8 Replies Latest reply: Aug 7, 2013 2:29 AM by 2ec502e6-de7d-4cb9-a5b2-5b8f18f80881

Weblogic with Active Directory SSO using WNA

2ec502e6-de7d-4cb9-a5b2-5b8f18f80881 Newbie

Hi,

I tried to configure WNA for WebLogic but it does not work.

I followed the Oracle docs exactly: Configuring Single Sign-On with Microsoft Clients

I have also tried other resources, but without success.

Example: How To Configure Browser-based SSO with Kerberos/SPNEGO and Oracle WebLogic Server

My main problem is that I can't really debug why it does not work.

Can somebody point me to the log file where I can investigate the problem?

Some more info:

 

KDC is a win2k8r2

 

krb5.ini

[libdefaults]
default_realm = EXAMPLE.COM
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
ticket_lifetime = 600
[realms]
EXAMPLE.COM = {
kdc = 192.168.0.94
admin_server = vs-w8kr2-dc1
default_domain = EXAMPLE.COM
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true

 

keyfile generation

ktpass -princ HTTP/vs-ucm-cs-pro.example.com@EXAMPLE.COM -mapuser wlsuser -ptype KRB5_NT_PRINCIPAL -pass Welcome1 -out wlsuser.keytab -kvno 0 -crypto DES-CBC-CRC

 

kinit result

java -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit -k -t wlsuser.keytab HTTP/vs-ucm-cs-pro.example.com@EXAMPLE.COM
>>>KinitOptions cache name is C:\Users\Administrator.EXAMPLE\krb5cc_Administrator
Principal is HTTP/vs-ucm-cs-pro.example.com@EXAMPLE.COM
>>> Kinit using keytab
>>> Kinit keytab file name: wlsuser.keytab
>>> KeyTabInputStream, readName(): EXAMPLE.COM
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): vs-ucm-cs-pro.example.com
>>> KeyTab: load() entry length: 69; type: 1
Added key: 1version: 0
Ordering keys wrt default_tkt_enctypes list
Config name: C:\Windows\krb5.ini
default etypes for default_tkt_enctypes: 1.
0: EncryptionKey: keyType=1 kvno=0 keyValue (hex dump)=
0000: D3 E6 AB F1 91 B3 B0 D3
>>> Kinit realm name is EXAMPLE.COM
>>> Creating KrbAsReq
>>> KrbKdcReq local addresses for VS-UCM-CS-PRO are:
        VS-UCM-CS-PRO/192.168.0.161
IPv4 address
        VS-UCM-CS-PRO/fe80:0:0:0:48c0:4405:c018:7969%11
IPv6 address
        VS-UCM-CS-PRO/fe80:0:0:0:383e:e3d:3f57:ff5e%13
IPv6 address
        VS-UCM-CS-PRO/2001:0:5ef5:79fb:383e:e3d:3f57:ff5e
IPv6 address
>>> KdcAccessibility: reset
default etypes for default_tkt_enctypes: 1.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> Kinit: sending as_req to realm EXAMPLE.COM
>>> KrbKdcReq send: kdc=192.168.0.94 UDP:88, timeout=30000, number of retries =3, #bytes=261
>>> KDCCommunication: kdc=192.168.0.94 UDP:88, timeout=30000,Attempt =1, #bytes=261
>>> KrbKdcReq send: #bytes read=268
>>> KrbKdcReq send: #bytes read=268
>>> KdcAccessibility: remove 192.168.0.94
>>> reading response from kdc
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Mon Aug 05 10:55:20 CEST 2013 1375692920000
         suSec is 298089
         error code is 25
         error Message is Additional pre-authentication required
         realm is EXAMPLE.COM
         sname is krbtgt/EXAMPLE.COM
         eData provided.
         msgType is 30
>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 1
         PA-ETYPE-INFO2 salt = EXAMPLE.COMHTTPvs-ucm-cs-pro.example.com
         PA-ETYPE-INFO2 s2kparams = null
Kinit: PREAUTH FAILED/REQ, re-send AS-REQ
Updated salt from pre-auth = EXAMPLE.COMHTTPvs-ucm-cs-pro.example.com
>>>KrbAsReq salt is EXAMPLE.COMHTTPvs-ucm-cs-pro.example.com
default etypes for default_tkt_enctypes: 1.
Pre-Authenticaton: find key for etype = 1
AS-REQ: Add PA_ENC_TIMESTAMP now
>>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
>>>crc32: cf91be86
>>>crc32: 11001111100100011011111010000110
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> Kinit: sending as_req to realm EXAMPLE.COM
>>> KrbKdcReq send: kdc=192.168.0.94 UDP:88, timeout=30000, number of retries =3, #bytes=341
>>> KDCCommunication: kdc=192.168.0.94 UDP:88, timeout=30000,Attempt =1, #bytes=341
>>> KrbKdcReq send: #bytes read=94
>>> KrbKdcReq send: #bytes read=94
>>> KdcAccessibility: remove 192.168.0.94
>>> reading response from kdc
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Mon Aug 05 10:55:21 CEST 2013 1375692921000
         suSec is 548089
         error code is 52
         error Message is Response too big for UDP, retry with TCP
         realm is EXAMPLE.COM
         sname is krbtgt/EXAMPLE.COM
         msgType is 30
>>> KrbKdcReq send: kdc=192.168.0.94 TCP:88, timeout=30000, number of retries =3, #bytes=341
>>> KDCCommunication: kdc=192.168.0.94 TCP:88, timeout=30000,Attempt =1, #bytes=341
>>>DEBUG: TCPClient reading 1592 bytes
>>> KrbKdcReq send: #bytes read=1592
>>> KrbKdcReq send: #bytes read=1592
>>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
>>>crc32: 3d4ff0db
>>>crc32: 111101010011111111000011011011
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/vs-ucm-cs-pro.example.com
New ticket is stored in cache file C:\Users\Administrator.EXAMPLE\krb5cc_Administrator

 

krb5login.conf

com.sun.security.jgss.krb5.initiate {
     com.sun.security.auth.module.Krb5LoginModule required
     principal="HTTP/vs-ucm-cs-pro.example.com@EXAMPLE.COM" useKeyTab="true"
     keyTab="d:/admin/kerberos/wlsuser.keytab" storeKey="true" debug="true";
};
com.sun.security.jgss.krb5.accept {
     com.sun.security.auth.module.Krb5LoginModule required
     principal="HTTP/vs-ucm-cs-pro.example.com@EXAMPLE.COM" useKeyTab="true"
     keyTab="d:/admin/kerberos/wlsuser.keytab" storeKey="true" debug="true";
};

 

setspn -L wlsuser

Registered (SPN) for CN=wlsuser,CN=Users,DC=example,DC=com:
        HTTP/vs-ucm-cs-pro.example.com

 

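The kinit trace above is the first thing worth reading systematically: the two KRBError blocks (25 and 52) are a normal part of the AS exchange, not failures, and the only key the keytab contributes is etype 1 (des-cbc-crc). As an added example, not part of the original post, here is a small Python parser for the `-Dsun.security.krb5.debug=true` output that extracts the error codes, the enctypes on both sides and the UDP/TCP transport, and reports which of them deserve attention. The trace embedded in the script is a trimmed, constructed excerpt in the shape of the one above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed excerpt in the shape of the
# -Dsun.security.krb5.debug=true kinit output (not the full trace).
SAMPLE_TRACE = """\
>>> Kinit using keytab
0: EncryptionKey: keyType=1 kvno=0 keyValue (hex dump)=
>>> KrbKdcReq send: kdc=192.168.0.94 UDP:88, timeout=30000, number of retries =3
>>>KRBError:
         error code is 25
         error Message is Additional pre-authentication required
>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 1
>>>KRBError:
         error code is 52
         error Message is Response too big for UDP, retry with TCP
>>> KrbKdcReq send: kdc=192.168.0.94 TCP:88, timeout=30000, number of retries =3
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/vs-ucm-cs-pro.example.com
"""

# Kerberos etype numbers from the IANA registry (RFC 3961 / 3962 / 4757).
ETYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
# DES and RC4 are deprecated (RFC 6649 / RFC 8429) and disabled by default in
# current JDKs and domain controllers; a trace that negotiates only these is a
# finding even when the ticket request itself succeeds.
WEAK_ETYPES = {1, 2, 3, 23}
# Errors that belong to a normal AS exchange rather than signalling a failure.
EXPECTED_ERRORS = {25: "KDC_ERR_PREAUTH_REQUIRED", 52: "KRB_ERR_RESPONSE_TOO_BIG"}


@dataclass
class KrbTrace:
    errors: list = field(default_factory=list)       # (code, message) in order seen
    keytab_etypes: set = field(default_factory=set)  # keyType= of keys loaded from the keytab
    kdc_etypes: set = field(default_factory=set)     # etypes the KDC offered in PA-ETYPE-INFO2
    transports: list = field(default_factory=list)   # UDP/TCP send attempts in order
    got_as_rep: bool = False

    def weak_etypes(self):
        return sorted((self.keytab_etypes | self.kdc_etypes) & WEAK_ETYPES)

    def real_errors(self):
        return [(c, m) for c, m in self.errors if c not in EXPECTED_ERRORS]


def parse_krb_trace(text):
    t = KrbTrace()
    pending_code = None
    for line in text.splitlines():
        s = line.strip()
        if m := re.search(r"keyType=(\d+)", s):
            t.keytab_etypes.add(int(m.group(1)))
        elif m := re.match(r"PA-ETYPE-INFO2 etype = (\d+)", s):
            t.kdc_etypes.add(int(m.group(1)))
        elif m := re.match(r">>> KrbKdcReq send: kdc=\S+ (UDP|TCP):\d+", s):
            t.transports.append(m.group(1))
        elif m := re.match(r"error code is (\d+)", s):
            pending_code = int(m.group(1))          # the message follows on the next line
        elif m := re.match(r"error Message is (.*)", s):
            t.errors.append((pending_code, m.group(1)))
            pending_code = None
        elif s.startswith(">>> KrbAsRep cons"):
            t.got_as_rep = True
    return t


def findings(t):
    out = []
    if t.got_as_rep:
        out.append("AS-REP received: keytab, KDC address and clock are consistent")
    for code, msg in t.errors:
        out.append(f"KRBError {code} ({EXPECTED_ERRORS.get(code, 'UNEXPECTED')}): {msg}")
    if "TCP" in t.transports:
        out.append("KDC answered over TCP after UDP fallback; TCP/88 must be reachable from the server")
    for e in t.weak_etypes():
        out.append(f"weak enctype negotiated: {ETYPE_NAMES.get(e, e)} ({e})")
    return out


if __name__ == "__main__":
    for f in findings(parse_krb_trace(SAMPLE_TRACE)):
        print(f)
```

Run it against a saved trace with `parse_krb_trace(open("kinit.log").read())`. A trace whose `real_errors()` is empty and whose `got_as_rep` is true proves that the keytab, realm and KDC address are right; when browser SSO still fails after that, the cause is on the SPN or client side rather than in krb5.ini.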

  • 1. Re: Weblogic with Active Directory SSO using WNA
    Mohammed Rayan-Oracle Journeyer

    Hello,

     

    I hope that you have the below Kerberos debug flags added to the WebLogic startup script, and if yes, please check/share the server logs:

     

    -Dsun.security.krb5.debug=true



    For instance,

    D:\Oracle\10_3_5\user_projects\domains\base_domain\servers\<Server_name>\Server_name.log



  • 2. Re: Weblogic with Active Directory SSO using WNA
    2ec502e6-de7d-4cb9-a5b2-5b8f18f80881 Newbie

    Hi,

     

    These options I have added already:

     

    JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.ignoreHostnameVerification=true -Djavax.security.auth.useSubjectCredsOnly=false -Djava.security.auth.login.config=D:/admin/kerberos/krb5login.conf -Djava.security.krb5.realm=EXAMPLE.COM -Djava.security.krb5.kdc=vs-w8kr2-dc1.example.com -Dweblogic.security.enableNegotiate=true"

     

    Thanks, I will try the debug flag too.

  • 3. Re: Weblogic with Active Directory SSO using WNA
    Mohammed Rayan-Oracle Journeyer

    Sure, please append the debug flag along with the below one as well:

     

    -Dweblogic.debug.DebugSecurityAtn=true

  • 4. Re: Weblogic with Active Directory SSO using WNA
    2ec502e6-de7d-4cb9-a5b2-5b8f18f80881 Newbie

    Just another info:

     

    The manual login is working perfectly with users from active directory.

    I configured an AD Provider and I added the NegotiateIdentityAsserter.

     

    Providers order:

    1. NegotiateIdentityAsserter
    2. AD provider
    3. DefaultAuthenticator
    4. DefaultIdentityAsserter

     


  • 5. Re: Weblogic with Active Directory SSO using WNA
    2ec502e6-de7d-4cb9-a5b2-5b8f18f80881 Newbie

    I couldn't find a real error ...

     

    AdminServer.log:

    ####<06.08.2013 08:18 Uhr MESZ> <Debug> <SecurityAtn> <VS-UCM-CS-PRO> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <58dc55bc4e3ef1f9:ffc1530:1405230c986:-8000-00000000000000b2> <1375769901387> <BEA-000000> <NegotiateIdentityAsserterServiceImpl.process() called>
    ####<06.08.2013 08:18 Uhr MESZ> <Debug> <SecurityAtn> <VS-UCM-CS-PRO> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <58dc55bc4e3ef1f9:ffc1530:1405230c986:-8000-00000000000000b2> <1375769901387> <BEA-000000> <Auth type found for webapp didn't match known types: CLIENT_CERT,FORM>
    ####<06.08.2013 08:18 Uhr MESZ> <Debug> <SecurityAtn> <VS-UCM-CS-PRO> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <58dc55bc4e3ef1f9:ffc1530:1405230c986:-8000-00000000000000b2> <1375769901387> <BEA-000000> <All request headers:>
    ####<06.08.2013 08:18 Uhr MESZ> <Debug> <SecurityAtn> <VS-UCM-CS-PRO> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <58dc55bc4e3ef1f9:ffc1530:1405230c986:-8000-00000000000000b2> <1375769901387> <BEA-000000> <  Header: Accept : image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*>
    ####<06.08.2013 08:18 Uhr MESZ> <Debug> <SecurityAtn> <VS-UCM-CS-PRO> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <58dc55bc4e3ef1f9:ffc1530:1405230c986:-8000-00000000000000b2> <1375769901387> <BEA-000000> <  Header: Accept-Language : de-DE>
    ####<06.08.2013 08:18 Uhr MESZ> <Debug> <SecurityAtn> <VS-UCM-CS-PRO> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <58dc55bc4e3ef1f9:ffc1530:1405230c986:-8000-00000000000000b2> <1375769901387> <BEA-000000> <  Header: User-Agent : Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)>
    ####<06.08.2013 08:18 Uhr MESZ> <Debug> <SecurityAtn> <VS-UCM-CS-PRO> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <58dc55bc4e3ef1f9:ffc1530:1405230c986:-8000-00000000000000b2> <1375769901387> <BEA-000000> <  Header: Accept-Encoding : gzip, deflate>
    ####<06.08.2013 08:18 Uhr MESZ> <Debug> <SecurityAtn> <VS-UCM-CS-PRO> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <58dc55bc4e3ef1f9:ffc1530:1405230c986:-8000-00000000000000b2> <1375769901387> <BEA-000000> <  Header: Host : vs-ucm-cs-pro:7001>
    ####<06.08.2013 08:18 Uhr MESZ> <Debug> <SecurityAtn> <VS-UCM-CS-PRO> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <58dc55bc4e3ef1f9:ffc1530:1405230c986:-8000-00000000000000b2> <1375769901387> <BEA-000000> <  Header: Connection : Keep-Alive>
    ####<06.08.2013 08:18 Uhr MESZ> <Debug> <SecurityAtn> <VS-UCM-CS-PRO> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <58dc55bc4e3ef1f9:ffc1530:1405230c986:-8000-00000000000000b2> <1375769901387> <BEA-000000> <  Header: Cookie : ADMINCONSOLESESSION=FxlNSQVJl0JlZZmH0bMxSyYWtQzWXnBhQJ0pQ9K17QsMBHWQVX1J!-861377066>
    ####<06.08.2013 08:18 Uhr MESZ> <Debug> <SecurityAtn> <VS-UCM-CS-PRO> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <58dc55bc4e3ef1f9:ffc1530:1405230c986:-8000-00000000000000b2> <1375769901387> <BEA-000000> <Negotiate filter: existing session, negotiation was started>
    ####<06.08.2013 08:18 Uhr MESZ> <Debug> <SecurityAtn> <VS-UCM-CS-PRO> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <58dc55bc4e3ef1f9:ffc1530:1405230c986:-8000-00000000000000b2> <1375769901387> <BEA-000000> <Request doesn't have Negotiate response, Negotiate filter ignoring>
    ####<06.08.2013 08:18 Uhr MESZ> <Debug> <SecurityAtn> <VS-UCM-CS-PRO> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <58dc55bc4e3ef1f9:ffc1530:1405230c986:-8000-00000000000000b2> <1375769901387> <BEA-000000> <Passing to next filter in the chain>

     

    These messages appear when calling the AdminServer URL.
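The useful fact in that DebugSecurityAtn dump is the header list: there is no `Authorization` header at all, so the browser never answered the Negotiate challenge. When a header is present, what it carries matters just as much, because a browser that cannot obtain a Kerberos ticket falls back to a raw NTLM token inside the same `Negotiate` scheme. As an added example that is not part of the original thread, the following Python script groups the WebLogic header lines into requests and classifies the token the browser sent. The log lines it contains are constructed in the shape of the dump above; the NTLM and SPNEGO tokens are minimal constructed headers, not captures.

```python
import base64
import binascii
import re

# GSS-API mechanism OIDs as DER-encoded OBJECT IDENTIFIER TLVs.
SPNEGO_OID = b"\x06\x06\x2b\x06\x01\x05\x05\x02"             # 1.3.6.1.5.5.2
KRB5_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"   # 1.2.840.113554.1.2.2

# Constructed tokens: a minimal NTLM NEGOTIATE_MESSAGE header and a minimal
# SPNEGO InitialContextToken wrapper (just enough structure to be recognised).
NTLM_TOKEN = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 8).decode()
_negtokeninit = SPNEGO_OID + b"\xa0\x03\x02\x01\x00"
SPNEGO_TOKEN = base64.b64encode(b"\x60" + bytes([len(_negtokeninit)]) + _negtokeninit).decode()

# Constructed log lines in the shape of the DebugSecurityAtn output.
_PREFIX = ("####<06.08.2013 08:18 Uhr MESZ> <Debug> <SecurityAtn> <VS-UCM-CS-PRO> <AdminServer> "
           "<[ACTIVE] ExecuteThread: '4'> <<WLS Kernel>> <> <txid> <1375769901387> <BEA-000000> ")


def _wls(msg):
    return _PREFIX + "<" + msg + ">"


SAMPLE_LOG = "\n".join([
    # request 1: the situation in the thread, no Authorization header at all
    _wls("All request headers:"),
    _wls("  Header: Host : vs-ucm-cs-pro:7001"),
    _wls("  Header: User-Agent : Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"),
    _wls("Request doesn't have Negotiate response, Negotiate filter ignoring"),
    # request 2: the browser answered the challenge, but with an NTLM token
    _wls("All request headers:"),
    _wls("  Header: Host : vs-ucm-cs-pro:7001"),
    _wls("  Header: Authorization : Negotiate " + NTLM_TOKEN),
    # request 3: a SPNEGO token, which is what the NegotiateIdentityAsserter wants
    _wls("All request headers:"),
    _wls("  Header: Host : vs-ucm-cs-pro.example.com:7001"),
    _wls("  Header: Authorization : Negotiate " + SPNEGO_TOKEN),
])

_MSG_RE = re.compile(r"<BEA-\d+> <(.*)>$")
_HDR_RE = re.compile(r"\s*Header: (\S+) : (.*)$")


def parse_requests(log_text):
    """Group 'Header:' lines into one dict per request; names are lower-cased."""
    requests = []
    for line in log_text.splitlines():
        m = _MSG_RE.search(line)
        if not m:
            continue
        msg = m.group(1)
        if msg == "All request headers:":
            requests.append({})
        elif (h := _HDR_RE.match(msg)) and requests:
            requests[-1][h.group(1).lower()] = h.group(2)
    return requests


def classify_authorization(value):
    """absent | ntlm | spnego | kerberos | other | malformed, from the Authorization value."""
    if value is None:
        return "absent"
    scheme, _, blob = value.partition(" ")
    if scheme.lower() != "negotiate":
        return "other"
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"                 # raw NTLM: the client did not get a Kerberos ticket
    if raw[:1] == b"\x60":            # [APPLICATION 0] length OID ... per RFC 2743 3.1
        head = raw[:16]               # the OID follows a 1..3 byte length, so it sits up front
        if SPNEGO_OID in head:
            return "spnego"
        if KRB5_OID in head:
            return "kerberos"
    return "other"


DIAGNOSIS = {
    "absent": "no token sent: check Intranet-zone membership of the URL and 'Enable Integrated Windows Authentication'",
    "ntlm": "NTLM fallback: no Kerberos ticket for HTTP/<host in URL>; check the SPN, duplicate SPNs, and that the client is not the WebLogic host itself",
    "spnego": "SPNEGO token present: remaining failures are server-side (keytab, JAAS config, clock skew)",
    "kerberos": "raw Kerberos GSS token without SPNEGO wrapper",
    "other": "not a Negotiate token",
    "malformed": "Negotiate value is not valid base64 / not a GSS token",
}


def diagnose(log_text):
    return [(r.get("host"), classify_authorization(r.get("authorization"))) for r in parse_requests(log_text)]


if __name__ == "__main__":
    for host, kind in diagnose(SAMPLE_LOG):
        print(f"{host}: {kind} -> {DIAGNOSIS[kind]}")
```

The `Host` value is reported alongside the verdict because it records which name the browser used, which is worth comparing against the registered `HTTP/` SPN. Point `diagnose` at the real server log to get one verdict per request instead of reading the header dumps by hand.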

  • 6. Re: Weblogic with Active Directory SSO using WNA
    Mohammed Rayan-Oracle Journeyer


    <1375769901387> <BEA-000000> <Request doesn't have Negotiate response, Negotiate filter ignoring>


    This is a very common error. It means that the WebLogic Server was ready to extract a SPNEGO token but could not find one in the request sent by the browser. So the problem is "Why didn't the browser send a SPNEGO token"? A few possible explanations are:



     

     

    The browser is not set up correctly to send a SPNEGO token. Go back to the client configuration and double-check the browser configuration as follows:

     

     

    1. Go to Tools -> Internet Options.
    2. Select the "Security" tab.
    3. Click on the "Local Intranet" icon. This will enable the "Sites" button.
    4. Click the "Sites" button. This will show a "Local Intranet" popup.
    5. Make sure the "Include all local (intranet) sites not listed in other zones" option is selected (Windows XP only).
    6. Click on the "Advanced" button. In the new popup window, add the URL for the machine hosting WebLogic.
    7. Click "OK" to save your settings.
    8. In the "Security" tab, click the "Custom Level" button.
    9. In the "Security Settings" dialog, under the "User Authentication" section, make sure the "Automatic logon only in Intranet zone" option is selected.
    10. Click "OK" to save your settings.
    11. Go to the "Connections" tab -> LAN Settings.
    12. If you have a proxy server enabled, click on the "Advanced" button. Make sure you add the URL for the machine hosting WebLogic in the "Exceptions" box.
    13. In the "Internet Options -> Advanced" tab, make sure the "Enable Integrated Windows Authentication (requires restart)" option is checked. Click "OK" (if this option was not selected previously, you need to close all browser instances for the setting to take effect).

     

    and/or

     

     

    Something is wrong in your SPN definition. Either no SPN is defined for this service or you have duplicate SPNs, which means that the SPN resolved in more than one principal associated with it.

     

    In order to confirm this, i.e. whether the SPN (that you intend to use) is already linked to some other user account, please follow these steps:

    a. Use the following command to export the AD data to a file:

            ldifde -f <filename> -s <domain_controller>

    or

    b. Execute the following flavor of the Windows "setspn" command to detect already existing SPNs:

            setspn -Q <SPN>


    Hope this helps
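An ldifde export is only useful if something actually walks it for SPNs that appear on more than one object, since the KDC cannot issue a ticket for an ambiguous name. As an added example that is not part of the original reply, the following Python script parses LDIF as written by `ldifde` (folded continuation lines and base64 `::` values included) and lists every servicePrincipalName that belongs to two or more distinguished names. The LDIF embedded in it is constructed: the computer object carrying a second copy of `HTTP/vs-ucm-cs-pro.example.com` is invented to show what a duplicate looks like; the thread's own `setspn -Q` output shows only the wlsuser entry.

```python
import base64
from collections import defaultdict

# Constructed LDIF in the shape of an `ldifde -f <file> -s <dc>` export.
# The duplicate HTTP/ SPN on the computer object is invented for the demo.
SAMPLE_LDIF = """\
dn: CN=wlsuser,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: wlsuser
servicePrincipalName: HTTP/vs-ucm-cs-pro.example.com

dn: CN=VS-UCM-CS-PRO,CN=Computers,DC=example,DC=com
objectClass: computer
sAMAccountName: VS-UCM-CS-PRO$
servicePrincipalName: HOST/VS-UCM-CS-PRO
servicePrincipalName: HOST/vs-ucm-cs-pro.example.com
servicePrincipalName: HTTP/vs-ucm-cs-pro.exa
 mple.com

dn: CN=svc-other,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: svc-other
servicePrincipalName:: SFRUUC9vdGhlci5leGFtcGxlLmNvbQ==
"""


def parse_ldif(text):
    """Return one {attribute_lower: [values]} dict per LDIF record."""
    # Unfold: a line beginning with a single space continues the previous line.
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    records, attrs = [], {}
    for line in unfolded + [""]:          # sentinel blank line flushes the last record
        if line == "":
            if attrs:
                records.append(attrs)
            attrs = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attrs.setdefault(name.strip().lower(), []).append(value)
    return records


def find_duplicate_spns(records):
    """Map each SPN registered on more than one object to the sorted list of owner DNs."""
    owners = defaultdict(set)
    for rec in records:
        dn = rec.get("dn", ["<no dn>"])[0]
        for spn in rec.get("serviceprincipalname", []):
            owners[spn.lower()].add(dn)   # SPN matching is case-insensitive
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}


def report(text):
    dups = find_duplicate_spns(parse_ldif(text))
    lines = []
    for spn, dns in sorted(dups.items()):
        lines.append(f"DUPLICATE {spn}")
        lines.extend(f"    {dn}" for dn in dns)
    return lines or ["no duplicate SPNs found"]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LDIF)))
```

Feed it the real export with `report(open(r"C:\ad-export.ldf", encoding="utf-8").read())`; `ldifde` writes the file with the attribute names shown above, so no renaming is needed. On a 2008 or later domain controller `setspn -X` gives the same duplicate list without an export, so the two are worth running side by side.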





  • 7. Re: Weblogic with Active Directory SSO using WNA
    2ec502e6-de7d-4cb9-a5b2-5b8f18f80881 Newbie

    Checked Browser settings. Seems to be fine.

    All the points you mentioned are configured.

     

    SPN

    C:\Users\Administrator>setspn -Q HTTP/vs-ucm-cs-pro.example.com

    Die Domäne "DC=example,DC=com" wird überprüft. (=> Domain example.com will be checked)

    CN=wlsuser,CN=Users,DC=example,DC=com

            HTTP/vs-ucm-cs-pro.example.com

     

    Bestehender SPN wurde gefunden. (=> Existing SPN found ...)

     

    I read that one should not test the SSO from the WebLogic Server. I'm setting up a third Windows machine at the moment to test the SSO from a separate client.

  • 8. Re: Weblogic with Active Directory SSO using WNA
    2ec502e6-de7d-4cb9-a5b2-5b8f18f80881 Newbie

    Hi, it works!!

    Thanks to your debug flags and a new machine!

    The SSO works perfectly on another machine. So please don't test SSO on the WebLogic machine ...
