10 Replies Latest reply: Sep 1, 2010 1:07 AM by Faisal Khan

    Kerberos authenticate problem

    qjvictor
      I followed the setup steps from http://weblogic-wonders.com/weblogic/2009/11/15/configuring-kerberos-with-weblogic-server/ posted by Faisal Khan.

      When I try to access my application running in WebLogic, I face the following problem (the famous Error 401--Unauthorized).
      Let's say the principal user is '*principal-user*', and my Windows account is '*windows-user*'.

      1) The Kerberos authentication seems fine; I got the following success messages:
      Found key for principal-user@XXX.COM(1)
      Entered Krb5Context.acceptSecContext with state=STATE_NEW
      EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
      Using builtin default etypes for permitted_enctypes
      default etypes for permitted_enctypes: 3 1 23 16 17.
      EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
      Config reset default kdc XXX.COM
      replay cache for windows-user@XXX is null.
      object 0: 1282932038000/154
      object 0: 1282932038000/154
      *>>> KrbApReq: authenticate succeed.*
      Krb5Context setting peerSeqNumber to: 1113985206
      EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
      Krb5Context setting mySeqNumber to: 792726776

      2) But after this, it seems WebLogic wants to do another authentication with my Windows account:

      <Username was found, setting up callbackhandler>
      <com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter$ChallengeContextV2Impl.constructor>
      <com.bea.common.security.internal.service.ChallengeIdentityAssertionTokenServiceImpl$ChallengeContextImpl.constructor>
      <com.bea.common.security.internal.service.ChallengeIdentityAssertionServiceImpl$ChallengeContextImpl.constructor>
      <com.bea.common.security.internal.service.ChallengeIdentityAssertionServiceImpl$ChallengeContextImpl.hasChallengeIdentityCompleted>
      <com.bea.common.security.internal.service.ChallengeIdentityAssertionTokenServiceImpl$ChallengeContextImpl.hasChallengeIdentityCompleted>
      <com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter$ChallengeContextV2Impl.hasChallengeIdentityCompleted>
      <com.bea.common.security.internal.service.ChallengeIdentityAssertionTokenServiceImpl$ChallengeContextImpl.getCallbackHandler>
      <com.bea.common.security.internal.service.ChallengeIdentityAssertionTokenServiceImpl$ChallengeContextImpl.hasChallengeIdentityCompleted>
      <com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter$ChallengeContextV2Impl.hasChallengeIdentityCompleted>
      <com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter$ChallengeContextV2Impl.getCallbackHandler>
      <com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter$ChallengeContextV2Impl.hasChallengeIdentityCompleted>
      <com.bea.common.security.internal.service.IdentityAssertionCallbackServiceImpl.assertIdentity>
      <com.bea.common.security.internal.service.IdentityAssertionCallbackServiceImpl.assertIdentity>
      <com.bea.common.security.internal.service.IdentityAssertionCallbackServiceImpl.assertIdentity returning windows-user>
      *<com.bea.common.security.internal.service.IdentityCacheServiceImpl.getCachedIdentity(windows-user)>*
      *<com.bea.common.security.internal.service.IdentityCacheServiceImpl.getCachedIdentity(windows-user) returning null>*
      *<com.bea.common.security.internal.service.IdentityAssertionCallbackServiceImpl.assertIdentity did not find a cached identity.>*
      <com.bea.common.security.internal.service.CallbackHandlerWrapper.constructor>
      .... (doing some LDAP lookup)
      <com.bea.common.security.internal.service.LoginModuleWrapper.commit delegated, returning false>
      *<weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate authenticate failed for user windows-user>*

      I am not sure why, after the Kerberos authentication, WebLogic uses my Windows account to do another one.

      And if I create 'windows-user' as a WebLogic user, then the authentication succeeds and I can access my application.

      But that is not so-called 'SSO'; there is no point in creating all the domain users as WebLogic users.

      I think I might have made some mistake in my WebLogic environment. Any idea?

      Many thanks.
        • 1. Re: Kerberos authenticate problem
          Faisal Khan
          Can you mail me your server log files?

          weblogicwonders@yahoo.com
          • 2. Re: Kerberos authenticate problem
            qjvictor
            Thanks, email sent.


            ---------

            Come on, why does it keep giving me the mail delivery problem:

            Delivery to the following recipient failed permanently:

            weblogicwonders@yahoo.com

            Technical details of permanent failure:
            Google tried to deliver your message, but it was rejected by the recipient domain. ...


            I tried with my 3 different email accounts, same problem.

            Edited by: qjvictor on Aug 30, 2010 7:37 AM
            • 3. Re: Kerberos authenticate problem
              Faisal Khan
              Victor, I am extremely sorry... it's weblogicwonders@yahoo.in
              • 4. Re: Kerberos authenticate problem
                qjvictor
                Just sent. Thanks.
                • 5. Re: Kerberos authenticate problem
                  Faisal Khan
                  Hi Victor,

                  I observed the following in your server logs:

                  <LDAP Atn Login username: windows.user>
                  <userExists? user:windows.user>
                  <Aug 30, 2010 10:04:25 AM EDT> <Debug> <SecurityAtn> <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://xxx.xxx.xxx.xxx:389 ldapVersion:3 bindDN:"principal.user@xxx.xxx"}>
                  <Aug 30, 2010 10:04:25 AM EDT> <Debug> <SecurityAtn> <BEA-000000> <getDNForUser search("dc=xxx,dc=xxx", "(&(&(cn=windows.user)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
                  <user does not exist, user:windows.user>
                  <Aug 30, 2010 10:04:25 AM EDT> <Debug> <SecurityAtn> <BEA-000000> <[Security:090300]Identity Assertion Failed: User windows.user does not exist>
                  <Aug 30, 2010 10:04:25 AM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit>
                  <Aug 30, 2010 10:04:25 AM EDT> <Debug> <SecurityAtn> <BEA-000000> <LDAP Atn Abort>

                  We need to have the user who is trying to log in to the application present in WebLogic Server (either in the DefaultAuthenticator or the ActiveDirectoryAuthenticator) for Kerberos-based authentication to work.

                  Single Sign-On means that the client (end user) does not have to provide the credentials all over again and his domain credentials are used instead.
                  Put simply, a Kerberos token is passed to WLS, and WLS decrypts the token, retrieves the username and tries to verify it against some store. So the user has to be present, and this is in accordance with the Kerberos protocol.

                  Hope this helps.

                  Let me know if you have further queries!!

                  Thanks,
                  Faisal
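As an added example (not WebLogic's code and not part of the thread), the following re-creates offline the user-existence lookup that the ActiveDirectoryAuthenticator logged above: it rebuilds the filter string from the log, decodes what its userAccountControl clause tests, and reports why a lookup fails, since the log's "user does not exist" does not distinguish an absent account from a disabled one or a name stored under a different attribute. The directory entries, the `name_attr` parameter and the helper names are constructed assumptions.

```python
# Added example (not WebLogic's own code): offline re-creation of the
# user-existence check the ActiveDirectoryAuthenticator logged above,
# run against a constructed directory snapshot.
ACCOUNTDISABLE = 0x2  # userAccountControl bit the logged filter tests

# Constructed sample entries; attribute names follow the logged filter.
SAMPLE_DIRECTORY = [
    {"cn": "Windows User", "sAMAccountName": "windows-user",
     "objectclass": ["top", "person", "user"], "userAccountControl": 512},
    {"cn": "old-user", "sAMAccountName": "old-user",
     "objectclass": ["top", "person", "user"], "userAccountControl": 514},
    {"cn": "host01", "sAMAccountName": "host01$",
     "objectclass": ["top", "computer"], "userAccountControl": 4096},
]


def build_user_filter(username, name_attr="cn"):
    """Rebuild the logged filter. 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND,
    so the negated clause drops entries with userAccountControl bit 2 (disabled) set."""
    return ("(&(&(%s=%s)(objectclass=user))"
            "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" % (name_attr, username))


def matches(entry, username, name_attr="cn"):
    """Evaluate that filter against one entry (LDAP name matching is case-insensitive)."""
    if entry.get(name_attr, "").lower() != username.lower():
        return False
    if "user" not in entry.get("objectclass", []):
        return False
    return not (entry.get("userAccountControl", 0) & ACCOUNTDISABLE)


def user_exists(username, directory=SAMPLE_DIRECTORY, name_attr="cn"):
    """Mirror of the '<userExists? ...>' step: True only if an entry passes the filter."""
    return any(matches(e, username, name_attr) for e in directory)


def explain(username, directory=SAMPLE_DIRECTORY, name_attr="cn"):
    """Say why a lookup fails, which the bare 'user does not exist' message does not."""
    if user_exists(username, directory, name_attr):
        return "ok"
    for e in directory:  # name matched on the configured attribute, but the filter rejected it
        if e.get(name_attr, "").lower() == username.lower():
            return "not a user object" if "user" not in e["objectclass"] else "account disabled"
    for e in directory:  # name exists, but under another attribute (e.g. sAMAccountName vs cn)
        if any(str(v).lower() == username.lower() for k, v in e.items() if k != name_attr):
            return "found under attribute other than %s" % name_attr
    return "absent"
```

Running `explain("windows-user")` against the sample data returns "found under attribute other than cn", while `explain("windows-user", name_attr="sAMAccountName")` returns "ok", which is the kind of distinction worth checking before concluding that a user is simply missing.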
                  • 6. Re: Kerberos authenticate problem
                    qjvictor
                    Thanks.

                    So you think in my case, after the Kerberos authentication, I still need to set up some Authenticators (like ActiveDirectoryAuthenticator) to verify this user?

                    Is there any way to bypass it?
                    • 7. Re: Kerberos authenticate problem
                      Faisal Khan
                      So you think in my case, after the Kerberos authentication, I still need to set up some Authenticators (like ActiveDirectoryAuthenticator) to verify this user?
                      YES

                      Is there any way to bypass it?
                      YES, highly UNRECOMMENDED!
                      Create a custom authenticator that authenticates everyone, and make sure none of the authenticators have the CONTROL flag set to REQUIRED.

                      If you feel your question has been answered, please mark the reply as answered for the benefit of others.

                      Thanks,
                      Faisal
                      http://www.weblogic-wonders.com
                      • 8. Re: Kerberos authenticate problem
                        qjvictor
                        Sure. Thanks.
                        • 9. Re: Kerberos authenticate problem
                          696488
                          Hi Faisal,

                          How does the authorization part work here? How do you determine the logged-in user? For example: if the user "XYZ" logs into the application, then how does it determine what functionalities the user can access?

                          I hope you understand my question.

                          Thanks
                          • 10. Re: Kerberos authenticate problem
                            Faisal Khan
                            Kindly post a new query.