on 15-Nov-09 at 4:30 pm | Permalink
  3. BusyNut

    Good.. though I didn't understand it completely… will be useful for my future reference ;)

    Posted on 15-Nov-09 at 5:32 pm | Permalink
  4. Faisal Khan

    Thanks everyone! :)

    Posted on 16-Nov-09 at 7:41 am | Permalink
  5. Ajay

    Faisal

    Need ur assistance yet again…

    This time within my project

    and one more suggestion

    Do update blog with your mobile number…

    I need to contact you fast and how ??

    Posted on 17-Nov-09 at 12:48 pm | Permalink
  6. Arun

    Hi Faisal .. its a nice article indeed. Is it possible for you to share the sample webapp you used for it ?

    Arun (shekhawataru@gmail.com)

    Posted on 22-Dec-09 at 7:00 am | Permalink
  7. Chew

    Faisal,

    In your jaas conf file, do you mean to reference beawin.keytab instead of mykeytab?

    Have you tried this with WLS 10gR3 on JDK1.6? If so, did you use com.sun.security.jgss.initiate or com.sun.security.krb5.accept?

    I understand JDK1.6 will look for krb5.ini in c:/windows. Can you confirm?

    Did you use AD2003 or later? Have you heard of problems getting AD to create DES, rather than default RC4? Could WebLogic consume RC4 since it runs on JDK 1.6 now?

    Is there any restriction in running the AD Authentication provider instead of Default Authenticator?

    Posted on 02-Jan-10 at 6:38 pm | Permalink
  8. Faisal Khan

    In your jaas conf file, do you mean to reference beawin.keytab instead of mykeytab?

    Good Catch.. yes..

    Have you tried this with WLS 10gR3 on JDK1.6? If so, did you use com.sun.security.jgss.initiate or com.sun.security.krb5.accept?

    Yes I have tried, and I had to use com.sun.security.krb5.accept

    Did you use AD2003 or later?

    I tried on AD2K3.

    Have you heard of problems getting AD to create DES, rather than default RC4?

    I have not come across this problem before, you can try the option below.

    In order to use RC4-HMAC, you'll need to update the Kerberos configuration file to specify the encryption type.

    default_tkt_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac

    Ref: http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/jgss-features.html

    Is there any restriction in running the AD Authentication provider instead of Default Authenticator?

    No

    Posted on 07-Jan-10 at 8:08 pm | Permalink
  9. Faisal Khan

    Sorry it was..

    com.sun.security.jgss.krb5.initiate & com.sun.security.jgss.krb5.accept

    Posted on 12-Jan-10 at 3:39 pm | Permalink
  10. biaymy

    How can we make kerberos integration in weblogic portal for sso? will we have to make changes in weblogic.xml and web.xml for Weblogic portal too?

    Posted on 29-Jan-10 at 3:25 pm | Permalink
  11. Faisal Khan

    Yes, we need to modify the principal name in weblogic.xml in the same way.. for e.g. I log on the System as beawin, then the principal name should be beawin or the group to which it belongs to..

    Posted on 30-Jan-10 at 10:02 am | Permalink
  12. haljordan5

    Excellent tutorial, but I am having some trouble getting this to work. On my client, I get a 401 error, and the following is displayed on the app server log.

    Posted on 18-Feb-10 at 8:56 pm | Permalink
  13. haljordan5

    Excellent tutorial, but I am having some trouble getting this to work. On my client, I get a 401 error, and the following is displayed on the app server log.

    Feb 18, 2010 2:57:19 PM EST Debug SecurityAtn BEA-000000 com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter.getChallengeToken(WWW-Authenticate.Negotiate)

    Posted on 18-Feb-10 at 8:57 pm | Permalink
  14. Michael Chiu

    Hi Faisal,

    Trusting SSO will work when following your detailed steps above.

    Our next goal is to authorize users in MS AD to web applications on WLP according to their group and role in MS AD.

    Could you please provide detailed steps about configuring AD authentication provider on WLS and WLP Entitlement etc? Also, what needs to be done to deploy WLS applications and web services to WLS and WLP?

    Also, how can users access Oracle 10.1.2 ADF web applications through the current version of WLP and WLS?

    Thank you in advance.
    Regards,
    Michael

    Posted on 13-May-10 at 3:50 am | Permalink
  15. Administrator

    Our next goal is to authorize users in MS AD to web applications on WLP according to their group and role in MS AD.

    This can be done by specifying

    principal-name as AD Group Name in the web.xml

    Could you please provide detailed steps about configuring AD authentication provider on WLS and WLP Entitlement etc?

    Also, what needs to be done to deploy WLS applications and web services to WLS and WLP?

    Many ways u can deploy – go through weblogic documentation. U can use ant wldeploy, u can place the app in autodeploy folder, u can browse from the console and upload the app…

    Run the WLST script after modifying the parameters. Its the simplest way to do. U can also do it from the console.

    Also, how can users access Oracle 10.1.2 ADF web applications through the current version of WLP and WLS?

    Once the Kerberos configuration is successful, users can access the application directly without authenticating.

    Posted on 13-May-10 at 5:23 am | Permalink
  16. Michael Chiu

    Hi Faisal,

    I have just had a look at your other link about Web Center and OES. Can I assume that the SSO you described above applies to both WLP and Web Center?

    Please advise.
    Thanks,
    Regards,
    Michael

    Posted on 13-May-10 at 7:11 am | Permalink
  17. Administrator

    It applies for WLP, for Web Centre I'm not sure…
    Which link are u talking about?

    Posted on 13-May-10 at 2:12 pm | Permalink
  18. Michael Chiu

    I am talking about this link:
    Configuring Kerberos with Weblogic Server

    Posted on 13-May-10 at 11:24 pm | Permalink
  19. Michael Chiu

    Sorry. I meant

    http://fusionsecurity.blogspot.com/

    Posted on 14-May-10 at 5:14 am | Permalink
  20. Michael Chiu

    Hi Faisal,

    In the above description:

    1) Create a User beawin in Active Directory. Go to user properties > account and under account options, select Use DES encryption types for this account. After this, reset the password for this user.

    If we have a thousand users, do we need to duplicate all lines with beawin in the above description for each user?

    Please advise,
    Thanks,
    Regards,
    Michael

    Posted on 17-May-10 at 1:23 am | Permalink
  21. Michael Chiu

    To me, beawin is the SPN for the WLS box, beaiis, instead for an end user.

    Posted on 17-May-10 at 1:43 am | Permalink
  22. Administrator

    u answered your own question :)

    you register your service with beawin. for one service there can be only one user. beawin in this case.

    Let me know if you still have any queries.

    Posted on 17-May-10 at 4:04 am | Permalink
  23. Michael Chiu

    Hi, Thank you very much for your help. When we have our LDAP and WLS platforms set up, we will try out our understanding and get back to you. Regards, Michael

    Posted on 17-May-10 at 7:00 am | Permalink
  24. deepu

    Hi Faisal,

    I have read this article and I do have a question about authorization when using this Kerberos authentication. Since the user is able to log in to the app without providing userid/pwd, how can we identify the user logged into the application? After identifying the user, how do we get the LDAP group of this user?

    Thanks in advance.

    Posted on 01-Sep-10 at 12:58 am | Permalink
  25. admin

    Hi Santhoshi,

    You can get the authenticated user information from the request object
    request.getRemoteUser()

    To get the groups, you can try this.

    subject = Subject.getCurrentSubject();
    Set principals = subject.getPrincipals();
    Iterator it = principals.iterator();

    while (it.hasNext()) {
        Principal pr = (Principal) it.next();
        System.out.println("Name " + pr.getName() + " String== " + pr.toString());
    }

    Let me know if it helps.

    Thanks,
    Faisal

    Posted on 01-Sep-10 at 2:01 am | Permalink
  26. Mangesh

    I have done the configuration as stated above, but whenever I try to access my application I am getting the following error.

    Error 401–Unauthorized
    From RFC 2068 Hypertext Transfer Protocol — HTTP/1.1:
    10.4.2 401 Unauthorized
    The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity MAY include relevant diagnostic information. HTTP access authentication is explained in section 11.

    Please help me out this problem.

    Posted on 23-Nov-10 at 7:26 am | Permalink
  27. Mangesh

    Hi Faisal,

    This is additional information I am providing, so that it will help you find out the real cause of the error

    Following is the HTTP Header trace when I am trying to access my application:

    GET /adamapp/ HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    UA-CPU: x86
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152)
    Host: its37:7012
    Connection: Keep-Alive
    Cookie: ADMINCONSOLESESSION=M8bLMsxcCzLDPqz1Lj6tQLlKTbGGnN6YGJRhWLL7VWb7k7Qx2CF9!-1008954312; JSESSIONID=MSBnMszVF3pN6pfZ2RDlPQHmLVWgBhQjFF821qYQm1XKmvkck1DL!-1008954312

    HTTP/1.1 401 Unauthorized
    Cache-Control: no-cache=”Set-Cookie”
    Connection: close
    Date: Wed, 24 Nov 2010 11:17:11 GMT
    Content-Length: 1518
    Content-Type: text/html
    WWW-Authenticate: Negotiate
    Set-Cookie: JSESSIONID=TNT5Ms0XNZdDjtKDCQTTdXqnbRJ5Tnt28SJM9WLQJswJ8fHn2HRy!-1008954312; path=/
    X-Powered-By: Servlet/2.5 JSP/2.1

    GET /adamapp/ HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    UA-CPU: x86
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152)
    Host: its37:7012
    Connection: Keep-Alive
    Cookie: ADMINCONSOLESESSION=M8bLMsxcCzLDPqz1Lj6tQLlKTbGGnN6YGJRhWLL7VWb7k7Qx2CF9!-1008954312; JSESSIONID=TNT5Ms0XNZdDjtKDCQTTdXqnbRJ5Tnt28SJM9WLQJswJ8fHn2HRy!-1008954312
    Authorization: Negotiate TlRMTVNTUAABAAAAB7IIogkACQAtAAAABQAFACgAAAAFASgKAAAAD0lUUzM3SVRTSEFTVFJB

    HTTP/1.1 401 Unauthorized
    Connection: close
    Date: Wed, 24 Nov 2010 11:17:11 GMT
    Content-Length: 1518
    Content-Type: text/html
    X-Powered-By: Servlet/2.5 JSP/2.1

    Thanks,
    Mangesh

    Posted on 24-Nov-10 at 6:51 am | Permalink
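As an added note after this trace (not part of the thread or of the author's material): base64-decoding the Authorization value above yields bytes beginning with NTLMSSP, i.e. the browser sent a raw NTLM type 1 message rather than a Kerberos/SPNEGO ticket (usually because it could not obtain a service ticket for the host's SPN), which is why the second request is refused as well. The script below, written for this page and assuming only the Python standard library, classifies Negotiate tokens from such a header trace; the SPNEGO and Kerberos samples in it are constructed.

```python
import base64

# Byte signature at the start of every raw NTLM message.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

# Mechanism OIDs that can appear in a GSS-API InitialContextToken.
KNOWN_OIDS = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "Kerberos V5 (legacy Microsoft OID)",
}


def _read_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, index after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _decode_oid(content):
    """Turn the content bytes of a DER OBJECT IDENTIFIER into dotted form."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def classify_negotiate_token(b64):
    """Say what an 'Authorization: Negotiate <b64>' value actually carries."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (ValueError, TypeError):
        return "not valid base64"
    if raw.startswith(NTLMSSP_SIGNATURE):
        # NTLM MessageType is a little-endian DWORD right after the signature
        msg_type = int.from_bytes(raw[8:12], "little")
        return f"raw NTLM message type {msg_type}"
    if raw[:1] != b"\x60":
        return "unrecognised token (no GSS-API InitialContextToken tag)"
    try:
        _, pos = _read_length(raw, 1)
        if raw[pos:pos + 1] != b"\x06":
            return "malformed GSS-API token (mechanism OID missing)"
        oid_len, pos = _read_length(raw, pos + 1)
        oid = _decode_oid(raw[pos:pos + oid_len])
    except IndexError:
        return "malformed GSS-API token (truncated)"
    return KNOWN_OIDS.get(oid, f"GSS-API token with unknown mechanism OID {oid}")


def classify_trace(trace):
    """Classify every Authorization / WWW-Authenticate header in a header trace."""
    results = []
    for line in trace.splitlines():
        name, sep, value = line.strip().partition(":")
        if not sep or name.lower() not in ("authorization", "www-authenticate"):
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "negotiate":
            results.append((name, f"scheme {scheme}"))
        elif not token.strip():
            results.append((name, "Negotiate challenge without token"))
        else:
            results.append((name, classify_negotiate_token(token.strip())))
    return results


def _gss_token(oid_der, inner=b""):
    """Build a minimal InitialContextToken (short-form lengths only)."""
    body = b"\x06" + bytes([len(oid_der)]) + oid_der + inner
    return b"\x60" + bytes([len(body)]) + body


# The Authorization value from the header trace in the comment above.
SAMPLE_NTLM_B64 = "TlRMTVNTUAABAAAAB7IIogkACQAtAAAABQAFACgAAAAFASgKAAAAD0lUUzM3SVRTSEFTVFJB"
# Constructed samples: SPNEGO and Kerberos V5 tokens with empty bodies.
SAMPLE_SPNEGO_B64 = base64.b64encode(
    _gss_token(b"\x2b\x06\x01\x05\x05\x02", b"\xa0\x02\x30\x00")).decode()
SAMPLE_KRB5_B64 = base64.b64encode(
    _gss_token(b"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02")).decode()
# Constructed, abridged version of the second exchange in the trace above.
SAMPLE_TRACE = """\
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate
Content-Type: text/html

GET /adamapp/ HTTP/1.1
Host: its37:7012
Authorization: Negotiate """ + SAMPLE_NTLM_B64 + """

HTTP/1.1 401 Unauthorized
Connection: close
"""

if __name__ == "__main__":
    for header, verdict in classify_trace(SAMPLE_TRACE):
        print(f"{header}: {verdict}")
```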
  28. Mangesh

    Hi Faisal,

    As per your suggestion I checked my browser settings, but everything is alright.
    I also visited the URL:
    http://weblogic-wonders.com/weblogic/2010/01/07/troubleshooting-kerberos-issues-with-weblogic-server/

    for troubleshooting but couldn't find anything wrong with my system.

    Please guide me the way to find out the issue.

    Thanks,
    Mangesh.

    Posted on 24-Nov-10 at 10:58 am | Permalink
  29. Mangesh

    Is it compulsory to run the ktpass utility?
    Can we use only ktab utility to generate keytab file?

    Currently I am using only ktab utility.

    Is this the issue?

    Thanks,
    Mangesh

    Posted on 24-Nov-10 at 11:17 am | Permalink
  30. Administrator

    No, it's not mandatory…

    Posted on 24-Nov-10 at 12:42 pm | Permalink
  31. Mangesh

    Hi Faisal,

    When I run the klist command it gives the details below; are these details as expected?

    Credentials cache: C:\Documents and Settings\mangesh\krb5cc_mangesh

    Default principal: beawin@ITSHASTRA.LOCAL, 1 entry found.

    [1] Service Principal: krbtgt/ITSHASTRA.LOCAL@ITSHASTRA.LOCAL
    Valid starting: Nov 25, 2010 12:16
    Expires: Nov 25, 2010 22:16

    Posted on 25-Nov-10 at 2:24 am | Permalink
  32. Administrator

    it looks fine..

    Posted on 25-Nov-10 at 7:03 am | Permalink
  33. Mangesh

    Now I think I have gained some progress.

    Now the HTTP Headers are showing:

    GET /adamapp/ HTTP/1.1

    Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
    Accept-Language: en-us
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
    Accept-Encoding: gzip, deflate
    Host: its37:7015
    Connection: Keep-Alive
    Cookie: JSESSIONID=6pvKMnFp0pR6qLgQ2pkr1JfBwCCTyzLg9hmdpbPS1JXBmrGJvhpv!1053817966

    HTTP/1.1 401 Unauthorized
    Cache-Control: no-cache=”Set-Cookie”
    Connection: close

    Date: Thu, 25 Nov 2010 11:20:51 GMT

    Content-Length: 1518
    Content-Type: text/html
    WWW-Authenticate: Negotiate

    Set-Cookie: JSESSIONID=GjpNMnGTK1TL27DQTHLDPc5NkqXp92pvbP1WRQgkhcPCLDqpDH7H!659302533; path=/

    X-Powered-By: Servlet/2.5 JSP/2.1

    GET /adamapp/ HTTP/1.1

    Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
    Accept-Language: en-us
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
    Accept-Encoding: gzip, deflate
    Host: its37:7015
    Connection: Keep-Alive
    Authorization: Negotiate [token omitted]
    Cookie: JSESSIONID=GjpNMnGTK1TL27DQTHLDPc5NkqXp92pvbP1WRQgkhcPCLDqpDH7H!659302533

    HTTP/1.1 401 Unauthorized
    Connection: close

    Date: Thu, 25 Nov 2010 11:20:51 GMT

    Content-Length: 1518
    Content-Type: text/html
    X-Powered-By: Servlet/2.5 JSP/2.1

    But at the server console I am getting below error:

    It will be very helpful if you provide any input for the above problem

    Posted on 25-Nov-10 at 7:04 am | Permalink
  34. Mangesh

    The error at background:

    Posted on 25-Nov-10 at 7:05 am | Permalink
  35. Mangesh

    My start-up script contains:

    @ECHO OFF

    @REM WARNING: This file is created by the Configuration Wizard.
    @REM Any changes to this script may be lost when adding extensions to this configuration.

    SETLOCAL

    set DOMAIN_HOME=C:\bea\user_projects\domains\kerberos_domain

    set JAVA_OPTIONS=%JAVA_OPTIONS% -Djava.security.auth.login.config=C:\bea\user_projects\domains\kerberos_domain\krb5login.conf
    set JAVA_OPTIONS=%JAVA_OPTIONS% -Djavax.security.auth.useSubjectCredsOnly=false
    set JAVA_OPTIONS=%JAVA_OPTIONS% -Djava.security.krb5.realm=ITSHASTRA.LOCAL
    set JAVA_OPTIONS=%JAVA_OPTIONS% -Djava.security.krb5.kdc=192.168.1.204
    set JAVA_OPTIONS=%JAVA_OPTIONS% -Dweblogic.security.enableNegotiate=true
    set JAVA_OPTIONS=%JAVA_OPTIONS% -Dweblogic.StdoutDebugEnabled=true
    set JAVA_OPTIONS=%JAVA_OPTIONS% -Dsun.security.krb5.debug=true

    call "%DOMAIN_HOME%\bin\startWebLogic.cmd" %*

    ENDLOCAL

    Even then I am getting the exception below:

    Exception com.bea.common.security.internal.utils.negotiate.NegotiateTokenException: java.lang.IllegalArgumentException: No Configuration was registered that can handle the configuration named com.sun.security.jgss.krb5.accept

    Can there be any other cause?

    Posted on 25-Nov-10 at 7:15 am | Permalink
  36. Mangesh

    Hi Faisal,

    Is it mandatory to log in with the user which we have added for WLS in Active Directory?
    For example: should I log in to the server as the beawin user and then start the weblogic server?

    Presently I am not logged in as the beawin user,
    is that the issue?

    Posted on 25-Nov-10 at 8:17 am | Permalink
  37. Mangesh

    Finally I was able to do it!!!
    There was an issue with the double quotes used: they were not supported (they had a different encoding).

    As you can observe:

    My krb5Login.conf file contains:

    com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    principal=”beawin@ITSHASTRA.LOCAL” useKeyTab=true
    keyTab=beawin.keytab storeKey=true debug=false;
    };
    com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    principal=”beawin@ITSHASTRA.LOCAL” useKeyTab=true
    keyTab=beawin.keytab storeKey=true debug=false;
    };

    Now I modified it to:

    My krb5Login.conf file contains:

    com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="beawin@ITSHASTRA.LOCAL" useKeyTab=true
    keyTab=beawin.keytab storeKey=true debug=false;
    };
    com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="beawin@ITSHASTRA.LOCAL" useKeyTab=true
    keyTab=beawin.keytab storeKey=true debug=false;
    };

    But it was all possible only because of you.
    Hats off to your knowledge and valuable support.
    Will catch you soon, when I move to the next phase of role based authentication.

    Posted on 25-Nov-10 at 9:04 am | Permalink
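The exception quoted above ("No Configuration was registered that can handle the configuration named …") is raised when the JGSS login configuration has no usable entry of that name, and a file whose quotes cannot be parsed is one way to get there, as this comment found. As an added example, not from the page or its author, the checker below parses a krb5login.conf like the one in step 3 of the article and in this comment, flags typographic quote characters, and checks the initiate/accept entry pair and the Krb5LoginModule options; it assumes only the Python standard library, and the sample configuration in it is constructed from this comment.

```python
import re
from dataclasses import dataclass, field

# Typographic quotes that a blog or word processor substitutes for ASCII ";
# the JAAS login configuration parser does not accept them as delimiters.
SMART_QUOTES = {"\u201c", "\u201d", "\u2018", "\u2019"}

# Entry names the Negotiate asserter looks up: the first pair on JDK 5
# (as in the article), the second pair on JDK 6 (as corrected in comment 9).
EXPECTED_PAIRS = (
    ("com.sun.security.jgss.initiate", "com.sun.security.jgss.accept"),
    ("com.sun.security.jgss.krb5.initiate", "com.sun.security.jgss.krb5.accept"),
)

ENTRY_RE = re.compile(r"([\w.]+)\s*\{(.*?)\}\s*;", re.S)
OPTION_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class LoginEntry:
    name: str
    module: str
    flag: str
    options: dict = field(default_factory=dict)


def parse_login_config(text):
    """Parse the entries of a JAAS login configuration into LoginEntry objects."""
    entries = []
    for name, body in ENTRY_RE.findall(text):
        parts = body.strip().rstrip(";").split(None, 2)
        if len(parts) < 2:
            continue
        module, flag = parts[0], parts[1]
        rest = parts[2] if len(parts) == 3 else ""
        # strip only ASCII quotes, so typographic ones stay visible to the checks
        options = {k: v.strip('"') for k, v in OPTION_RE.findall(rest)}
        entries.append(LoginEntry(name, module, flag, options))
    return entries


def check_login_config(text):
    """Return human-readable findings; an empty list means the file looks usable."""
    findings = []
    bad = sorted({c for c in text if c in SMART_QUOTES})
    if bad:
        findings.append("typographic quote characters present: "
                        + " ".join("U+%04X" % ord(c) for c in bad))
    entries = parse_login_config(text)
    names = {e.name for e in entries}
    if not any(set(pair) <= names for pair in EXPECTED_PAIRS):
        findings.append("no matching initiate/accept entry pair; found: "
                        + (", ".join(sorted(names)) or "none"))
    for e in entries:
        if not e.module.endswith("Krb5LoginModule"):
            findings.append(f"{e.name}: unexpected login module {e.module}")
        if e.flag != "required":
            findings.append(f"{e.name}: control flag is {e.flag}, expected required")
        if e.options.get("useKeyTab") == "true" and "keyTab" not in e.options:
            findings.append(f"{e.name}: useKeyTab=true but no keyTab option")
        principal = e.options.get("principal", "")
        if "@" not in principal:
            findings.append(f"{e.name}: principal {principal!r} has no @REALM suffix")
        if e.name.endswith("accept") and e.options.get("storeKey") != "true":
            findings.append(f"{e.name}: accept entry should set storeKey=true")
    return findings


# Constructed sample: the krb5Login.conf from this comment before the fix,
# with the typographic quotes (U+201C / U+201D) that broke it.
BROKEN_CONF = """\
com.sun.security.jgss.krb5.initiate {
com.sun.security.auth.module.Krb5LoginModule required
principal=\u201cbeawin@ITSHASTRA.LOCAL\u201d useKeyTab=true
keyTab=beawin.keytab storeKey=true debug=false;
};
com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
principal=\u201cbeawin@ITSHASTRA.LOCAL\u201d useKeyTab=true
keyTab=beawin.keytab storeKey=true debug=false;
};
"""
# The same file with plain ASCII quotes, as in the corrected version.
FIXED_CONF = BROKEN_CONF.replace("\u201c", '"').replace("\u201d", '"')

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, check_login_config(conf) or "OK")
```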
  38. Das

    Hi Faisal,

    I am trying to configure SSO on WebLogic 10.3 (on Windows XP, jdk 1.6) with Active Directory. I successfully added the ActiveDirectory authenticator and I am able to see the users and groups of AD.

    Now if I add NegotiateIdentityAsserter and then restart the server, I am not able to log on to the WLS console. If I remove the entry for NegotiateIdentityAsserter from config.xml I can log on to the WLS console.

    I have followed other steps of generating keytab and .conf files and adding the startup parameters in WLS startup file.
    Even the kinit test has passed. What could be the reason? Why is my console login affected? If you need further info please tell me.
    Regards,

    Posted on 26-Nov-10 at 2:41 pm | Permalink
  39. Administrator

    Hi Priyankar,

    Have u unchecked Form Based Negotiation Enabled under Provider Specific tab of Negotiate Identity Asserter?
    Enable Security Debug (ATN) and paste the relevant part of the log file here..

    Thanks,
    Faisal

    Posted on 27-Nov-10 at 4:45 am | Permalink
  40. Mangesh

    Hi Faisal,

    Now I am facing another problem.
    The kerberos authentication is not working on Windows 7 – IE 8 environment.
    Is there any specific setting for Windows 7 – IE 8 support?, because my current setup is working well with Windows XP – IE 7.

    As usual, waiting for your valuable input.
    Thanks,
    Mangesh.

    Posted on 29-Nov-10 at 4:14 am | Permalink
  41. Administrator

    I have not tested it on Windows 7.
    You can open a support ticket with Oracle and ask them to test.

    If there are any issues they will let you know.

    Cheers!!
    Faisal

    Posted on 29-Nov-10 at 4:29 am | Permalink
  42. Das

    Hi,

    Yes, Form Based Negotiation is unchecked.

    Below is the ATN log, but it is not saying too much. The console login ID is not a user in AD or on the local machine; it is just a WLS login ID.

    Control Flag is OPTIONAL for ADAuthenticator and SUFFICIENT for DefaultAuthenticator

    Ordering is Negotiate, AD, Default Authenticator and Default Asserter

    ######ATN Log for Server Startup ######

    #### Log For Console Login ######

    Posted on 29-Nov-10 at 5:39 am | Permalink
  43. Das

    It seems log is blocked..pasting again
    ######ATN Log for Server Startup ######
    weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
    weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
    Beginning getServletAuthenticationFilters.
    PrincipalAuthenticator.getServletAuthenticationFilters will use WLS-specific security service
    weblogic.security.service.internal.ServletAuthenticationFilterServiceImpl$ServiceImpl.getServletAuthenticationFilters
    Active type # 0 WWW-Authenticate.Negotiate
    Active type # 1 Authorization.Negotiate
    Initializing Negotiate filter
    weblogic.security.service.internal.ServletAuthenticationFilterServiceImpl$ServiceImpl.getServletAuthenticationFiltersProvider[0] added 1 filters.
    weblogic.security.service.internal.ServletAuthenticationFilterServiceImpl$ServiceImpl.getServletAuthenticationFilters Returning 1 filters.
    weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
    weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
    weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
    weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
    weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
    weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
    weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
    weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
    weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
    weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
    weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
    weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
    weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
    Beginning getServletAuthenticationFilters.
    PrincipalAuthenticator.getServletAuthenticationFilters will use WLS-specific security service
    weblogic.security.service.internal.ServletAuthenticationFilterServiceImpl$ServiceImpl.getServletAuthenticationFilters
    Active type # 0 WWW-Authenticate.Negotiate
    Active type # 1 Authorization.Negotiate
    Initializing Negotiate filter
    weblogic.security.service.internal.ServletAuthenticationFilterServiceImpl$ServiceImpl.getServletAuthenticationFiltersProvider[0] added 1 filters.
    weblogic.security.service.internal.ServletAuthenticationFilterServiceImpl$ServiceImpl.getServletAuthenticationFilters Returning 1 filters.
    weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
    weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
    weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
    weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
    weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
    weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
    weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
    weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
    weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
    weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
    weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
    weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity

    #### Log For Console Login Attempt ######

    com.bea.common.security.internal.service.ChallengeIdentityAssertionServiceImpl.getChallengeToken (tokenType=WWW-Authenticate.Negotiate)
    com.bea.common.security.internal.service.ChallengeIdentityAssertionTokenServiceImpl.getChallengeToken (tokenType=WWW-Authenticate.Negotiate)
    com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter.getChallengeToken (tokenType=WWW-Authenticate.Negotiate)

    Posted on 29-Nov-10 at 5:43 am | Permalink
  44. Das

    Hi Faisal,

    Also sending the startup parameters

    -Dweblogic.Name=%SERVER_NAME%
    -Djava.security.policy=%WL_HOME%\server\lib\weblogic.policy
    -Djava.security.auth.login.config=C:\bea\user_projects\domains\ADDomain\krb5Login.conf
    -Djava.security.krb5.realm=ABCDEV.PT
    -Djava.security.krb5.kdc=ABCDEV.PT
    -Djavax.security.auth.useSubjectCredsOnly=false
    -Dsun.security.krb5.debug=true
    -Dweblogic.security.enableNegotiate=true
    -Dweblogic.StdoutDebugEnabled=true

    Strangely, if I rename krb5Login.conf as krb5Login.conf1 or I remove the file from the mentioned directory or change the principal attribute inside krb5Login.conf, I get the same log, i.e. I don't see any error message as such. ??

    Regards,
    Priyankar

    Posted on 29-Nov-10 at 7:15 am | Permalink
  45. Administrator

    Your krb5Login.conf file is not getting picked up.
    Are you providing it in the java options at the right place?

    Can u check the file type of krb5Login.conf?

    I have office during day time so dont get time to reply, you can expect replies after office hours.

    -Faisal

    Posted on 29-Nov-10 at 12:54 pm | Permalink
  46. Das

    Hi Faisal,

    Thanks for the reply.

    I found the solution of the console login problem by directly typing the full URL http://…/console/login/LoginForm.jsp. This allows me to login in console. (Reason is not yet known!!)

    The server is picking up the .CONF file, as I am printing the startup parameters in a startup class and those are coming correctly.
    The file type of krb5Login.conf is .CONF.

    Next I have deployed a sample application (as per config mentioned on top of the article) there I am getting Error 401–Unauthorized. It seems console login and this problem are related.

    1. How else can I make sure that .CONF is correct and security realm is using it (Since effect is not coming in ATN log)?

    2. AD users are defined with class ‘person’ and under group ‘ABCUsers’. I have defined principal-name in weblogic.xml as ABCUsers. Is it ok? Or should I define as ‘externally-defined’?

    Regards,

    Posted on 29-Nov-10 at 4:27 pm | Permalink
  47. Mangesh

    Hi Faisal,

    I fixed the above Windows 7 – IE 8 issue, by doing following configuration at Windows 7 client machine:

    Go to Local Security Policy (by typing it in the Run dialog) -> Local Policies -> Security Options -> Network security: Configure encryption types allowed for Kerberos:
    Here, check DES_CBC_CRC, DES_CBC_MD5 and RC4_HMAC_MD5.

    By doing this setting I am able to run Kerberos authentication on the Windows 7 client.

    Thanks,
    Mangesh Khairnar.

    Posted on 30-Nov-10 at 5:30 am | Permalink
  48. rap

    Hi Faisal,

    A couple of questions:-

    Q1. Where is the “SSOrole” defined? Within the AD, or Weblogic? Or is this symbolic?

    Q2. When deploying the web app in weblogic, which deployment option should be used?
    DD Only:
    Custom Roles:
    Custom Roles and Policies:
    Advanced:

    Many thanks

    Posted on 30-Nov-10 at 8:30 pm | Permalink
  49. Administrator

    Users belonging to SSOrole defined in the web.xml are mapped to it in the weblogic.xml.
    This role doesn't exist in WLS.

    You will have to select DD Only if you are following the example.

    Let me know if you have more queries.

    Thanks,
    Faisal

    Posted on 02-Dec-10 at 6:38 am | Permalink
  50. RAP

    Hi Faisal,

    Sorry, but I’m still not fully clear about SSOrole.


    Users belonging to SSOrole defined in the web.xml are mapped to it in the weblogic.xml.

    Could you explain this in more detail? Maybe the sequence of events.

    Is the SSOrole defined in Active Directory (BEAAD)?
    How does WLS determine if a user is in this role?

    Thanks.

    Posted on 02-Dec-10 at 8:08 am | Permalink
  51. Administrator

    Hi Ray,

    This is the mapping

    web.xml

    <auth-constraint>
    <role-name>testrole</role-name>
    </auth-constraint>

    weblogic.xml

    <security-role-assignment>
    <role-name>testrole</role-name>
    <principal-name>testuser</principal-name>
    </security-role-assignment>

    So resources which the role testrole has access to can be accessed by testuser, present in the Authenticator (internal / external (AD)).

    Let me know if you still have doubts.

    Thanks,
    Faisal

    Posted on 04-Dec-10 at 3:56 am | Permalink
  52. Mangesh Khairnar

    Hi Faisal,
    This is Mangesh again.
    I have a query regarding automatic authentication.
    Can you please suggest which is the best way of achieving automatic authentication with less configuration at the weblogic server end. Like, our client is reluctant to do the configurations related to the weblogic server start-up script (JAAS file name configuration and all), and also they don't want to generate the keytab files.

    Please suggest me the possible ways to achieve this.

    Thanks,
    Mangesh Khairnar.

    Posted on 05-Feb-11 at 7:57 am | Permalink
  53. Administrator

    Hi Magnesh,

    Good to see you again :)

    If by automatic authentication you mean Single Sign-on – there are two ways it can be achieved.
    Kerberos, which you have already done.
    Second is SAML. Weblogic provides out-of-the-box providers for SAML.

    Ping me when you are online, we can discuss more on this and what you need.

    Thanks,
    Faisal

    Posted on 07-Feb-11 at 1:13 pm | Permalink
  54. swapna

    This one is the best article on Kerberos with Weblogic Server I have ever seen…Thanks Sirji…

    Posted on 09-Mar-11 at 3:46 am | Permalink
  55. Administrator

    thanks Swapna :)

    Posted on 09-Mar-11 at 1:52 pm | Permalink
  56. Mangesh Khairnar

    Hi Faisal,

    Now I am stuck on one vague issue. As I have successfully configured Kerberos with weblogic server for our application, we are in the QA phase and suddenly some users are able to access the application very inconsistently. Sometimes they get access and after a short duration access is denied to them again.

    Do you think this is a ticket expiration issue, or is there any limitation in AD on the number of users with access to Kerberos tokens?

    Can you please share your ideas on this?
    I am caught up in this big issue, please help me out with this problem.
    As always, I am waiting for your valuable input.

    Thanks,
    Mangesh Khairnar.

    Posted on 29-Mar-11 at 6:14 am | Permalink
  57. Administrator

    Hi Mangesh,

    Is there any pattern to when the users are not able to access the application?
    How often does authentication fail? Is it always for the same set of users?

    Enable SecurityATN and Kerberos Debug on WLS.
    Also check the Windows Event logs.

    You can find some Kerberos tuning parameters here

    http://support.microsoft.com/kb/837361

    Please provide more information on this issue.

    Thanks,
    Faisal

    Posted on 29-Mar-11 at 11:45 am | Permalink
  58. Ann

    Hi,

    Thanks a lot for a very helpful article! I have made it pretty much working; what I wonder about is this. After the SSO user is validated I need to get the user logged into Windows, userA, which is different from the SSO user, and get that userA’s groups from our database. How can I get the currently logged in Windows user?

    Thank you!
    Ann

    Posted on 12-May-11 at 4:27 pm | Permalink
  59. Administrator

    I have not understood your requirement. Can you please elaborate?

    Posted on 14-May-11 at 3:43 am | Permalink
  60. Hui

    Hi there
    1) The last step 7 referred to web.xml and weblogic.xml; are they under the deployed web application? For example, I have configured the weblogic SSO with IBM FileNet Workplace XT; they are under E:\Apps\IBM\FileNet\WebClient\WorkplaceXT\WEB-INF

    IBM FileNet WorkplaceXT uses Form based authentication (container managed); do I need to uncheck the ‘Form based authentication’ as in step 5 to enable the SSO?
    I tried modifying web.xml and weblogic.xml under WorkplaceXT\WEB-INF, and after I restarted Weblogic, I was able to remove the web.xml file, from which I assume weblogic did not really read the web.xml for the application WorkplaceXT; very confused.

    2) Or are you talking about the files under
    E:\bea\wlserver_10.0\server\lib\consoleapp\webapp\WEB-INF
    ???

    Posted on 07-Aug-11 at 11:00 pm | Permalink
  61. Venkat

    Hi Faisal,

    In step 7, you have instructed to configure the user role and user role mapping in weblogic.xml.
    Suppose there are 100 users in my domain; then do we need to configure all users in weblogic.xml?

    For testing this SSO application, do we need to log in to the machine with the “beawin” user, domain BEATEST.COM, and test it?

    Posted on 29-Aug-11 at 3:03 am | Permalink
  62. Zero

    Hi Faisal,

    I am working with WebLogic 10.3.2 connecting to Win2k3. I followed your guide above, the SPN (DES keytab) is validated successfully for every client browser access.

    However, the log shows that WebLogic is still trying to map the client user with its user table, so I added the AD Authenticator and the AD users (including the client) can now be validated with WebLogic.

    But now it gets stuck at the RoleMapping part: it tries to map the client to a WebLogic role, but even if I assign a role to them, it still tries to match the role with the “SSOrole” in web.xml and weblogic.xml (WebLogic simply can’t map the user to “SSOrole” every time I add a condition for it).

    Is it normal to be able to map the client user to the “SSOrole”? Should any of the above steps be removed? Please advise.

    Thanks in advance!

    Regards,
    Zero

    Posted on 30-Aug-11 at 10:26 pm | Permalink
  63. Venkat

    Hi Faisal,
    I have followed the steps which you have provided above except Step 1; I did not enable DES encryption for that user, because ‘kinit’ is throwing an unsupported encryption type exception. So I did not enable DES and carried out the remaining steps.
    (1) Here, the domain controller and ADS are running on Windows 2008 R2. Is this causing the problem with the encryption type? I have not specified any default_tkt_enctypes = des-cbc-crc, default_tgs_enctypes = des-cbc-crc properties in the krb5.ini file.
    (2) The browser is showing an Error 401–Unauthorized response when I tried to access my sample application, and this is the exception from the WL server log…
    com.bea.security.utils.kerberos.KerberosException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!).
    I have been trying for 2 days to solve this problem. Can you please tell me what the problem is?
    (3) Do we need to run the Weblogic server under the “beawin” user?
    (4) Do we need to run the client (browser) under the “beawin” user? Or [can we run under any user who is in the BEATEST.COM domain? If yes, do we need to add that user also in the weblogic.xml file and in the console application?]

    Posted on 02-Sep-11 at 7:17 am | Permalink
  64. Administrator

    Hi,

    I have explained the cause of the following exception in this article

    http://weblogic-wonders.com/weblogic/2010/01/07/troubleshooting-kerberos-issues-with-weblogic-server/

    com.bea.security.utils.kerberos.KerberosException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!).

    Kindly follow all the suggestions provided.

    Ideally you should provide the supported encryption types in the krb5.ini file

    Weblogic Server does not need to run under the beawin user

    It can be any user who can access the application. But that user needs to exist in the authentication provider; that is why customers usually integrate their Active Directory with Weblogic. Also we need to do the role mapping in the weblogic.xml file.

    Let me know if you have further queries.

    Thanks,
    Faisal

    Posted on 17-Sep-11 at 4:36 pm | Permalink
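    Added example, not code from the article or its comments: a small model of the encryption-type negotiation behind the Windows 7 fix in comment 47 and the unsupported-encryption-type problem in comments 63 and 64. The bit values are those of the Windows policy "Network security: Configure encryption types allowed for Kerberos" (registry value SupportedEncryptionTypes) and of the AD attribute msDS-SupportedEncryptionTypes; the keytab contents, the service-account mask and the 0x1C client default are constructed assumptions.

```python
# Constructed example; not from the article or its comments.
# Bit values of the Windows policy "Network security: Configure encryption
# types allowed for Kerberos" (registry DWORD SupportedEncryptionTypes) and of
# the AD attribute msDS-SupportedEncryptionTypes.
ENCTYPE_BITS = {
    "DES_CBC_CRC": 0x1,
    "DES_CBC_MD5": 0x2,
    "RC4_HMAC_MD5": 0x4,
    "AES128_CTS_HMAC_SHA1_96": 0x8,
    "AES256_CTS_HMAC_SHA1_96": 0x10,
}

# The same types as spelled in krb5.ini / krb5.conf enctype lists.
KRB5_NAMES = {
    "DES_CBC_CRC": "des-cbc-crc",
    "DES_CBC_MD5": "des-cbc-md5",
    "RC4_HMAC_MD5": "rc4-hmac",
    "AES128_CTS_HMAC_SHA1_96": "aes128-cts-hmac-sha1-96",
    "AES256_CTS_HMAC_SHA1_96": "aes256-cts-hmac-sha1-96",
}

# DES is broken and RC4 is deprecated: report them instead of allowing silently.
WEAK = {"DES_CBC_CRC", "DES_CBC_MD5", "RC4_HMAC_MD5"}

# Constructed masks. 0x7 is what comment 47 ticks (both DES types plus RC4);
# 0x1C (RC4 + AES128 + AES256) is assumed here for a Windows 7 / 2008 R2
# client that leaves DES unchecked.
MANGESH_CLIENT_MASK = 0x7
WIN7_DEFAULT_MASK = 0x1C


def decode(mask):
    """Names of the encryption types enabled in a SupportedEncryptionTypes mask."""
    return [name for name, bit in ENCTYPE_BITS.items() if mask & bit]


def negotiable(client_mask, service_mask, keytab_types):
    """Types usable end to end: enabled on the client, on the service account,
    and backed by a key in the WebLogic keytab. Strongest first."""
    common = set(decode(client_mask)) & set(decode(service_mask)) & set(keytab_types)
    return [n for n in reversed(list(ENCTYPE_BITS)) if n in common]


def diagnose(client_mask, service_mask, keytab_types):
    """(ok, messages): why a DES-only keytab fails against a client without
    DES, whether the working set is weak, and the krb5.ini lines to pin it."""
    usable = negotiable(client_mask, service_mask, keytab_types)
    if not usable:
        return False, ["no common enctype: client=%s service=%s keytab=%s" % (
            decode(client_mask), decode(service_mask), sorted(keytab_types))]
    msgs = []
    weak = [n for n in usable if n in WEAK]
    if weak:
        msgs.append("weak enctypes in use: " + ", ".join(weak))
    names = " ".join(KRB5_NAMES[n] for n in usable)
    msgs.append("default_tkt_enctypes = " + names)
    msgs.append("default_tgs_enctypes = " + names)
    return True, msgs


if __name__ == "__main__":
    # The article's DES keytab (step 1 + ktab) against the two client policies.
    des_keytab = {"DES_CBC_CRC", "DES_CBC_MD5"}
    for mask in (WIN7_DEFAULT_MASK, MANGESH_CLIENT_MASK):
        ok, msgs = diagnose(mask, 0x7, des_keytab)
        print(hex(mask), ok, msgs)
```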
  65. Administrator

    It's not very clear what exactly you are asking.

    Whatever users you map to SSORole in weblogic.xml will have access to the application.
    If you want users belonging to a group to have access, provide the group name in the principal name. It will work.

    If you want to define custom roles and policies (adding roles from the weblogic console), deploy the application and use custom roles and policies.

    Let me know if I have answered your question.

    Thanks,
    Faisal

    Posted on 17-Sep-11 at 4:40 pm | Permalink
  66. Administrator

    You can provide the group name in the principal-name tag of weblogic.xml and make all users whom you want to give access to a part of that group. It will work. I have answered the second question earlier.

    Posted on 17-Sep-11 at 4:43 pm | Permalink
  67. Administrator

    It should work for other encryption types too… you can debug your issue following this post

    http://weblogic-wonders.com/weblogic/2010/01/07/troubleshooting-kerberos-issues-with-weblogic-server/

    Posted on 23-Mar-12 at 3:07 am | Permalink
  68. Epistole

    Hi Faisal,

    I’m trying to configure SSO on a quite simple application on my WebLogic Server.

    The application can be found on the tutorial page I followed: http://weblogic-wonders.com/weblogic/2009/11/15/configuring-kerberos-with-weblogic-server/

    Here’s my architecture :

    – AD
    OS:Windows 2008R2
    hostname: XXXXXX
    domain : XXXX

    – WLS
    OS : RedHat 5.4
    hostname 1 : XXXX
    hostname 2 : XXXX
    WLS Domain: P8WLAEDom (which has one cluster (xxxx) with two servers (xxxx deployed on xxxxxx and xxxxx deployed on xxxxxx)

    I created the following users in AD to represent the WLS: xxx and xxxxxx
    I created the SPNs for those users, then generate the keytab, customized the krb5.conf on WLS machines.

    The following commands work properly on each WLS machine (each has its own keytab):

    frdevfln11 > kinit -V -k HTTP/xxxxxxx
    Authenticated to Kerberos v5

    frdevfln21 > kinit -V -k HTTP/xxxxxxxx
    Authenticated to Kerberos v5

    Then I followed all the steps described in the tutorial and deployed my testssowebapplication, but I’m still having a “401″ error when trying to access it.

    I’m not sure I have a good Kerberos configuration on my WLS machines; can you tell me if you think I have to change it in order to have only one keytab for all machines, which SPNs to create for which users…

    Thanks for all!!

    Posted on 01-Jun-12 at 11:29 am | Permalink
  69. Administrator

    Hi Nicolas,

    Can you please enable SecurityATN and ATZ debug on Weblogic and share the log files.
    khan.faysal6@gmail.com

    Also capture the http headers and see if the Kerberos token is passed on..

    Which users have access to the application?

    Posted on 05-Jun-12 at 12:51 am | Permalink
  70. Epistole

    Hi Faisal, it seems that your mail address is not valid.

    Best regards,

    Nicolas

    Posted on 05-Jun-12 at 8:05 am | Permalink
  71. Administrator

    Hi Nicolas,

    What address are you trying
    Let me send you test mail.

    Thanks,
    Faisal

    Posted on 09-Jun-12 at 4:04 pm | Permalink
  72. anirudha

    Hi Faisal,

    I was trying to implement SSO using Kerberos for PeopleSoft applications where the web server used is weblogic. I have this strange issue which I have been facing and am unable to debug any further. With the JRockit JDK provided in the weblogic configuration I get the following error.

    Could not load user defined filter in web.xml: com.peoplesoft.pt.desktopsso.kerberos.KerberosSSOFilter.
    java.lang.IllegalArgumentException: No Configuration was registered that can handle the configuration named krbServer
    at com.bea.common.security.jdkutils.JAASConfiguration.getAppConfigurationEntry(JAASConfiguration.java:130)

    However, when I change the JAVA_HOME parameter to the Linux JDK present in /usr/java/jdk it runs fine and I am able to log in to the PeopleSoft application. So is there any specific setting relating to JRockit, that the krb5Login.conf is not being picked up by the code?

    I would appreciate your help
    Thanks
    Anirudha

    Posted on 14-Aug-12 at 9:40 am | Permalink
  73. Administrator

    Hi Anirudha,

    Where have you kept the krb5Login.conf file?
    You can consider giving the full path.

    You are able to log in without providing credentials? SSO working?

    Kindly let me know.

    Thanks,
    Faisal

    Posted on 16-Aug-12 at 4:06 pm | Permalink
  74. anirudha

    Hi Faisal,

    Thanks for your reply.
    Yes I have given the complete path too.
    This is the full command line of the weblogic server. I had modified it to test if it is trying to pick it up from any default location.

    java -jrockit -XnoOpt -XXnoJITInline -Xms512m -Xmx512m -Dtoplink.xml.platform=oracle.toplink.platform.xml.jaxp.JAXPPlatform -Dcom.sun.xml.namespace.QName.useCompatibleSerialVersionUID=1.0 -Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=/etc/krbLogin.conf -Dsun.security.krb5.debug=true -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.security.enableNegotiate=true -Dweblogic.Chunksize=65536 -Djava.util.logging.config.file=/u01/app/psoft89/webserv/PREFRESH/piaconfig/properties/logging.properties -Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.Jdk14Logger -Dweblogic.Name=PIA -Dps_vault=/u01/app/psoft89/webserv/PREFRESH/piaconfig/properties/psvault -Djavax.net.ssl.trustStore=/u01/app/psoft89/webserv/PREFRESH/piaconfig/keystore/pskey -Dweblogic.ProductionModeEnabled=true -Djava.security.policy=/u01/app/psoft89/weblogic/wlserver_10.3/server/lib/weblogic.policy -Dssl.debug=false -Dps_home=/u01/app/psoft89 weblogic.Server

    The file is located in /etc folder and has 777 permissions.
    Yes, the SSO works with the Oracle JDK and I am able to log in directly using AD credentials. But I am not able to do it using the JRockit JDK which is currently used by the weblogic web server.

    Thanks and Regards
    Anirudha Singh

    Posted on 17-Aug-12 at 1:44 am | Permalink
  75. Administrator

    Hi Anirudha,

    Please raise a support request with Oracle and let us know the solution as well.
    Insist that they reproduce the issue locally.

    Regards,
    Faisal

    Posted on 21-Aug-12 at 3:46 pm | Permalink
  76. Pranjal Bathia

    Hi Faisal,

    I am trying to configure SSO for my web application.
    My architecture is as below:
    Active Directory : on Windows server 2008 R2
    Weblogic server 10.3.3.0 : on OEL 5

    I created a keytab file and shared it on Linux for the weblogic domain.
    Kinit is successful, giving the message Authenticated to Kerberos v5.
    AD authentication was successful before configuring Kerberos.

    But when I try to access the application from a Windows client it says:
    Error 401–Unauthorized
    From RFC 2068 Hypertext Transfer Protocol — HTTP/1.1:
    10.4.2 401 Unauthorized
    The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity MAY include relevant diagnostic information. HTTP access authentication is explained in section 11.

    Would you please help me on this.
    Thank you in advance.

    Regards,
    Pranjal

    Posted on 04-Sep-12 at 2:58 am | Permalink
  77. Administrator

    Hi Pranjal,

    Can you capture the http headers and paste it here?
    You can use fiddler or iehttpheaders.

    Thanks,
    Faisal

    Posted on 06-Sep-12 at 9:29 am | Permalink
  78. Pranjal Bathia

    Hi Faisal,

    I resolved the problem. Problem was with setting SPN.
    I resolved this and now it is working as expected.
    Thanks for your response.

    Posted on 07-Sep-12 at 2:12 am | Permalink
  79. Pranjal Bathia

    Hi Faisal,

    I resolved the problem. Issue was with setting the SPN.
    Thank you for your response.

    Regards,
    Pranjal

    Posted on 07-Sep-12 at 2:14 am | Permalink
  80. Jeo Yu

    Trying to configure SSO on Windows 2k8 R2, AD 2k3, BIEE version 11.1.1.6.2 BP1,
    Got Error 401–Unauthorized.
    Checked the bi_server.out log, saw the following and no more; any idea? Please help.

    Thanks
    Yu

    …..
    Commit Succeeded

    Found key for *****.COM(1)
    Found key for *****.COM(3)
    Found key for *****.COM(23)
    Entered Krb5Context.acceptSecContext with state=STATE_NEW

    Posted on 15-Sep-12 at 11:14 pm | Permalink
  81. sandeep

    Hi,

    I tried this approach and it works. But the issue I am facing with this approach is that the user data has to be entered in multiple places, like weblogic.xml and the weblogic internal LDAP which uses the default authenticators.

    So for adding new users I need to change all of these. xml changes mean a restart of the server.

    Mentioning the user data in multiple places is not feasible. Is there any workaround?

    Also for an intranet domain user, the password will expire after, say, every 90 days. Then the same has to be updated in the weblogic user setup. So maintenance is also an issue if I am not wrong.

    Also we have done a little extension to this approach: if the SSO auth fails then the application should redirect to a login page where we do application-specific authentication.

    But for this approach, weblogic is intercepting the request and if auth fails then I am getting a 401 error. I tried other JAAS control flags but they were not much help.

    Any suggestions for this?

    Thanks
    Sandeep

    Posted on 26-Sep-12 at 8:06 am | Permalink
  82. sandeep

    Hi Faisal,

    I am glad I found this site. This is very informative and solved most of my issues configuring SSO with weblogic.

    For SSO using Kerberos the token will be generated only when the user is logged in within the domain/intranet. But for a public URL, say access through the internet, no token exchange will happen and weblogic is throwing a 401 error. But I need the control to be transferred to the application in case the Kerberos auth fails.

    Is it possible to do that?

    Thanks,
    Sandeep

    Posted on 27-Sep-12 at 6:10 am | Permalink
  83. Administrator

    Hi Sandeep,

    I believe I answered it here.

    https://forums.oracle.com/forums/thread.jspa?threadID=2445209&tstart=0

    Thanks,
    Faisal

    Posted on 29-Sep-12 at 10:47 am | Permalink
  84. Administrator

    Hi Sandeep,

    Thanks for posting on our site.

    If you have configured AD, then the policies on AD will hold true.
    In principal name you can specify the name of the group in AD.
    For the third question I have replied to you in the forum..

    Please let me know if you have further questions.

    -Faisal

    Posted on 29-Sep-12 at 10:51 am | Permalink
  85. Administrator

    capture http trace, enable securityATN debug on WLS and mail me the log file at khan.faysal06@gmail.com

    Posted on 29-Sep-12 at 10:55 am | Permalink
  86. Administrator

    thanks Pranjal!

    Posted on 29-Sep-12 at 10:59 am | Permalink
  87. Ankur

    Faisal,

    I am deploying the Documentum application ‘webtop’ as a war file in WLS 10.3.3.

    Now I am setting up Kerberos and I need to add certain parameters in start-up script.

    Here are the parameters I am adding :-

    _____________________________________________________

    JAVA_OPTIONS="${JAVA_OPTIONS} -Djava.security.krb5.conf="/etc/krb5/krb5.conf"
    -Djava.security.auth.login.config="/webtop/WEB-INF/krb5Login.conf"
    -Djavax.security.auth.useSubjectCredsOnly=false"
    export JAVA_OPTIONS

    _____________________________________________________

    The line -Djava.security.auth.login.config is referring to the file krb5Login.conf that resides inside the WEB-INF folder of the war file. The Kerberos application is not able to recognise this path inside the war file.

    I am getting this error :-
    No Configuration was registered that can handle the configuration named HTTP-Appserver-test-company-com
    java.lang.IllegalArgumentException: No Configuration was registered that can handle the configuration named HTTP-Appserver-test-company-com
    at com.bea.common.security.jdkutils.JAASConfiguration.getAppConfigurationEntry(JAASConfiguration.java:130)

    Any help appreciated.

    Posted on 01-Nov-12 at 12:26 pm | Permalink
  88. Administrator

    Why don’t you place the krb5Login.conf at some other location and give the full path instead of keeping it in the war file?

    Posted on 04-Nov-12 at 1:31 pm | Permalink
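    Added example, not code from the post or from WebLogic: a preflight check for the JVM options this thread keeps coming back to. It parses the -D properties out of a command line or JAVA_OPTIONS string, checks that the krb5 and login config paths are absolute and exist on disk (comment 87's file sits inside the WAR), and confirms the JAAS entry name the server asks for exists in the login config, which is what the "No Configuration was registered that can handle the configuration named X" error in comments 72 and 87 reports. The krb5Login.conf contents, realm, principal and file paths are constructed placeholders.

```python
import os
import re
import tempfile

# Constructed example; not from the article or its comments. None = any value.
REQUIRED = {
    "java.security.krb5.conf": None,
    "java.security.auth.login.config": None,
    "javax.security.auth.useSubjectCredsOnly": "false",
    "weblogic.security.enableNegotiate": "true",
}
# -Dname=value with an optionally quoted value, so Windows paths
# (D:\bea922\...) and the quoted form in comment 87 both parse.
_D_OPT = re.compile(r'-D([\w.]+)=("[^"]*"|\'[^\']*\'|\S+)')
_JAAS_ENTRY = re.compile(r"^\s*([\w.\-]+)\s*\{", re.MULTILINE)  # "name {"

def parse_d_options(cmdline):
    """Map of -D system properties in a java command line or JAVA_OPTIONS."""
    return {n: v.strip("\"'") for n, v in _D_OPT.findall(cmdline)}

def preflight(cmdline, wanted_entries):
    """Problems that end in an ignored login config or in 'No Configuration was
    registered that can handle the configuration named X'. Empty list = OK."""
    opts = parse_d_options(cmdline)
    problems = []
    for name, expected in REQUIRED.items():
        if name not in opts:
            problems.append("missing -D%s" % name)
        elif expected is not None and opts[name].lower() != expected:
            problems.append("-D%s must be %s, got %s" % (name, expected, opts[name]))
    for name in ("java.security.krb5.conf", "java.security.auth.login.config"):
        path = opts.get(name)
        if path is not None and not os.path.isabs(path):
            problems.append("-D%s is a relative path: %s" % (name, path))
        elif path is not None and not os.path.isfile(path):
            # Typical cause: the file is packed inside the WAR (comment 87).
            problems.append("-D%s not found on disk: %s" % (name, path))
    login = opts.get("java.security.auth.login.config")
    if login and os.path.isfile(login):
        with open(login) as fh:
            names = _JAAS_ENTRY.findall(fh.read())
        for entry in wanted_entries:
            if entry not in names:
                problems.append("no JAAS entry '%s' in %s; found %s" % (entry, login, names))
    return problems

def write_sample_config(dirpath):
    """Write a constructed krb5.conf and krb5Login.conf (placeholder realm,
    principal and keytab) into dirpath; returns their paths."""
    krb5 = os.path.join(dirpath, "krb5.conf")
    login = os.path.join(dirpath, "krb5Login.conf")
    keytab = os.path.join(dirpath, "placeholder.keytab")
    entry = ("%s {\n  com.sun.security.auth.module.Krb5LoginModule required\n"
             '  principal="svc-placeholder@EXAMPLE.TEST" useKeyTab=true\n'
             '  keyTab="%s" storeKey=true;\n};\n')
    with open(krb5, "w") as fh:
        fh.write("[libdefaults]\n  default_realm = EXAMPLE.TEST\n")
    with open(login, "w") as fh:
        fh.write(entry % ("com.sun.security.jgss.initiate", keytab))
        fh.write(entry % ("com.sun.security.jgss.accept", keytab))
    return krb5, login

def java_options(krb5_conf, login_conf):
    """The -D set the article adds to the start script, as one string."""
    return ("-Djava.security.krb5.conf=%s -Djava.security.auth.login.config=%s "
            "-Djavax.security.auth.useSubjectCredsOnly=false "
            "-Dweblogic.security.enableNegotiate=true" % (krb5_conf, login_conf))

def demo():
    """Correct set; wrong entry name from comment 72; in-WAR path from comment 87."""
    krb5, login = write_sample_config(tempfile.mkdtemp())
    jgss = ["com.sun.security.jgss.initiate", "com.sun.security.jgss.accept"]
    return (preflight(java_options(krb5, login), jgss),
            preflight(java_options(krb5, login), ["krbServer"]),
            preflight(java_options(krb5, "/webtop/WEB-INF/krb5Login.conf"), jgss))
```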
  89. Administrator

    thanks for letting us know Pranjal!

    Posted on 04-Nov-12 at 1:42 pm | Permalink
