Before you start, find out which encryption types your Windows environment supports. For example, a Windows XP client or a Windows 2003 domain controller (without SP1) does not support every encryption type.
I got this working with a Windows 7 client and a Windows 2008 R2 domain controller; my encryption type is RC4-HMAC-NT, which is also supported by Java 1.6.
My Active Directory domain is ALFA.LOCAL (always write the realm in uppercase).
Make sure that every server can be resolved in DNS (forward and reverse) and that the clocks of all machines are synchronized.
We start by creating a unique service account in Active Directory (the name must not already exist, neither as a computer nor as a user); in my case it is soaps3_kerb.
I used Welcome01 as the password and set the account so that the password never expires.
On the Windows 2008 domain controller I did the following to create the service principal HTTP/soaps3.alfa.local and map it to the soaps3_kerb AD account. soaps3 is the host name of the WebLogic Server.
First generate a keytab file for the HTTP/soaps3.alfa.local@ALFA.LOCAL principal. HTTP is the service class (IIS uses the same convention) and ALFA.LOCAL is my AD domain:
ktpass -princ HTTP/soaps3.alfa.local@ALFA.LOCAL -pass Welcome01 -mapuser soaps3_kerb@ALFA.LOCAL -out c:\soaps3.keytab -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT
My output:
Targeting domain controller: AD-WIN2008R2.alfa.local
Using legacy password setting method
Successfully mapped HTTP/soaps3.alfa.local to soaps3_kerb.Key created.
Output keytab to c:\soaps3.keytab:
Keytab version: 0x502
keysize 68 HTTP/soaps3.alfa.local@ALFA.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0x1d863479e1ab3bd62a2bfafa1abaa2dd)
Copy the generated soaps3.keytab file to the WebLogic machine; I put it in the c:\oracle folder.
Now register the Service Principal Name with the setspn utility:
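The ktpass output above lists exactly what the keytab holds: the principal, its name type (ptype 1), key version (vno 3), enctype (0x17) and key length. A keytab whose enctype does not match the one the KDC issues tickets in is one cause of the "Failed to find any Kerberos Key" error WebLogic reports later, so it pays to check the file before copying it. The following is an added example, not code from this post: a small Python parser for the version 0x0502 keytab format that reports entries without exposing key bytes, run over a constructed keytab that mirrors the page's entry layout with a dummy key (the sample keytab, build_entry and has_key are this example's own assumptions).

```python
import struct

# Values as shown in the ktpass output: ptype 1 is KRB5_NT_PRINCIPAL, etype 0x17 is RC4-HMAC.
KRB5_NT_PRINCIPAL = 1
ETYPE_RC4_HMAC = 0x17

def _counted(buf, off):  # keytab counted_octet_string: 16-bit big-endian length, then the bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def _enc(s):
    b = s.encode()
    return struct.pack(">H", len(b)) + b

def build_entry(principal, etype, key, vno=3, name_type=KRB5_NT_PRINCIPAL, ts=0):
    """Encode one keytab v2 entry; used here only to construct sample input."""
    name, realm = principal.split("@"); comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _enc(realm) + b"".join(_enc(c) for c in comps)
    body += struct.pack(">IIBHH", name_type, ts, vno, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body  # int32 size prefix: this is ktpass's "keysize"

def parse_keytab(data):
    """Parse a version 0x0502 keytab into entry dicts (key bytes are deliberately not returned)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size == 0: break                  # zero-length slot: nothing more to read
        if size < 0: off -= size; continue   # negative size marks a deleted slot of |size| bytes
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off); comps.append(c.decode())
        name_type, ts, vno8, etype, klen = struct.unpack_from(">IIBHH", data, off)
        off += 13 + klen
        vno = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else vno8  # optional 32-bit kvno
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "name_type": name_type, "vno": vno, "etype": etype, "keylength": klen})
        off = end
    return entries

def has_key(data, principal, etype=ETYPE_RC4_HMAC):  # the check to run before deploying the keytab
    return any(e["principal"] == principal and e["etype"] == etype for e in parse_keytab(data))

# Constructed sample: same layout as the page's entry (68-byte body) but a dummy key, not the real one.
SAMPLE_KEYTAB = b"\x05\x02" + build_entry("HTTP/soaps3.alfa.local@ALFA.LOCAL", ETYPE_RC4_HMAC, bytes(range(16)))
```

To check a real file, read it in binary mode and pass the bytes to has_key with the principal you passed to ktpass.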
setSpn -A HTTP/soaps3.alfa.local@ALFA.LOCAL soaps3_kerb
My output:
Registering ServicePrincipalNames for CN=soaps3_kerb,CN=Users,DC=alfa,DC=local
HTTP/soaps3.alfa.local@ALFA.LOCAL
Updated object
Now we can continue with the WebLogic Server configuration.
Start by creating a text file called krb5.ini in c:\windows.
ALFA.LOCAL is my AD domain, soaps3 is my WebLogic server (in the alfa.local DNS domain) and ad-win2008r2.alfa.local is my domain controller.
-------------------
[libdefaults]
    default_realm = ALFA.LOCAL
    default_tkt_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac
    permitted_enctypes = rc4-hmac

[domain_realm]
    .soaps3.alfa.local = ALFA.LOCAL
    soaps3.alfa.local = ALFA.LOCAL
    .alfa.local = ALFA.LOCAL
    alfa.local = ALFA.LOCAL

[realms]
    ALFA.LOCAL = {
        kdc = ad-win2008r2.alfa.local
        admin_server = ad-win2008r2.alfa.local
        default_domain = alfa.local
    }

[appdefaults]
    autologin = true
    forward = true
    forwardable = true
    encrypt = true
-------------------
On the soaps3 WebLogic machine we need to obtain a new Kerberos ticket, which WebLogic will use.
First flush the existing tickets. Go to c:\ (not the Java bin folder, which ships its own klist) and run:
klist purge
Then go to the bin folder of your Java home (JDK):
cd c:\oracle\jrockit-jdk1.6.0_26-R28\bin
kinit HTTP/soaps3.alfa.local@ALFA.LOCAL
My output:
Password for HTTP/soaps3.alfa.local@ALFA.LOCAL:
New ticket is stored in cache file C:\Users\admin\krb5cc_admin
This should succeed, and it uses the krb5.ini in c:\windows.
Create or modify an application that uses ADF Security, or any web application with security enabled. Open its web.xml and change the auth-method to CLIENT-CERT:
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
</login-config>
Deploy the application to the WebLogic Server.
Open the WebLogic console and go to the myrealm security realm -> Providers -> Authentication.
Create a NegotiateIdentityAsserter called Microsoft.
Open the NegotiateIdentityAsserter, go to Provider Specific and deselect Form Based Negotiation Enabled.
The next step is to create a Kerberos (JAAS) login configuration that WebLogic will read.
Create a text file called kerberos.login in c:\oracle. This content works with Java 1.6:
-------
com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
        principal="HTTP/soaps3.alfa.local@ALFA.LOCAL"
        useKeyTab=true
        keyTab="c:/oracle/soaps3.keytab"
        storeKey=true
        debug=true;
};

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
        principal="HTTP/soaps3.alfa.local@ALFA.LOCAL"
        useKeyTab=true
        keyTab="c:/oracle/soaps3.keytab"
        storeKey=true
        debug=true;
};
-------
Add the following parameters to the EXTRA_JAVA_PROPERTIES in the setDomainEnv.bat of your domain:
-Dsun.security.krb5.debug=true
-Djavax.security.auth.useSubjectCredsOnly=false
-Djava.security.auth.login.config=C:/oracle/kerberos.login
-Djava.security.krb5.realm=ALFA.LOCAL
-Djava.security.krb5.kdc=ad-win2008r2.alfa.local
We are finished with the WebLogic and AD configuration.
Now add the login name of the Windows user and its groups to the myrealm security realm, so you can test the web application.
Log on to a machine that is a member of your AD domain.
Use Internet Explorer: add the WebLogic site to the trusted sites and enable Integrated Windows Authentication in the advanced options of IE.
Or use Google Chrome and start chrome.exe with the parameter --args --auth-server-whitelist="*alfa.local", which allows SSO with Chrome.
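Whether the browser actually sends a Kerberos ticket is visible in the Authorization header of the request that follows the 401: the NegotiateIdentityAsserter accepts SPNEGO-wrapped Kerberos, while a client that cannot get a ticket for the HTTP SPN offers NTLM instead and stays at 401. As an added example that is not part of this post, the Python below decodes a Negotiate header value and reports which mechanisms the client offered; the DER helpers, sample_token and the constructed SAMPLE_NTLM value are this example's own assumptions, and it expects well-formed DER.

```python
import base64

# OID bodies (DER, without the 06/len header) seen in SPNEGO tokens: RFC 4178, RFC 4121, MS-SPNG.
SPNEGO_OID = bytes.fromhex("2b0601050502")              # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")          # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")       # 1.2.840.48018.1.2.2 (legacy MS Kerberos)
NTLM_OID = bytes.fromhex("2b06010401823702020a")        # 1.3.6.1.4.1.311.2.2.10
MECHS = {KRB5_OID: "krb5", MS_KRB5_OID: "ms-krb5", NTLM_OID: "ntlmssp"}

def der(tag, body):  # minimal DER TLV encoder for the constructed sample (short-form length only)
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def tlv(buf, off):
    """Decode the DER TLV at `off`; return (tag, body, offset of the next TLV)."""
    tag, n, hdr = buf[off], buf[off + 1], off + 2
    if n & 0x80:                                 # long form: low 7 bits = number of length octets
        k = n & 0x7f
        n, hdr = int.from_bytes(buf[hdr:hdr + k], "big"), hdr + k
    return tag, buf[hdr:hdr + n], hdr + n

def classify_negotiate(header_value):
    """Classify one 'Negotiate <base64>' value: ('ntlm', []), ('krb5'|'ms-krb5', []), ('spnego', [mechs])
    or ('unknown', []). For SPNEGO the first listed mech is the one the client built its mechToken with."""
    parts = header_value.split(None, 1)
    raw = base64.b64decode(parts[1]) if len(parts) == 2 else b""
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm", []                        # bare NTLM: no Kerberos involved at all
    if not raw or raw[0] != 0x60:
        return "unknown", []
    _, body, _ = tlv(raw, 0)                     # GSS-API InitialContextToken
    _, oid, off = tlv(body, 0)
    if oid in MECHS and oid != NTLM_OID:
        return MECHS[oid], []                    # raw Kerberos AP-REQ without SPNEGO wrapper
    if oid != SPNEGO_OID:
        return "unknown", []
    _, neg_init, _ = tlv(body, off)              # [0] NegTokenInit
    _, seq, _ = tlv(neg_init, 0)                 # SEQUENCE
    _, mech_ctx, _ = tlv(seq, 0)                 # [0] mechTypes
    _, mech_list, _ = tlv(mech_ctx, 0)           # SEQUENCE OF MechType
    mechs, p = [], 0
    while p < len(mech_list):
        _, o, p = tlv(mech_list, p)
        mechs.append(MECHS.get(o, "other"))
    return "spnego", mechs

def sample_token(*mech_oids):
    """Constructed NegTokenInit listing the given mechs with a dummy mechToken (not a real ticket)."""
    mech_types = der(0x30, b"".join(der(0x06, o) for o in mech_oids))
    init = der(0xa0, der(0x30, der(0xa0, mech_types) + der(0xa2, der(0x04, b"dummy"))))
    return "Negotiate " + base64.b64encode(der(0x60, der(0x06, SPNEGO_OID) + init)).decode()
SAMPLE_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()  # constructed
```

A result of ("spnego", ["ntlmssp"]) or ("ntlm", []) from a real header means the client never got a ticket for HTTP/soaps3.alfa.local, so the SPN, DNS name or browser settings are the place to look rather than the WebLogic side.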
Will this setup work on Weblogic deployed on SOLARIS?
Will this setup work on Weblogic deployed on SOLARIS or does it require Weblogic running on a Windows machine?
Hi,
It will work on Linux and I think also on Solaris; only some files have different names but the contents are the same.
Thanks
Hello,
We want to use the embedded LDAP of the WLS to authenticate 'community users' (from the internet) and use SSO for the 'corporate (internal) users', and this for the same web application. (The WLS is deployed on a Linux machine.)
Is this feasible with your instructions?
How will the authentication of the 'console' application occur (is this embedded LDAP or SSO or can we choose)?
Did you ever get this to work?
I have done all the steps precisely but I got this on the page:
Error 401--Unauthorized
From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
10.4.2 401 Unauthorized
Environment:
- JDeveloper 11g R2
- Fusion Web Application (ADF) with ADF security enabled
- Active Directory Authenticator added to Security Realms through weblogic 10.3.5
Hi,
Do you see all the users in the Weblogic security realm, and do all the authenticators have sufficient as control flag,
and does this work:
go to the bin folder of your java home ( jdk )
cd c:\oracle\jrockit-jdk1.6.0_26-R28\bin
kinit HTTP/soaps3.alfa.local@ALFA.LOCAL
My output:
Password for HTTP/soaps3.alfa.local@ALFA.LOCAL:
New ticket is stored in cache file C:\Users\admin\krb5cc_admin
thanks
Hi Edwin,
I'm also getting:
Error 401--Unauthorized
From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
10.4.2 401
- I can see all users and groups in myrealm > Users and Groups
- All Authenticators have 'Sufficient' as the control flag
- I'm able to create a new ticket via kinit to C:\Users\admin\krb5cc_admin
With debug level logging on security, I see the following in the server log:
com.bea.security.utils.kerberos.KerberosException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)
Any ideas?
Thanks,
Anthony
Hi,
Did you see some logging on the AD side, and did you use the right username, or add the domain name to the username, like user1@alfa.local?
good luck
Hi,
I don't see anything in the AD event viewer.
When you ask did I use the right domainname for the username, for which part are you referencing specifically?
I followed the guide pretty much word for word, specifying the domain as above when required, matching the case of your guide also.
Thanks,
Anthony
Hi,
So the klist purge & kinit is working, and you did this with the user and JVM under which weblogic is also running.
Try to set weblogic security on debug and set all log levels to trace.
What I mean is you may need to use xxxx@domain as the login for your webapp. This user should also exist under that name in the myrealm security realm.
What you also can do is this:
http://biemond.blogspot.com/2011/09/using-owsm-kerberos-policies.html
Create a wls domain with Enterprise Manager,
create a simple jax-ws service with a kerberos policy.
And now the most important part: a client with -Dsun.security.krb5.debug=true. This way you can get more info on the client side.
hope this helps.
We got this working with a single node. Thanks for the article above; the documentation we were using omitted the part where you needed to add the Realm and KDC to the Java init parameters.
We are now trying to set this up with a load balancer and two web servers. It stopped working once we moved the SPN BI.INTRANET.COM from a host file on a single server to the load balancer. Do we need to register an SPN for both physical servers and the Load balancer VIP?
Ex:
HTTP/BI.INTRANET.COM@ALFA.LOCAL
HTTP/server1@ALFA.LOCAL
HTTP/server2@ALFA.LOCAL
Hi,
The load balancer does not do much and you only need to do the same for server 1 and 2.
Thanks
Hi there,
I know this is a windows guide but I'm trying this on linux, making the allowances for differing directories etc... I've completed the steps but it's not working. I get a 401 error with nothing written to the logs on the AD server.
One question is when I run the following:
kinit HTTP/soaps3.alfa.local@ALFA.LOCAL
For my output I do get this, but nothing after such as your New Ticket message:
Password for HTTP/soaps3.alfa.local@ALFA.LOCAL:
Is that right?
Hi,
Did you also do a klist purge and then kinit HTTP/soaps3.alfa.local@ALFA.LOCAL?
Maybe your krb5.conf can't be found, is not valid, or there is some firewall issue.
thanks
Hi,
Thanks very much for this guide, kerberos authentication is working everywhere (console, sbconsole, composer, worklistapp, custom ADF) except for "/em", do you have any idea?
Thanks,
Adrien
Hi,
I heard this before and I think the EM has got its own cookie path or its own authentication mechanism.
thanks
soaps3 is your MACHINE NAME on which your weblogic is running?
Indeed :-)
Hello Edwin,
Can we use CAS (Central Authentication Service) SSO with an ADF Application in Weblogic 10.3.6?
Note: we are using SOA/BPM 11.1.1.7