Weblogic Server comes with an Embedded LDAP Server which acts as the Default Provider for authentication, authorization and rolemapping.Since authentication is based on JAAS ( Java Authentication and Authorization Service), we can have external providers as well.These providers can be Out Of the Box Providers provided by WLS or Custom Providers which can be plugged in. I’ll discuss that in some other article.

These are some of the providers


WLS does provide an out of the box provider for Active Directory.
These are the steps to configure it.
Step 1). Open Active Directory Console

Step 2). Create a User

Step 3). Assign it to Administrator Group. This is required as Active Directory gives connection only to Admin User.

Step 4). Go to Weblogic Server and Create an Active Directory Authentication Provider

Step 5) Under Provider Specific, provide the following values, leave the others as default.

Propagate Cause For Login Exception ( checked)
Principal :CN=aduser,CN=Users,DC=faisal,DC=bea,DC=com
User Base Dn : CN=Users,DC=faisal,DC=bea,DC=com
Credential : XXXXXX
Group Base Dn: CN=Users,DC=faisal,DC=bea,DC=com

You should see the following in the config.xml

<sec:authentication-provider xsi:type=”wls:active-directory-authenticatorType”>
<sec:name>ActiveDirectory</sec:name>
<sec:control-flag>SUFFICIENT</sec:control-flag>
<wls:propagate-cause-for-login-exception>false</wls:propagate-cause-for-login-exception>
<wls:principal>CN=aduser,CN=Users,DC=faisal,DC=bea,DC=com</wls:principal>
<wls:user-base-dn>CN=Users,DC=faisal,DC=bea,DC=com</wls:user-base-dn>
<wls:credential-encrypted>{3DES}YoOwqSH1jxsOlvUmAYOENw==</wls:credential-encrypted>
<wls:group-base-dn>CN=Users,DC=faisal,DC=bea,DC=com</wls:group-base-dn>
</sec:authentication-provider>

Step 6) Change the control flag of the Active Directory Authenticator and the Default Authenticator to SUFFICIENT

Step 7) Restart your server. Go to myrealm. You should be able to see the users and groups from the Active Directory.

Comments

comments

45 Thoughts on “Configuring Active Directory Authenticator with Weblogic Server

  1. Thanks for the post on configuring the active directory authenticator.

    I have a question: How do I determine the ‘Principal’ value for my environment? I tried using the one that worked for you and changing the values to be my username and my server, etc. but my connection failed.

    My Active Directory server is controlled by another group. I have the ability to connect to it for authentication and I can view it using the ‘Active Directory Explorer’ which I obtained from the MS site. I simply put my server name and my login creds and the tool connects and shows a huge ldap tree. I see my login username as the value of the attribute sAMAccountName, but it is not a DN type syntax. It is a DirectoryString type syntax in the ldap browser.

    Any ideas?

    Thanks.
    Bill

  2. Daniel Chasle on February 11, 2011 at 7:45 am said:

    Have you come across a way of getting AD to return more than 1000 records to Weblogic. The default MaxPageSize in AD is set to 1000, so if you have more than that many users then it only returns the first 1000 based on the date they were created. There is meant to be a way to get AD to return paged results, but I’ve not found it yet. Just wondered if you’d come across this yet?

    Regards

    Dan

    • Administrator on February 11, 2011 at 1:07 pm said:

      Hi Dan,

      I havent come across a way either.
      The only way to get AD return more that 1000 users is by increasing the MaxPageSize which you are already aware of.

      Thanks for posting.

      Cheers!
      Faisal

  3. Mangesh Khairnar on March 3, 2011 at 4:28 am said:

    Hi Faisal,

    Can we configure ADAM/AzMan with weblogic instead of Active Directory?
    If yes, do you think there will be any difference in configuration.
    Please reply me.

    Thanks,
    Mangesh Khairnar.

    • Administrator on March 3, 2011 at 5:28 am said:

      Hi Magnesh,

      We can configure ADAM with WLS using the LDAPAuthenticator. I remember doing it once for one of my customer long time back.
      We just need to use the appropriate filters.

      Let me know if you need help in configuring it.

      Cheers!
      Faisal

  4. Mangesh Khairnar on March 3, 2011 at 6:28 am said:

    Thanks Faisal,

    Can we use SPNEGO (kerberos) with LDAPAuthenticator (for ADAM)?
    I need to implement SSO with ADAM in weblogic, is it possible?
    I already have SSO working with Active Directory, now I need to do the same with ADAM, it will be great help if you guide me through this process.

