This discussion is archived
2 Replies Latest reply: Feb 8, 2013 10:34 AM by 962905 RSS

Kerberos/SPNEGO in a heterogeneous environment, avoiding 401?

Jaap Spiering Explorer
Currently Being Moderated
Hi, we are using WebLogic Server 11g PS5.
We have just configured Single-Sign On for Microsoft Clients, using Kerberos and a SPNEGO identity asserter, as described here:

http://docs.oracle.com/cd/E23943_01/web.1111/e13707/sso.htm#i1106670

works like a charm when using IE or Chrome and authenticated to Windows, but when someone accesses our application using a different browser (Firefox) or a different operating system (say, on the iPad), he will be presented with a 401 - Not Authorized:

Error 401--Unauthorized
From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
10.4.2 401 Unauthorized

The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity MAY include relevant diagnostic information. HTTP access authentication is explained in section 11.

A refresh then is sufficient to send the user to our login screen anyway, but is there any way to avoid the 401 response when the client that is accessing the application is not configured for Windows Integrated Authentication?

Also, we have a scenario where the user that is authenticated to Windows is a generic account, while we want users to logon to our application using a personal account, can we cover this too?
  • 1. Re: Kerberos/SPNEGO in a heterogeneous environment, avoiding 401?
    Jaap Spiering Explorer
    Currently Being Moderated
    A partial workaround is to add a meta refresh tag on the resulting 401 paqe. Browsers that are not confgiured to send a Kerberos token will automatically refresh then.
    See the following support note:
    After Configuration Of Windows Based SSO, Non SSO Configured Browsers Give Error Page [ID 1468495.1]

    The only issue remaining is for users that have a browser configured for Kerberos (such as IE or Chrome), but are not on the configured domain. These will get a popup prompting for credentials upon the 401 request, but these credentials are sent as an NLTM token and not processed by WebLogic. The only way around this is cancelling this prompt and then you are taken to the login screen.

    Any ideas how to avoid the credentials popup for users outside of the configured domain?
  • 2. Re: Kerberos/SPNEGO in a heterogeneous environment, avoiding 401?
    962905 Newbie
    Currently Being Moderated
    Assuming that you have configured AD and have created a Negotiate Provider in weblogic console.

    Try giving just BASIC in web.xml in your war file.

    ie <login-config>
    <auth-method>BASIC</auth-method>
    </login-config>

    Deploy the war file with different name like obi.ear instead of analytics.ear. In order to deploy with different name you might require to change the names in the ear file from analytics to obi.

    This way first Request should receive both WWW-Authenticate: Negotiate and WWW-Authenticate: Basic. And the client will choose the auth mech.

    Let us know your results!

Legend

  • Correct Answers - 10 points
  • Helpful Answers - 5 points