8 Replies Latest reply: Aug 7, 2013 4:29 AM by 1016617

    Weblogic with Active Directory SSO using WNA

    1016617

      Hi,

      I tried to configure WNA for Weblogic but it does not work.

      I exactly followed the Oracle docs: Configuring Single Sign-On with Microsoft Clients

      I have also tried other resources, but without success.

      Example: How To Configure Browser-based SSO with Kerberos/SPNEGO and Oracle WebLogic Server

      My main problem is that I can't really debug why it does not work.

      Can somebody point me to the logfile where I can investigate the problem?

       

       

      Some more info:

       

      KDC is a win2k8r2

       

      krb5.ini

      [libdefaults]
      default_realm = EXAMPLE.COM
      default_tkt_enctypes = des-cbc-crc
      default_tgs_enctypes = des-cbc-crc
      ticket_lifetime = 600
      
      [realms]
      EXAMPLE.COM = {
      kdc = 192.168.0.94
      admin_server = vs-w8kr2-dc1
      default_domain = EXAMPLE.COM
      }
      
      [domain_realm]
      .example.com = EXAMPLE.COM
      example.com = EXAMPLE.COM
      
      [appdefaults]
      autologin = true
      forward = true
      forwardable = true
      encrypt = true
      
      
      

       

      keyfile generation

      ktpass -princ HTTP/vs-ucm-cs-pro.example.com@EXAMPLE.COM -mapuser wlsuser -ptype KRB5_NT_PRINCIPAL -pass Welcome1 -out wlsuser.keytab -kvno 0 -crypto DES-CBC-CRC
      
      
      

       

      kinit result

      java -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit -k -t wlsuser.keytab HTTP/vs-ucm-cs-pro.example.com@EXAMPLE.COM
      >>>KinitOptions cache name is C:\Users\Administrator.EXAMPLE\krb5cc_Administrat
      or
      Principal is HTTP/vs-ucm-cs-pro.example.com@EXAMPLE.COM
      >>> Kinit using keytab
      >>> Kinit keytab file name: wlsuser.keytab
      >>> KeyTabInputStream, readName(): EXAMPLE.COM
      >>> KeyTabInputStream, readName(): HTTP
      >>> KeyTabInputStream, readName(): vs-ucm-cs-pro.example.com
      >>> KeyTab: load() entry length: 69; type: 1
      Added key: 1version: 0
      Ordering keys wrt default_tkt_enctypes list
      Config name: C:\Windows\krb5.ini
      default etypes for default_tkt_enctypes: 1.
      0: EncryptionKey: keyType=1 kvno=0 keyValue (hex dump)=
      0000: D3 E6 AB F1 91 B3 B0 D3
      
      >>> Kinit realm name is EXAMPLE.COM
      >>> Creating KrbAsReq
      >>> KrbKdcReq local addresses for VS-UCM-CS-PRO are:
      
              VS-UCM-CS-PRO/192.168.0.161
      IPv4 address
      
              VS-UCM-CS-PRO/fe80:0:0:0:48c0:4405:c018:7969%11
      IPv6 address
      
              VS-UCM-CS-PRO/fe80:0:0:0:383e:e3d:3f57:ff5e%13
      IPv6 address
      
              VS-UCM-CS-PRO/2001:0:5ef5:79fb:383e:e3d:3f57:ff5e
      IPv6 address
      >>> KdcAccessibility: reset
      default etypes for default_tkt_enctypes: 1.
      >>> KrbAsReq calling createMessage
      >>> KrbAsReq in createMessage
      >>> Kinit: sending as_req to realm EXAMPLE.COM
      >>> KrbKdcReq send: kdc=192.168.0.94 UDP:88, timeout=30000, number of retries =3
      , #bytes=261
      >>> KDCCommunication: kdc=192.168.0.94 UDP:88, timeout=30000,Attempt =1, #bytes=
      261
      >>> KrbKdcReq send: #bytes read=268
      >>> KrbKdcReq send: #bytes read=268
      >>> KdcAccessibility: remove 192.168.0.94
      >>> reading response from kdc
      >>> KDCRep: init() encoding tag is 126 req type is 11
      >>>KRBError:
               sTime is Mon Aug 05 10:55:20 CEST 2013 1375692920000
               suSec is 298089
               error code is 25
               error Message is Additional pre-authentication required
               realm is EXAMPLE.COM
               sname is krbtgt/EXAMPLE.COM
               eData provided.
               msgType is 30
      >>>Pre-Authentication Data:
               PA-DATA type = 19
               PA-ETYPE-INFO2 etype = 1
               PA-ETYPE-INFO2 salt = EXAMPLE.COMHTTPvs-ucm-cs-pro.example.com
               PA-ETYPE-INFO2 s2kparams = null
      Kinit: PREAUTH FAILED/REQ, re-send AS-REQ
      Updated salt from pre-auth = EXAMPLE.COMHTTPvs-ucm-cs-pro.example.com
      >>>KrbAsReq salt is EXAMPLE.COMHTTPvs-ucm-cs-pro.example.com
      default etypes for default_tkt_enctypes: 1.
      Pre-Authenticaton: find key for etype = 1
      AS-REQ: Add PA_ENC_TIMESTAMP now
      >>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
      >>>crc32: cf91be86
      >>>crc32: 11001111100100011011111010000110
      >>> KrbAsReq calling createMessage
      >>> KrbAsReq in createMessage
      >>> Kinit: sending as_req to realm EXAMPLE.COM
      >>> KrbKdcReq send: kdc=192.168.0.94 UDP:88, timeout=30000, number of retries =3
      , #bytes=341
      >>> KDCCommunication: kdc=192.168.0.94 UDP:88, timeout=30000,Attempt =1, #bytes=
      341
      >>> KrbKdcReq send: #bytes read=94
      >>> KrbKdcReq send: #bytes read=94
      >>> KdcAccessibility: remove 192.168.0.94
      >>> reading response from kdc
      >>> KDCRep: init() encoding tag is 126 req type is 11
      >>>KRBError:
               sTime is Mon Aug 05 10:55:21 CEST 2013 1375692921000
               suSec is 548089
               error code is 52
               error Message is Response too big for UDP, retry with TCP
               realm is EXAMPLE.COM
               sname is krbtgt/EXAMPLE.COM
               msgType is 30
      >>> KrbKdcReq send: kdc=192.168.0.94 TCP:88, timeout=30000, number of retries =3
      , #bytes=341
      >>> KDCCommunication: kdc=192.168.0.94 TCP:88, timeout=30000,Attempt =1, #bytes=
      341
      >>>DEBUG: TCPClient reading 1592 bytes
      >>> KrbKdcReq send: #bytes read=1592
      >>> KrbKdcReq send: #bytes read=1592
      >>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
      >>>crc32: 3d4ff0db
      >>>crc32: 111101010011111111000011011011
      >>> KrbAsRep cons in KrbAsReq.getReply HTTP/vs-ucm-cs-pro.example.com
      New ticket is stored in cache file C:\Users\Administrator.EXAMPLE\krb5cc_Admini
      strator
      
      
      

       

      krb5login.conf

      com.sun.security.jgss.krb5.initiate {
           com.sun.security.auth.module.Krb5LoginModule required
           principal="HTTP/vs-ucm-cs-pro.example.com@EXAMPLE.COM" useKeyTab="true"
           keyTab="d:/admin/kerberos/wlsuser.keytab" storeKey="true" debug="true";
      };
      
      com.sun.security.jgss.krb5.accept {
           com.sun.security.auth.module.Krb5LoginModule required
           principal="HTTP/vs-ucm-cs-pro.example.com@EXAMPLE.COM" useKeyTab="true"
           keyTab="d:/admin/kerberos/wlsuser.keytab" storeKey="true" debug="true";
      };
      
      
      

       

      setspn -L wlsuser

      Registered (SPN) for CN=wlsuser,CN=Users,DC=example,DC=com:
              HTTP/vs-ucm-cs-pro.example.com
      

       

      Message was edited by: 2ec502e6-de7d-4cb9-a5b2-5b8f18f80881 Added setspn -L ...
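The Kinit trace above already contains the answer to "how do I read this": the two KRBError blocks (codes 25 and 52) are handled by the JDK client itself and the final "New ticket is stored" line is the success marker. As an added example (not code from the thread, Oracle or the JDK), here is a small Python triage script for `-Dsun.security.krb5.debug=true` output that separates the recoverable error codes from the fatal ones, lists the encryption types in play and flags single DES (etype 1, which this keytab uses) as deprecated. The sample trace embedded below is a constructed excerpt modelled on the one in the question, and the list of fatal codes is a deliberately short selection from RFC 4120.

```python
"""Triage a JDK Kerberos debug trace (-Dsun.security.krb5.debug=true).

Added example for this thread, not code from the original post. It reads the
kind of output Kinit or Krb5LoginModule prints and separates the KRBError codes
the JDK client recovers from on its own from the ones that mean the AS exchange
really failed.
"""
import re

# Constructed excerpt modelled on the Kinit trace in the question (not a verbatim copy).
SAMPLE_TRACE = """\
>>> Kinit using keytab
>>> Kinit keytab file name: wlsuser.keytab
0: EncryptionKey: keyType=1 kvno=0 keyValue (hex dump)=
>>> KrbKdcReq send: kdc=192.168.0.94 UDP:88, timeout=30000, number of retries =3
>>>KRBError:
         error code is 25
         error Message is Additional pre-authentication required
>>>Pre-Authentication Data:
         PA-ETYPE-INFO2 etype = 1
         PA-ETYPE-INFO2 salt = EXAMPLE.COMHTTPvs-ucm-cs-pro.example.com
>>>KRBError:
         error code is 52
         error Message is Response too big for UDP, retry with TCP
>>> KrbKdcReq send: kdc=192.168.0.94 TCP:88, timeout=30000, number of retries =3
New ticket is stored in cache file C:\\Users\\Administrator.EXAMPLE\\krb5cc_Administrator
"""

# Error codes the client handles itself (numbers from RFC 4120, section 7.5.9).
RECOVERABLE = {
    25: "KDC_ERR_PREAUTH_REQUIRED: KDC wants pre-auth; client re-sends AS-REQ with an encrypted timestamp",
    52: "KRB_ERR_RESPONSE_TOO_BIG: reply exceeds the UDP limit; client retries over TCP",
}
# A few codes that end the exchange and point at a configuration problem (same RFC section).
FATAL = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN: client principal not in the KDC database",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN: service principal not found (check the SPN registration)",
    14: "KDC_ERR_ETYPE_NOSUPP: KDC does not offer the requested encryption type",
    24: "KDC_ERR_PREAUTH_FAILED: wrong key or password, or a stale kvno in the keytab",
    37: "KRB_AP_ERR_SKEW: clock skew between client and KDC too large",
}
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
DEPRECATED_ETYPES = {1, 3}  # single DES, deprecated for Kerberos by RFC 6649


def triage_krb5_trace(text):
    """Summarise a trace: error codes seen, enctypes, transports, outcome, findings."""
    errors = [int(c) for c in re.findall(r"error code is (\d+)", text)]
    etypes = {int(e) for e in re.findall(r"(?:keyType=|PA-ETYPE-INFO2 etype = )(\d+)", text)}
    transports = re.findall(r"KrbKdcReq send: kdc=\S+ (UDP|TCP):\d+", text)
    salt = re.search(r"salt = (\S+)", text)
    got_ticket = "New ticket is stored in cache file" in text

    findings = []
    for code in errors:
        if code in RECOVERABLE:
            findings.append(("info", f"error {code}: {RECOVERABLE[code]}"))
        else:
            findings.append(("fail", f"error {code}: {FATAL.get(code, 'unlisted Kerberos error code')}"))
    for e in sorted(etypes):
        name = ETYPE_NAMES.get(e, f"etype {e}")
        if e in DEPRECATED_ETYPES:
            findings.append(("warn", f"{name} in use: single DES is deprecated (RFC 6649); move the account and keytab to AES"))
        else:
            findings.append(("info", f"{name} in use"))
    if salt:
        findings.append(("info", f"KDC salt for this principal: {salt.group(1)}"))
    if 52 in errors and "TCP" not in transports:
        findings.append(("fail", "KDC asked for TCP but no TCP attempt follows: check port 88/tcp to the KDC"))
    findings.append(("ok" if got_ticket else "fail",
                     "ticket obtained and cached" if got_ticket else "no ticket stored: the AS exchange did not complete"))

    levels = {level for level, _ in findings}
    verdict = "fail" if "fail" in levels else ("warn" if "warn" in levels else "ok")
    return {"errors": errors, "etypes": etypes, "transports": transports,
            "got_ticket": got_ticket, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    report = triage_krb5_trace(SAMPLE_TRACE)
    for level, msg in report["findings"]:
        print(f"[{level}] {msg}")
    print("verdict:", report["verdict"])
```

Run it against a saved trace (`python triage.py < trace.txt` after swapping `SAMPLE_TRACE` for `sys.stdin.read()`) whenever the server-side Krb5LoginModule output looks similar: the same codes appear there, and a 7 or 24 in that output is the real fault, not the 25/52 pair.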

        • 1. Re: Weblogic with Active Directory SSO using WNA
          Mohammed Rayan-Oracle

          Hello,

           

          I hope that you have the below Kerberos debug flags added to the Weblogic startup script, and if yes, please check/share the server logs

           

          -Dsun.security.krb5.debug=true



          For instance,

          D:\Oracle\10_3_5\user_projects\domains\base_domain\servers\<Server_name>\Server_name.log



          • 2. Re: Weblogic with Active Directory SSO using WNA
            1016617

            Hi,

             

            These options I have added already:

             

            JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.ignoreHostnameVerification=true -Djavax.security.auth.useSubjectCredsOnly=false -Djava.security.auth.login.config=D:/admin/kerberos/krb5login.conf -Djava.security.krb5.realm=EXAMPLE.COM -Djava.security.krb5.kdc=vs-w8kr2-dc1.example.com -Dweblogic.security.enableNegotiate=true"
            

             

            Thanks I will try the debug flag too.

            • 3. Re: Weblogic with Active Directory SSO using WNA
              Mohammed Rayan-Oracle

              Sure, please append the debug flag along with the below one as well

               

              -Dweblogic.debug.DebugSecurityAtn=true

              • 4. Re: Weblogic with Active Directory SSO using WNA
                1016617

                Just some more info:

                 

                The manual login is working perfectly with users from active directory.

                I configured an AD Provider and I added the NegotiateIdentityAsserter

                 

                Providers order:

                1. NegotiateIdentityAsserter
                2. AD provider
                3. DefaultAuthenticator
                4. DefaultIdentityAsserter

                 

                Message was edited by: 2ec502e6-de7d-4cb9-a5b2-5b8f18f80881 Added Provider Order

                • 5. Re: Weblogic with Active Directory SSO using WNA
                  1016617

                  I couldn't find a real error ...

                   

                  AdminServer.log:

                  ####<06.08.2013 08:18 Uhr MESZ> <Debug> <SecurityAtn> <VS-UCM-CS-PRO> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <58dc55bc4e3ef1f9:ffc1530:1405230c986:-8000-00000000000000b2> <1375769901387> <BEA-000000> <NegotiateIdentityAsserterServiceImpl.process() called>
                  ####<06.08.2013 08:18 Uhr MESZ> <Debug> <SecurityAtn> <VS-UCM-CS-PRO> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <58dc55bc4e3ef1f9:ffc1530:1405230c986:-8000-00000000000000b2> <1375769901387> <BEA-000000> <Auth type found for webapp didn't match known types: CLIENT_CERT,FORM>
                  ####<06.08.2013 08:18 Uhr MESZ> <Debug> <SecurityAtn> <VS-UCM-CS-PRO> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <58dc55bc4e3ef1f9:ffc1530:1405230c986:-8000-00000000000000b2> <1375769901387> <BEA-000000> <All request headers:>
                  ####<06.08.2013 08:18 Uhr MESZ> <Debug> <SecurityAtn> <VS-UCM-CS-PRO> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <58dc55bc4e3ef1f9:ffc1530:1405230c986:-8000-00000000000000b2> <1375769901387> <BEA-000000> <  Header: Accept : image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*>
                  ####<06.08.2013 08:18 Uhr MESZ> <Debug> <SecurityAtn> <VS-UCM-CS-PRO> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <58dc55bc4e3ef1f9:ffc1530:1405230c986:-8000-00000000000000b2> <1375769901387> <BEA-000000> <  Header: Accept-Language : de-DE>
                  ####<06.08.2013 08:18 Uhr MESZ> <Debug> <SecurityAtn> <VS-UCM-CS-PRO> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <58dc55bc4e3ef1f9:ffc1530:1405230c986:-8000-00000000000000b2> <1375769901387> <BEA-000000> <  Header: User-Agent : Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)>
                  ####<06.08.2013 08:18 Uhr MESZ> <Debug> <SecurityAtn> <VS-UCM-CS-PRO> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <58dc55bc4e3ef1f9:ffc1530:1405230c986:-8000-00000000000000b2> <1375769901387> <BEA-000000> <  Header: Accept-Encoding : gzip, deflate>
                  ####<06.08.2013 08:18 Uhr MESZ> <Debug> <SecurityAtn> <VS-UCM-CS-PRO> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <58dc55bc4e3ef1f9:ffc1530:1405230c986:-8000-00000000000000b2> <1375769901387> <BEA-000000> <  Header: Host : vs-ucm-cs-pro:7001>
                  ####<06.08.2013 08:18 Uhr MESZ> <Debug> <SecurityAtn> <VS-UCM-CS-PRO> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <58dc55bc4e3ef1f9:ffc1530:1405230c986:-8000-00000000000000b2> <1375769901387> <BEA-000000> <  Header: Connection : Keep-Alive>
                  ####<06.08.2013 08:18 Uhr MESZ> <Debug> <SecurityAtn> <VS-UCM-CS-PRO> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <58dc55bc4e3ef1f9:ffc1530:1405230c986:-8000-00000000000000b2> <1375769901387> <BEA-000000> <  Header: Cookie : ADMINCONSOLESESSION=FxlNSQVJl0JlZZmH0bMxSyYWtQzWXnBhQJ0pQ9K17QsMBHWQVX1J!-861377066>
                  ####<06.08.2013 08:18 Uhr MESZ> <Debug> <SecurityAtn> <VS-UCM-CS-PRO> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <58dc55bc4e3ef1f9:ffc1530:1405230c986:-8000-00000000000000b2> <1375769901387> <BEA-000000> <Negotiate filter: existing session, negotiation was started>
                  ####<06.08.2013 08:18 Uhr MESZ> <Debug> <SecurityAtn> <VS-UCM-CS-PRO> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <58dc55bc4e3ef1f9:ffc1530:1405230c986:-8000-00000000000000b2> <1375769901387> <BEA-000000> <Request doesn't have Negotiate response, Negotiate filter ignoring>
                  ####<06.08.2013 08:18 Uhr MESZ> <Debug> <SecurityAtn> <VS-UCM-CS-PRO> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <58dc55bc4e3ef1f9:ffc1530:1405230c986:-8000-00000000000000b2> <1375769901387> <BEA-000000> <Passing to next filter in the chain>
                  

                   

                  These messages appear when calling the AdminServer URL.
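The SecurityAtn lines above show the whole request header list, and there is no `Authorization` header in it, which is exactly what "Request doesn't have Negotiate response" means. As an added example (not WebLogic code and not from the thread), the following Python script parses these `<SecurityAtn>` debug lines, pulls out the headers, and classifies what the browser sent: nothing, NTLM wrapped in Negotiate (what Windows falls back to when it cannot get a Kerberos ticket), or a SPNEGO token. It also compares the host in the `Host` header against the registered SPNs, because the browser asks the KDC for `HTTP/<host as typed in the URL>`; in the log above the URL uses the short name `vs-ucm-cs-pro` while the SPN is registered for the FQDN. The log lines and tokens in the block are constructed, the NTLM and SPNEGO blobs are only realistic in their first bytes, and `REGISTERED_SPNS` is filled from the `setspn -L` output in the question.

```python
"""Tell from WebLogic <SecurityAtn> debug lines what the browser sent.

Added example for this thread, not WebLogic's own code. The Negotiate filter
only acts on a request that carries "Authorization: Negotiate <base64>", so the
first question when it logs "doesn't have Negotiate response" is whether that
header is absent, carries NTLM, or carries a real SPNEGO token.
"""
import base64
import re

HEADER_RE = re.compile(r"<\s*Header: (?P<name>[^ ]+) : (?P<value>.*)>\s*$")
SPNEGO_OID = bytes.fromhex("06 06 2b 06 01 05 05 02")  # DER of 1.3.6.1.5.5.2 (SPNEGO)


def parse_headers(log_lines):
    """Collect the '  Header: Name : value' debug messages, names lower-cased."""
    headers = {}
    for line in log_lines:
        m = HEADER_RE.search(line)
        if m:
            headers[m.group("name").lower()] = m.group("value").strip()
    return headers


def classify_authorization(value):
    """Classify an Authorization header value: none, ntlm, spnego, other."""
    if value is None:
        return "none"
    scheme, _, blob = value.partition(" ")
    if scheme.lower() != "negotiate":
        return "other-scheme:" + scheme.lower()
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return "undecodable"
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"  # raw NTLM inside Negotiate: client had no Kerberos ticket for the SPN
    if raw[:1] == b"\x60" and SPNEGO_OID in raw:
        return "spnego"  # GSS-API InitialContextToken wrapping the SPNEGO mechanism OID
    return "unknown"


def diagnose(log_lines, registered_spns):
    """Explain why the Negotiate filter did or did not get a usable token."""
    headers = parse_headers(log_lines)
    kind = classify_authorization(headers.get("authorization"))
    host = headers.get("host", "").split(":")[0].lower()
    spn_hosts = {spn.split("/", 1)[1].lower() for spn in registered_spns if "/" in spn}
    findings = []
    if kind == "none":
        findings.append("no Authorization header: the browser sent nothing (zone/IWA settings, "
                        "or it never answered the WWW-Authenticate: Negotiate challenge)")
    elif kind == "ntlm":
        findings.append("Negotiate carries NTLM, not Kerberos: the client could not get a service "
                        "ticket (SPN missing or duplicated, site not in the Intranet zone)")
    elif kind == "spnego":
        findings.append("SPNEGO token present: if login still fails, look at the server side "
                        "(keytab, kvno, JAAS accept entry)")
    else:
        findings.append("unexpected Authorization content: " + kind)
    if host and host not in spn_hosts:
        findings.append(f"URL host '{host}' matches none of the registered SPNs: the browser asks "
                        f"for HTTP/{host}, so browse by the FQDN the SPN uses or register that name too")
    return {"token": kind, "host": host, "findings": findings}


# Constructed log lines in the layout of the AdminServer.log excerpt (prefix shortened).
PREFIX = "####<06.08.2013 08:18 Uhr MESZ> <Debug> <SecurityAtn> <VS-UCM-CS-PRO> <AdminServer> <BEA-000000> "


def log_line(msg):
    return PREFIX + "<" + msg + ">"


REGISTERED_SPNS = ["HTTP/vs-ucm-cs-pro.example.com"]  # from setspn -L wlsuser in the question
NO_TOKEN = [log_line("All request headers:"),
            log_line("  Header: Host : vs-ucm-cs-pro:7001"),
            log_line("  Header: Connection : Keep-Alive"),
            log_line("Request doesn't have Negotiate response, Negotiate filter ignoring")]
NTLM_BLOB = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()          # constructed NTLM prefix
SPNEGO_BLOB = base64.b64encode(b"\x60\x0a" + SPNEGO_OID + b"\xa0\x00").decode()  # constructed, not a real token
NTLM_TOKEN = [log_line("  Header: Host : vs-ucm-cs-pro.example.com:7001"),
              log_line("  Header: Authorization : Negotiate " + NTLM_BLOB)]
SPNEGO_TOKEN = [log_line("  Header: Host : vs-ucm-cs-pro.example.com:7001"),
                log_line("  Header: Authorization : Negotiate " + SPNEGO_BLOB)]

if __name__ == "__main__":
    for name, lines in (("no token", NO_TOKEN), ("ntlm", NTLM_TOKEN), ("spnego", SPNEGO_TOKEN)):
        print(name, diagnose(lines, REGISTERED_SPNS))
```

Feed it the `<SecurityAtn>` lines of one request (they share the same thread and diagnostic context id, as in the excerpt above) rather than the whole log; the classification tells you whether to keep looking at the client (none, ntlm) or at the server (spnego).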

                  • 6. Re: Weblogic with Active Directory SSO using WNA
                    Mohammed Rayan-Oracle


                    <1375769901387> <BEA-000000> <Request doesn't have Negotiate response, Negotiate filter ignoring>


                    This is a very common error. It means that the WebLogic Server was ready to extract a SPNEGO token but could not find one in the request sent by the browser. So the problem is "Why didn't the browser send a SPNEGO token"? A few possible explanations are:



                     

                     

                    The browser is not set up correctly to send a SPNEGO token. Go back to the client configuration and double-check the browser configuration as follows:

                    1. Go to Tools -> Internet Options.
                    2. Select the "Security" tab.
                    3. Click on the "Local Intranet" icon. This will enable the "Sites" button.
                    4. Click the "Sites" button. This will show a "Local Intranet" popup.
                    5. Make sure the "Include all local (intranet) sites not listed in other zones" option is selected (Windows XP only).
                    6. Click on the "Advanced" button. In the new popup window, add the URL for the machine hosting WebLogic.
                    7. Click "OK" to save your settings.
                    8. In the "Security" tab, click the "Custom Level" button.
                    9. In the "Security Settings" dialog, under the "User Authentication" section, make sure the "Automatic logon only in Intranet zone" option is selected.
                    10. Click "OK" to save your settings.
                    11. Go to the "Connections" tab -> LAN Settings.
                    12. If you have a proxy server enabled, click on the "Advanced" button. Make sure you add the URL for the machine hosting WebLogic in the "Exceptions" box.
                    13. In the "Internet Options -> Advanced" tab, make sure the "Enable Integrated Windows Authentication (requires restart)" option is checked. Click "OK" (if this option was not selected previously, you need to close all browser instances for the setting to take effect).

                     

                    and/or

                    Something is wrong in your SPN definition. Either no SPN is defined for this service or you have duplicate SPNs, which means that the SPN resolves to more than one principal.

                     

                    To confirm this, i.e. to check whether the SPN (that you intend to use) is not already linked to some other user account, please follow these steps:

                    a. Use the following command to export the AD data to a file:

                            ldifde -f <filename> -s <domain_controller>

                    or

                    You can execute the following flavor of the Windows "setspn" command to detect already existing SPNs:

                            setspn -Q <SPN>


                    Hope this helps
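`setspn -Q` answers for one SPN at a time; the `ldifde` export is the way to check every SPN in the domain at once, but reading it by eye is error-prone. As an added example (not an Oracle or Microsoft tool and not from the thread), the following Python script parses an LDIF export, collects every `servicePrincipalName` per object, and reports which SPNs are owned by more than one object and whether the SPN you intend to use is missing, unique or duplicated. The embedded export is constructed: it contains the thread's `wlsuser` entry plus an invented second account (`svc-legacy`) that also carries the HTTP SPN, so the duplicate case is visible. SPNs are compared case-insensitively.

```python
"""Find missing or duplicated HTTP SPNs in an ldifde export.

Added example for this thread, not an Oracle or Microsoft tool. It parses the
LDIF that "ldifde -f <file> -s <dc>" writes, collects every servicePrincipalName
per object, and reports any SPN that is owned by more than one object or that is
not registered at all. SPNs are compared case-insensitively.
"""
import base64


def _decode_value(rest):
    """LDIF value after the attribute name: ': text' or ':: base64'."""
    if rest.startswith(":"):
        return base64.b64decode(rest[1:].strip()).decode("utf-8")
    return rest.strip()


def parse_ldif(text):
    """Return {dn: [servicePrincipalName, ...]} for every object in the export."""
    # unfold continuation lines (a line beginning with a space continues the previous one)
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries = {}
    dn = None
    for line in lines:
        if not line.strip():
            dn = None          # a blank line ends the current object
            continue
        lower = line.lower()
        if lower.startswith("dn:"):
            dn = _decode_value(line[3:])
            entries.setdefault(dn, [])
        elif dn is not None and lower.startswith("serviceprincipalname:"):
            entries[dn].append(_decode_value(line[len("servicePrincipalName:"):]))
    return entries


def find_spn_problems(entries, wanted_spn):
    """Map each SPN to its owners; report duplicates and the status of wanted_spn."""
    owners = {}
    for dn, spns in entries.items():
        for spn in spns:
            owners.setdefault(spn.lower(), set()).add(dn)
    duplicates = {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}
    wanted_owners = sorted(owners.get(wanted_spn.lower(), set()))
    if not wanted_owners:
        status = "missing"
    elif len(wanted_owners) > 1:
        status = "duplicate"
    else:
        status = "unique"
    return {"status": status, "wanted_owners": wanted_owners, "duplicates": duplicates}


# Constructed export: the thread's wlsuser plus an invented second account that
# also carries the HTTP SPN, to show what a duplicate looks like. The last SPN is
# base64-encoded ("::") only to exercise that LDIF form.
SAMPLE_LDIF = """\
dn: CN=wlsuser,CN=Users,DC=example,DC=com
changetype: add
objectClass: user
sAMAccountName: wlsuser
servicePrincipalName: HTTP/vs-ucm-cs-pro.example.com

dn: CN=svc-legacy,CN=Users,DC=example,DC=com
changetype: add
objectClass: user
servicePrincipalName: http/VS-UCM-CS-PRO.example.com
servicePrincipalName: HTTP/legacy-app.example.com

dn: CN=VS-UCM-CS-PRO,CN=Computers,DC=example,DC=com
changetype: add
objectClass: computer
servicePrincipalName: HOST/vs-ucm-cs-pro.example.com
servicePrincipalName:: SE9TVC9WUy1VQ00tQ1MtUFJP
"""

if __name__ == "__main__":
    report = find_spn_problems(parse_ldif(SAMPLE_LDIF), "HTTP/vs-ucm-cs-pro.example.com")
    print("status:", report["status"], "owners:", report["wanted_owners"])
    for spn, dns in report["duplicates"].items():
        print("duplicate", spn, "->", dns)
```

A full `ldifde -f` export of a domain is large; narrowing it with `-r "(servicePrincipalName=*)" -l servicePrincipalName` keeps only the objects and attribute this check needs, and the parser above reads that output unchanged.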





                    • 7. Re: Weblogic with Active Directory SSO using WNA
                      1016617

                      Checked Browser settings. Seems to be fine.

                      All the points you mentioned are configured.

                       

                      SPN

                      C:\Users\Administrator>setspn -Q HTTP/vs-ucm-cs-pro.example.com

                      Die Domäne "DC=example,DC=com" wird überprüft. (=> Domain example.com will be checked)

                      CN=wlsuser,CN=Users,DC=example,DC=com

                              HTTP/vs-ucm-cs-pro.example.com

                       

                      Bestehender SPN wurde gefunden. (=> Existing SPN found ...)

                       

                      I read that one should not test the SSO from the Weblogic Server. I'm setting up a third Windows machine at the moment to test the SSO from a separate client.

                      • 8. Re: Weblogic with Active Directory SSO using WNA
                        1016617

                        Hi, it works!!

                         

                        thanks to your debug flags and a new machine!

                        The SSO works perfectly on another machine. So please don't test SSO on the Weblogic machine ...