    Thanks,
    Mangesh Khairnar.

    • Administrator on March 3, 2011 at 6:32 am said:

      Hi Magnesh,

      I havent done it before so wont be able to comment.
      Does your ADAM act as a domain controller?

      The best way to know if it will work is by trying out the configuration.

      Let me know if you need any help.

      If it works, we can create an article on it and post on wonders.

      Thanks,
      Faisal

  5. Mangesh Khairnar on March 3, 2011 at 6:32 am said:

    Thanks Faisal,

    Can we implement SPNEGO (kerberos) with LDAPAuthenticator (for ADAM)?
    I need to implement the SSO with ADAM in weblogic, is it possible?
    I already have SSO working with Active Directory, now I need to do it with ADAM. It will be great help if you guide me through this implementation.

    Thanks,
    Mangesh Khairnar.

  6. Mangesh Khairnar on March 4, 2011 at 4:11 am said:

    Hi Faisal,

    I am trying to configure ADAM using LDAPAuthenticator provider.
    But getting a following error while going to “Users and Groups” tab:

    LdapErr: DSID-0C090336, comment: AcceptSecurityContext error, data 2030, vece

    Following is the ADAM store I am trying to access:

    msldap://dev2:50000/CN=GPAzManStore,OU=abc,O=pqr,C=xyz

    Following is the sample Confing.xml part for this configuration, can you please suggest where exactly I am making mistake:

    LDAP-Auth
    OPTIONAL
    false
    dev2
    50000
    user
    sAMAccountName
    cn=admin, ou=abc, o=pqr, c=xyz
    ou=abc, o=pqr, c=xyz
    {3DES}Si8r8SiRQ18=
    (&(sAMAccountName=%u)(objectclass=user))
    ou=abc, o=pqr, c=xyz
    (&(member=%g)(objectclass=group))
    group
    member
    (&(member=%M)(objectclass=group))

    Thanks,
    Mangesh Khairnar.

    • Administrator on March 5, 2011 at 2:50 am said:

      Hi Magnesh,

      What is the error you are getting in the weblogic server logs?
      Can you export the ldif one user ( say admin and paste it here)
      Also paste the error you are getting in the server logs.

      Thanks,
      Faisal

  7. Mangesh Khairnar on March 5, 2011 at 4:37 am said:

    Hi Faisal,

    Thanks for your reply.
    Finally I was able to resolve the issue which I shared with you earlier, it was a issue related to wrong DN and filter. I corrected it and was able to get the ADAM users in weblogic console (I used Active Directory Authentication Provider).
    But now I am facing another problem, I am able to get the users which I newly added to ADAM, but I am still unable to get the users which I added in ADAM from Active Directory schema.
    Also I am unable to get the users from AzMan store which I added in ADAM.
    Do you have any idea around this?

    Thanks,
    Mangesh Khairnar.

    • Administrator on March 5, 2011 at 6:28 am said:

      Hi Magnesh,

      I did not get a clear picture. Mayb we can have a screehsharing session.
      Did u check the user base dn? are the users from the same base dn?

      Thanks,
      Faisal

  8. Mangesh Khairnar on March 5, 2011 at 7:29 am said:

    Hi Faisal,

    Let me give you a clear idea:

    I have a active directory with following base dn:
    DC=itshastra,DC=local

    I have created an ADAM store with following base dn:
    OU=GuardianPro,O=itshastra,C=local

    In this ADAM I have AzMan Store:
    CN=GPAzManStore,OU=GuardianPro,O=itshastra,C=local

    Now in weblogic console I am getting the users which I newly created in ADAM, but not getting the referenced users from Active Directory (in third party LDAP browser I can see those users with objeCtclass=foreignSecurityPrincipal). Also the same thing happening with the AzMan store users.

    Hope I have given you an clear idea, it will be great if you could suggest any clue or else if it is possible to you, we can have a screen sharing session on Monday.

    Thanks,
    Mangesh Khairnar.

    • Administrator on March 5, 2011 at 9:04 am said:

      Hi Mangesh,

      I got a fair idea.
      We can try out a few things on Monday.
      Looks like we might have to use a filter on WLS.

