Steps to configure Kerberos / SPNEGO / NTLM authentication with Weblogic Server :

* The AD machine used in this configuration is :  SLKRBTRN6-01.slkrbtrn6.bea.com ( Windows 2008 R2 )

* Weblogic Server is on machine : SLKRBTRN6-03. ( Windows XP )

-------

Step 1 :

- Create a new user, say "wlsclient", in AD for your Weblogic server instance. This is a service account that will own the HTTP/<wls-server-name> service principal, so no person should log on with it.

Note :

- The account type should be "User", not "Computer", in the AD.

- Check the "Password never expires" option for the user ( a password change invalidates the keytab created in Step 4, so any rotation has to be followed by regenerating the keytab ).

- DES encryption types are disabled by default on Windows 2008 AD, so do not check "Use Kerberos DES encryption types for this account" for the user.

- If your AD is on Windows 2003, enable the DES encryption type for your user --> after enabling this option make sure you reset the password for this user.

- If you want to use the AES encryption types make sure you check "This account supports Kerberos AES 128 bit encryption" / "This account supports Kerberos AES 256 bit encryption" in the username --> properties --> Account options field. Tick these boxes before running ktpass in Step 4 : ktpass sets the account password, and the AD derives the account's keys from it at that moment.

- If you want to use the aes256-cts-hmac-sha1-96 encryption type, note that the JDK's default jurisdiction policy files limit AES to 128-bit keys, so AES-256 keys cannot be used until you install the "unlimited strength" policy files, which contain no restrictions on cryptographic strength :

* For Oracle JDK 6: Download Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6 from

Link : http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html

* For Oracle JDK 7: Download Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7 from

Link : http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html

Overwrite the two jar files local_policy.jar and US_export_policy.jar under "<JAVA_HOME>/jre/lib/security" with the two jar files inside the downloaded zip file. ( Oracle JDK 8u161 and later, and JDK 9 and later, ship with the unlimited policy enabled by default, so this step only applies to older JDKs. )

* For IBM JDK 6 and above: Download Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7.


Step 2 :

Create a krb5.ini file.

Syntax :

 *****

[libdefaults]

default_realm = <Identifies the default realm. Set its value to your Kerberos realm - all caps>

default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

permitted_enctypes =  aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

ticket_lifetime = 600

kdc_timesync = 1

ccache_type = 4 

[realms]

<Your Kerberos realm – remember all caps> = {

kdc = <IP address of the KDC/AD server>

(For Unix systems, you need to specify port 88, as in <IP-address>:88)

admin_server = <FQDN - host name of the KDC/AD server>

default_domain = <Windows domain name in caps>

}

[domain_realm]

.<DNS domain name suffix, starting with .> = <Your Kerberos realm – remember all caps>

<DNS domain name suffix> = <Your Kerberos realm – remember all caps>

[appdefaults]

autologin = true

forward = true

forwardable = true

encrypt = true

 ***** 


Note :

* This file has to be created on the machine where Weblogic Server is installed.

* If you have Weblogic Server installed on a Windows machine, create a file named krb5.ini / on Unix machines, the file is called krb5.conf instead of krb5.ini.

* See the following default Kerberos configuration files and their locations, which is where the JVM looks unless told otherwise :

[Windows] Java reads %WINDIR%\krb5.ini, i.e. c:\windows\krb5.ini on Windows XP and later ( c:\winnt\krb5.ini on older Windows versions ).

[Linux] The default location is /etc/krb5.conf.

[AIX] [HP-UX] [Solaris] On other Unix platforms, the default location is /etc/krb5/krb5.conf.

* If the file lives somewhere else, point the JVM at it with -Djava.security.krb5.conf=<path to krb5.ini>.

* The template above lists des-cbc-crc, des-cbc-md5 and rc4-hmac after the AES type. Single DES is broken and RC4-HMAC is keyed directly from the account's NT hash, so keep only the AES types unless you have a client that cannot do AES. The enctype lists here, the account options in Step 1 and the keys written by ktpass in Step 4 all have to agree, otherwise the KDC answers with "KDC has no support for encryption type".
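A complete krb5.ini for the lab described at the top of this post, filled in from the template above. This is an added example, not a file from the original post : it assumes the realm SLKRBTRN6.BEA.COM and the AD host SLKRBTRN6-01.slkrbtrn6.bea.com as the KDC ( the template uses the IP address; either works, and on Unix the kdc value needs :88 appended ). It keeps the lifetime and cache settings from the template and leaves out the rc4-hmac and des-cbc-* types on purpose, matching the AES-only account options from Step 1.

```ini
[libdefaults]
default_realm = SLKRBTRN6.BEA.COM
# AES only. rc4-hmac and des-cbc-* are omitted: single DES is broken and RC4-HMAC is keyed
# from the account's NT hash. Add rc4-hmac back only if some client cannot do AES.
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
ticket_lifetime = 600
kdc_timesync = 1
ccache_type = 4

[realms]
SLKRBTRN6.BEA.COM = {
    # assumption: the AD host from this post is the KDC; use IP:88 on Unix if preferred
    kdc = SLKRBTRN6-01.slkrbtrn6.bea.com
    admin_server = SLKRBTRN6-01.slkrbtrn6.bea.com
    default_domain = SLKRBTRN6.BEA.COM
}

[domain_realm]
# both forms are needed: ".suffix" maps hosts under the domain, the bare name maps the domain itself
.slkrbtrn6.bea.com = SLKRBTRN6.BEA.COM
slkrbtrn6.bea.com = SLKRBTRN6.BEA.COM

[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true
```

With aes256-cts-hmac-sha1-96 listed first, install the unlimited-strength policy files from Step 1 on JDK 6/7 before testing, otherwise the JVM silently ignores that type and the kinit check in Step 3 fails with an encryption type error.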

Step 3 :

To check that the krb5.ini file you created is correct, request a TGT for the new user with the kinit that ships with the JDK ( <JAVA_HOME>\bin\kinit.exe on Windows; the MIT kinit on Unix ) :

Command : kinit wlsclient OR kinit wlsclient@<REALM>

You are prompted for the user's password; a ticket being stored without errors confirms that the realm, the KDC address and the encryption types in krb5.ini are accepted by the AD. A "KDC has no support for encryption type" error at this point means the enctype lists in krb5.ini and the account options from Step 1 do not overlap.


Step 4 :

Now create a keytab file ( run the following command on the AD machine ) :

Syntax : ktpass -princ HTTP/<wls-server-name>@<REALM-NAME> -mapuser <account-name> -pass <password> -crypto all -ptype KRB5_NT_PRINCIPAL -out <keytab-file-name>

Command : ktpass -princ HTTP/SLKRBTRN6-03@SLKRBTRN6.BEA.COM -mapuser wlsclient -pass Weblogic1 -crypto all -kvno 0 -ptype KRB5_NT_PRINCIPAL -out wlsclient.keytab

Note :

* Running ktpass modifies the account : it registers HTTP/SLKRBTRN6-03 as a servicePrincipalName and changes the user logon name ( userPrincipalName ) to match the service principal. This is a consequence of running the above command, not something you need to do manually.

* -pass sets the account password to the value given and derives the keytab keys from it, so the password appears on the command line and in the shell history; use "-pass *" to be prompted instead. -crypto all writes one key per encryption type the account supports, which is why the AES options from Step 1 have to be ticked first.

* The keytab is equivalent to the account's password : anyone who can read it can impersonate the HTTP/SLKRBTRN6-03 service. Restrict its file permissions to the user that runs Weblogic Server.

* Browsers build the SPN from the host name in the URL, so the host in -princ has to be the name users actually type ( short name or FQDN ). If both forms are used, register the other one on the same account with : setspn -s HTTP/<other-name> wlsclient

* Click on the user "wlsclient" properties to see the change.

* Now copy the keytab file generated to the machine where Weblogic Server is installed.

* If you are using Windows 2003 AD then use the following command :

ktpass -princ HTTP/<wls-server-name>@<REALM-NAME> -mapuser <account-name> -pass <password> -crypto DES-CBC-CRC -ptype KRB5_NT_PRINCIPAL -out <keytab-file-name>

Step 5 :

After copying the keytab file to the machine where Weblogic Server is installed, run the klist command ( the JDK's klist on Windows, the MIT klist on Unix ) to see the contents of the keytab file.

Syntax : klist -k <keytab>

Command : klist -e -k wlsclient.keytab

-e prints the encryption type of each key; check that the AES keys you expect are present and that the kvno matches the account's current key version.

If the principal was created properly, you should be able to request a TGT ( Ticket Granting Ticket ) from Kerberos using that principal, and if the keytab file was generated properly, you should be able to use it instead of the account password. kinit with -k -t tests both at once :

Syntax : kinit -k -t <keytab-file> <principal>

Command :

kinit -J-Dsun.security.krb5.debug=true -k -t wlsclient.keytab HTTP/SLKRBTRN6-03@SLKRBTRN6.BEA.COM

OR

java -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit -k -t wlsclient.keytab HTTP/SLKRBTRN6-03@SLKRBTRN6.BEA.COM

Note :

* The kinit / klist / ktab tools that ship with the JDK exist only on Windows, and the -J and sun.security.krb5.debug switches above belong to them. On UNIX, kinit is the MIT ( or Heimdal ) tool, so use its -V switch instead or else there won't be any output : kinit -V -k -t <keytab-file> <principal>

* When you lock and unlock your computer, you cause Windows to request new Kerberos tickets. Another way to force Windows to request new Kerberos tickets is to run "klist purge" from the command prompt. This explicitly asks Windows to dump your current Kerberos tickets and request new ones. Do this after changing SPNs or regenerating the keytab, otherwise the browser keeps presenting a service ticket encrypted with the old key.

Step 6 :

Now, lets configure Weblogic Server.

Create a file called " krb5Login.conf " and place it in the Weblogic Server domain directory :

Syntax :

com.sun.security.jgss.krb5.initiate {

com.sun.security.auth.module.Krb5LoginModule required

principal="<Service principal account>@<Kerberos realm>"

useKeyTab=true

keyTab=<keytab>

storeKey=true

debug=true;

};

com.sun.security.jgss.krb5.accept {

com.sun.security.auth.module.Krb5LoginModule required

principal="<Service principal account>@<Kerberos realm>"

useKeyTab=true

keyTab= <keytab>

storeKey=true

debug=true;

};

krb5Login.conf :

com.sun.security.jgss.krb5.initiate {

com.sun.security.auth.module.Krb5LoginModule required 

principal="HTTP/SLKRBTRN6-03@SLKRBTRN6.BEA.COM" 

useKeyTab=true keyTab=wlsclient.keytab

storeKey=true debug=true;

};

com.sun.security.jgss.krb5.accept {

com.sun.security.auth.module.Krb5LoginModule required 

principal="HTTP/SLKRBTRN6-03@SLKRBTRN6.BEA.COM" 

useKeyTab=true keyTab=wlsclient.keytab 

storeKey=true debug=true;

};

Note :

* If you are using JDK 1.5 then change "com.sun.security.jgss.krb5.accept" and "com.sun.security.jgss.krb5.initiate" in the above file to "com.sun.security.jgss.accept" and "com.sun.security.jgss.initiate", i.e. do not use krb5 in the accept and initiate entry names if you are using JDK 1.5.

* The Weblogic Server domain directory is the default location of the keytab file and the krb5Login.conf file : a relative keyTab= value is resolved against the directory the server is started from, so use an absolute path if the keytab is kept elsewhere.

* Even an extra space in krb5Login.conf will cause errors while parsing the file, so use the krb5Login.conf listed above as a template and change only the principal ( "<Service principal account>@<Kerberos realm>" ) and keyTab entries in it. Do not add any extra spaces..!!

* debug=true in both entries is useful while setting up and noisy afterwards; set it to false once SSO works.
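Both the keytab from Step 5 and krb5Login.conf from Step 6 can be checked offline before the server is started. The script below is an added example and not code from the original post or from WebLogic : it decodes a version-2 keytab ( the format ktpass, ktab and MIT write ), reads the two JAAS entries with a deliberately minimal parser ( it assumes option values contain no spaces ), and reports a principal in krb5Login.conf that is absent from the keytab, a missing useKeyTab/storeKey, every DES or RC4 key, and a keytab that holds no AES key at all. The keytab it checks is constructed in memory by build_keytab with zero-filled keys, not produced by ktpass; the SPN and file names are the ones used in this post.

```python
import re
import struct
from collections import namedtuple

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 2, 3, 23}      # single DES and RC4-HMAC (keyed from the NT hash)
AES_ENCTYPES = {17, 18, 19, 20}
JAAS_NAMES = ("com.sun.security.jgss.krb5.initiate", "com.sun.security.jgss.krb5.accept")
KeytabEntry = namedtuple("KeytabEntry", "principal kvno enctype key")

def _counted(buf, off):
    """uint16 length-prefixed byte string (the realm and each name component)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Decode every live entry of a version-2 keytab (0x0502 header, big-endian fields)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                   # a negative size marks a deleted slot: skip it
            off -= size
            continue
        ent, off = data[off:off + size], off + size
        (ncomp,) = struct.unpack_from(">H", ent, 0)
        realm, p = _counted(ent, 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(ent, p)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", ent, p)
        enctype, keylen = struct.unpack_from(">HH", ent, p + 9)
        key, p = ent[p + 13:p + 13 + keylen], p + 13 + keylen
        # trailing 32-bit kvno is optional and, when non-zero, overrides the 8-bit one
        vno32 = struct.unpack_from(">I", ent, p)[0] if p + 4 <= len(ent) else 0
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), vno32 or vno8, enctype, key))
    return entries

def parse_jaas(text):
    """Minimal JAAS login.config reader: name { module flag key=value ...; }; (values without spaces)."""
    entries = {}
    for m in re.finditer(r"([\w.]+)\s*\{(.*?)\};", text, re.S):
        tokens = m.group(2).strip().rstrip(";").split()
        opts = {"module": tokens[0], "flag": tokens[1]}
        for tok in tokens[2:]:
            k, _, v = tok.partition("=")
            opts[k] = v.strip('"')
        entries[m.group(1)] = opts
    return entries

def check_config(jaas_text, keytab_bytes):
    """Cross-check krb5Login.conf against the keytab; an empty list means they agree."""
    problems = []
    keytab = parse_keytab(keytab_bytes)
    principals = {e.principal for e in keytab}
    jaas = parse_jaas(jaas_text)
    for name in JAAS_NAMES:
        ent = jaas.get(name)
        if ent is None:
            problems.append(f"missing JAAS entry {name}")
            continue
        if ent.get("useKeyTab") != "true" or ent.get("storeKey") != "true":
            problems.append(f"{name}: needs useKeyTab=true and storeKey=true")
        if ent.get("principal") not in principals:
            problems.append(f"{name}: principal {ent.get('principal')} is not in the keytab")
    for e in keytab:
        if e.enctype in WEAK_ENCTYPES:
            problems.append(f"weak key {ENCTYPES.get(e.enctype, e.enctype)} for {e.principal} (kvno {e.kvno})")
    if not any(e.enctype in AES_ENCTYPES for e in keytab):
        problems.append("keytab has no AES key; tickets will fall back to RC4 or DES")
    return problems

def build_keytab(entries):
    """Test fixture only: write a v2 keytab from (principal, kvno, enctype, key) tuples."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.split("@")
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode())
        body += b"".join(struct.pack(">H", len(c)) + c.encode() for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp 0, vno8
        body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

# Constructed sample, not produced by ktpass: the post's SPN with AES-256, RC4 and DES keys (zero-filled, kvno 3)
SPN = "HTTP/SLKRBTRN6-03@SLKRBTRN6.BEA.COM"
SAMPLE_KEYTAB = build_keytab([(SPN, 3, 18, bytes(32)), (SPN, 3, 23, bytes(16)), (SPN, 3, 3, bytes(8))])
SAMPLE_JAAS = "".join(f"""{name} {{
  com.sun.security.auth.module.Krb5LoginModule required principal="{SPN}"
  useKeyTab=true keyTab=wlsclient.keytab storeKey=true debug=true;
}};
""" for name in JAAS_NAMES)
```

Against the real files call check_config(open("krb5Login.conf").read(), open("wlsclient.keytab", "rb").read()) from the domain directory; for the constructed sample it reports the RC4 and DES keys that "-crypto all" writes and nothing else, which is the state a keytab is in right after Step 4 if the DES option was ticked.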

Step 7 : 

Now lets add few -D parameters to Weblogic Server startup script. 

-Djava.security.auth.login.config=krb5Login.conf

-Djavax.security.auth.useSubjectCredsOnly=false

-Dweblogic.security.enableNegotiate=true

-Djava.security.debug=configfile,configparser,gssloginconfig   // This is the debug flag to check if the config files get parsed properly.

-Dsun.security.krb5.debug=true   // Prints every Kerberos exchange, ticket details included, to the server output. Keep this and the flag above only until SSO works, then remove both.

< Additional -D parameters that can be set >

-Djava.security.krb5.realm=<realm>

-Djava.security.krb5.kdc=<kdc> 

-Dweblogic.security.krb5.useGSSName=true  // Use this flag if you are configuring Kerberos with multiple AD domains, you also need to apply patch for Bug 14069872 ( fixed in 12.1.1 ) for this flag to work.

// for IBM JDK you can use the following debug : -Dcom.ibm.security.jgss.debug=all

-- 

In Windows edit the "startWebLogic.cmd" file and add the following java options :

set JAVA_OPTIONS=%JAVA_OPTIONS% -Djava.security.auth.login.config=krb5Login.conf -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.security.enableNegotiate=true -Dsun.security.krb5.debug=true

In UNIX edit the "startWebLogic.sh" file and add the following java options ( plain ASCII hyphens and double quotes; the curly quotes and dashes a word processor inserts break the script ) :

JAVA_OPTIONS="${JAVA_OPTIONS} -Djava.security.auth.login.config=krb5Login.conf -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.security.enableNegotiate=true -Dsun.security.krb5.debug=true"

Step 8 :

Login to the weblogic console and configure an Active Directory Authentication provider ( ActiveDirectoryAuthenticator ) for the domain. The NegotiateIdentityAsserter created in Step 9 only asserts the user name from the Kerberos token, so an authentication provider that can find that user in AD is needed for the login to succeed.

Change the control flags of all the providers to "Optional".

If you have set the control flag to "Sufficient" then reorder the providers and make sure the Active Directory provider is the first provider in the list.

Step 9 :

Now, create a "NegotiateIdentityAsserter" under Security Realms --> myrealm --> Providers --> Authentication --> New, with type NegotiateIdentityAsserter ( the screenshots from the original post are not reproduced here ).

The security provider configuration should then list the Active Directory provider and the NegotiateIdentityAsserter next to the default providers.

Step 10 :

Setup your browser for Kerberos Authentication.

* Chrome on Windows reuses the Internet Explorer zone settings described below, so no separate configuration is needed for it.

* For Mozilla Firefox browser :

1. Start Firefox.

2. Enter about:config in the Location Bar.

3. Enter the filter string network.negotiate.

4. Double click on network.negotiate-auth.trusted-uris and enter the sites that are allowed to receive a Kerberos ticket, for example " .slkrbtrn6.bea.com " for this lab. The value " http://,https:// " also works, but it lets every site a user visits request a Negotiate token, so restrict it to your own domain.

5. Only if the WebLogic application has to act as the user towards a back end ( delegation ) double click on network.negotiate-auth.delegation-uris and enter the same domain; leave it empty otherwise, because Firefox sends a forwarded TGT to the listed servers and they can then impersonate the user anywhere.

* For Internet Explorer :

Configure Local Intranet Domains

   1. In Internet Explorer, select Tools > Internet Options.

   2. Select the Security tab.

   3. Select Local intranet and click Sites.

   4. In the Local intranet popup, ensure that the Include all sites that bypass the proxy server and Include all local (intranet) sites not listed in other zones options are checked.

   5. Click Advanced.

   6. In the Local intranet (Advanced) dialog box, add all relative domain names that will be used for Oracle WebLogic Server instances participating in the SSO configuration (for example, myhost.example.com) and click OK.

Configure Intranet Authentication

   1. Select Tools > Internet Options.

   2. Select the Security tab.

   3. Select Local intranet and click Custom Level... .

   4. In the Security Settings dialog box, scroll to the User Authentication section.

   5. Select Automatic logon only in Intranet zone. This option prevents users from having to re-enter logon credentials, which is a key piece to this solution.

   6. Click OK.

Verify Proxy Settings

If you have a proxy server enabled:

   1. Select Tools > Internet Options.

   2. Select the Connections tab and click LAN Settings.

   3. Verify that the proxy server address and port number are correct.

   4. Click Advanced.

   5. In the Proxy Settings dialog box, ensure that all desired domain names are entered in the Exceptions field.

   6. Click OK to close the Proxy Settings dialog box.

Now, when you access your Weblogic Admin Console, you should be able to login to it without entering a username / password.



Comments:

great tutorial, thanks!

have you ever tried to call the [negotiate identity asserter] from a javaSE client instead of a browser?

this seems only to work with oracle jdk on serverside. if we set up the same weblogic environment on aix with ibm jdk only browser spnego calls are processed correctly.

calls from "oracle javaSE clients" are causing a GSSException in weblogic's negotiation handler:

org.ietf.jgss.GSSException, major code: 16, minor code: 0
major string: Operation unavailable or not implemented
minor string: Mechanism context not found

what's wrong with ibm jdk?
or what's wrong with oracle jdk's clienside spnego token creation?

kind regards

Posted by guest on November 14, 2013 at 07:43 PM IST #

WebLogic Server: Example - How to Configure Kerberos on an AIX Machine That Uses the IBM JDK (Doc ID 1498079.1)

// for IBM JDK you can use the following debug :

-Dcom.ibm.security.jgss.debug=all

Posted by Puneeth on December 06, 2013 at 09:28 PM IST #

Has anyone a clue on why we shouldn't disable "-Dsun.security.krb5.debug=false" in server startup parameters?!

I understand it is needed during initial setup for testing & confirming everything is fine. But doesn't leaving it to "true" would impact performance - for every HTTP request?!

Posted by Prateek Mohan on December 12, 2013 at 06:20 PM IST #

Other tools / commands which might be helpful while troubleshooting :

1) To list the currently registered SPN for computer.

Usage: setspn -l accountname

Eg :

C:\Users\Administrator>setspn -l up_user
Registered ServicePrincipalNames for CN=up_user,CN=Users,DC=UP,DC=COM:
HTTP/SLKRBTRN6-03

2) To delete a specified SPN for a computer :

Usage: setspn -d SPN accountname

Eg:

C:\Users\Administrator>setspn -d HTTP/SLKRBTRN6-03 up_user
Unregistering ServicePrincipalNames for CN=up_user,CN=Users,DC=UP,DC=COM
HTTP/SLKRBTRN6-03
Updated object

C:\Users\Administrator>setspn -l up_user
Registered ServicePrincipalNames for CN=up_user,CN=Users,DC=UP,DC=COM:

3) To add a specified SPN for the computer, after verifying that no duplicates
exist.

Usage: setspn -s SPN accountname

Eg :

C:\Users\Administrator>setspn -s HTTP/SLKRBTRN6-03 up_user
Checking domain DC=UP,DC=COM

Registering ServicePrincipalNames for CN=up_user,CN=Users,DC=UP,DC=COM
HTTP/SLKRBTRN6-03
Updated object

4) To query the existence of an SPN

Usage: setspn -Q SPN

Eg :

C:\Users\Administrator>setspn -Q HTTP/SLKRBTRN6-03
Checking domain DC=UP,DC=COM
CN=up_user,CN=Users,DC=UP,DC=COM
HTTP/SLKRBTRN6-03

Existing SPN found!

5) To search for duplicate SPNs

Usage: setspn -X

Eg :

C:\Users\Administrator>setspn -X
Checking domain DC=UP,DC=COM
Processing entry 0
found 0 group of duplicate SPNs.

6) To check for duplicate SPNs across a forest

Usage: setspn -T domain (switches and other parameters). Use "" or *
to indicate the current domain or forest.

Eg :

C:\Users\Administrator>setspn -T * -T DOWN.COM -X
Checking domain DC=UP,DC=COM
Checking domain DC=DOWN,DC=COM

Currently processing domain ""
Processing entry 0

Currently processing domain "DOWN.COM"
Processing entry 0
HTTP/SLKRBTRN6-03 is registered on these accounts:
CN=down_user,CN=Users,DC=DOWN,DC=COM
CN=up_user,CN=Users,DC=UP,DC=COM

kadmin/changepw is registered on these accounts:
CN=krbtgt,CN=Users,DC=DOWN,DC=COM
CN=krbtgt,CN=Users,DC=UP,DC=COM

found 2 groups of duplicate SPNs.

Remove the SPN associated with down_user and try the command again :

C:\Users\Administrator>setspn -T * -T DOWN.COM -X
Checking domain DC=UP,DC=COM
Checking domain DC=DOWN,DC=COM

Currently processing domain ""
Processing entry 0

Currently processing domain "DOWN.COM"
Processing entry 0
kadmin/changepw is registered on these accounts:
CN=krbtgt,CN=Users,DC=DOWN,DC=COM
CN=krbtgt,CN=Users,DC=UP,DC=COM

Posted by Puneeth on January 31, 2014 at 10:21 PM IST #

Anyone has experience with Kerberos / SPNEGO / NTLM authentication with Weblogic Server access through IPlanet ?

I search on internet and most of the instruction is for the client directly access one weblogic server, but if you have a cluster, there will be a web server in front of it. Anyone has experiences about such scenario ?

Posted by guest on March 14, 2014 at 08:31 PM IST #

Hi,

You need to add multiple SPNs to an account

Eg :

Add the SPNs to the account
a. For each additional cluster node run:
setspn -A HTTP/<Additional node> <account>
b. For each web server run:
setspn -A HTTP/<web server> <account>
c. For the Load Balancer run:
setspn -A HTTP/<LB> <account>

Have a look at this Note for an example :

How To Configure Kerberos for Clustered Webcenter Content Servers (Doc ID 1540944.1)

Regards,
Puneeth

Posted by Puneeth on March 22, 2014 at 05:55 PM IST #

Hi Puneeth,

I tried to follow up your instructions, but still could not login without entering the weblogic credential. However, my question is :

will it work if the client is windows 2008 R2, where I have installed the weblogic server? or do we strictly need a client ( win 7/xp ) for proper SSO?

- John

Posted by guest on March 28, 2014 at 09:35 PM IST #

Hi,

Are you able to get the Kerberos token in WLS ?

Say you have logged in with a user " aaa ".

Try logging into the machine with a user " bbb " and check if you are able to login to console without credentials. ( Make sure " bbb " user is displayed in " Users and Groups " tab and assign Admin role to that user in WLS console ).

Posted by Puneeth on March 28, 2014 at 11:58 PM IST #

You can use the DEBUG app attached to the following Oracle Note to troubleshoot the issues with Kerberos configuration :

OBIEE 11g: How To Check each Configuration Step when Configuring Authentication and SSO with Active Directory and Windows Native Authentication (Doc ID 1390127.1)

-- Puneeth

Posted by Puneeth on April 01, 2014 at 07:32 PM IST #
