In my test env, I'm using the Microsoft Active Domain for both Domain User login & utilizing the AD as LDAP for PeopleSoft LDAP Login, as well as the Kerberos solution for Desktop Signon. All is based on the MS AD domain structures.
Besides, by utilizing the KRB_Authentication PeopleCode, we can achieve the LDAP cache user info to update the PSOPRDEFN table during the Kerberos login, with no need to first create an OPRID prior to the first Kerberos login from the End User side. (This may require more complex User Map Rules as well as some code I guess, but I didn't go far, just tested if LDAP can be combined with Kerberos.)
By default if you are using MS AD each domain controller runs a KDC so you should not need to create a new domain controller. When configuring Kerberos SSO you will point the config to one of your domain controllers' IP address.
If the web server receives an invalid token it removes it from the http request so you won't have either the Authorization header (which comes from the client) or the KRB_USER header (which Weblogic extracts).
For debugging it sounds like you have added code to check the headers (I write them out to a log file for debugging) but if the web server is rejecting the token and stripping out the Authorization header then they never reach the application server.
So things to check I think:
- is there a duplicate SPN? (check via SPN -x)
- check weblogic startup, are there any errors? if not the PIA_weblogic.log file should show which Java system properties are loaded, look for java.security... and check the settings are as expected
- these checks should tell you if the web server is failing for the configuration files
- check the request from the browser (eg using Fiddler, http headers etc) and ensure the authorization header is there and is a Kerberos negotiation header
- use klist on the client to check what tokens have been issued
- ensure that the URL in the client is the same as that expected when creating the keytab file
Hope this helps, not sure it adds anything more than the previous posts but I'd suggest double checking.
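Added example, not code from this thread: a small Python check for the "is the Authorization header a Kerberos negotiation header" step. Given the header value captured from the browser (e.g. with Fiddler), it reports whether the token is a Kerberos/SPNEGO token, an NTLM fallback sent inside the Negotiate scheme (a common symptom when no ticket can be obtained), Basic auth, or missing. The OID constants are the standard GSS-API, SPNEGO and Kerberos identifiers; the function and helper names are my own and the sample headers are constructed.

```python
import base64
import binascii

# DER-encoded OIDs as they appear right after the [APPLICATION 0] tag of a
# GSS-API InitialContextToken (RFC 2743, section 3.1): 0x06, length, OID bytes.
SPNEGO_OID = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f71201020202")     # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("06092a864882f71201020202")  # 1.2.840.48018.1.2.2 (Windows variant)


def _strip_app_tag(raw):
    """Return the bytes after the 0x60 tag and its DER length, or None if absent."""
    if len(raw) < 2 or raw[0] != 0x60:
        return None
    if raw[1] < 0x80:                      # short-form length
        return raw[2:]
    n = raw[1] & 0x7F                      # long form: next n bytes hold the length
    return raw[2 + n:] if len(raw) > 2 + n else None


def classify_authorization_header(header_value):
    """Say what the browser really sent: kerberos, ntlm, spnego-other, basic, missing or unknown."""
    if not header_value or not header_value.strip():
        return "missing"
    scheme, _, token = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return "basic"
    if scheme != "negotiate":
        return "unknown"
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (ValueError, binascii.Error):
        return "unknown"
    # With no usable ticket (wrong or duplicate SPN, no TGT, site not trusted for
    # SSO) browsers fall back to NTLM inside the Negotiate scheme; the decoded
    # token then starts with the NTLMSSP signature rather than a DER tag.
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"
    inner = _strip_app_tag(raw)
    if inner is None:
        return "unknown"
    if inner.startswith((KRB5_OID, MS_KRB5_OID)):
        return "kerberos"                  # bare Kerberos mech token, no SPNEGO wrapper
    if inner.startswith(SPNEGO_OID):
        # Heuristic: NegTokenInit carries the offered mechanism list; look for the
        # Kerberos OID anywhere in it instead of parsing the whole ASN.1 structure.
        return "kerberos" if (KRB5_OID in inner or MS_KRB5_OID in inner) else "spnego-other"
    return "unknown"
```

A result of "ntlm" on a request that should carry Kerberos points at the SPN, keytab URL or client ticket checks above rather than at the application server.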