      Thanks,
      Faisal

  9. Stewart Meyer on April 15, 2011 at 9:36 am said:

    I am not a fan of WebLogic, but it came bundled with an application our company bought. When I setup LDAP authentication for any other web server/application, the application typically manages the login. I supply the LDAP server location and details. I do NOT have to provide a specific principle for login, the authenticator uses the user’s credentials to connect to LDAP, and either passes for fails.

    I do not want to embed a principle and password in WebLogic as I have to age passwords and restart the darn server everytime I update the principle’s password. Why can’t WebLogic use the person logging in to authenticate?

  10. Pradeep on May 12, 2011 at 10:23 am said:

    Hi Faisal,
    I am trying to configure eNovell directory in weblogic console. So, That users can use the same LDAP password to log into the weblogic console.
    After configuring it I can see a lot of user and groups under user and group, which belongs to the newly created Authenticator Provider. But when I am clicking on those user I am not seeing any groups associated with them and I am not seeing any option to allocate a group to them. For e.g when we create a user in weblogic, we can allocate group to that user after clicking on groups under that particular user. Groups like Admin, Monitor etc etc…..

    Also, the user which are from Novell edirectory can not log in using their LDAP password.

    Could you please help me in solving these 2 problems.

    Thanks in Advance !!!!!

    • Administrator on May 14, 2011 at 3:48 am said:

      Hi Pradeep,

      You need to modify the default roles and policies so that novel users can log in.

      This should help

      http://weblogic-wonders.com/weblogic/2010/06/04/how-to-modify-weblogic-default-roles-and-policies/

      Secondly, you dont have the option to allocate groups to external ldap users from the weblogic console.

      It depends on the DN where the users are for its group information to appear in the WLS Console.

      Create a ou in your present user base dn and keep the users there and specify the user base dn pointing to that ou.

      I can help you if you can let me know your directory structure…

      Thanks,
      Faisal

  11. Pradeep on May 16, 2011 at 10:37 am said:

    Thanks Faisal !!!! Thanks a Bunch !!!!

    Your views are really helpful to me, I will do some work and definitely ask you for further help. Can I have your email ID where I can send you the details .

  12. sally on May 31, 2011 at 5:33 am said:

    really thanks alot for this post, its help me alooooooot :)

  13. Sonnet on June 7, 2011 at 12:33 pm said:

    Excellent aritcle. Thank you very much for sharing this.

    I was able to confirgure LDAP/Active Directory, but can you expalin, how do i add AD users to Weblogic built in Administrators, Deployers or Monitors roles?

    Would really appreciate if you can explain how.

    Thanks & Regards
    Sonnet

  14. Sonnet on June 9, 2011 at 9:00 am said:

    Thank you very much, Faisal. I was able to modify the Admin “role condition” and add a particular user from the Active Directory, and I am able to login as the AD user. However, it won’t recognize a group. for example, I have a group setup as WSL_Admin, which I am a member of. I can edit the condition as (“WLS_Admin” or “Administrator”), but I can’t log in. I have verified the user is not locked and the group exists. I am a bit baffled.

    Have you verified whether a member of a group can login as an Admin or Deployer role?

    Thanks once again for such great knowledge articles. Much appreciated.

    Sonnet

  15. Very helpful article!

    One question if you can help:
    I have 2 AD providers that totally have more than 1000 groups. In one of them I have already set the maxpagesize = 5000 using NTDSUtil.exe
    Why in the console I see total 1000 groups when for sure I have more? Any idea?

    Thanx in advance!

    Spyros

    • Administrator on July 22, 2011 at 2:27 pm said:

      Not sure, you need to capture the network packets and check what ldap query is being fired and what response is sent. That will give you an idea.

  16. thanks for this wonderful article,
    i have followed your steps and was able to get the users defined in Active Directory,but i failed to retrieve the group information from Active Directory.In weblogic admin console groups tab of users i am getting an exception as below

    weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090278]Error listing member groups Saiju S at weblogic.security.providers.authentication.LDAPAtnDelegate.listMemberGroups(LDAPAtnDelegate.java:2181) at weblogic.security.providers.authentication.LDAPAuthenticatorImpl.listMemberGroups(LDAPAuthenticatorImpl.java:168) at weblogic.security.providers.authentication.ActiveDirectoryAuthenticatorMBeanImpl.listMemberGroups(ActiveDirectoryAuthenticatorMBeanImpl.java:206) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at weblogic.management.jmx.modelmbean.WLSModelMBean.invoke(WLSModelMBean.java:437) at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:836) at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:761) at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase$16.run(WLSMBeanServerInterceptorBase.java:449) at java.security.AccessController.doPrivileged(Native Method) at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase.invoke(WLSMBeanServerInterceptorBase.java:447) at weblogic.management.mbeanservers.internal.JMXContextInterceptor.invoke(JMXContextInterceptor.java:263) at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase$16.run(WLSMBeanServerInterceptorBase.java:449) at java.security.AccessController.doPrivileged(Native Method) at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase.invoke(WLSMBeanServerInterceptorBase.java:447) at weblogic.management.mbeanservers.internal.SecurityInterceptor.invoke(SecurityInterceptor.java:444) at weblogic.management.jmx.mbeanserver.WLSMBeanServer.invoke(WLSMBeanServer.java:323) at weblogic.management.mbeanservers.internal.JMXConnectorSubjectForwarder$11$1.run(JMXConnectorSubjectForwarder.java:663) at java.security.AccessController.doPrivileged(Native Method) at weblogic.management.mbeanservers.internal.JMXConnectorSubjectForwarder$11.run(JMXConnectorSubjectForwarder.java:661) at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363) at weblogic.management.mbeanservers.internal.JMXConnectorSubjectForwarder.invoke(JMXConnectorSubjectForwarder.java:654) at javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1427) at javax.management.remote.rmi.RMIConnectionImpl.access$200(RMIConnectionImpl.java:72) at javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1265) at java.security.AccessController.doPrivileged(Native Method) at javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1367) at javax.management.remote.rmi.RMIConnectionImpl.invoke(RMIConnectionImpl.java:788) at javax.management.remote.rmi.RMIConnectionImpl_WLSkel.invoke(Unknown Source) at weblogic.rmi.internal.ServerRequest.sendReceive(ServerRequest.java:174) at weblogic.rmi.internal.BasicRemoteRef.invoke(BasicRemoteRef.java:222) at javax.management.remote.rmi.RMIConnectionImpl_1035_WLStub.invoke(Unknown Source) at javax.management.remote.rmi.RMIConnector$RemoteMBeanServerConnection.invoke(RMIConnector.java:993) at weblogic.management.jmx.MBeanServerInvocationHandler.doInvoke(MBeanServerInvocationHandler.java:544) at weblogic.management.jmx.MBeanServerInvocationHandler.invoke(MBeanServerInvocationHandler.java:380) at $Proxy354.listMemberGroups(Unknown Source) at com.bea.console.utils.security.UserUtils.getParentGroupNames(UserUtils.java:271) at com.bea.console.actions.security.users.UserGroupsAction.execute(UserGroupsAction.java:74) at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431) at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.access$201(PageFlowRequestProcessor.java:97) at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor$ActionRunner.execute(PageFlowRequestProcessor.java:2044) at org.apache.beehive.netui.pageflow.interceptor.action.internal.ActionInterceptors.wrapAction(ActionInterceptors.java:91) at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processActionPerform(PageFlowRequestProcessor.java:2116) at com.bea.console.internal.ConsolePageFlowRequestProcessor.processActionPerform(ConsolePageFlowRequestProcessor.java:261) at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236) at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processInternal(PageFlowRequestProcessor.java:556) at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.process(PageFlowRequestProcessor.java:853) at org.apache.beehive.netui.pageflow.AutoRegisterActionServlet.process(AutoRegisterActionServlet.java:631) at org.apache.beehive.netui.pageflow.PageFlowActionServlet.process(PageFlowActionServlet.java:158) at com.bea.console.internal.ConsoleActionServlet.process(ConsoleActionServlet.java:262) at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414) at com.bea.console.internal.ConsoleActionServlet.doGet(ConsoleActionServlet.java:134) at org.apache.beehive.netui.pageflow.PageFlowUtils.strutsLookup(PageFlowUtils.java:1199) at com.bea.portlet.adapter.scopedcontent.ScopedContentCommonSupport.executeAction(ScopedContentCommonSupport.java:686) at com.bea.portlet.adapter.scopedcontent.ScopedContentCommonSupport.renderInternal(ScopedContentCommonSupport.java:266) at com.bea.portlet.adapter.scopedcontent.StrutsStubImpl.render(StrutsStubImpl.java:107) at com.bea.netuix.servlets.controls.content.NetuiContent.preRender(NetuiContent.java:292) at com.bea.netuix.nf.ControlLifecycle$6.visit(ControlLifecycle.java:428) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:727) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walk(ControlTreeWalker.java:146) at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:395) at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:361) at com.bea.netuix.nf.Lifecycle.runOutbound(Lifecycle.java:208) at com.bea.netuix.nf.Lifecycle.run(Lifecycle.java:162) at com.bea.netuix.servlets.manager.UIServlet.runLifecycle(UIServlet.java:388) at com.bea.netuix.servlets.manager.UIServlet.doPost(UIServlet.java:258) at com.bea.netuix.servlets.manager.UIServlet.doGet(UIServlet.java:211) at com.bea.netuix.servlets.manager.UIServlet.service(UIServlet.java:196) at com.bea.netuix.servlets.manager.SingleFileServlet.service(SingleFileServlet.java:251) at javax.servlet.http.HttpServlet.service(HttpServlet.java:820) at com.bea.console.utils.MBeanUtilsInitSingleFileServlet.service(MBeanUtilsInitSingleFileServlet.java:47) at weblogic.servlet.AsyncInitServlet.service(AsyncInitServlet.java:130) at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227) at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125) at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300) at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3715) at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681) at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321) at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120) at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2277) at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183) at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454) at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209) at weblogic.work.ExecuteThread.run(ExecuteThread.java:178) Caused by: netscape.ldap.LDAPException: Referral connect failed: failed to connect to server ldap://cop.oracle.com/CN=Users,DC=cop,DC=oracle,DC=com (91); Cannot connect to the LDAP server; Failed to follow referral at netscape.ldap.LDAPConnection.referralConnect(LDAPConnection.java:4946) at netscape.ldap.LDAPConnection.performReferrals(LDAPConnection.java:5127) at netscape.ldap.LDAPConnection.checkSearchMsg(LDAPConnection.java:2644) at netscape.ldap.LDAPConnection.search(LDAPConnection.java:2607) at weblogic.security.providers.authentication.LDAPAtnDelegate.listMemberGroups(LDAPAtnDelegate.java:2167) … 116 more

