
Kerberos in a Proxy/Load Balancer/WebLogic Cluster

Recently one of my colleagues pointed out that I did not cover a few aspects of Kerberos configuration in an earlier post. He had a few queries, such as how he should set the service principal name (SPN) if there is a proxy in front of WebLogic Server, or, for that matter, if there is a cluster of WebLogic Servers.

Here are the answers.

If the proxy server is on the same machine as WLS, then the steps remain the same (outlined in an earlier post). The Kerberos ticket will be propagated to WLS.

If it’s on a different machine, then both the proxy URL and the WLS URL should be registered as SPNs for the WLS account.

e.g.

WLS Server Machine: beaiis
Proxy Server Machine: beaproxy

setspn -a HTTP/beaiis.BEATEST.COM beawin
setspn -a HTTP/beaproxy.BEATEST.COM beawin

And then configure your client browser with the proxy server URL.

For a cluster of Managed Servers running on different machines:

WLS Server Machine1: beaiisone
WLS Server Machine2: beaiistwo
WLS Server Machine3: beaiisthree
Proxy Server Machine: beaproxy

Then we have to register all the URLs with the KDC:

setspn -a HTTP/beaiisone.BEATEST.COM beawin
setspn -a HTTP/beaiistwo.BEATEST.COM beawin
setspn -a HTTP/beaiisthree.BEATEST.COM beawin
setspn -a HTTP/beaproxy.BEATEST.COM beawin

And then verify:

setspn -L beawin
Registered ServicePrincipalNames for CN=beawin,CN=Users,DC=BEATEST,DC=COM

HTTP/beaproxy.BEATEST.COM
HTTP/beaiisone.BEATEST.COM
HTTP/beaiistwo.BEATEST.COM
HTTP/beaiisthree.BEATEST.COM

Each server will have the same keytab and krb5Login.conf file, preferably copied to the domain directory on all machines. In the client browser, the local internet settings should have the proxy URL.
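
The setspn -L check above can be scripted so that a cluster member or proxy host without an HTTP SPN is caught before clients reach it. The following Python is an added example, not code from the original post: it parses setspn -L output, compares it with the hosts clients will address, and also reports an SPN held by more than one account. The function names and the sample listing (constructed from the output above with beaiisthree left out) are assumptions of the example.

```python
import re
from collections import defaultdict

# First line `setspn -L <account>` prints, as in the listing above.
HEADER = re.compile(r"^Registered ServicePrincipalNames for (.+?):?$", re.IGNORECASE)


def parse_setspn_list(output):
    """Return (account DN, [SPN, ...]) parsed from `setspn -L` text."""
    dn, spns = None, []
    for raw in output.splitlines():
        line = raw.strip()
        match = HEADER.match(line)
        if match:
            dn = match.group(1)
        elif dn and "/" in line:
            spns.append(line)
    return dn, spns


def check_http_spns(listings, hosts, realm):
    """Check that each host clients address has exactly one HTTP SPN owner."""
    owners = defaultdict(set)  # lowercased SPN -> account DNs holding it
    for text in listings:
        dn, spns = parse_setspn_list(text)
        for spn in spns:
            owners[spn.lower()].add(dn)  # AD compares SPNs case-insensitively
    expected = {f"http/{host}.{realm}".lower() for host in hosts}
    return {
        "missing": sorted(expected - set(owners)),
        "duplicated": sorted(s for s in expected if len(owners.get(s, ())) > 1),
        "unlisted": sorted(s for s in owners
                           if s.startswith("http/") and s not in expected),
    }


# Constructed sample: the listing from the post, with beaiisthree left out.
SAMPLE = """Registered ServicePrincipalNames for CN=beawin,CN=Users,DC=BEATEST,DC=COM

HTTP/beaproxy.BEATEST.COM
HTTP/beaiisone.BEATEST.COM
HTTP/beaiistwo.BEATEST.COM
"""

if __name__ == "__main__":
    hosts = ["beaiisone", "beaiistwo", "beaiisthree", "beaproxy"]
    print(check_http_spns([SAMPLE], hosts, "BEATEST.COM"))
```

Pass one setspn -L listing per account that might hold HTTP SPNs; an entry under "duplicated" means the same SPN is registered on more than one account.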

2 Comments

  1. James Medlycott

    Hi,

    I have followed the above instructions.

    My user has registered SPNs of the managed servers and the load balancers.

    The server setup is exactly the same.

    If I access the server I SSO in.

    If I go via the load balancer I cannot SSO in.

    Any ideas/pointers?

    James

    Posted on 23-Nov-11 at 10:20 am | Permalink
  2. Administrator

    Can you please share the detailed configuration you have and what issues you are facing?

    Posted on 16-Dec-11 at 10:22 am | Permalink
