Configuring Kerberos with Weblogic Server

Details

Domain Name: BEATEST.COM
Domain Controller Name: BEAAD (This machine runs Active Directory)
WL Server Machine Name: beaiis (This machine runs Weblogic server).

For BEAAD:-

Username : beauser
Password :

For beaiis :-

Username : beaiis
Password : Secure04

Steps on Domain Controller (BEAAD)

1) Create a user beawin in Active Directory. Go to user properties > Account and, under Account options, select "Use DES encryption types for this account". After this, reset the password for this user: the DES keys are only generated when the password is set after the option has been enabled.

Caveat: DES is a deprecated Kerberos encryption type (RFC 6649) and is disabled by default on current Windows domain controllers and JDKs. The DES setting matches the Weblogic 9.2 / JDK 5 era this page describes; on a current JDK it only works with allow_weak_crypto = true under [libdefaults] in krb5.ini, and the better choice is to leave DES off, enable AES for the account instead and generate the keytab with AES keys.

2) Set the Service Principal Name for the host name users will type into the browser.

setspn -a HTTP/beaiis.BEATEST.COM beawin

3) Test the service principal name.

setspn -L beawin

The SPN must be registered to exactly one account; if HTTP/beaiis.BEATEST.COM is also registered on another account, Kerberos ticket requests for the service fail.

4) Generate a keytab using ktab (a JDK tool). ktab prompts for the account password and derives the key from it without contacting the domain controller, so the password you type must be the one set in step 1.

ktab -k beawin.keytab -a beawin@BEATEST.COM

5) Test the keytab file

klist -k beawin.keytab

Note: klist here is the JDK's klist, not the Windows one. With -k it lists the principal and kvno (key version number) of each key in the keytab; add -t to see the timestamps.

6) Copy the generated keytab file (beawin.keytab) to the domain directory of Weblogic, and restrict its ACL to the account Weblogic runs as: the keytab is equivalent to the beawin password.
D:\bea922\user_projects\domains\Kerberos_New

7) Place the krb5.ini file in the C:\winnt folder. The content of the file is shown later in the document.
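A way to check the keytab from step 5 without trusting the tool that wrote it, as an added example that is not part of the original page or of the JDK/Weblogic tooling: the script below parses the MIT keytab format that JDK ktab writes (version 0x0502), lists each key's principal, kvno and encryption type, and flags keys that use DES, 3DES or RC4 (deprecated by RFC 6649 and RFC 8429) as well as expected principals that are missing. The embedded sample keytab is constructed inside the script with dummy key bytes (one des-cbc-md5 key, as the DES-only account from step 1 would yield, and one AES-256 key); the principal beawin@BEATEST.COM and the keytab file name are the page's, everything else here is assumed.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Kerberos encryption-type numbers (RFC 3961/3962) and the ones deprecated
# by RFC 6649 (DES) and RFC 8429 (RC4, 3DES).
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
WEAK_ENCTYPES = {1, 2, 3, 16, 23}


@dataclass
class KeytabEntry:
    principal: str
    kvno: int
    enctype: int
    key_len: int


def _cstr(b: bytes) -> bytes:
    """counted_octet_string: big-endian uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_cstr(data: bytes, p: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n], p + 2 + n


def build_keytab(entries: List[Tuple[str, int, int, bytes]]) -> bytes:
    """Write a version-2 (0x0502) MIT keytab; used here only to construct sample input."""
    out = struct.pack(">H", 0x0502)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        for c in comps:
            body += _cstr(c.encode())
        # name_type 1 = KRB5_NT_PRINCIPAL, timestamp 0 (constructed), 8-bit kvno,
        # keyblock (enctype + key), then the optional 32-bit kvno
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _cstr(key)
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a 0x0502 keytab (the format JDK ktab and MIT kadmin write)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # a negative size marks a deleted slot: skip it
            pos += -size
            continue
        end, p = pos + size, pos
        (ncomp,) = struct.unpack_from(">H", data, p)
        p += 2
        realm, p = _read_cstr(data, p)
        comps = []
        for _ in range(ncomp):
            c, p = _read_cstr(data, p)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, p)
        p += 9
        (enctype,) = struct.unpack_from(">H", data, p)
        p += 2
        key, p = _read_cstr(data, p)
        kvno = vno8
        if end - p >= 4:        # the 32-bit kvno is optional and wins when non-zero
            (vno32,) = struct.unpack_from(">I", data, p)
            kvno = vno32 or vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype, len(key)))
        pos = end
    return entries


def audit_keytab(data: bytes, expected_principals: List[str]) -> List[str]:
    """Report expected principals that have no key and keys with deprecated enctypes."""
    entries = parse_keytab(data)
    present = {e.principal for e in entries}
    findings = [f"missing key for {p}" for p in expected_principals if p not in present]
    for e in entries:
        if e.enctype in WEAK_ENCTYPES:
            findings.append(f"{e.principal} kvno {e.kvno}: weak enctype "
                            f"{ENCTYPE_NAMES.get(e.enctype, e.enctype)}")
    return findings


# Constructed sample: a DES key as the step-1 account would yield, plus an AES key.
SAMPLE_KEYTAB = build_keytab([
    ("beawin@BEATEST.COM", 3, 3, b"\x01" * 8),    # des-cbc-md5, 8-byte dummy key
    ("beawin@BEATEST.COM", 3, 18, b"\x02" * 32),  # aes256-cts-hmac-sha1-96, dummy key
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    for e in parse_keytab(data):
        print(f"{e.principal}  kvno={e.kvno}  enctype={ENCTYPE_NAMES.get(e.enctype, e.enctype)}")
    for finding in audit_keytab(data, ["beawin@BEATEST.COM"]):
        print("WARNING:", finding)
```

Run it against the real file (the script name is hypothetical) with `python keytab_audit.py D:\bea922\user_projects\domains\Kerberos_New\beawin.keytab`; with no argument it audits the constructed sample and reports the DES key. Every key in the keytab is a password-equivalent, so the file deserves the same handling as the account password.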

Steps on Machine Hosting Weblogic Server (beaiis)

1) Set the environment (the JDK's bin directory on the PATH) and run the JDK's Kinit against the keytab

java -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit -k -t D:\bea922\user_projects\domains\Kerberos_New\beawin.keytab beawin@BEATEST.COM

This asks the KDC for a ticket-granting ticket for beawin using the keytab key and writes it to a credential cache (krb5cc_<user>) in the user's home folder. Weblogic itself does not use that cache; it reads the keytab through the JAAS configuration below. The kinit is a check that the keytab key matches the account in Active Directory and that krb5.ini points at the right KDC: a pre-authentication failure here means the keytab was built from the wrong password (or the password has changed since), and a clock-skew error means the two machines' clocks differ by more than the allowed skew. The debug flag prints the exchange.

2) Make sure you have all the parameters correctly set in

C:\WinNT\krb5.ini

krb5.ini

[libdefaults]
default_realm = BEATEST.COM
kdc_timesync = 1
ccache_type = 4
ticket_lifetime = 600
clockskew = 1200

[realms]
BEATEST.COM = {
kdc = 192.168.1.1
admin_server = BEAAD
default_domain = BEATEST.COM
}

[domain_realm]
.beatest.com = BEATEST.COM

[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true

3) Create a krb5login.conf file with the following entries in your domain directory D:\bea922\user_projects\domains\Kerberos_New. keyTab is a relative path resolved against the directory the server is started from, so start the server from the domain directory or give the full path. The accept entry is what the Negotiate identity asserter uses to validate incoming SPNEGO tokens; set debug=true while troubleshooting.

krb5login.conf

com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required
principal="beawin@BEATEST.COM" useKeyTab=true
keyTab=beawin.keytab storeKey=true debug=false;
};
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required
principal="beawin@BEATEST.COM" useKeyTab=true
keyTab=beawin.keytab storeKey=true debug=false;
};

4) Add the following parameters to the startup script startweblogic.cmd (the file name must match the krb5login.conf created above and, being relative, is resolved against the directory the server starts from)

-Djava.security.auth.login.config=krb5login.conf -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.security.enableNegotiate=true

useSubjectCredsOnly=false lets the GSS-API layer log in through the krb5login.conf entries instead of requiring Kerberos credentials already present in the calling thread's Subject; enableNegotiate turns on Weblogic's server-side handling of the Negotiate challenge.

5) Configure NegotiateIdentityAsserter from the console

Home > Summary of Security Realms > myrealm > Providers > Authentication >
Create new NegotiateIdentityAsserter

Leave the default Active Types
Under Provider Specific, uncheck Form Based Negotiation Enabled

Activate the changes and restart the server.

6) Create a user beawin in Weblogic Server. The Negotiate identity asserter only turns a valid SPNEGO token into a user name; that name must then be known to an authentication provider in the realm (the default authenticator here, or an Active Directory authenticator in a real deployment), so every Windows user who is to reach the application needs a matching Weblogic user.

7) Package the web application with the following descriptors

Web.xml

<web-app>
<display-name>SEC81</display-name>
<security-constraint>
<display-name>Security Constraint for SSO </display-name>
<web-resource-collection>
<web-resource-name>My webapp</web-resource-name>
<description>Group of Users</description>
<url-pattern>/*</url-pattern>
<!-- No http-method elements: a constraint that lists only GET and POST applies
     to those two verbs alone and leaves HEAD, PUT, DELETE, OPTIONS and TRACE
     unprotected. Omitting the list makes the constraint cover every method. -->
</web-resource-collection>
<auth-constraint>
<role-name>SSOrole</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role>
<description>Role description</description>
<role-name>SSOrole</role-name>
</security-role>
</web-app>

Weblogic.xml

<weblogic-web-app>
<security-role-assignment>
<role-name>SSOrole</role-name>
<principal-name>beawin</principal-name>
</security-role-assignment>
</weblogic-web-app>
8) Deploy the web app in Weblogic.
9) Restart the Weblogic server.
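A descriptor check for the deployment steps above, as an added example that is not the page's or Weblogic's code: it parses a web.xml and reports security constraints that leave HTTP methods unconstrained (a constraint that names GET and POST in http-method elements applies only to those two verbs, so HEAD, PUT, DELETE, OPTIONS and TRACE reach the servlet without the SSOrole check), constraints with no auth-constraint, and a login-config whose auth-method is not the CLIENT-CERT that Weblogic identity assertion requires. The two descriptors embedded in the script are constructed: a trimmed copy of the page's web.xml, and the same descriptor with the method list removed.

```python
import xml.etree.ElementTree as ET
from typing import List

# Methods a servlet container dispatches; any verb not named in a constraint's
# <http-method> list stays unconstrained (Servlet spec, security-constraint).
HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}


def _local(tag: str) -> str:
    """Strip a namespace prefix such as {http://java.sun.com/xml/ns/j2ee}."""
    return tag.rsplit("}", 1)[-1]


def _children(el, name: str):
    return [c for c in el if _local(c.tag) == name]


def _texts(el, name: str) -> List[str]:
    return [(c.text or "").strip() for c in _children(el, name)]


def audit_web_xml(xml_text: str) -> List[str]:
    """Return findings for constraints that leave methods or resources open."""
    root = ET.fromstring(xml_text)
    findings = []
    for sc in _children(root, "security-constraint"):
        if not _children(sc, "auth-constraint"):
            findings.append("security-constraint without <auth-constraint>: no login required")
        for wrc in _children(sc, "web-resource-collection"):
            patterns = ", ".join(_texts(wrc, "url-pattern"))
            listed = {m.upper() for m in _texts(wrc, "http-method")}
            omitted = {m.upper() for m in _texts(wrc, "http-method-omission")}
            if listed:
                uncovered = sorted(HTTP_METHODS - listed)
                findings.append(f"{patterns}: {' '.join(uncovered)} not covered "
                                f"(constraint limited to {' '.join(sorted(listed))})")
            if omitted:  # Servlet 3.0 form: every method except the omitted ones
                findings.append(f"{patterns}: {' '.join(sorted(omitted))} explicitly omitted from constraint")
    for lc in _children(root, "login-config"):
        for m in _texts(lc, "auth-method"):
            if m.upper() != "CLIENT-CERT":
                findings.append(f"auth-method is {m}: WebLogic identity assertion (Negotiate) needs CLIENT-CERT")
    return findings


# Constructed trimmed copy of the page's descriptor: the constraint names GET and POST only.
ORIGINAL_WEB_XML = """<web-app>
<security-constraint>
<web-resource-collection>
<web-resource-name>My webapp</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint><role-name>SSOrole</role-name></auth-constraint>
</security-constraint>
<login-config><auth-method>CLIENT-CERT</auth-method></login-config>
<security-role><role-name>SSOrole</role-name></security-role>
</web-app>"""

# Hardened form: no <http-method>, so the constraint applies to every method.
HARDENED_WEB_XML = ORIGINAL_WEB_XML.replace(
    "<http-method>GET</http-method>\n<http-method>POST</http-method>\n", "")

if __name__ == "__main__":
    for label, doc in (("original", ORIGINAL_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, audit_web_xml(doc) or "no findings")
```

Point it at a real descriptor with `audit_web_xml(open("WEB-INF/web.xml").read())`; the namespaced web.xml of later Servlet versions is handled by the local-name matching. The check is worth running before every deployment because the method gap is invisible in the console: the constraint shows as protecting /* while a HEAD or OPTIONS request to the same URL bypasses the identity asserter entirely.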

Configuring Internet Explorer

NOTE: THESE STEPS NEED TO BE DONE ON EACH CLIENT MACHINE THAT BROWSES THE PROTECTED WEB APPLICATION

1. Go to Tools -> Internet Options.
2. Select the "Security" tab.
3. Click the "Local Intranet" icon. This enables the "Sites" button.
4. Click the "Sites" button. This shows a "Local Intranet" popup.
5. Make sure the option "Include all local (intranet) sites not listed in other zones" is selected. (Windows XP only.)
6. Click the "Advanced" button. In the new popup window add the URL of the machine hosting Weblogic, using the same host name that was registered as the SPN (http://beaiis.BEATEST.COM). If users browse by IP address or by a name that has no matching SPN, the browser cannot obtain a Kerberos ticket for the service and falls back to NTLM, which the Negotiate identity asserter does not handle.
7. Click OK to save your settings.
8. In the "Security" tab, click the "Custom Level" button.
9. In the "Security Settings" dialog, under "User Authentication", make sure "Automatic logon only in Intranet zone" is selected.
10. Click OK to save your settings.
11. Go to the "Connections" tab -> LAN Settings.
12. If a proxy server is enabled, click the "Advanced" button and add the URL of the machine hosting Weblogic to the "Exceptions" box so that requests to it go direct rather than through the proxy.
13. In the "Internet Options -> Advanced" tab, make sure "Enable Integrated Windows Authentication (requires restart)" is checked. Click "OK". (If this option was not already selected, close all browser instances for the setting to take effect.)