    Can you help me in solving this and get the groups infromation as well from Active Directory

  17. Do you have any further instrux on connecting WL to AD LDS? I’ve tried creating to authenticators but neither are working. Below are my config.xml entries along with the error from WL when trying to login to the application.

    DugActiveDirectoryAuthenticator
    SUFFICIENT
    SRV07
    CN=weblogic,CN=Users,O=NEOSYS,C=US
    CN=Users,O=NEOSYS,C=US
    {AES}68Xd572ui1xuNwVa/hEml8l8lGWcr1oXP8l4YuQqZgg=
    CN=Users,O=NEOSYS,C=US

    -
    DugLDAPAuthenticator
    SUFFICIENT
    SRV07
    users
    CN
    CN=weblogic,CN=Users,O=NEOSYS,C=US
    CN=Users,O=NEOSYS,C=US
    {AES}wvGfvUgwAaSfuXmvf6bMw4OqDS5n1Yqe0kvoSNFQ0AY=
    (&(uid=%u)(objectclass=users))
    CN=Users,O=NEOSYS,C=US

  18. natalya.luke on July 20, 2012 at 12:00 pm said:

    Hi Guys
    I saw you have great discussion on topic we need. Have you got an answer can Weblogic sso (snego) be configured with ADAM?
    Have you make it work in the end?
    Thanks
    Natalya

    • Administrator on August 21, 2012 at 3:49 pm said:

      Hi Natalya,

      I havent configured ADAM for SPNEGO authentication yet.
      Do you log in to your client machine from users in ADAM? Is it acting as a domain controller?

      What is your architechture like?

      Thanks,
      Faisal

  19. neeraj gang on September 10, 2012 at 3:57 am said:

    Hi Faisal,
    Thanks for the above post.
    In my company we have a build in AD.
    I am doing a POC in which i need to configure this AD in weblogic.
    But when i am creating a new provider as ActiveDirectoryAuthenticator, weblogic asks me to restart the server. Upon doing this i am getting below error :

    “All of the servers selected are currently in a state which is incompatible with this operation or are not associated with a running Node Manager or you are not authorized to perform the action requested. No action will be performed”

    Please let me know if you need any more information.

