lnatalya Archive

Multiple Users Forest SSO

In our lab we created three new forests, each with one domain and its own DNS server, to simulate a complex environment.

Forest DomainA.com
Domain Controller: DCNL01.domainA.com
Workstation: DSKNL01
Test user: userA, pass: Pumpkin1
SSO binding user: ssoA, pass: Pumpkin1App
LDAP principal: WLSAdminA@domaina.com, pass: Pumpkin1

Forest DomainB.com
Domain Controller: DCNL02.domainB.com
Workstation: DSKNL02
Test user: userB, pass: Pumpkin1
SSO binding user: ssoB, pass: Pumpkin1App
LDAP principal: WLSAdminB@domainb.com, pass: Pumpkin1

Forest DomainApp.com
Domain Controller: DCNL03.domainApp.com
Workstation: DSKNL03
Test user: userApp, pass: Pumpkin1
SSO binding user: ssoApp, pass: Pumpkin1App
WebLogic server: V11CON01.domainApp.com
LDAP principal: WLSAdminApp, pass: Pumpkin1

The application (WebLogic) server is installed in DomainApp.com.
Application users are created in all three domains.
A service user for LDAP binding and a service user for SSO are created in each domain.

Important: the three SSO service accounts, which are all mapped to the same Kerberos principal, must have the same password, key version number and encryption type. WebLogic holds a single keytab entry for HTTP/v11con01@DOMAINAPP.COM, but a workstation in DomainA or DomainB gets its service ticket from its own DC, encrypted with that forest's ssoA or ssoB key. With RC4-HMAC-NT the key is the NT hash of the password alone, with no realm or account-name salt, so identical passwords give identical keys in all three forests and the one keytab entry decrypts tickets from any of them. With AES the key is salted with the realm and account name, so this shortcut would not work. The flip side is that one RC4 key (a deprecated cipher) is shared by three accounts: protect the keytab accordingly, and regenerate it if any of the three passwords changes, because the old entry then stops decrypting that forest's tickets.
SSO user: ssoApp@domainapp.com, pass: Pumpkin1App
SSO user: ssoB@domainb.com, pass: Pumpkin1App
SSO user: ssoA@domaina.com, pass: Pumpkin1App

DNS resolution needs to be in place across the forests: each workstation must resolve v11con01.domainapp.com, and the application server must resolve all three domain controllers.


WebLogic is configured with three LDAP authentication providers (one per forest) plus the Negotiate Identity Asserter. Provider order is important: if the asserter is placed before the DomainB LDAP provider, DomainB users are not asserted through SSO and fall back to plain LDAP authentication.


SSO commands run on each DC. The SPN is registered in every forest on that forest's SSO account, so each forest's KDC can issue tickets for it:

On DCNL03 (DomainApp.com):
setspn -A HTTP/v11con01.domainapp.com ssoApp
ktpass -out SSOKeyTabFile -kvno 0 -princ HTTP/v11con01@DOMAINAPP.COM -mapuser ssoApp -pass Pumpkin1App -crypto RC4-HMAC-NT
The keytab written here (SSOKeyTabFile) is collected and used for WebLogic; because the keys are identical in all three forests, this single keytab is enough.
Full output of the ktpass command:

On DCNL01 (DomainA.com):
setspn -A HTTP/v11con01.domainapp.com ssoA
ktpass -kvno 0 -princ HTTP/v11con01@DOMAINAPP.COM -mapuser domaina\ssoA -pass Pumpkin1App -crypto RC4-HMAC-NT

On DCNL02 (DomainB.com):
setspn -A HTTP/v11con01.domainapp.com ssoB
ktpass -kvno 0 -princ HTTP/v11con01@DOMAINAPP.COM -mapuser domainb\ssoB -pass Pumpkin1App -crypto RC4-HMAC-NT

The last two runs have no -out: they are used only to map the principal and set the password on ssoA and ssoB, not to produce a second keytab.
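The three setspn/ktpass pairs above are the same two commands with a different account, so here they are as one script that is run on each DC with that forest's SSO account. This is an added example, not part of the original lab notes: it adds the duplicate-SPN check (a second account holding the same SPN makes the KDC pick the wrong key and the server fail with KRB_AP_ERR_MODIFIED) and a listing of what ktpass actually did to the account. Assumptions of mine, not the page's: it runs in an elevated prompt on the DC with the ActiveDirectory module available, the password is typed at a prompt instead of being hard-coded, and you accept that ktpass resets the mapped account's password to the value given.

```powershell
# Added example, not from the original lab notes. Run once on each DC:
#   .\Register-SsoSpn.ps1 -SsoAccount ssoApp -OutFile SSOKeyTabFile   (DCNL03)
#   .\Register-SsoSpn.ps1 -SsoAccount ssoA                             (DCNL01)
#   .\Register-SsoSpn.ps1 -SsoAccount ssoB                             (DCNL02)
param(
    [Parameter(Mandatory = $true)][string]$SsoAccount,      # ssoA, ssoB or ssoApp
    [string]$Spn       = 'HTTP/v11con01.domainapp.com',     # SPN the browsers ask for
    [string]$Principal = 'HTTP/v11con01@DOMAINAPP.COM',     # principal in the keytab
    [string]$OutFile   = '',                                # only the first DC writes a keytab
    [string]$Crypto    = 'RC4-HMAC-NT'                      # as in the notes; RC4 key = NT hash, no salt
)
$ErrorActionPreference = 'Stop'

# Same password in every forest: with RC4-HMAC equal passwords give equal keys, which is
# what lets one keytab entry decrypt tickets issued by three different KDCs.
$secure = Read-Host -AsSecureString "Password for $SsoAccount (must be identical in all three forests)"
$pass   = [System.Net.NetworkCredential]::new('', $secure).Password

# Register the SPN. setspn -S (instead of -A) refuses to add a duplicate; skip if the
# account already holds it so the script can be re-run.
$current = setspn -L $SsoAccount 2>&1
if ($current -match [regex]::Escape($Spn)) {
    "SPN $Spn already registered on $SsoAccount"
} else {
    $spnOut = setspn -S $Spn $SsoAccount 2>&1
    if ($LASTEXITCODE -ne 0 -or ($spnOut -match 'Duplicate')) {
        throw "SPN $Spn could not be added (duplicate in this forest?):`n$($spnOut -join "`n")"
    }
}

# ktpass maps the principal onto the account (sets its UPN), sets the password, and with
# -out writes the keytab. -kvno 0 keeps the keytab entry independent of the account's
# own key version, exactly as the notes do.
$ktArgs = @('-kvno', '0', '-princ', $Principal, '-mapuser', "$env:USERDOMAIN\$SsoAccount",
            '-pass', $pass, '-crypto', $Crypto)
if ($OutFile) { $ktArgs = @('-out', $OutFile) + $ktArgs }
ktpass @ktArgs
if ($LASTEXITCODE -ne 0) { throw "ktpass failed for $SsoAccount" }
Remove-Variable pass, secure

# Show what is now on the account: SPNs, the UPN ktpass set, and the real key version in AD.
# The notes require the three accounts to agree on key version; compare this value across DCs.
setspn -L $SsoAccount
Get-ADUser -Identity $SsoAccount -Properties userPrincipalName, servicePrincipalName, 'msDS-KeyVersionNumber' |
    Select-Object SamAccountName, userPrincipalName, 'msDS-KeyVersionNumber',
        @{ Name = 'SPNs'; Expression = { $_.servicePrincipalName -join ';' } }
```

Only the run with -OutFile produces a keytab; copy that one file to the WebLogic server. If the msDS-KeyVersionNumber values differ between forests, the accounts have been through a different number of password resets, which is the mismatch the note above warns about.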

Files for SSO created on the application server:

krb5.ini (located in C:\Winnt)

SSOKeyTabFile (generated on the first DC above, DCNL03)
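The krb5.ini itself was a screenshot in the original notes and is not reproduced on this page, so the following is an added example, not the author's file: it writes a krb5.ini for the three lab realms using only the realm and DC names from the inventory above, checks that the application server can resolve each KDC (the DNS requirement stated earlier), and lists the keytab with the JDK's ktab tool so the principal, kvno 0 and the RC4-HMAC entry can be checked before WebLogic is pointed at it. Assumptions of mine: the keytab was copied to C:\Winnt\SSOKeyTabFile, and the bin directory of the JDK WebLogic runs on is in PATH so that ktab is found.

```powershell
# Added example, not from the original lab notes. Run on V11CON01 in an elevated prompt.
param(
    [string]$Krb5Ini = 'C:\Winnt\krb5.ini',        # location given in the notes
    [string]$KeyTab  = 'C:\Winnt\SSOKeyTabFile'    # assumed location of the copied keytab
)
$ErrorActionPreference = 'Stop'

# Realm and KDC names are taken from the lab inventory. The enctype lines pin the JVM to
# RC4-HMAC because the keytab was cut with -crypto RC4-HMAC-NT; with AES the key is salted
# with realm and account name and the one-keytab-for-three-forests setup breaks.
$krb5 = @'
[libdefaults]
    default_realm = DOMAINAPP.COM
    default_tkt_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac
    permitted_enctypes = rc4-hmac

[realms]
    DOMAINAPP.COM = {
        kdc = DCNL03.domainApp.com
        admin_server = DCNL03.domainApp.com
    }
    DOMAINA.COM = {
        kdc = DCNL01.domainA.com
        admin_server = DCNL01.domainA.com
    }
    DOMAINB.COM = {
        kdc = DCNL02.domainB.com
        admin_server = DCNL02.domainB.com
    }

[domain_realm]
    .domainapp.com = DOMAINAPP.COM
    domainapp.com = DOMAINAPP.COM
    .domaina.com = DOMAINA.COM
    domaina.com = DOMAINA.COM
    .domainb.com = DOMAINB.COM
    domainb.com = DOMAINB.COM
'@

# Plain ASCII, no BOM, so the file is read the same way by any Kerberos config parser.
[System.IO.File]::WriteAllText($Krb5Ini, $krb5, [System.Text.Encoding]::ASCII)
"Wrote $Krb5Ini"

# Every KDC named in [realms] must resolve from this host, otherwise logins from that
# forest fail with a KDC-unreachable error rather than a visible misconfiguration.
foreach ($kdc in 'DCNL03.domainApp.com', 'DCNL01.domainA.com', 'DCNL02.domainB.com') {
    try {
        $ips = (Resolve-DnsName -Name $kdc -Type A -ErrorAction Stop | Where-Object Type -eq 'A').IPAddress -join ','
        "$kdc -> $ips"
    } catch {
        Write-Warning "cannot resolve $kdc : $($_.Exception.Message)"
    }
}

# List the keytab: expect HTTP/v11con01@DOMAINAPP.COM, KVNO 0 and etype 23 (RC4-HMAC).
if (-not (Test-Path $KeyTab)) { throw "keytab not found at $KeyTab" }
if (Get-Command ktab -ErrorAction SilentlyContinue) {
    ktab -l -e -k $KeyTab
} else {
    Write-Warning 'ktab (JDK bin) not in PATH; cannot list the keytab here'
}
```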

After deploying our application we can test SSO by logging on to a workstation in each forest and listing its Kerberos tickets:

Tickets from workstation in domainA.com (DSKNL01)

Tickets from workstation in domainApp.com (DSKNL03)

Tickets from workstation in domainB.com (DSKNL02)
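The ticket listings for the three workstations were screenshots in the original notes. As an added example that is not part of the page, the following script does the same check in a repeatable way on each workstation: it clears the ticket cache, asks the workstation's own KDC for a ticket to the application SPN, and reports which realm issued it and with which encryption type. Because the SPN is registered in every forest, DSKNL01 should see the ticket issued by DOMAINA.COM, DSKNL02 by DOMAINB.COM and DSKNL03 by DOMAINAPP.COM, and in all three cases the ticket must be RC4-HMAC to match the keytab. The application URL is an assumption of mine (the page does not give one); the klist commands are standard Windows tools.

```powershell
# Added example, not from the original lab notes. Run on DSKNL01/02/03 logged on as the
# forest's test user (userA, userB, userApp).
param(
    [string]$Spn    = 'HTTP/v11con01.domainapp.com',
    [string]$AppUrl = 'http://v11con01.domainapp.com/'   # assumed; the notes give no URL
)
$ErrorActionPreference = 'Stop'

# Start from an empty cache so the listing only shows what this test requested.
klist purge | Out-Null

# Ask for a service ticket directly, without involving the application.
klist get $Spn | Out-Null
if ($LASTEXITCODE -ne 0) { throw "klist get $Spn failed: SPN not found by this forest's KDC, or trust/DNS broken" }

# Parse the cache listing: the Server line carries the issuing realm after '@', and the
# following line carries the ticket's encryption type.
$listing = klist | Out-String
$re = "Server:\s+$([regex]::Escape($Spn))\s*@\s*(\S+)\s*[\r\n]+\s*KerbTicket Encryption Type:\s*([^\r\n]+)"
$m = [regex]::Match($listing, $re)
if (-not $m.Success) { throw "no cached ticket for $Spn found in klist output" }

$realm  = $m.Groups[1].Value
$etype  = $m.Groups[2].Value.Trim()
"Ticket for $Spn issued by realm $realm, encryption type: $etype"

# The workstation's own realm should have issued it (SPN registered in every forest),
# and it must be RC4-HMAC, the only enctype in the keytab.
if ($realm -ne $env:USERDNSDOMAIN.ToUpper()) {
    Write-Warning "ticket came from $realm, not the local realm $($env:USERDNSDOMAIN.ToUpper()); the SPN may be missing in this forest"
}
if ($etype -notmatch 'RC4-HMAC') {
    Write-Warning "ticket enctype is $etype; the RC4-HMAC keytab on the server will not decrypt it"
}

# Finally exercise the application with the logged-on user's credentials (Negotiate/SPNEGO).
$resp = Invoke-WebRequest -Uri $AppUrl -UseDefaultCredentials -UseBasicParsing
"HTTP $($resp.StatusCode) from $AppUrl"
```

A 401 here with a valid, RC4-HMAC ticket from the right realm points at the WebLogic side (provider order, asserter, krb5.ini or keytab) rather than at the forests.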

Natalya (natalya.luke@gmail.com)