Friday, August 26, 2011

Single Sign On with windows / kerberos on WebLogic

In this blog post I will show the steps I took to get Windows Kerberos SSO authentication working for an ADF application or a plain Web Application deployed on a WebLogic application server.

Before you start you need to know which encryption types your Windows environment supports. For example, a Windows XP client or a Windows 2003 Domain Controller (without SP1) does not support every encryption type.

I got this working with a Windows 7 client and a Windows 2008 R2 Domain Controller; my encryption type is RC4-HMAC-NT, which is also supported in Java 1.6.

My Active Directory domain is ALFA.LOCAL (always write the realm name in uppercase).

Make sure that all servers can be resolved in DNS (forward and reverse) and that the time is synchronized on all machines; Kerberos rejects tickets when the clocks drift too far apart.

We start by creating a unique service account in Active Directory (the name must not already exist, neither as a computer nor as a user); in my case it is soaps3_kerb.


I used Welcome01 as the password and set the password to never expire.


On the Windows 2008 DC I did the following to create the service principal HTTP/soaps3.alfa.local and map it to the soaps3_kerb AD account. soaps3 is the host name of the WebLogic server.


First generate a keytab file for the HTTP/soaps3.alfa.local@ALFA.LOCAL principal. HTTP is the service class (IIS uses the same convention) and ALFA.LOCAL is my AD domain.

ktpass -princ HTTP/soaps3.alfa.local@ALFA.LOCAL -pass Welcome01 -mapuser soaps3_kerb@ALFA.LOCAL -out c:\soaps3.keytab -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT

My output:
Targeting domain controller: AD-WIN2008R2.alfa.local

Using legacy password setting method
Successfully mapped HTTP/soaps3.alfa.local to soaps3_kerb.Key created.
Output keytab to c:\soaps3.keytab:
Keytab version: 0x502
keysize 68 HTTP/soaps3.alfa.local@ALFA.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0x1d863479e1ab3bd62a2bfafa1abaa2dd)


Copy the generated soaps3.keytab file to the WebLogic machine; I put it in the c:\oracle folder. The keytab holds the service account's long-term key, so restrict read access on that file to the account that runs WebLogic.
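The last line of the ktpass output is a summary of the single keytab entry it wrote: an entry of 68 bytes for the principal, name type 1, key version 3, etype 0x17 and a 16-byte key. The Python script below is an added example, not part of the original post and not Microsoft or Oracle tooling: it builds a keytab in the same 0x502 binary format in memory (with a constructed placeholder key, not the key ktpass printed), parses it back, reproduces that summary line, and reports the things worth checking before the file goes to WebLogic, namely that the realm is uppercase, the principal is the one you registered and the etype matches the krb5.ini enctypes. Function names and the sample key are my assumptions; to inspect the real file, call parse_keytab() on the bytes read from c:\oracle\soaps3.keytab.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

KEYTAB_VERSION = 0x0502   # keytab format written by ktpass and MIT ktutil (big-endian)
ETYPE_RC4_HMAC = 0x17     # ktpass -crypto RC4-HMAC-NT
KRB5_NT_PRINCIPAL = 1     # ktpass -ptype KRB5_NT_PRINCIPAL


@dataclass
class KeytabEntry:
    size: int        # entry length, the "keysize 68" in the ktpass output
    principal: str   # service/host@REALM
    name_type: int
    timestamp: int
    vno: int
    etype: int
    key: bytes


def _counted(data: bytes) -> bytes:
    return struct.pack(">H", len(data)) + data   # int16 length prefix + bytes


def build_keytab(principal: str, key: bytes, vno: int = 1, etype: int = ETYPE_RC4_HMAC,
                 name_type: int = KRB5_NT_PRINCIPAL, timestamp: int = 0) -> bytes:
    """Serialise one entry in keytab version 0x502, as ktpass does (no 32-bit vno)."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components))   # in 0x502 the realm is not counted
    body += _counted(realm.encode("utf-8"))
    for component in components:
        body += _counted(component.encode("utf-8"))
    body += struct.pack(">IIB", name_type, timestamp, vno & 0xFF)
    body += struct.pack(">HH", etype, len(key)) + key   # keyblock: type, length, key
    return struct.pack(">Hi", KEYTAB_VERSION, len(body)) + body


def _read_counted(blob: bytes, pos: int) -> Tuple[str, int]:
    (length,) = struct.unpack_from(">H", blob, pos)
    return blob[pos + 2:pos + 2 + length].decode("utf-8"), pos + 2 + length


def parse_keytab(blob: bytes) -> List[KeytabEntry]:
    """Parse every live entry of a version 0x502 keytab."""
    (version,) = struct.unpack_from(">H", blob, 0)
    if version != KEYTAB_VERSION:
        raise ValueError(f"unsupported keytab version 0x{version:04x}")
    entries, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size <= 0:             # a negative size marks a deleted slot
            pos += -size
            continue
        end, p = pos + size, pos
        (ncomp,) = struct.unpack_from(">H", blob, p)
        p += 2
        realm, p = _read_counted(blob, p)
        components = []
        for _ in range(ncomp):
            component, p = _read_counted(blob, p)
            components.append(component)
        name_type, timestamp, vno = struct.unpack_from(">IIB", blob, p)
        p += 9
        etype, klen = struct.unpack_from(">HH", blob, p)
        key = blob[p + 4:p + 4 + klen]
        p += 4 + klen
        if p + 4 <= end:          # optional 32-bit vno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", blob, p)
            vno = vno32 or vno
        entries.append(KeytabEntry(size, "/".join(components) + "@" + realm,
                                   name_type, timestamp, vno, etype, key))
        pos = end
    return entries


def describe(entry: KeytabEntry) -> str:
    """Same shape as the summary line ktpass prints, minus the key material."""
    return (f"keysize {entry.size} {entry.principal} ptype {entry.name_type} "
            f"vno {entry.vno} etype 0x{entry.etype:x} keylength {len(entry.key)}")


def check_entry(entry: KeytabEntry, expected_principal: str,
                expected_etype: int = ETYPE_RC4_HMAC) -> List[str]:
    """Findings to resolve before the keytab goes to the WebLogic machine."""
    problems = []
    realm = entry.principal.rsplit("@", 1)[1]
    if realm != realm.upper():
        problems.append(f"realm {realm!r} is not uppercase")
    if entry.principal != expected_principal:
        problems.append(f"principal {entry.principal!r} != {expected_principal!r}")
    if entry.etype != expected_etype:
        problems.append(f"etype 0x{entry.etype:x} does not match the krb5.ini enctypes")
    return problems


# Constructed sample: the principal from the post with a placeholder key, not the key ktpass printed.
SAMPLE_PRINCIPAL = "HTTP/soaps3.alfa.local@ALFA.LOCAL"
SAMPLE_KEY = bytes(range(16))
SAMPLE_KEYTAB = build_keytab(SAMPLE_PRINCIPAL, SAMPLE_KEY, vno=3)

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(describe(entry), check_entry(entry, SAMPLE_PRINCIPAL) or "ok")
```

The 68-byte size falls out of the format itself (2 bytes component count, length-prefixed realm and two components, 4-byte name type, 4-byte timestamp, 1-byte vno, and a 20-byte RC4 keyblock), so a different number for the same principal is a quick hint that the file is not the one ktpass produced. A keytab written later by MIT ktutil carries an extra 32-bit vno after the key, which the parser handles.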

Now we register the Service Principal Name on the account with the setspn utility.
setSpn -A HTTP/soaps3.alfa.local@ALFA.LOCAL soaps3_kerb

My output:
Registering ServicePrincipalNames for CN=soaps3_kerb,CN=Users,DC=alfa,DC=local
        HTTP/soaps3.alfa.local@ALFA.LOCAL
Updated object



Now we can continue with the WebLogic Server configuration.

Start by creating a text file called krb5.ini in c:\windows.
ALFA.LOCAL is my AD domain, soaps3 is my WebLogic server (it lives in the alfa.local DNS domain) and ad-win2008r2.alfa.local is my domain controller.
-------------------

[libdefaults]
default_realm = ALFA.LOCAL
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac

[domain_realm]
.soaps3.alfa.local = ALFA.LOCAL
soaps3.alfa.local = ALFA.LOCAL
.alfa.local = ALFA.LOCAL
alfa.local = ALFA.LOCAL

[realms]
ALFA.LOCAL = {
kdc = ad-win2008r2.alfa.local
admin_server = ad-win2008r2.alfa.local
default_domain = alfa.local
}
[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true

---------------
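The Kerberos library turns the server's host name into a realm through the [domain_realm] section: it looks for the exact host name first, then for each parent domain written with a leading dot, and falls back to default_realm, which is why the file lists both soaps3.alfa.local and .alfa.local. The script below is an added example and not part of the original post: it parses a constructed copy of this krb5.ini, shows that resolution, and flags the mistakes the post warns about (a realm that is not uppercase, a host that does not map to it, a realm without a kdc, or ticket enctypes that are not permitted). The parser covers only the subset of krb5 syntax used here, and the function names are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed copy of the krb5.ini from the post, used as sample input.
SAMPLE_KRB5_INI = """\
[libdefaults]
default_realm = ALFA.LOCAL
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac

[domain_realm]
.soaps3.alfa.local = ALFA.LOCAL
soaps3.alfa.local = ALFA.LOCAL
.alfa.local = ALFA.LOCAL
alfa.local = ALFA.LOCAL

[realms]
ALFA.LOCAL = {
kdc = ad-win2008r2.alfa.local
admin_server = ad-win2008r2.alfa.local
default_domain = alfa.local
}
"""

Section = Dict[str, object]   # values are strings or nested Sections


def parse_krb5(text: str) -> Dict[str, Section]:
    """Minimal krb5.ini parser: [section] headers, key = value lines and one
    level of 'NAME = { ... }' nesting, which is all the file above uses."""
    sections: Dict[str, Section] = {}
    stack: List[Section] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            stack = [sections.setdefault(header.group(1), {})]
            continue
        if not stack:
            raise ValueError(f"value outside any section: {line!r}")
        if line == "}":
            stack.pop()
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            nested: Section = {}
            stack[-1][key] = nested
            stack.append(nested)
        else:
            stack[-1][key] = value
    return sections


def host_realm(conf: Dict[str, Section], hostname: str) -> Tuple[str, str]:
    """Return (realm, matching key) in the order libkrb5 consults [domain_realm]:
    the exact host, then each parent domain with a leading dot, then
    default_realm (DNS-based realm lookup is left out of this model)."""
    host = hostname.lower().rstrip(".")
    mapping = {k.lower(): str(v) for k, v in conf.get("domain_realm", {}).items()}
    if host in mapping:
        return mapping[host], host
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent], parent
    return str(conf.get("libdefaults", {}).get("default_realm", "")), "default_realm"


def check_config(conf: Dict[str, Section], server_fqdn: str) -> List[str]:
    """Findings for the points the post stresses: an uppercase realm, the
    WebLogic host mapping to it, a kdc for it and consistent enctypes."""
    problems: List[str] = []
    libdefaults = conf.get("libdefaults", {})
    realm = str(libdefaults.get("default_realm", ""))
    if not realm:
        problems.append("no default_realm in [libdefaults]")
    elif realm != realm.upper():
        problems.append(f"default_realm {realm!r} must be uppercase")
    resolved, via = host_realm(conf, server_fqdn)
    if resolved != realm:
        problems.append(f"{server_fqdn} resolves to {resolved!r} via {via!r}, not {realm!r}")
    realm_block = conf.get("realms", {}).get(realm)
    if not isinstance(realm_block, dict) or not realm_block.get("kdc"):
        problems.append(f"[realms] defines no kdc for {realm!r}")
    permitted = set(str(libdefaults.get("permitted_enctypes", "")).split())
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        for etype in str(libdefaults.get(key, "")).split():
            if permitted and etype not in permitted:
                problems.append(f"{key} lists {etype}, which is not in permitted_enctypes")
    return problems


if __name__ == "__main__":
    conf = parse_krb5(SAMPLE_KRB5_INI)
    print(host_realm(conf, "soaps3.alfa.local"))
    print(check_config(conf, "soaps3.alfa.local") or "krb5.ini looks consistent")
```

To check the real file, read c:\windows\krb5.ini (or /etc/krb5.conf on Linux) and pass its text to parse_krb5() together with the WebLogic host name; an empty result from check_config() means the mapping, realm and enctypes are consistent with what the post configures.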

On the soaps3 WebLogic machine we need to obtain a new Kerberos ticket, which will be used by WebLogic.

First flush the existing tickets. Run this from c:\ (not from the Java bin folder, so that the Windows klist is used rather than the Java one):
klist purge

Then go to the bin folder of your Java home (JDK):
cd c:\oracle\jrockit-jdk1.6.0_26-R28\bin

kinit HTTP/soaps3.alfa.local@ALFA.LOCAL

My output:
Password for HTTP/soaps3.alfa.local@ALFA.LOCAL:
New ticket is stored in cache file C:\Users\admin\krb5cc_admin


This should work and it will use the krb5.ini located at c:\windows.


Create or change an application with ADF Security, or a normal Web Application with security enabled. Open web.xml and change the auth-method to CLIENT-CERT:


  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>


Deploy the application to the WebLogic Server.

Open the WebLogic console and go to the myrealm security realm -> Providers -> Authentication.

Create a NegotiateIdentityAsserter called Microsoft.


Open the NegotiateIdentityAsserter, go to Provider Specific and de-select Form Based Negotiation Enabled.

The next step is to create a JAAS Kerberos login configuration which WebLogic will read.
Create a text file called kerberos.login in c:\oracle. This content works with Java 1.6:
-------

com.sun.security.jgss.krb5.initiate {
     com.sun.security.auth.module.Krb5LoginModule required
     principal="HTTP/soaps3.alfa.local@ALFA.LOCAL"
     useKeyTab=true
     keyTab="c:/oracle/soaps3.keytab"
     storeKey=true
     debug=true;
};

com.sun.security.jgss.krb5.accept {
     com.sun.security.auth.module.Krb5LoginModule required
     principal="HTTP/soaps3.alfa.local@ALFA.LOCAL"
     useKeyTab=true
     keyTab="c:/oracle/soaps3.keytab"
     storeKey=true
     debug=true;
};
-------

Add the following parameters to EXTRA_JAVA_PROPERTIES in the setDomainEnv.bat of your domain. The krb5.debug flag makes the JDK log every Kerberos exchange, which helps while setting this up but should be switched off once SSO works.
-Dsun.security.krb5.debug=true 
-Djavax.security.auth.useSubjectCredsOnly=false 
-Djava.security.auth.login.config=C:/oracle/kerberos.login 
-Djava.security.krb5.realm=ALFA.LOCAL 
-Djava.security.krb5.kdc=ad-win2008r2.alfa.local 


We are finished with the WebLogic and the AD configuration.

Now add the login name of the Windows user and its groups to the myrealm security realm so that you can test the Web Application.

Log on to a machine that is part of your AD domain.

Use Internet Explorer, add the WebLogic site to the trusted sites and enable Integrated Windows Authentication in the advanced options of IE,
or
use Google Chrome and start chrome.exe with the parameter --args --auth-server-whitelist="*alfa.local"; this allows SSO with Chrome.


22 comments:

  1. Will this setup work on Weblogic deployed on SOLARIS?

  2. Will this setup work on WebLogic deployed on SOLARIS, or does it require WebLogic running on a Windows machine?

  3. Hi,

    It will work on Linux and I also think on Solaris; only some files have different names, but the contents are the same.

    Thanks

  4. Hello,
    We want to use the embedded LDAP of the WLS to authenticate 'community users' (from the internet) and use SSO for the 'corporate (internal) users', and this for the same web application. ( The WLS is deployed on a Linux machine)
    Is this feasible with your instructions?
    How will the authentication of the 'console' application occur (is this embedded LDAP or SSO or can we choose)?

  5. This comment has been removed by the author.

  6. I have done all the steps precisely but I have got this (Error 401--Unauthorized
    From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
    10.4.2 401 Unauthorized
    ) on the page
    Environment :
    -JDeveloper 11g R2
    -Fusion Web Application(ADF) with ADF security Enabled
    - Active Directory Authenticator added to Security Realms through WebLogic 10.3.5

    Replies
    1. Hi,

      Do you see all the users in the WebLogic security realm, and do all the authenticators have Sufficient as the control flag?

      And does this work?

      go to the bin folder of your java home ( jdk )
      cd c:\oracle\jrockit-jdk1.6.0_26-R28\bin

      kinit HTTP/soaps3.alfa.local@ALFA.LOCAL

      My output
      Password for HTTP/soaps3.alfa.local@ALFA.LOCAL:
      New ticket is stored in cache file C:\Users\admin\krb5cc_admin

      thanks

  7. Hi Edwin,

    I'm also getting:

    Error 401--Unauthorized
    From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
    10.4.2 401

    - I can see all users and groups in myrealm > Users and Groups
    - All Authenticators have 'Sufficient' as the control flag
    - I'm able to create a new ticket via kinit to C:\Users\admin\krb5cc_admin

    With debug level logging on security, I see the following in the server log:

    com.bea.security.utils.kerberos.KerberosException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)

    Any ideas?

    Thanks,
    Anthony

    Replies
    1. Hi,

      Did you see some logging on the AD side, and did you use the right username, or add the domain name to the username, like user1@alfa.local?

      good luck

  8. Hi,

    I don't see anything in the AD event viewer.

    When you ask did I use the right domainname for the username, for which part are you referencing specifically?

    I followed the guide pretty much word for word, specifying the domain as above when required, matching the case of your guide also.

    Thanks,
    Anthony

    Replies
    1. Hi,

      So the klist purge & kinit is working, and you did this with the user and JVM under which WebLogic is also running?

      Try to set weblogic security on debug and set all log levels to trace.

      What I mean is you maybe need to use xxxx@domain as the login for your webapp. This user should also exist under that name in the myrealm security realm.

      What you also can do, is this
      http://biemond.blogspot.com/2011/09/using-owsm-kerberos-policies.html

      Create a wls domain with Enterprise Manager,
      create a simple jax-ws service with a kerberos policy.
      And now the most important part: a client with -Dsun.security.krb5.debug=true. This way you can get more info on the client side.

      hope this helps.

  9. We got this working with a single node. Thanks for the article above; the documentation we were using omitted the part where you needed to add the Realm and KDC to the Java init parameters.

    We are now trying to set this up with a load balancer and two web servers. It stopped working once we moved the SPN BI.INTRANET.COM from a host file on a single server to the load balancer. Do we need to register an SPN for both physical servers and the Load balancer VIP?

    Ex:
    HTTP/BI.INTRANET.COM@ALFA.LOCAL
    HTTP/server1@ALFA.LOCAL
    HTTP/server2@ALFA.LOCAL

    Replies
    1. Hi,

      The load balancer does not do much, and you only need to do the same for server 1 and 2.

      Thanks

  10. Hi there,

    I know this is a Windows guide, but I'm trying this on Linux, making the allowances for differing directories etc... I've completed the steps but it's not working. I get a 401 error with nothing written to the logs on the AD server.

    One question is when I run the following:
    kinit HTTP/soaps3.alfa.local@ALFA.LOCAL

    For my output I do get this, but nothing after such as your New Ticket message:
    Password for HTTP/soaps3.alfa.local@ALFA.LOCAL:

    Is that right?

  11. Hi,

    Did you also do a klist purge and then kinit HTTP/soaps3.alfa.local@ALFA.LOCAL?
    Maybe your krb5.conf can't be found, is not valid, or there is some firewall issue.

    thanks

  12. Hi,

    Thanks very much for this guide. Kerberos authentication is working everywhere (console, sbconsole, compose, worklistapp, custom ADF) except for "/em"; do you have any idea?

    Thanks,
    Adrien

    Replies
    1. Hi,

      I heard this before, and I think EM has its own cookie path or its own authentication mechanism.

      thanks

  13. soaps3 is your MACHINE NAME on which your WebLogic is running?

  14. Hello Edwin,

    Can we use CAS (Central Authentication Service) SSO with an ADF Application in WebLogic 10.3.6?

    Note :- We are using SOA/BPM 11.1.1.7