    • Administrator on September 29, 2012 at 10:58 am said:

      Hi Neeraj,

      I guess you don’t have the permission to restart the server.
      How are you logged in as? Do you use node manager to start stop servers?

  20. we have set up a APEX application that is presented from weblogic we folloewd the Oracle documentation and all works we now want to add CAC authentication to the application we have forms and reports running from the weblogic instance with SSL and CAC (WLS-FORMS and WLS-REPORTS) but the APEX is not (WLS-APEX) i have set them up each with their own server

  21. Rajesh on February 5, 2013 at 9:50 am said:

    Hi Faysal,
    The post is useful. I have a similar error as listed above by Saiju. I enabled the debug. I am able to connect to the LDAP server through an open source tool called LDAP Admin. I am concerned that Weblogic is unable to connect.
    Could you please help me.

    #### <Administration Console encountered the following error: weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090294]could not get connection
    at weblogic.security.providers.authentication.LDAPAtnDelegate.getConnection(LDAPAtnDelegate.java:3492)
    at weblogic.security.providers.authentication.LDAPAtnDelegate.getConnection(LDAPAtnDelegate.java:3479)
    at weblogic.security.providers.authentication.LDAPAtnDelegate.listUsers(LDAPAtnDelegate.java:2267)
    at weblogic.security.providers.authentication.LDAPAuthenticatorImpl.listUsers(LDAPAuthenticatorImpl.java:178)
    at weblogic.security.providers.authentication.ActiveDirectoryAuthenticatorMBeanImpl.listUsers(ActiveDirectoryAuthenticatorMBeanImpl.java:227)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:601)
    at weblogic.management.jmx.modelmbean.WLSModelMBean.invoke(WLSModelMBean.java:437)
    at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:819)
    at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:791)
    at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase$16.run(WLSMBeanServerInterceptorBase.java:449)
    at java.security.AccessController.doPrivileged(Native Method)
    at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase.invoke(WLSMBeanServerInterceptorBase.java:447)
    at weblogic.management.mbeanservers.internal.JMXContextInterceptor.invoke(JMXContextInterceptor.java:263)
    at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase$16.run(WLSMBeanServerInterceptorBase.java:449)
    at java.security.AccessController.doPrivileged(Native Method)
    at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase.invoke(WLSMBeanServerInterceptorBase.java:447)
    at weblogic.management.mbeanservers.internal.SecurityInterceptor.invoke(SecurityInterceptor.java:444)
    at weblogic.management.jmx.mbeanserver.WLSMBeanServer.invoke(WLSMBeanServer.java:323)
    at weblogic.management.mbeanservers.internal.JMXConnectorSubjectForwarder$11$1.run(JMXConnectorSubjectForwarder.java:663)
    at java.security.AccessController.doPrivileged(Native Method)
    at weblogic.management.mbeanservers.internal.JMXConnectorSubjectForwarder$11.run(JMXConnectorSubjectForwarder.java:661)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
    at weblogic.management.mbeanservers.internal.JMXConnectorSubjectForwarder.invoke(JMXConnectorSubjectForwarder.java:654)
    at javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1486)
    at javax.management.remote.rmi.RMIConnectionImpl.access$300(RMIConnectionImpl.java:96)
    at javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1327)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1426)
    at javax.management.remote.rmi.RMIConnectionImpl.invoke(RMIConnectionImpl.java:847)
    at javax.management.remote.rmi.RMIConnectionImpl_WLSkel.invoke(Unknown Source)
    at weblogic.rmi.internal.ServerRequest.sendReceive(ServerRequest.java:201)
    at weblogic.rmi.internal.BasicRemoteRef.invoke(BasicRemoteRef.java:299)
    at javax.management.remote.rmi.RMIConnectionImpl_1211_WLStub.invoke(Unknown Source)
    at javax.management.remote.rmi.RMIConnector$RemoteMBeanServerConnection.invoke(RMIConnector.java:1017)
    at weblogic.management.jmx.MBeanServerInvocationHandler.doInvoke(MBeanServerInvocationHandler.java:544)
    at weblogic.management.jmx.MBeanServerInvocationHandler.invoke(MBeanServerInvocationHandler.java:380)
    at $Proxy72.listUsers(Unknown Source)
    at com.bea.console.utils.security.UserUtils.getUsers(UserUtils.java:78)
    at com.bea.console.actions.security.users.UserTableAction.getCollection(UserTableAction.java:100)
    at com.bea.console.actions.security.ManagementBaseTableAction.execute(ManagementBaseTableAction.java:82)
    at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
    at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.access$201(PageFlowRequestProcessor.java:97)
    at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor$ActionRunner.execute(PageFlowRequestProcessor.java:2044)
    at org.apache.beehive.netui.pageflow.interceptor.action.internal.ActionInterceptors.wrapAction(ActionInterceptors.java:91)
    at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processActionPerform(PageFlowRequestProcessor.java:2116)
    at com.bea.console.internal.ConsolePageFlowRequestProcessor.processActionPerform(ConsolePageFlowRequestProcessor.java:261)
    at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
    at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processInternal(PageFlowRequestProcessor.java:556)
    at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.process(PageFlowRequestProcessor.java:853)
    at org.apache.beehive.netui.pageflow.AutoRegisterActionServlet.process(AutoRegisterActionServlet.java:631)
