Details

Domain Name: BEATEST.COM
Domain Controller Name: BEAAD (This machine runs Active Directory)
WL Server Machine Name: beaiis (This machine runs Weblogic server).

For BEAAD:

Username: beauser
Password:

For beaiis:

Username: beaiis
Password: Secure04

Steps on Domain Controller (BEAAD)

1) Create a User beawin in Active Directory. Go to user properties > account and under account options, select Use DES encryption types for this account. After this, reset the password for this user.

2) Set the Service Principal Name for the WebLogic host on the beawin account.

setspn -a HTTP/beaiis.BEATEST.COM beawin

3) Test the service principal name.

setspn -L beawin

4) Generate a keytab using ktab.

ktab -k beawin.keytab -a beawin@BEATEST.COM

5) Test the keytab file.

klist -k beawin.keytab

Note: klist is a JDK utility.

6) Copy the generated keytab file (beawin.keytab) to the domain directory of WebLogic:
D:\bea922\user_projects\domains\Kerberos_New

7) Place the krb5.ini file in the C:\winnt folder. The content of the file is shown later in the document.

Steps on Machine Hosting Weblogic Server (beaiis)

1) Set the environment and run the kinit utility.

java -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit -k -t D:\bea922\user_projects\domains\Kerberos_New\beawin.keytab beawin@BEATEST.COM

This should obtain a ticket-granting ticket for beawin from the KDC and place it in a credentials cache (krb5cc_<user>) in the user's home folder.

2) Make sure you have all the parameters correctly set in

C:\WinNT\krb5.ini

krb5.ini

[libdefaults]
default_realm = BEATEST.COM
kdc_timesync = 1
ccache_type = 4
ticket_lifetime = 600
clockskew = 1200

[realms]
BEATEST.COM = {
kdc = 192.168.1.1
admin_server = BEAAD
default_domain = BEATEST.COM
}

[domain_realm]
.beatest.com = BEATEST.COM

[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true

3) Create a krb5login.conf file with the following entries in your domain directory D:\bea922\user_projects\domains\Kerberos_New. Use plain ASCII double quotes around the principal; typographic quotes are not recognised by the JAAS configuration parser.

krb5login.conf

com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required
principal="beawin@BEATEST.COM" useKeyTab=true
keyTab=beawin.keytab storeKey=true debug=false;
};
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required
principal="beawin@BEATEST.COM" useKeyTab=true
keyTab=beawin.keytab storeKey=true debug=false;
};
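As an added check (not part of the article or of WebLogic), the following Python script parses a JAAS login configuration like the krb5login.conf above and reports the mistakes that typically break the keytab login: typographic quotes picked up when the file is copied from a web page, a missing initiate/accept entry, a principal without a realm, a lower-case realm, or useKeyTab/keyTab not set. The entry names are a parameter because a JDK 6 setup uses com.sun.security.jgss.krb5.initiate/accept instead; the sample configurations inside the script are constructed.

```python
"""Check a JAAS login configuration (krb5login.conf) used for WebLogic Kerberos SSO.

Added example, not part of the article or of the JDK. Option values are assumed
to contain no whitespace, which holds for the Krb5LoginModule options used here.
"""
import re
from typing import Dict, List, Sequence

KRB5_MODULE = "com.sun.security.auth.module.Krb5LoginModule"
# Quote characters that look right in a browser but are not quotes to the JAAS parser.
SMART_QUOTES = "\u201c\u201d\u2018\u2019"
# <name> { <module> <flag> key=value ... ; };
ENTRY_RE = re.compile(r"([\w.]+)\s*\{(.*?)\}\s*;", re.S)

# The configuration from the article, with plain ASCII quotes (constructed sample).
GOOD_CONFIG = """\
com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="beawin@BEATEST.COM" useKeyTab=true
    keyTab=beawin.keytab storeKey=true debug=false;
};
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="beawin@BEATEST.COM" useKeyTab=true
    keyTab=beawin.keytab storeKey=true debug=false;
};
"""
# The same file after a copy-paste turned the quotes typographic (constructed sample).
BROKEN_CONFIG = GOOD_CONFIG.replace('"', "\u201d")


def parse_login_config(text: str) -> Dict[str, Dict[str, str]]:
    """Return {entry name: {"module": ..., "flag": ..., option: value, ...}}."""
    entries: Dict[str, Dict[str, str]] = {}
    for name, body in ENTRY_RE.findall(text):
        tokens = body.strip().rstrip(";").split()
        if len(tokens) < 2:
            raise ValueError(f"entry {name}: expected '<module> <flag> [key=value ...];'")
        entry = {"module": tokens[0], "flag": tokens[1]}
        for tok in tokens[2:]:
            key, _, value = tok.partition("=")
            entry[key] = value.strip('"')
        entries[name] = entry
    return entries


def check_login_config(
    text: str,
    required_entries: Sequence[str] = ("com.sun.security.jgss.initiate",
                                       "com.sun.security.jgss.accept"),
) -> List[str]:
    """Return a list of problems; an empty list means the file looks usable."""
    problems: List[str] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        bad = [ch for ch in line if ch in SMART_QUOTES]
        if bad:
            problems.append(f"line {lineno}: typographic quote U+{ord(bad[0]):04X}; "
                            "use plain ASCII double quotes")
    entries = parse_login_config(text)
    for name in required_entries:
        entry = entries.get(name)
        if entry is None:
            problems.append(f"missing entry {name}")
            continue
        if entry["module"] != KRB5_MODULE:
            problems.append(f"{name}: module is {entry['module']}, expected {KRB5_MODULE}")
        if entry["flag"] != "required":
            problems.append(f"{name}: control flag is {entry['flag']}, expected required")
        if entry.get("useKeyTab") != "true" or not entry.get("keyTab"):
            problems.append(f"{name}: keytab login needs useKeyTab=true and keyTab=<file>")
        principal = entry.get("principal", "")
        if "@" not in principal:
            problems.append(f"{name}: principal must carry the realm, e.g. beawin@BEATEST.COM")
        elif principal.split("@", 1)[1] != principal.split("@", 1)[1].upper():
            problems.append(f"{name}: realm in {principal} is not upper case; realms are case-sensitive")
    return problems


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, check_login_config(cfg) or "OK")
```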

4) Add the following parameters in the startup script startweblogic.cmd

-Djava.security.auth.login.config=krb5login.conf -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.security.enableNegotiate=true

5) Configure NegotiateIdentityAsserter from the console

Home > Summary of Security Realms > myrealm > Providers > Authentication >
Create new NegotiateIdentityAsserter

Leave the default Active Types
Under Provider Specific, uncheck Form Based Negotiation Enabled

Activate the changes and restart the server.

6) Create a user beawin in WebLogic Server.

7) Deploy the web application with the following descriptors.

web.xml

<web-app>
<display-name>SEC81</display-name>
<security-constraint>
<display-name>Security Constraint for SSO </display-name>
<web-resource-collection>
<web-resource-name>My webapp</web-resource-name>
<description>Group of Users</description>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>SSOrole</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role>
<description>Role description</description>
<role-name>SSOrole</role-name>
</security-role>
</web-app>

weblogic.xml

<weblogic-web-app>
<security-role-assignment>
<role-name>SSOrole</role-name>
<principal-name>beawin</principal-name>
</security-role-assignment>
</weblogic-web-app>

8) Deploy the web app in WebLogic.
9) Start the WebLogic server.

Configuring Internet Explorer

NOTE: THESE STEPS NEED TO BE DONE ON EACH CLIENT MACHINE THAT BROWSES THE PROTECTED WEB APPLICATION

1. Go to Tools > Internet Options.
2. Select the “Security” tab.
3. Click on the “Local intranet” icon. This enables the “Sites” button.
4. Click the “Sites” button. This shows a “Local intranet” popup.
5. Make sure the option “Include all local (intranet) sites not listed in other zones” is selected (Windows XP only).
6. Click the “Advanced” button. In the new popup window add the URL of the machine hosting WebLogic.
7. Click OK to save your settings.
8. In the “Security” tab, click the “Custom Level” button.
9. In the “Security Settings” dialog, under the “User Authentication” section, make sure the “Automatic logon only in Intranet zone” option is selected.
10. Click OK to save your settings.
11. Go to the “Connections” tab > LAN Settings.
12. If a proxy server is enabled, click the “Advanced” button and make sure the URL of the machine hosting WebLogic is added to the “Exceptions” box.
13. In the “Internet Options > Advanced” tab, make sure the “Enable Integrated Windows Authentication (requires restart)” option is checked. Click “OK”. (If this option was not selected previously, you need to close all browser instances for the setting to take effect.)

94 thoughts on “Configuring Kerberos with Weblogic Server”

  1. Another nice post…Keep it coming….

    We hope you just keep such interesting/ informative articles…

  2. Hi Faisal, great post….
    Keep up the good work

  3. BusyNut on November 15, 2009 at 5:32 pm said:

    Good.. though I didn't understand completely… will be useful for my future reference ;)

  4. Faisal Khan on November 16, 2009 at 7:41 am said:

    Thanks everyone! :)

  5. Faisal

    Need ur assistance yet again…

    This time within my project

    and one more suggestion

    Do update blog with your mobile number…

    I need to contact you fast and how ??

  6. Hi Faisal .. its a nice article indeed. Is it possible for you to share the sample webapp you used for it ?

    Arun (shekhawataru@gmail.com)

  7. Faisal,

    In your jaas conf file, do you mean to reference beawin.keytab instead of mykeytab?

    Have you tried this with WLS 10gR3 on JDK1.6? If so, did you use com.sun.security.jgss.initiate or com.sun.security.krb5.accept?

    I understand JDK1.6 will look for krb5.ini in c:/windows. Can you confirm?

    Did you use AD2003 or later? Have you heard of problems getting AD to create DES, rather than default RC4? Could WebLogic consume RC4 since it runs on JDK 1.6 now?

    Is there any restriction in running the AD Authentication provider instead of Default Authenticator?

  8. Faisal Khan on January 7, 2010 at 8:08 pm said:

    In your jaas conf file, do you mean to reference beawin.keytab instead of mykeytab?

    Good Catch.. yes..

    Have you tried this with WLS 10gR3 on JDK1.6? If so, did you use com.sun.security.jgss.initiate or com.sun.security.krb5.accept?

    Yes I have tried, and I had to use com.sun.security.krb5.accept

    Did you use AD2003 or later?

    I tried on AD2K3.

    Have you heard of problems getting AD to create DES, rather than default RC4?

    I have not come across this problem before, you can try the option below.

    In order to use RC4-HMAC, you'll need to update the Kerberos configuration file to specify the encryption type.

    default_tkt_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac

    Ref: http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/jgss-features.html

    Is there any restriction in running the AD Authentication provider instead of Default Authenticator?

    No

  9. Faisal Khan on January 12, 2010 at 3:39 pm said:

    Sorry it was..

    com.sun.security.jgss.krb5.initiate & com.sun.security.jgss.krb5.accept

  10. biaymy on January 29, 2010 at 3:25 pm said:

    How can we make kerberos integration in weblogic portal for sso? will we have to make changes in weblogic.xml and web.xml for Weblogic portal too?

  11. Faisal Khan on January 30, 2010 at 10:02 am said:

    Yes, we need to modify the principal name in weblogic.xml in the same way.. for e.g. I log on the System as beawin, then the principal name should be beawin or the group to which it belongs..

  13. haljordan5 on February 18, 2010 at 8:57 pm said:

    Excellent tutorial, but I am having some trouble getting this to work. On my client, I get a 401 error, and the following is displayed on the app server log.

    Feb 18, 2010 2:57:19 PM EST Debug SecurityAtn BEA-000000 com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter.getChallengeToken(WWW-Authenticate.Negotiate)

  14. Michael Chiu on May 13, 2010 at 3:50 am said:

    Hi Faisal,

    Trusting SSO will work when following your detailed steps above.

    Our next goal is to authorize users in MS AD to web applications on WLP according to their group and role in MS AD.

    Could you please provide detailed steps about configuring AD authentication provider on WLS and WLP Entitlement etc? Also, what needs to be done to deploy WLS applications and web services to WLS and WLP?

    Also, how can users access Oracle 10.1.2 ADF web applications through the current version of WLP and WLS?

    Thank you in advance.
    Regards,
    Michael

  15. Administrator on May 13, 2010 at 5:23 am said:

    Our next goal is to authorize users in MS AD to web applications on WLP according to their group and role in MS AD.

    This can be done by specifying

    principal-name as AD Group Name in the web.xml

    Could you please provide detailed steps about configuring AD authentication provider on WLS and WLP Entitlement etc?

    Also, what needs to be done to deploy WLS applications and web services to WLS and WLP?

    Many ways u can deploy – go through weblogic documentation. U can use ant wldeploy, u can place the app in autodeploy folder, u can browse from the console and upload the app…

    Run the WLST script after modifying the parameters. Its the simplest way to do. U can also do it from the console.

    Also, how can users access Oracle 10.1.2 ADF web applications through the current version of WLP and WLS?

    Once Kerberos Configuration is successful, Users can access the application directly without authenticating.

  16. Michael Chiu on May 13, 2010 at 7:11 am said:

    Hi Faisal,

    I have just had a look at your other link about Web Center and OES. Can I assume that the SSO you described above applies to both WLP and Web Center?

    Please advise.
    Thanks,
    Regards,
    Michael

  17. Administrator on May 13, 2010 at 2:12 pm said:

    It applies for WLP, Web Center I'm not sure…
    Which link are u talking about?

  18. Michael Chiu on May 13, 2010 at 11:24 pm said:

    I am talking about this link:
    Configuring Kerberos with Weblogic Server

  19. Michael Chiu on May 17, 2010 at 1:23 am said:

    Hi Faisal,

    In the above description:

    1) Create a User beawin in Active Directory. Go to user properties > account and under account options, select Use DES encryption types for this account. After this, reset the password for this user.

    If we have a thousand users, do we need to duplicate all lines with beawin in the above description for each user?

    Please advise,
    Thanks,
    Regards,
    Michael

  20. Michael Chiu on May 17, 2010 at 1:43 am said:

    To me, beawin is the SPN for the WLS box, beaiis, instead for an end user.

  21. Administrator on May 17, 2010 at 4:04 am said:

    u answered your own question :)

    you register your service with beawin. for one service there can be only one user. beawin in this case.

    Let me know if you still have any queries.

  22. Michael Chiu on May 17, 2010 at 7:00 am said:

    Hi, Thank you very much for your help. When we have our LDAP and WLS platforms set up, we will try out our understanding and get back to you. Regards, Michael

  23. Hi Faisal,

    I have read this article and i do have a question about authorization when using this kerberos authentication. Since the user is able to login to the app without providing userid/pwd, how can we identify the user logged into the application. After identifying the user, how to get the LDAP group of this user?

    Thanks in advance.

    • Hi Santhoshi,

      You can get the authenticated user information from the request object
      request.getRemoteUser()

      To get the groups, you can try this.

      import java.security.Principal;
      import java.util.Iterator;
      import java.util.Set;
      import javax.security.auth.Subject;
      import weblogic.security.Security;

      // Subject of the caller that the NegotiateIdentityAsserter authenticated
      Subject subject = Security.getCurrentSubject();
      Set principals = subject.getPrincipals();
      Iterator it = principals.iterator();
      while (it.hasNext()) {
          // WLSUser principals carry the user name, WLSGroup principals the group names
          Principal pr = (Principal) it.next();
          System.out.println("Name " + pr.getName() + " String== " + pr.toString());
      }

      Let me know if it helps.

      Thanks,
      Faisal

  24. Mangesh on November 23, 2010 at 7:26 am said:

    I have done the configuration as stated above, but whenever trying to access my application I am getting following error.

    Error 401–Unauthorized
    From RFC 2068 Hypertext Transfer Protocol — HTTP/1.1:
    10.4.2 401 Unauthorized
    The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity MAY include relevant diagnostic information. HTTP access authentication is explained in section 11.

    Please help me out this problem.

    • Mangesh on November 24, 2010 at 6:51 am said:

      Hi Faisal,

      This is additional information I am providing, so that it will help you find out the real cause of the error.

      Following is the HTTP Header trace when I am trying to access my application:

      GET /adamapp/ HTTP/1.1
      Accept: */*
      Accept-Language: en-us
      UA-CPU: x86
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152)
      Host: its37:7012
      Connection: Keep-Alive
      Cookie: ADMINCONSOLESESSION=M8bLMsxcCzLDPqz1Lj6tQLlKTbGGnN6YGJRhWLL7VWb7k7Qx2CF9!-1008954312; JSESSIONID=MSBnMszVF3pN6pfZ2RDlPQHmLVWgBhQjFF821qYQm1XKmvkck1DL!-1008954312

      HTTP/1.1 401 Unauthorized
      Cache-Control: no-cache=”Set-Cookie”
      Connection: close
      Date: Wed, 24 Nov 2010 11:17:11 GMT
      Content-Length: 1518
      Content-Type: text/html
      WWW-Authenticate: Negotiate
      Set-Cookie: JSESSIONID=TNT5Ms0XNZdDjtKDCQTTdXqnbRJ5Tnt28SJM9WLQJswJ8fHn2HRy!-1008954312; path=/
      X-Powered-By: Servlet/2.5 JSP/2.1

      GET /adamapp/ HTTP/1.1
      Accept: */*
      Accept-Language: en-us
      UA-CPU: x86
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152)
      Host: its37:7012
      Connection: Keep-Alive
      Cookie: ADMINCONSOLESESSION=M8bLMsxcCzLDPqz1Lj6tQLlKTbGGnN6YGJRhWLL7VWb7k7Qx2CF9!-1008954312; JSESSIONID=TNT5Ms0XNZdDjtKDCQTTdXqnbRJ5Tnt28SJM9WLQJswJ8fHn2HRy!-1008954312
      Authorization: Negotiate TlRMTVNTUAABAAAAB7IIogkACQAtAAAABQAFACgAAAAFASgKAAAAD0lUUzM3SVRTSEFTVFJB

      HTTP/1.1 401 Unauthorized
      Connection: close
      Date: Wed, 24 Nov 2010 11:17:11 GMT
      Content-Length: 1518
      Content-Type: text/html
      X-Powered-By: Servlet/2.5 JSP/2.1

      Thanks,
      Mangesh
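The second request in the trace above carries an Authorization: Negotiate token that begins with TlRMTVNTUAAB, the base64 form of "NTLMSSP\0" followed by message type 1: the browser fell back to NTLM instead of sending a Kerberos/SPNEGO token, which the Negotiate Identity Asserter only handles for SPNEGO/Kerberos, so the server answers 401 again. The following added example (not part of the post or of WebLogic) classifies such a token from its first bytes and maps the result to the defender-side check to run next; the trace's token is embedded as a sample, the SPNEGO and Kerberos samples are constructed.

```python
"""Tell an NTLM fallback from a real SPNEGO/Kerberos token in 'Authorization: Negotiate'.

Added example, not part of the post or of WebLogic. Only the first bytes of the
token are inspected; nothing is decrypted or replayed.
"""
import base64

NTLM_SIGNATURE = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
# DER-encoded OIDs that open a GSS-API initial context token (RFC 2743, section 3.1)
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2

# Token taken from the second request in the trace above.
TRACE_HEADER = "Negotiate TlRMTVNTUAABAAAAB7IIogkACQAtAAAABQAFACgAAAAFASgKAAAAD0lUUzM3SVRTSEFTVFJB"
# Constructed minimal SPNEGO wrapper (NegTokenInit with no inner ticket).
SPNEGO_HEADER = "Negotiate " + base64.b64encode(b"\x60\x0a" + SPNEGO_OID + b"\xa0\x00").decode()
# Constructed raw Kerberos mechanism header (just the OID, no AP-REQ body).
KRB5_HEADER = "Negotiate " + base64.b64encode(b"\x60\x0b" + KRB5_OID).decode()


def classify_negotiate_token(header_value: str) -> str:
    """Return 'ntlm:<message type>', 'spnego', 'kerberos' or 'unknown'."""
    scheme, _, b64 = header_value.strip().partition(" ")
    b64 = b64.strip()
    if scheme.lower() != "negotiate" or not b64:
        raise ValueError("not an 'Authorization: Negotiate <token>' header")
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    if raw.startswith(NTLM_SIGNATURE) and len(raw) >= 12:
        msg_type = int.from_bytes(raw[8:12], "little")   # NTLM message type is little-endian
        return "ntlm:" + NTLM_TYPES.get(msg_type, str(msg_type))
    if len(raw) > 2 and raw[0] == 0x60:                  # [APPLICATION 0] InitialContextToken
        first = raw[1]
        oid_at = 2 if first < 0x80 else 2 + (first & 0x7F)   # skip the DER length bytes
        if raw[oid_at:].startswith(SPNEGO_OID):
            return "spnego"
        if raw[oid_at:].startswith(KRB5_OID):
            return "kerberos"
    return "unknown"


def explain(kind: str) -> str:
    """Map the token kind to the check on the server or client side that usually resolves it."""
    if kind.startswith("ntlm:"):
        return ("browser fell back to NTLM: it got no Kerberos service ticket for the HTTP SPN. "
                "Check setspn -L for HTTP/<host name used in the URL>, that the site is in IE's "
                "Local intranet zone, and that the client and KDC clocks agree.")
    if kind in ("spnego", "kerberos"):
        return ("Kerberos token received; if the server still answers 401, check the keytab, "
                "the krb5login.conf accept entry and the enctypes (DES vs RC4) on both sides.")
    return "not a GSS-API token; check that nothing in between rewrites the Authorization header."


if __name__ == "__main__":
    kind = classify_negotiate_token(TRACE_HEADER)
    print(kind, "->", explain(kind))
```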

  25. Mangesh on November 25, 2010 at 2:24 am said:

    Hi Faisal,

    When I am running the klist command it's giving the below details, are these details as per expectations?:

    Credentials cache: C:\Documents and Settings\mangesh\krb5cc_mangesh

    Default principal: beawin@ITSHASTRA.LOCAL, 1 entry found.

    [1] Service Principal: krbtgt/ITSHASTRA.LOCAL@ITSHASTRA.LOCAL
    Valid starting: Nov 25, 2010 12:16
    Expires: Nov 25, 2010 22:16

  26. Mangesh on November 25, 2010 at 7:04 am said:

    Now I think I have gained some progress.

    Now the HTTP Headers are showing:

    GET /adamapp/ HTTP/1.1

    Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
    Accept-Language: en-us
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
    Accept-Encoding: gzip, deflate
    Host: its37:7015
    Connection: Keep-Alive
    Cookie: JSESSIONID=6pvKMnFp0pR6qLgQ2pkr1JfBwCCTyzLg9hmdpbPS1JXBmrGJvhpv!1053817966

    HTTP/1.1 401 Unauthorized
    Cache-Control: no-cache=”Set-Cookie”
    Connection: close

    Date: Thu, 25 Nov 2010 11:20:51 GMT

    Content-Length: 1518
    Content-Type: text/html
    WWW-Authenticate: Negotiate

    Set-Cookie: JSESSIONID=GjpNMnGTK1TL27DQTHLDPc5NkqXp92pvbP1WRQgkhcPCLDqpDH7H!659302533; path=/

    X-Powered-By: Servlet/2.5 JSP/2.1

    GET /adamapp/ HTTP/1.1

    Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
    Accept-Language: en-us
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
    Accept-Encoding: gzip, deflate
    Host: its37:7015
    Connection: Keep-Alive
    Authorization: Negotiate [token omitted]
    Cookie: JSESSIONID=GjpNMnGTK1TL27DQTHLDPc5NkqXp92pvbP1WRQgkhcPCLDqpDH7H!659302533

    HTTP/1.1 401 Unauthorized
    Connection: close

    Date: Thu, 25 Nov 2010 11:20:51 GMT

    Content-Length: 1518
    Content-Type: text/html
    X-Powered-By: Servlet/2.5 JSP/2.1

    But at the server console I am getting below error:

    It will be very helpful if you provide any input for the above problem

  27. Mangesh on November 25, 2010 at 7:05 am said:

    The error at background:

  28. Mangesh on November 25, 2010 at 7:15 am said:

    My start-up script contains:

    @ECHO OFF

    @REM WARNING: This file is created by the Configuration Wizard.
    @REM Any changes to this script may be lost when adding extensions to this configuration.

    SETLOCAL

    set DOMAIN_HOME=C:\bea\user_projects\domains\kerberos_domain

    set JAVA_OPTIONS=%JAVA_OPTIONS% -Djava.security.auth.login.config=C:\bea\user_projects\domains\kerberos_domain\krb5login.conf
    set JAVA_OPTIONS=%JAVA_OPTIONS% -Djavax.security.auth.useSubjectCredsOnly=false
    set JAVA_OPTIONS=%JAVA_OPTIONS% -Djava.security.krb5.realm=ITSHASTRA.LOCAL
    set JAVA_OPTIONS=%JAVA_OPTIONS% -Djava.security.krb5.kdc=192.168.1.204
    set JAVA_OPTIONS=%JAVA_OPTIONS% -Dweblogic.security.enableNegotiate=true
    set JAVA_OPTIONS=%JAVA_OPTIONS% -Dweblogic.StdoutDebugEnabled=true
    set JAVA_OPTIONS=%JAVA_OPTIONS% -Dsun.security.krb5.debug=true

    call "%DOMAIN_HOME%\bin\startWebLogic.cmd" %*

    ENDLOCAL

    Then also I am getting below exception:

    Exception com.bea.common.security.internal.utils.negotiate.NegotiateTokenException: java.lang.IllegalArgumentException: No Configuration was registered that can handle the configuration named com.sun.security.jgss.krb5.accept

    Can there be any other cause.

  29. Mangesh on November 25, 2010 at 8:17 am said:

    Hi Faisal,

    Is it mandatory to login with the user which we have added for wls in active directory.
    For example: Should I login the server with beawin user and then start the weblogic server?

    Presently I am not login with beawin user,
    is it the issue?

  30. Mangesh on November 25, 2010 at 9:04 am said:

    Finally I was able to do it!!!
    There was an issue: the double quotes used were not supported (they had some different encoding).

    As you can observe:

    My krb5Login.conf file contains:

    com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    principal=”beawin@ITSHASTRA.LOCAL” useKeyTab=true
    keyTab=beawin.keytab storeKey=true debug=false;
    };
    com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    principal=”beawin@ITSHASTRA.LOCAL” useKeyTab=true
    keyTab=beawin.keytab storeKey=true debug=false;
    };

    Now I modified it to:

    My krb5Login.conf file contains:

    com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="beawin@ITSHASTRA.LOCAL" useKeyTab=true
    keyTab=beawin.keytab storeKey=true debug=false;
    };
    com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="beawin@ITSHASTRA.LOCAL" useKeyTab=true
    keyTab=beawin.keytab storeKey=true debug=false;
    };

    But it was all possible only because of you.
    Hats off to your knowledge and valuable support.
    Will catch you soon, when I will move in next phase of role base authentication.

  31. Hi Faisal,

    I am trying to configure SSO on WebLogic 10.3 (on Windows XP, jdk 1.6) with Active Directory. I successfully added the ActiveDirectory authenticator and I am able to see the users and groups of AD.

    Now if I add NegotiateIdentityAsserter and the restart the server, I am not able to log on the WLS console. If I remove the entry for NegotiateIdentityAsserter from config.xml I can logon in the WLS console.

    I have followed other steps of generating keytab and .conf files and adding the startup parameters in WLS startup file.
    Even the kinit test also passed. What could be the reason? Why is my console login affected? If you need further info please tell me.
    Regards,

    • Administrator on November 27, 2010 at 4:45 am said:

      Hi Priyankar,

      Have u unchecked Form Based Negotiation Enabled under Provider Specific tab of Negotiate Identity Asserter?
      Enable Security Debug (ATN) and paste the relevant part of the log file here..

      Thanks,
      Faisal

      • Hi,

        Yes, Form Based Negotiation is unchecked.

        Below is the ATN log, but it is not saying too much. Console login id is not an user in AD or local machine, It is just a WLS Login ID.

        Control Flag is OPTIONAL for ADAuthenticator and SUFFICIENT for DefaultAuthenticator

        Ordering is Negotiate, AD, Default Authenticator and Default Asserter

        ######ATN Log for Server Startup ######

        #### Log For Console Login ######

        • It seems log is blocked..pasting again
          ######ATN Log for Server Startup ######
          weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
          weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
          Beginning getServletAuthenticationFilters.
          PrincipalAuthenticator.getServletAuthenticationFilters will use WLS-specific security service
          weblogic.security.service.internal.ServletAuthenticationFilterServiceImpl$ServiceImpl.getServletAuthenticationFilters
          Active type # 0 WWW-Authenticate.Negotiate
          Active type # 1 Authorization.Negotiate
          Initializing Negotiate filter
          weblogic.security.service.internal.ServletAuthenticationFilterServiceImpl$ServiceImpl.getServletAuthenticationFiltersProvider[0] added 1 filters.
          weblogic.security.service.internal.ServletAuthenticationFilterServiceImpl$ServiceImpl.getServletAuthenticationFilters Returning 1 filters.
          weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
          weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
          weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
          weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
          weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
          weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
          weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
          weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
          weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
          weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
          weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
          weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
          weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
          Beginning getServletAuthenticationFilters.
          PrincipalAuthenticator.getServletAuthenticationFilters will use WLS-specific security service
          weblogic.security.service.internal.ServletAuthenticationFilterServiceImpl$ServiceImpl.getServletAuthenticationFilters
          Active type # 0 WWW-Authenticate.Negotiate
          Active type # 1 Authorization.Negotiate
          Initializing Negotiate filter
          weblogic.security.service.internal.ServletAuthenticationFilterServiceImpl$ServiceImpl.getServletAuthenticationFiltersProvider[0] added 1 filters.
          weblogic.security.service.internal.ServletAuthenticationFilterServiceImpl$ServiceImpl.getServletAuthenticationFilters Returning 1 filters.
          weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
          weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
          weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
          weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
          weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
          weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
          weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
          weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
          weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
          weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
          weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity
          weblogic.security.service.internal.WLSIdentityServiceImpl.getCurrentIdentity

          #### Log For Console Login Attempt ######

          com.bea.common.security.internal.service.ChallengeIdentityAssertionServiceImpl.getChallengeToken (tokenType=WWW-Authenticate.Negotiate)
          com.bea.common.security.internal.service.ChallengeIdentityAssertionTokenServiceImpl.getChallengeToken (tokenType=WWW-Authenticate.Negotiate)
          com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter.getChallengeToken (tokenType=WWW-Authenticate.Negotiate)

          • Hi Faisal,

            Also sending the startup parameters

            -Dweblogic.Name=%SERVER_NAME%
            -Djava.security.policy=%WL_HOME%\server\lib\weblogic.policy
            -Djava.security.auth.login.config=C:\bea\user_projects\domains\ADDomain\krb5Login.conf
            -Djava.security.krb5.realm=ABCDEV.PT
            -Djava.security.krb5.kdc=ABCDEV.PT
            -Djavax.security.auth.useSubjectCredsOnly=false
            -Dsun.security.krb5.debug=true
            -Dweblogic.security.enableNegotiate=true
            -Dweblogic.StdoutDebugEnabled=true

            Strangely, if I rename krb5Login.conf as krb5Login.conf1 or I remove the file from the mentioned directory or change the principal attribute inside krb5Login.conf, I get the same log, i.e. I don't see any error message as such. ??

            Regards,
            Priyankar

          • Administrator on November 29, 2010 at 12:54 pm said:

            Your krb5Login.conf file is not getting picked up.
            Are you providing it in the java options at the right place?

            Can u check the file type of krb5Login.conf?

            I have office during day time so dont get time to reply, you can expect replies after office hours.

            -Faisal

  32. Mangesh on November 29, 2010 at 4:14 am said:

    Hi Faisal,

    Now I am facing another problem.
    The kerberos authentication is not working on Windows 7 – IE 8 environment.
    Is there any specific setting for Windows 7 – IE 8 support?, because my current setup is working well with Windows XP – IE 7.

    As usual, waiting for your valuable input.
    Thanks,
    Mangesh.

    • Administrator on November 29, 2010 at 4:29 am said:

      I have not tested it on Windows 7.
      You can open a support ticket with Oracle and ask them to test.

      If there is any issues they will let you know.

      Cheers!!
      Faisal

      • Mangesh on November 30, 2010 at 5:30 am said:

        Hi Faisal,

        I fixed the above Windows 7 – IE 8 issue, by doing following configuration at Windows 7 client machine:

        Go to Local Security Policy (By typing in run dialog)->Local Policies->Security Options->Network security: Configure encryption types allowed for Kerberos:
        Here select checks against DES_CBC_CRC, DES_CBC_MD5 and RC4_HMAC_MD5.

        By doing this setting I am able to run kerberos authentication at Windows 7 client.

        Thanks,
        Mangesh Khairnar.

  33. Hi Faisal,

    Thanks for the reply.

    I found the solution of the console login problem by directly typing the full URL http://…/console/login/LoginForm.jsp. This allows me to login in console. (Reason is not yet known!!)

    Server is picking the .CONF file as I am printing the startup parameters in a startup class and those are coming correctly.
    File type of krb5Login.conf is .CONF.

    Next I have deployed a sample application (as per config mentioned on top of the article) there I am getting Error 401–Unauthorized. It seems console login and this problem are related.

    1. How else can I make sure that .CONF is correct and security realm is using it (Since effect is not coming in ATN log)?

    2. AD users are defined with class ‘person’ and under group ‘ABCUsers’. I have defined principal-name in weblogic.xml as ABCUsers. Is it ok? Or should I define as ‘externally-defined’?

    Regards,

  34. Hi Faisal,

    A couple of questions:-

    Q1. where is the “SSOrole” defined? Within the AD, or Weblogic? or is this symbolic?

    Q2. When deploying the web app in weblogic, which deployment option should be used?
    DD Only:
    Custom Roles:
    Custom Roles and Policies:
    Advanced:

    Many thanks

    • Administrator on December 2, 2010 at 6:38 am said:

      Users belonging to SSOrole defined in the web.xml are mapped to it in the weblogic.xml.
      This role doesn't exist in WLS.

      You will have to select DD Only. If you are following the example.

      Let me know if you have more queries.

      Thanks,
      Faisal

  35. Hi Faisal,

    Sorry, but I’m still not fully clear about SSOrole.


    Users belonging to SSOrole defined in the web.xml are mapped to it in the weblogic.xml.

    Could you explain this in more detail? Maybe the sequence of events.

    Is the SSOrole defined in ActiveDirectory (BEAAD).
    How does WLS determine if a user is in this role?

    Thanks.

    • Administrator on December 4, 2010 at 3:56 am said:

      Hi Ray,

      This is the mapping

      web.xml

      <auth-constraint>
        <role-name>testrole</role-name>
      </auth-constraint>

      weblogic.xml

      <security-role-assignment>
        <role-name>testrole</role-name>
        <principal-name>testuser</principal-name>
      </security-role-assignment>

      So resources that the role testrole has access to can be accessed by testuser, who is present in the Authenticator (internal / external (AD)).

      Let me know if you still have doubts.

      Thanks,
      Faisal
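As an added example (it is not part of Faisal's reply and not WebLogic code), the following Python script cross-checks the two descriptors shown above: it collects every role-name used in an auth-constraint of web.xml and every security-role-assignment in weblogic.xml, and reports roles that have no explicit principal mapping. The two descriptor strings are constructed to mirror the mapping in the reply (testrole mapped to a user and to a group such as the ABCUsers group mentioned earlier in the thread) plus one role that was forgotten. Elements are matched by local name, so it also works when the descriptors carry the usual XML namespaces.

```python
"""Cross-check role names between web.xml and weblogic.xml.

Added example, not from the original post. The descriptors below are
constructed sample data that mirror the mapping shown in the reply above.
"""
import xml.etree.ElementTree as ET

# Constructed web.xml: two protected resources; the second uses a role
# that weblogic.xml never maps to a principal.
WEB_XML = """<?xml version="1.0"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>all</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>testrole</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>adminrole</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
</web-app>
"""

# Constructed weblogic.xml: maps testrole to a user and to a group,
# but says nothing about adminrole.
WEBLOGIC_XML = """<?xml version="1.0"?>
<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">
  <security-role-assignment>
    <role-name>testrole</role-name>
    <principal-name>testuser</principal-name>
    <principal-name>ABCUsers</principal-name>
  </security-role-assignment>
</weblogic-web-app>
"""


def _local(tag):
    """Strip an XML namespace prefix: '{ns}role-name' -> 'role-name'."""
    return tag.rsplit('}', 1)[-1]


def _find_all(root, name):
    """Yield every element (root included) whose local name is `name`."""
    for el in root.iter():
        if _local(el.tag) == name:
            yield el


def roles_in_web_xml(web_xml_text):
    """Return the set of role names used inside <auth-constraint> elements."""
    root = ET.fromstring(web_xml_text)
    roles = set()
    for ac in _find_all(root, 'auth-constraint'):
        for rn in _find_all(ac, 'role-name'):
            roles.add((rn.text or '').strip())
    return roles


def assignments_in_weblogic_xml(weblogic_xml_text):
    """Return {role-name: [principal-name, ...]} from security-role-assignment."""
    root = ET.fromstring(weblogic_xml_text)
    mapping = {}
    for sra in _find_all(root, 'security-role-assignment'):
        names = [(rn.text or '').strip() for rn in _find_all(sra, 'role-name')]
        principals = [(p.text or '').strip() for p in _find_all(sra, 'principal-name')]
        for role in names:
            mapping.setdefault(role, []).extend(principals)
    return mapping


def unmapped_roles(web_xml_text, weblogic_xml_text):
    """Roles that web.xml protects with but weblogic.xml never assigns.

    A role listed here has no explicit user or group behind it, which is a
    likely cause of unexpected 401/403 responses after SSO succeeds.
    """
    needed = roles_in_web_xml(web_xml_text)
    mapped = assignments_in_weblogic_xml(weblogic_xml_text)
    return sorted(r for r in needed if not mapped.get(r))


if __name__ == '__main__':
    print('roles required by web.xml   :', sorted(roles_in_web_xml(WEB_XML)))
    print('assignments in weblogic.xml :', assignments_in_weblogic_xml(WEBLOGIC_XML))
    print('roles with no principal     :', unmapped_roles(WEB_XML, WEBLOGIC_XML))
```

Running it against the sample descriptors lists adminrole as the only unmapped role; to check a real deployment, read both files from the application's WEB-INF directory and pass their contents to unmapped_roles.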

  36. Mangesh Khairnar on February 5, 2011 at 7:57 am said:

    Hi Faisal,
    This is Mangesh again.
    I have a query regarding automatic authentication.
    Can you please suggest which is the best way of achieving automatic authentication with less configuration at the weblogic server end. For example, our client is reluctant to do the configurations related to the weblogic server start-up script (JAAS file name configuration and all), and they also don’t want to generate the keytab files.

    Please suggest me the possible ways to achieve this.

    Thanks,
    Mangesh Khairnar.

    • Administrator on February 7, 2011 at 1:13 pm said:

      Hi Magnesh,

      Good to see you again :)

      If by automatic authentication you mean Single Sign-on – there are two ways it can be achieved.
      Kerberos, which you have already done.
      Second is SAML. Weblogic provides out of the box Providers for SAML.

      Ping me when you are online, we can discuss more on this and what you need.

      Thanks,
      Faisal

  37. swapna on March 9, 2011 at 3:46 am said:

    This one is the best article on Kerberos with Weblogic Server I have ever seen…Thanks Sirji…

  38. Mangesh Khairnar on March 29, 2011 at 6:14 am said:

    Hi Faisal,

    Now I am stuck on one vague issue. As I have successfully configured kerberos with weblogic server for our application, we are in the QA phase and suddenly some users are able to access the application very inconsistently. Sometimes they get access and after a short duration access is denied to them again.

    Do you think this is a ticket expiration issue or is there any limitation in AD on the number of users accessing kerberos tokens?

    Can you please share your ideas on this?
    I am caught up in this big issue, please help me out with this problem.
    As always, I am waiting for your valuable input.

    Thanks,
    Mangesh Khairnar.

    • Administrator on March 29, 2011 at 11:45 am said:

      Hi Mangesh,

      Is there any pattern when the users are not able to access the application?
      How often authentication fails? Is it always for the same set of users?

      Enable SecurityATN and Kerberos Debug on WLS.
      Also check the Windows event logs.

      You can find some Kerberos tuning parameters here

      http://support.microsoft.com/kb/837361

      Please provide more information on this issue.

      Thanks,
      Faisal

  39. Hi,

    Thanks a lot for a very helpful article! I have made it pretty much working; what I wonder about is this. After the SSO user is validated I need to get the user logged into Windows, userA, which is different from the SSO user, and get that userA’s groups from our database. How can I get the currently logged-in Windows user?

    Thank you!
    Ann

  40. Hi there
    1) The last step, step 7, refers to web.xml and weblogic.xml. Are they under the deployed web application? For example, I have configured the weblogic SSO with IBM FileNet Workplace XT, and they are under E:\Apps\IBM\FileNet\WebClient\WorkplaceXT\WEB-INF

    IBM FileNet WorkplaceXT uses form based authentication (container managed); do I need to uncheck the ‘Form based authentication’ as in step 5 to enable the SSO?
    I tried modifying web.xml and weblogic.xml under WorkplaceXT\WEB-INF, and after I restarted Weblogic, I was able to remove the web.xml file, from which I assume weblogic did not really read the web.xml for the application WorkplaceXT. Very confused.

    2) Or are you talking about the files under
    E:\bea\wlserver_10.0\server\lib\consoleapp\webapp\WEB-INF
    ???

  41. Venkat on August 29, 2011 at 3:03 am said:

    Hi Faisal,

    In step 7, you have instructed to configure the user role and user role mapping in weblogic.xml.
    Suppose there are 100 users in my domain; do we need to configure all users in weblogic.xml?

    For testing this SSO application, do we need to login into machine with “beawin” user, domain BEATEST.COM and test it ?

    • Administrator on September 17, 2011 at 4:43 pm said:

      You can provide the group name in principal-name tag of weblogic.xml and make all users whom you want to give access to a part of that group. It will work. I have answered the second question earlier.

  42. Hi Faisal,

    I am working with WebLogic 10.3.2 connecting to Win2k3. I followed your guide above, the SPN (DES keytab) is validated successfully for every client browser access.

    However, the log shows that WebLogic is still trying to map the client user with its user table, so I added the AD Authenticator and the AD users (including the client) can now be validated with the WebLogic.

    But now it gets stuck at the RoleMapping part. It tries to map the client to a WebLogic role, but even when I assign a role to them, it still tries to match the role with the “SSOrole” in web.xml and weblogic.xml (WebLogic simply can’t map the user to “SSOrole” every time I add a condition for it).

    Is it normal to be able to map the client user to the “SSOrole”? Should any of the above steps be removed? Please advise.

    Thanks in advance!

    Regards,
    Zero

    • Administrator on September 17, 2011 at 4:40 pm said:

      It’s not very clear what exactly you are asking.

      Whatever users you map to SSORole in weblogic.xml will have access to the application.
      If you want users belonging to a group to have access, provide the group name in the principal name. It will work.

      If you want to define custom roles and policies (adding roles from the weblogic console), deploy the application and use custom roles and policies.

      Let me know if I have answered your question.

      Thanks,
      Faisal

  43. Hi Faisal,
    I have followed the steps which you have provided above except Step 1. I did not enable DES encryption for that user, because ‘kinit’ is throwing an unsupported encryption type exception. So I did not enable DES and carried out the remaining steps.
    (1) Here, the domain controller and ADS are running on Windows 2008 R2. Is this causing the problem with the encryption type? I have not specified any default_tkt_enctypes = des-cbc-crc, default_tgs_enctypes = des-cbc-crc properties in the krb5.ini file.
    (2) The browser is showing an Error 401–Unauthorized response when I try to access my sample application, and this is the exception from the WL server log…
    com.bea.security.utils.kerberos.KerberosException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!).
    I have been trying for 2 days to solve this problem. Can you please tell me what the problem is.
    (3) Do we need to run the Weblogic server under the “beawin” user?
    (4) Do we need to run the client (browser) under the “beawin” user? Or [can we run under any user who is in the BEATEST.COM domain? If yes, do we need to add that user also in the weblogic.xml file and in the console application?]

    • Administrator on September 17, 2011 at 4:36 pm said:

      Hi,

      I have explained the cause of the following exception in this article

      http://weblogic-wonders.com/weblogic/2010/01/07/troubleshooting-kerberos-issues-with-weblogic-server/

      com.bea.security.utils.kerberos.KerberosException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!).

      Kindly follow all the suggestions provided.

      Ideally you should provide the supported encryption types in krb5.ini file

      Weblogic Server does not need to run under beawin user

      It can be any user who can access the application. But that user needs to exist in the authentication provider; that is why customers usually integrate their Active Directory with Weblogic. Also we need to do the role mapping in the weblogic.xml file.

      Let me know if you have further queries.

      Thanks,
      Faisal

  44. Hi,

    Thanks for the good post.

    I am trying the same for AD 2008 with WLS 11g with DES encryption. It is failing while running the kinit command with a “Client not found in Kerberos database while getting initial credentials” error, though the principal name is correct.

    So, is WNA supported for AD 2008 with WLS 11g?

    Thanks

  45. Epistole on June 1, 2012 at 11:29 am said:

    Hi Faisal,

    I’m trying to configure SSO on a quite simple application on my WebLogic Server.

    The application can be found on the tutorial page I followed: http://weblogic-wonders.com/weblogic/2009/11/15/configuring-kerberos-with-weblogic-server/

    Here’s my architecture :

    – AD
    OS:Windows 2008R2
    hostname: XXXXXX
    domain : XXXX

    – WLS
    OS : RedHat 5.4
    hostname 1 : XXXX
    hostname 2 : XXXX
    WLS Domain: P8WLAEDom (which has one cluster (xxxx) with two servers (xxxx deployed on xxxxxx and xxxxx deployed on xxxxxx)

    I created the following users in AD to represent the WLS: xxx and xxxxxx
    I created the SPNs for those users, then generate the keytab, customized the krb5.conf on WLS machines.

    The following commands work properly on each WLS machine (each has its own keytab):

    frdevfln11 > kinit -V -k HTTP/xxxxxxx
    Authenticated to Kerberos v5

    frdevfln21 > kinit -V -k HTTP/xxxxxxxx
    Authenticated to Kerberos v5

    Then I have followed all the steps described in the tutorial and deployed my testssowebapplication, but I’m still having a “401” error when trying to access it.

    I’m not sure I have a good kerberos configuration with my WLS machines; can you tell me if you think I have to change it in order to have only one keytab for all machines, which SPNs to create for which users…

    Thanks for all!!

    • Administrator on June 5, 2012 at 12:51 am said:

      Hi Nicolas,

      Can you please enable SecurityATN and ATZ debug on Weblogic and share the log files.
      khan.faysal6@gmail.com

      Also capture the http headers and see if the kerberos token is passed on.

      Which users have access to the application?
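Going one step beyond "capture the http headers", here is an added example (not from Faisal's reply and not WebLogic code) that inspects the value of the Authorization header a browser sends and tells you whether it carries a SPNEGO token that offers Kerberos, a raw Kerberos token, or an NTLM message. A browser that cannot obtain a service ticket for the SPN typically falls back to NTLM, which a Kerberos-only server side cannot accept, so seeing "ntlm" here explains many of the 401 responses reported in this thread. The sample header values are constructed; the byte layout follows RFC 2743 (GSS-API InitialContextToken) and RFC 4178 (SPNEGO NegTokenInit).

```python
"""Tell a Kerberos/SPNEGO Authorization header apart from an NTLM one.

Added example, not code from the original reply or from WebLogic. Sample
headers are constructed below; the layout follows RFC 2743 and RFC 4178.
"""
import base64

# DER-encoded OID values (without the 0x06 tag and length byte).
SPNEGO_OID = bytes.fromhex('2b0601050502')            # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex('2a864886f712010202')        # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex('2a864882f712010202')     # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex('2b06010401823702020a')   # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIGNATURE = b'NTLMSSP\x00'                    # start of every NTLM message


def der_tlv(buf, pos=0):
    """Read one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short-form length
        return tag, buf[pos + 2:pos + 2 + first], pos + 2 + first
    n = first & 0x7f                       # long form: n length bytes follow
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], 'big')
    start = pos + 2 + n
    return tag, buf[start:start + length], start + length


def der_encode(tag, body):
    """Encode one DER TLV; long-form lengths up to 65535 bytes are supported."""
    if len(body) < 0x80:
        length = bytes([len(body)])
    elif len(body) < 0x100:
        length = b'\x81' + bytes([len(body)])
    else:
        length = b'\x82' + len(body).to_bytes(2, 'big')
    return bytes([tag]) + length + body


def spnego_mech_types(neg_token):
    """Return the mechType OIDs offered by a NegTokenInit (bytes after the SPNEGO OID)."""
    tag, neg_init, _ = der_tlv(neg_token)       # [0] NegTokenInit -> 0xa0
    if tag != 0xa0:
        return []
    _, fields, _ = der_tlv(neg_init)            # SEQUENCE of NegTokenInit fields
    tag, mech_list, _ = der_tlv(fields)         # [0] mechTypes -> 0xa0
    if tag != 0xa0:
        return []
    _, oid_seq, _ = der_tlv(mech_list)          # SEQUENCE OF MechType
    oids, pos = [], 0
    while pos < len(oid_seq):
        tag, oid, pos = der_tlv(oid_seq, pos)
        if tag == 0x06:
            oids.append(oid)
    return oids


def classify_authorization(header_value):
    """Return 'ntlm', 'kerberos', 'spnego-kerberos', 'spnego-no-kerberos' or 'unknown'."""
    scheme, _, b64 = header_value.strip().partition(' ')
    if scheme.lower() not in ('negotiate', 'ntlm'):
        return 'unknown'
    try:
        token = base64.b64decode(b64, validate=True)
        if token.startswith(NTLMSSP_SIGNATURE):
            return 'ntlm'                       # browser fell back to NTLM
        if not token or token[0] != 0x60:       # [APPLICATION 0] InitialContextToken
            return 'unknown'
        _, body, _ = der_tlv(token)
        tag, mech_oid, rest = der_tlv(body)
        if tag != 0x06:
            return 'unknown'
        if mech_oid in (KRB5_OID, MS_KRB5_OID):
            return 'kerberos'                   # raw Kerberos token, no SPNEGO wrapper
        if mech_oid == SPNEGO_OID:
            mechs = spnego_mech_types(body[rest:])
            if any(m in (KRB5_OID, MS_KRB5_OID) for m in mechs):
                return 'spnego-kerberos'
            return 'spnego-no-kerberos' if mechs else 'unknown'
    except (ValueError, IndexError):            # bad base64 or truncated DER
        pass
    return 'unknown'


def build_spnego_init(mech_oids, mech_token=bytes(300)):
    """Construct a sample NegTokenInit offering mech_oids (test data, not a real ticket)."""
    mech_types = der_encode(0x30, b''.join(der_encode(0x06, o) for o in mech_oids))
    fields = der_encode(0xa0, mech_types) + der_encode(0xa2, der_encode(0x04, mech_token))
    neg_init = der_encode(0x30, fields)
    return der_encode(0x60, der_encode(0x06, SPNEGO_OID) + der_encode(0xa0, neg_init))


def negotiate_header(token):
    """Format a token the way a browser sends it: 'Negotiate <base64>'."""
    return 'Negotiate ' + base64.b64encode(token).decode('ascii')


# Constructed sample headers: a healthy SPNEGO token offering Kerberos first,
# a SPNEGO token offering only NTLMSSP, and a raw NTLM Type 1 message.
SAMPLE_SPNEGO_KERBEROS = negotiate_header(build_spnego_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID]))
SAMPLE_SPNEGO_NTLM_ONLY = negotiate_header(build_spnego_init([NTLMSSP_OID]))
SAMPLE_RAW_NTLM = negotiate_header(NTLMSSP_SIGNATURE + b'\x01\x00\x00\x00' + bytes(28))

if __name__ == '__main__':
    for name, hdr in [('spnego/kerberos', SAMPLE_SPNEGO_KERBEROS),
                      ('spnego/ntlm-only', SAMPLE_SPNEGO_NTLM_ONLY),
                      ('raw ntlm', SAMPLE_RAW_NTLM)]:
        print(f'{name:18s} -> {classify_authorization(hdr)}')
```

Paste the Authorization header value from a captured request into classify_authorization; the classifier only looks at the token's outer structure and mechanism list, it never decrypts or validates the ticket, so it is safe to run on captures from any client.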

  46. Epistole on June 5, 2012 at 8:05 am said:

    Hi Faisal, it seems that your mail address is not valid.

    Best regards,

    Nicolas

  47. anirudha on August 14, 2012 at 9:40 am said:

    Hi Faisal,

    I was trying to implement SSO using kerberos for peoplesoft applications where the webserver used is weblogic. I have this strange issue which I have been facing and unable to debug any further. With the JRockit JDK provided in the weblogic configuration I get the following error.

    Could not load user defined filter in web.xml: com.peoplesoft.pt.desktopsso.kerberos.KerberosSSOFilter.
    java.lang.IllegalArgumentException: No Configuration was registered that can handle the configuration named krbServer
    at com.bea.common.security.jdkutils.JAASConfiguration.getAppConfigurationEntry(JAASConfiguration.java:130)

    However, when I change the JAVA_HOME parameter to the Linux JDK present in /usr/java/jdk it runs fine and I am able to log in to the peoplesoft application. So is there any specific setting relating to JRockit because of which the krb5Login.conf is not being picked up by the code?

    I would appreciate your help
    Thanks
    Anirudha

    • Administrator on August 16, 2012 at 4:06 pm said:

      Hi Anirudha,

      Where have you kept the krb5Login.conf file?
      You can consider giving the full path.

      You are able to log in without providing credentials? SSO working?

      Kindly let me know.

      Thanks,
      Faisal

  48. anirudha on August 17, 2012 at 1:44 am said:

    Hi Faisal,

    Thanks for your reply.
    Yes I have given the complete path too.
    This is the full command line of the weblogic server. I had modified it to test if it is trying to pick it up from any default location.

    java -jrockit -XnoOpt -XXnoJITInline -Xms512m -Xmx512m -Dtoplink.xml.platform=oracle.toplink.platform.xml.jaxp.JAXPPlatform -Dcom.sun.xml.namespace.QName.useCompatibleSerialVersionUID=1.0 -Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=/etc/krbLogin.conf -Dsun.security.krb5.debug=true -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.security.enableNegotiate=true -Dweblogic.Chunksize=65536 -Djava.util.logging.config.file=/u01/app/psoft89/webserv/PREFRESH/piaconfig/properties/logging.properties -Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.Jdk14Logger -Dweblogic.Name=PIA -Dps_vault=/u01/app/psoft89/webserv/PREFRESH/piaconfig/properties/psvault -Djavax.net.ssl.trustStore=/u01/app/psoft89/webserv/PREFRESH/piaconfig/keystore/pskey -Dweblogic.ProductionModeEnabled=true -Djava.security.policy=/u01/app/psoft89/weblogic/wlserver_10.3/server/lib/weblogic.policy -Dssl.debug=false -Dps_home=/u01/app/psoft89 weblogic.Server

    The file is located in /etc folder and has 777 permissions.
    Yes the SSO works with Oracle JDK and I am able to login directly using AD credentials. But I am not able to do it using JRockit JDK which is currently used by the weblogic web server.

    Thanks and Regards
    Anirudha Singh

    • Administrator on August 21, 2012 at 3:46 pm said:

      Hi Anirudha,

      Please raise a support request with oracle and let us know the solution as well.
      Insist that they reproduce the issue locally.

      Regards,
      Faisal

  49. Pranjal Bathia on September 4, 2012 at 2:58 am said:

    Hi Faisal,

    I am trying to configure SSO for my web application.
    My architecture is as below:
    Active Directory : on Windows server 2008 R2
    Weblogic server 10.3.3.0 : on OEL 5

    I created keytab file and shared on linux for weblogic domain.
    Kinit is successful, with the message Authenticated to Kerberos v5.
    AD authentication was successful before configuring kerberos.

    But when I try to access the application from a windows client it says:
    Error 401–Unauthorized
    From RFC 2068 Hypertext Transfer Protocol — HTTP/1.1:
    10.4.2 401 Unauthorized
    The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity MAY include relevant diagnostic information. HTTP access authentication is explained in section 11.

    Would you please help me on this.
    Thank you in advance.

    Regards,
    Pranjal

  50. Pranjal Bathia on September 7, 2012 at 2:12 am said:

    Hi Faisal,

    I resolved the problem. Problem was with setting SPN.
    I resolved this and now it is working as expected.
    Thanks for your response.

  51. Pranjal Bathia on September 7, 2012 at 2:14 am said:

    Hi Faisal,

    I resolved the problem. Issue was with setting the SPN.
    Thank you for your response.

    Regards,
    Pranjal

    Trying to configure SSO on Windows 2k8 R2, AD 2k3, BIEE version 11.1.1.6.2 BP1,
    Got Error 401–Unauthorized
    Checked the bi_server.out log, saw the following and no more; any idea? Please help.

    Thanks
    Yu

    …..
    Commit Succeeded

    Found key for *****.COM(1)
    Found key for *****.COM(3)
    Found key for *****.COM(23)
    Entered Krb5Context.acceptSecContext with state=STATE_NEW

  53. Hi,

    I tried this approach and it works. But the issue I am facing with this approach is that the user data has to be entered in multiple places, like weblogic.xml and the weblogic internal LDAP which uses the default authenticators.

    So for adding new users I need to change all of these. XML changes mean a restart of the server.

    Mentioning the user data in multiple places is not feasible. Is there any workaround?

    Also, for an intranet domain user, the password will expire after, say, every 90 days. Then the same has to be updated in the weblogic user setup. So maintenance is also an issue, if I am not wrong.

    Also we have done a little extension to this approach: if the SSO auth fails then the application should redirect to a login page where we do application specific authentication.

    But for this approach, weblogic is intercepting the request and if auth fails then I am getting a 401 error. I tried other JAAS control flags but they were not much help.

    Any suggestions for this?

    Thanks
    Sandeep

    • Administrator on September 29, 2012 at 10:51 am said:

      Hi Sandeep,

      Thanks for posting on our site.

      If you have configured AD, then the policies on AD will hold true.
      In the principal name you can specify the name of the group in AD.
      For the third question I have replied to you in the forum.

      Please let me know if you have further questions.

      -Faisal

  54. Hi Faisal,

    I am glad I found this site. This is very informative and solved most of my issues configuring SSO with weblogic.

    For SSO using kerberos the token will be generated only when the user is logged in within the domain/intranet. But for a public URL, say access through the internet, no token exchange will happen and weblogic is throwing a 401 error. But I need the control to be transferred to the application in case the kerberos auth fails.

    Is it possible to do that?

    Thanks,
    Sandeep

  55. Faisal,

    I am deploying the Documentum application ‘webtop’ as a war file in WLS 10.3.3.

    Now I am setting up Kerberos and I need to add certain parameters in start-up script.

    Here are the parameters I am adding :-

    _____________________________________________________

    JAVA_OPTIONS="${JAVA_OPTIONS} -Djava.security.krb5.conf=/etc/krb5/krb5.conf \
    -Djava.security.auth.login.config=/webtop/WEB-INF/krb5Login.conf \
    -Djavax.security.auth.useSubjectCredsOnly=false"
    export JAVA_OPTIONS

    _____________________________________________________

    The line Djava.security.auth.login.config is referring to file krb5Login.conf that resides inside the web-inf folder of the war file. Kerberos application is not able to recognise this path inside the war file.

    I am getting this error :-
    No Configuration was registered that can handle the configuration named HTTP-Appserver-test-company-com
    java.lang.IllegalArgumentException: No Configuration was registered that can handle the configuration named HTTP-Appserver-test-company-com
    at com.bea.common.security.jdkutils.JAASConfiguration.getAppConfigurationEntry(JAASConfiguration.java:130)

    Any help appreciated.

    • Administrator on November 4, 2012 at 1:31 pm said:

      Why don’t you place the krb5Login.conf at some other location and give the full path instead of keeping it in the war file?

  56. Janardhan on July 18, 2013 at 7:43 am said:

    Hi,

    I tried to set up SSO for a standalone server and it's working fine, but when I tried to configure SSO in a cluster environment it's not working.
    Not able to debug either; no errors are captured in the server logs.
    Please let me know how to configure it for a cluster?
    At least how to trace?

  57. Hi Faisal,
    Great article.
    But I’m having problems with my webapp. Based on the logs, the provider is successfully authenticating, but the application does not recognize it and redirects to the login page. My application is a Webcenter Portal application, using ADF. Can you share your sample application? My email is: zeorjj@gmail.com

    Thanks

  58. Administrator on March 23, 2012 at 3:07 am said:

    it should work for other encryption too… you can debug your issue following this post

    http://weblogic-wonders.com/weblogic/2010/01/07/troubleshooting-kerberos-issues-with-weblogic-server/
