1 Reply Latest reply: Nov 20, 2010 11:57 AM by 816967

    SPNEGO and WebLogic Cluster

    843810
      Hi:

      I've searched this forum, and didn't quite find an answer for my issue.

      My problem:

      I have two servers running Red Hat AS 5.2 and WebLogic 10.3, namely servers swl1 and swl2. There is an external load balancer named swlcluster that load balances the HTTP traffic for these two nodes.

      I've configured three SPNs, namely HTTP/swl1.domain.local, HTTP/swl2.domain.local and HTTP/swlcluster.domain.local.

      I've configured the keytab for both servers: swl1 has HTTP/swl1.domain.local and HTTP/swlcluster.domain.local. The second server has the keytab with HTTP/swl2.domain.local and HTTP/swlcluster.domain.local.

      Now if I go to my client and use the URL http://swl1.domain.local/web-aplication, SSO works without any problem. The SPNEGO token is generated on the client and validated by WebLogic on the swl1 node.
      The same happens for the other node.

      But IF I use http://swl1cluster.domain.local/web-aplication, it fails with the error: GSSException: Failure unspecified at GSS-API level (Mechanism level: Integrity check on decrypted field failed (31))

      EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
      KrbAsRep cons in KrbAsReq.getReply sufln101
      Found key for swl1@DOMAIN.LOCAL(23)
      Found key for swl1@DOMAIN.LOCAL(16)
      Found key for swl1@DOMAIN.LOCAL(1)
      Found key for swl1@DOMAIN.LOCAL(17)
      Found key for swl1@DOMAIN.LOCAL(3)
      Entered Krb5Context.acceptSecContext with state=STATE_NEW
      EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
      <Aug 12, 2010 5:08:35 PM WEST> <Debug> <SecurityAtn> <BEA-000000> <Exception com.bea.common.security.internal.utils.negotiate.NegotiateTokenException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Integrity check on decrypted field failed (31))
      com.bea.common.security.internal.utils.negotiate.NegotiateTokenException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Integrity check on decrypted field failed (31))
      at com.bea.common.security.internal.utils.negotiate.SPNEGONegotiateToken.getUsername(SPNEGONegotiateToken.java:180)

      The keytab has entries for both the node and the cluster name.

      So my questions:

      - Is it mandatory that the URL match the server name, and hence the SPN and keytab entries? So will using http://swlcluster.domain.local never work for SPNEGO?

      - Or is this a problem with the SPN or the user account for swlcluster?

      - The principal in the Kerberos login configuration is the swl1 principal and not swlcluster. If the latter is used, all SPNEGO fails due to the above error 31.

      Any ideas?

      Thanks for the help!

      Edited by: Thx1011_2 on Aug 13, 2010 9:12 AM
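The keytab side of the setup described in the post, as an added example that is not code from the thread or from WebLogic: a small Python parser for the MIT keytab format (version 0x0502) that lists, per node, which SPNs a keytab holds and with which key version number (kvno) and enctype. The two sample keytabs are constructed here (realm, kvnos and key bytes are made up), and `build_keytab`, `parse_keytab`, `spn_keys` and `_u` are hypothetical helper names.

```python
import struct

def _u(fmt, data, pos):                      # unpack fmt at pos and return the new pos too
    return (*struct.unpack_from(fmt, data, pos), pos + struct.calcsize(fmt))

def build_keytab(entries):                   # (principal, kvno, enctype, key) -> MIT 0x0502 keytab bytes
    out = b"\x05\x02"                        # constructed for this example; real keytabs come from ktpass/ktutil
    for principal, kvno, enctype, key in entries:
        name, realm = principal.split("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:            # counted strings: 16-bit length + bytes
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type NT_PRINCIPAL, timestamp, 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                   # optional 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data: bytes):
    """Return (principal, kvno, enctype) for every live entry; key bytes are never exposed."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 is handled here")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, pos = _u(">i", data, pos)
        if size < 0:                         # negative size marks a deleted slot: skip it
            pos -= size
            continue
        end = pos + size
        ncomp, pos = _u(">H", data, pos)
        strs = []
        for _ in range(ncomp + 1):           # realm first, then the name components
            ln, pos = _u(">H", data, pos)
            strs.append(data[pos:pos + ln].decode())
            pos += ln
        _name_type, _stamp, vno8, pos = _u(">IIB", data, pos)
        enctype, klen, pos = _u(">HH", data, pos)
        pos += klen                          # skip the key material itself
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append(("/".join(strs[1:]) + "@" + strs[0], kvno, enctype))
        pos = end
    return entries
def spn_keys(keytab: bytes, spn: str):       # (kvno, enctype) pairs the keytab holds for one SPN
    return sorted((k, e) for p, k, e in parse_keytab(keytab) if p == spn)
CLUSTER_SPN = "HTTP/swlcluster.domain.local@DOMAIN.LOCAL"  # sample keytabs below are constructed: kvnos/keys made up
SWL1_KEYTAB = build_keytab([("HTTP/swl1.domain.local@DOMAIN.LOCAL", 3, 23, bytes(range(16))),
                            (CLUSTER_SPN, 2, 23, bytes(range(16, 32)))])
SWL2_KEYTAB = build_keytab([("HTTP/swl2.domain.local@DOMAIN.LOCAL", 3, 23, bytes(range(32, 48))),
                            (CLUSTER_SPN, 4, 23, bytes(range(48, 64)))])   # different kvno from swl1
```

Comparing `spn_keys(..., CLUSTER_SPN)` across both nodes' keytabs is the first check when a ticket for the cluster name fails with "Integrity check on decrypted field failed": that error most often means the ticket was decrypted with a key that does not match the one the KDC used, which a missing or stale (wrong kvno) entry for the shared SPN on one node produces.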