    at org.apache.beehive.netui.pageflow.PageFlowActionServlet.process(PageFlowActionServlet.java:158)
    at com.bea.console.internal.ConsoleActionServlet.process(ConsoleActionServlet.java:262)
    at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414)
    at com.bea.console.internal.ConsoleActionServlet.doGet(ConsoleActionServlet.java:134)
    at org.apache.beehive.netui.pageflow.PageFlowUtils.strutsLookup(PageFlowUtils.java:1199)
    at org.apache.beehive.netui.pageflow.PageFlowUtils.strutsLookup(PageFlowUtils.java:1129)
    at com.bea.portlet.adapter.scopedcontent.framework.internal.PageFlowUtilsBeehiveDelegate.strutsLookupInternal(PageFlowUtilsBeehiveDelegate.java:43)
    at com.bea.portlet.adapter.scopedcontent.framework.PageFlowUtils.strutsLookup(PageFlowUtils.java:108)
    at com.bea.portlet.adapter.scopedcontent.ScopedContentCommonSupport.executeAction(ScopedContentCommonSupport.java:707)
    at com.bea.portlet.adapter.scopedcontent.ScopedContentCommonSupport.renderInternal(ScopedContentCommonSupport.java:265)
    at com.bea.portlet.adapter.scopedcontent.StrutsStubImpl.render(StrutsStubImpl.java:103)
    at com.bea.netuix.servlets.controls.content.NetuiContent.preRender(NetuiContent.java:292)
    at com.bea.netuix.nf.ControlLifecycle$6.visit(ControlLifecycle.java:428)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:727)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
    at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
    at com.bea.netuix.nf.ControlTreeWalker.walk(ControlTreeWalker.java:146)
    at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:399)
    at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:361)
    at com.bea.netuix.nf.Lifecycle.runOutbound(Lifecycle.java:208)
    at com.bea.netuix.nf.Lifecycle.run(Lifecycle.java:162)
    at com.bea.netuix.servlets.manager.UIServlet.runLifecycle(UIServlet.java:465)
    at com.bea.netuix.servlets.manager.UIServlet.doPost(UIServlet.java:291)
    at com.bea.netuix.servlets.manager.UIServlet.doGet(UIServlet.java:231)
    at com.bea.netuix.servlets.manager.UIServlet.service(UIServlet.java:216)
    at com.bea.netuix.servlets.manager.SingleFileServlet.service(SingleFileServlet.java:275)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:844)
    at com.bea.console.utils.MBeanUtilsInitSingleFileServlet.service(MBeanUtilsInitSingleFileServlet.java:64)
    at weblogic.servlet.AsyncInitServlet.service(AsyncInitServlet.java:125)
    at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:242)
    at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:216)
    at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:132)
    at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:338)
    at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:25)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:74)
    at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:74)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3288)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3254)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
    at weblogic.servlet.provider.WlsSubjectHandle.run(WlsSubjectHandle.java:57)
    at weblogic.servlet.internal.WebAppServletContext.doSecuredExecute(WebAppServletContext.java:2163)
    at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2089)
    at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2074)
    at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1513)
    at weblogic.servlet.provider.ContainerSupportProviderImpl$WlsRequestExecutor.run(ContainerSupportProviderImpl.java:254)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
    Caused by: java.lang.reflect.InvocationTargetException
    at weblogic.security.providers.authentication.LDAPAtnDelegate$LDAPFactory.newInstance(LDAPAtnDelegate.java:4166)
    at weblogic.security.utils.Pool.newInstance(Pool.java:37)
    at weblogic.security.utils.Pool.getInstance(Pool.java:33)
    at weblogic.security.providers.authentication.LDAPAtnDelegate.getConnection(LDAPAtnDelegate.java:3487)
    … 128 more
    Caused by: netscape.ldap.LDAPException: Connection refused: connect (91); Cannot connect to the LDAP server
    at weblogic.security.providers.authentication.LDAPAtnDelegate$AtnLDAPSocketFactory.makeSocket(LDAPAtnDelegate.java:4702)
    at netscape.ldap.LDAPConnSetupMgr.connectServer(Unknown Source)
    at netscape.ldap.LDAPConnSetupMgr.openSerial(Unknown Source)
    at netscape.ldap.LDAPConnSetupMgr.connect(Unknown Source)
    at netscape.ldap.LDAPConnSetupMgr.openConnection(Unknown Source)
    at netscape.ldap.LDAPConnThread.connect(Unknown Source)
    at netscape.ldap.LDAPConnection.connect(Unknown Source)
    at netscape.ldap.LDAPConnection.connect(Unknown Source)
    at netscape.ldap.LDAPConnection.connect(Unknown Source)
    at weblogic.security.providers.authentication.LDAPAtnDelegate$LDAPFactory.newInstance(LDAPAtnDelegate.java:4141)
    … 131 more
    Caused by: java.net.ConnectException: Connection refused: connect
    at java.net.DualStackPlainSocketImpl.connect0(Native Method)
    at java.net.DualStackPlainSocketImpl.socketConnect(DualStackPlainSocketImpl.java:69)
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:339)
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:200)
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:182)
    at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:157)
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:391)
    at java.net.Socket.connect(Socket.java:579)
    at java.net.Socket.connect(Socket.java:528)
    at java.net.Socket.(Socket.java:425)
    at java.net.Socket.(Socket.java:208)
    at weblogic.security.providers.authentication.LDAPAtnDelegate$AtnLDAPSocketFactory.makeSocket(LDAPAtnDelegate.java:4691)
    … 140 more
    >

