I have had a very strange issue with JRockit and Kerberos on Windows, on which I would like some input.
My environment is:
Server Operating System = Windows Server 2008 R2 x64
Application Server = WebLogic Server Std. Edition 10.3.5 Generic
Java = First jrockit-jdk1.6.0_29-R28.2.2-4.1.0-windows-x64, then jrockit-jdk1.6.0_33-R28.2.4-4.1.0-windows-x64
Browsers = IE9 and Google Chrome 21
Clients = Windows 7 and Windows XP
Encryption = First DES, then RC4-HMAC
Active Directory with KDC: Both on Windows 2003 and Windows 2008
While JRockit's kinit tool successfully stored a ticket in cache when invoked from the Windows Command Prompt, it never worked in JRockit through WebLogic. With klist I could see a ticket being issued, but neither the WebLogic console nor custom JEE apps with <auth-method>CLIENT-CERT,FORM</auth-method> caused auto-login.
I tried with both DES and RC4-HMAC, Kerberos pre-auth on and off, and played around with SPNs and user account options without getting further than WebLogic saying:
Found key for <user>@<domain>(23)
Entered Krb5Context.acceptSecContext with state=STATE_NEW"
I think I have tried pretty much any combination of encryption algorithms, user account options and krb5.ini options without being able to get WebLogic to log me in through Kerberos. And I have read both the official doc and various blogs on how to set it up to get various views on configurations that should work. But without any luck.
Then after 3 weeks struggling with this, I found a post here on OTN where a user mentioned problems with Kerberos after he upgraded from JRockit-jdk1.6.0_20-R28.1.0....
So I tried to downgrade to jrockit-jdk1.6.0_20-R28.1.0, and suddenly my setup worked!!
So my questions are:
1. What is the highest version of JRockit on Windows 2008 R2 x64 that is known to work with Kerberos (preferably using RC4-HMAC)?
2. Has anyone found a workaround to get this to work with jrockit-jdk1.6.0_33-R28.2.x on Windows 2008 R2 x64?
Edited by: Audun Nes on Aug 16, 2012 7:33 AM
It seems this is a platform-dependent issue. With WebLogic 10.3.5 (x64) on RedHat Linux 5.5 (x64), Kerberos authentication with the latest JRockit (currently 28.2.4) works fine towards a Windows 2008 Active Directory.
It could be related to the size of the Kerberos ticket (not sure here, just a guess).
When a user belongs to many groups, it affects the size of the ticket; some tips are provided here: http://support.microsoft.com/kb/327825
(not related to JRockit, but to the MaxTokenSize in the Windows registry).
Could also run into trouble when using a front-end such as Apache HTTP Server (and WebCache)
- http://httpd.apache.org/docs/2.2/mod/core.html (set the LimitRequestFieldSize http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize appropriately)
- WebCache: WXE-11355 Single request header length exceeds configured maximum. A forbidden error response is returned to the client. Client IP: %s error
  - Cause: One of the headers in the request exceeded the configured maximum.
  - Action: Adjust the maximum individual header size limit in the Security page of OracleAS Web Cache Manager. If the problem persists, contact Oracle Support Services.
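
The header-size point in the reply above can be checked on a captured request. The following is an added example, not code from any poster in this thread. It goes slightly beyond the thread by also reporting whether the token is SPNEGO/Kerberos or NTLM. The function names are hypothetical, and the limits (8190 as Apache 2.2's documented default LimitRequestFieldSize, 12000 as the MaxTokenSize default of older Windows) are assumptions to replace with your configured values.

```python
import base64

# Assumed limits, not from the thread: 8190 is Apache 2.2's documented default
# LimitRequestFieldSize; 12000 is the MaxTokenSize default of older Windows.
FIELD_LIMIT, MAX_TOKEN = 8190, 12000
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2


def der_length(buf, pos):
    """Decode the DER length at buf[pos]; return (length, next_pos)."""
    n = buf[pos] & 0x7F
    if buf[pos] < 0x80:
        return n, pos + 1
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def inspect_negotiate(line, field_limit=FIELD_LIMIT, max_token=MAX_TOKEN):
    """Classify an 'Authorization: Negotiate' header line and size-check it."""
    name, _, value = line.partition(":")
    scheme, _, b64 = value.strip().partition(" ")
    if name.strip().lower() != "authorization" or scheme.lower() != "negotiate":
        raise ValueError("not an Authorization: Negotiate header")
    token = base64.b64decode(b64.strip(), validate=True)
    mech = "unknown"
    if token.startswith(b"NTLMSSP\x00"):
        mech = "ntlm"  # no Kerberos ticket was sent at all
    elif len(token) > 2 and token[0] == 0x60:  # GSS-API initial token
        _, pos = der_length(token, 1)
        if token.startswith(SPNEGO_OID, pos):
            mech = "spnego"
        elif token.startswith(KRB5_OID, pos):
            mech = "kerberos"
    return {"mechanism": mech, "token_bytes": len(token),
            "header_bytes": len(line),  # ASCII line: characters == bytes
            "exceeds_field_limit": len(line) > field_limit,
            "exceeds_max_token": len(token) > max_token}


def constructed_header(padding):
    """Constructed sample: SPNEGO-framed token with zero padding, not a ticket."""
    body = SPNEGO_OID + bytes(padding)
    token = b"\x60\x82" + len(body).to_bytes(2, "big") + body
    return "Authorization: Negotiate " + base64.b64encode(token).decode()


if __name__ == "__main__":
    print(inspect_negotiate(constructed_header(7000)))
```

The constructed 7012-byte token stays under the assumed MaxTokenSize, yet base64 encoding inflates the header line to 9377 bytes, past the assumed front-end limit.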