0 Replies Latest reply: Mar 26, 2012 10:11 PM by 899368

    Configuring SSO with Microsoft Clients

    899368
      Hello all,

      Products involved:

      1. Weblogic 10.3.5, UCM 11.1.1.5.0 running on RHEL 5.5 64-bit (wlshostname@mydomain.com)
      2. Active Directory running on Windows 2008 server with KDC configured and enabled (DOMAIN: mydomain.com)

      I am trying to implement desktop integration, where the user logs onto their desktop PC using their Microsoft AD account and then launches UCM 11g using MS IE. The user should not be prompted to log into UCM, as Kerberos integration would have kicked in and automatically signed them into UCM.

      I have followed the steps in the OFM Securing Oracle Weblogic Server 11g Release 1 (10.3.5) guide, which can be accessed here. This is the latest documentation I can find for Weblogic 10.3.5, and it refers to a Windows 2000 KDC/AD server; I don't think it matters, as most of the steps required to set up Kerberos are out of the box in Windows 2008. Correct me if I am wrong.

      It didn't work... and I have pinpointed the problem to the keytab that was generated. I have checked the command line used to produce this keytab file on the KDC server and it is correct; I'll step through it below:

      I ran the ktpass command on the KDC server, since Weblogic is running on Linux, ktpass is the command I need to run:

      ktpass -princ HTTP/wlshostname.mydomain.com@mydomain.com -mapuser adaccountname -pass abc123 -out c:\scripts\WebLogic_KeyTab -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL

      Where the -mapuser value is the AD user created to be mapped to the SPN created for Weblogic (wlshostname.mydomain.com), and the AD domain is mydomain.com.

      Again, does Windows 2008 generate a keytab that is not supported by the crypto/cipher algorithms used by Weblogic 10.3.5? I am ensuring I use AES256, which is supported with W2k8 R2 (KDC/AD) and above and with JDK 1.6 (Weblogic 10.3.5).

      I then uploaded this keytab file onto the Weblogic server and ran kinit to check it:

      kinit -k -t /u01/oracle/Weblogic_KeyTab adaccountname

      I got the following error message:

      kinit(v5): Cannot find KDC for requested realm while getting initial credentials

      Googling this message, I get many results telling me I need a DNS entry for the KDC in the /etc/hosts file on the Weblogic Linux server. I did this, and running the kinit command still gives this error message.

      I then created a SPNEGO Identity Asserter from the Weblogic Console, created krb5Login.conf, and also put in the following startup parameters for the UCM Managed Server:

      -Djavax.security.auth.useSubjectCredsOnly=false
      -Djava.security.auth.login.config=/u01/oracle/krb5Login.conf
      -Djava.security.krb5.realm=mydomain.com
      -Djava.security.krb5.kdc=kdc.mydomain.com

      Contents of the krb5Login.conf file:

      com.sun.security.jgss.krb5.initiate {
          com.sun.security.auth.module.Krb5LoginModule required
          principal="wlshostname.mydomain.com@mydomain.com" useKeyTab="true"
          keyTab="/u01/oracle/WebLogic_KeyTab" storeKey="true";
      };

      com.sun.security.jgss.krb5.accept {
          com.sun.security.auth.module.Krb5LoginModule required
          principal="wlshostname.mydomain.com@mydomain.com" useKeyTab="true"
          keyTab="/u01/oracle/WebLogic_KeyTab" storeKey="true";
      };

      Any ideas? Is this what is causing the desktop integration to not work?


      Thanks
      Stanley
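One offline check a practitioner would run against a keytab like the one above, as an added example that is not part of the original post and not Oracle's or MIT's code: a Python script that parses the MIT keytab format ktpass produces, lists each entry as klist -kte would (key version, encryption type, principal), and reports whether the principal string from krb5Login.conf is present in the keytab with an AES256 key. kinit -k -t has to be given a principal that is actually in the keytab, and Kerberos principal and realm names are case-sensitive (an Active Directory realm is the upper-case DNS domain name), so the check also points out near misses that differ only in case or in a missing HTTP/ service prefix. The keytab bytes are constructed inline with a placeholder key and nothing is written to disk; the SPN, realm and keytab path are taken from the post, while the upper-case realm spelling and the key version number are assumptions made for the sample.

```python
"""Added example (not the post's, Oracle's or MIT's code): parse the MIT keytab
format (version 0x0502) that ktpass writes, list it like `klist -kte`, and check
that the principal named in krb5Login.conf is in it with an AES256 key. The
sample keytab is constructed in-line with a placeholder key."""
import struct

ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
            23: "arcfour-hmac"}          # RFC 3961 / MIT krb5 enctype numbers
AES256 = 18
KRB5_NT_PRINCIPAL = 1                    # the -ptype given to ktpass


def build_entry(principal, enctype, key, kvno, name_type=KRB5_NT_PRINCIPAL):
    """Serialise one keytab entry: int32 length, then big-endian fields."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", name_type, 0, kvno & 0xFF)      # name type, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


def build_keytab(entries, deleted_slot=0):
    """Version-2 keytab; deleted_slot > 0 first adds a hole of that many bytes,
    marked by a negative length, as ktutil leaves when it deletes an entry."""
    data = b"\x05\x02"
    if deleted_slot:
        data += struct.pack(">i", -deleted_slot) + bytes(deleted_slot)
    return data + b"".join(build_entry(*e) for e in entries)


def _counted(buf, off):
    """Read a uint16 length-prefixed string at buf[off:]; return (str, new_off)."""
    (n,) = struct.unpack(">H", buf[off:off + 2])
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n


def parse_keytab(data):
    """Return a dict per live entry: principal, name_type, kvno, enctype, enctype_name."""
    if data[:2] != b"\x05\x02":
        raise ValueError("expected MIT keytab version 0x0502, got %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                        # negative length marks a deleted slot
            pos -= size
            continue
        entry, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack(">H", entry[:2])
        realm, off = _counted(entry, 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(entry, off)
            comps.append(comp)
        name_type, _ts, vno8 = struct.unpack(">IIB", entry[off:off + 9])
        enctype, klen = struct.unpack(">HH", entry[off + 9:off + 13])
        off += 13 + klen                    # skip the key bytes themselves
        kvno = vno8
        if off + 4 <= size:                 # optional 32-bit kvno wins if non-zero
            kvno = struct.unpack(">I", entry[off:off + 4])[0] or kvno
        entries.append({"principal": "/".join(comps) + "@" + realm, "name_type": name_type,
                        "kvno": kvno, "enctype": enctype,
                        "enctype_name": ENCTYPES.get(enctype, "unknown(%d)" % enctype)})
    return entries


def check_jaas_principal(entries, jaas_principal):
    """Problems with using jaas_principal (as written in krb5Login.conf) with this keytab."""
    names = sorted({e["principal"] for e in entries})
    if jaas_principal in names:
        if any(e["enctype"] == AES256 for e in entries if e["principal"] == jaas_principal):
            return []
        return ["%s has no aes256-cts-hmac-sha1-96 key in the keytab" % jaas_principal]
    problems = ["%s is not in the keytab (entries: %s)" % (jaas_principal, names)]
    want = jaas_principal.lower()
    for n in names:                         # near misses: case, or a missing service prefix
        if n.lower() == want:
            problems.append("%s differs only in case; principal and realm names are case-sensitive" % n)
        elif n.lower().endswith("/" + want):
            problems.append("%s matches apart from the %s/ service prefix (and possibly realm case)"
                            % (n, n.split("/")[0]))
    return problems


def kinit_command(keytab_path, entry):
    """The kinit invocation that tests an entry; the principal must be one in the keytab."""
    return "kinit -k -t %s %s" % (keytab_path, entry["principal"])


# Constructed sample: the SPN from the ktpass command with the realm in the upper
# case Active Directory uses for its Kerberos realm; the 32-byte key is a placeholder.
SAMPLE_KEYTAB = build_keytab([("HTTP/wlshostname.mydomain.com@MYDOMAIN.COM", AES256,
                               bytes(range(32)), 3)])

if __name__ == "__main__":
    found = parse_keytab(SAMPLE_KEYTAB)
    for e in found:
        print("%4d  %-24s  %s" % (e["kvno"], e["enctype_name"], e["principal"]))
    for p in check_jaas_principal(found, "wlshostname.mydomain.com@mydomain.com"):
        print("PROBLEM:", p)           # principal string exactly as in the post's conf
    print(kinit_command("/u01/oracle/WebLogic_KeyTab", found[0]))
```

To inspect a real file, replace SAMPLE_KEYTAB with the bytes read from the keytab path. The script does not diagnose the "Cannot find KDC for requested realm" message: that is a realm-to-KDC lookup failure (the [realms] section of krb5.conf or DNS SRV records) and has to be checked on the WebLogic host itself. What the parser does show is exactly which principal string and realm spelling the keytab holds, which is what both the kinit argument and the principal= value in krb5Login.conf have to match character for character.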