    Thanks,
    Rajesh

    • Administrator on February 17, 2013 at 4:50 am said:

      issue resolved after the call with Rajesh.

      • ashish patil on September 30, 2014 at 2:45 am said:

        Hi Faysal/Rajesh,

        I am getting the same issue when i configured iPlanet coustm provider. could you please let me the solutions for the same.

        issue:
        <Console encountered the following error weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090294]could not get connection
        Caused by: java.lang.reflect.InvocationTargetException
        at weblogic.security.providers.authentication.LDAPAtnDelegate$LDAPFactory.newInstance(LDAPAtnDelegate.java:4166)

  22. Hi,

    Is it mandatory to assign the AD user to Administrator Group? We have some limitation regarding the company security policies that prevent us to do this.
    Please let me know if there is any alternative.

    Thanks in advance.

  23. Garima Dubey on June 2, 2014 at 1:50 am said:

    I have an ADF application ,which I want to authenticate using Active Directory. I have been able to configure the ActiveDirectory Provider successfully in the Integrated Weblogic server for Jdev ,due which I can list all the roles and the Users in the weblogic console. But when i run the application and try to login using any of those AD users,it gives a pop-up stating “Specify correct username and password”. The AD users are active and password has been reset for them

    • Administrator on June 2, 2014 at 8:14 am said:

      Hi Garima,

      I am not sure how ADF roles map to Weblogic server roles.
      You will have to get in touch with and ADF expert.

      If you want to see what is going wrong on Weblogic, you can go to Server > Debug > expand weblogic > expand security > check ATN and ATZ

      The logs will give you an idea..

      Hope this helps.

      Regards,
      Faisal

  24. Angeliki on August 5, 2014 at 11:42 am said:

    Hello

    I have another issue. I should authenticate the users of my application through Active Directory (user existence and pasword validation) but I want to ignore the user group returned by Active Directory and obtain the group of the user through a call to a web service. How can I do this throug an Active Directory Authenticator? What else can I do?

    Thank you in advance for your help

    Regards,
    Angeliki

Leave a Reply

Post Navigation