2 Replies Latest reply: Jul 7, 2009 7:25 AM by 843810 RSS

    Regarding Single Sign-on

      Hello everybody :

      I am trying to incorporate Single-Signon Using MS Active Directory and these are the steps that i followed :

      To create a kerberos identification for weblogic server :

      1.In the Active directory i created a new user called "Metilda".(I have a virtual server installed in my computer).

      2.Configured the new user account to comply with the Kerberos protocol by checking the box "Use DES encryption types for this account".

      3.Used the setspn utility to create the Service Principal names(SPN's) for the user account "Metilda" by entering the following commands :

      C:\Program Files\Resource Kit>setspn -a host/@track.local metilda
      Registering ServicePrincipalNames for CN=Metilda B. Johnson,CN=Users,DC=track,DC
      Updated object

      C:\Program Files\Resource Kit>setspn -a http/@track.local metilda
      Registering ServicePrincipalNames for CN=Metilda B. Johnson,CN=Users,DC=track,DC
      Updated object

      C:\Program Files\Resource Kit>setspn -l metilda
      Registered ServicePrincipalNames for CN=Metilda B. Johnson,CN=Users,DC=track,DC=

      4.The next step was to create a user mapping using the ktpass utility :

      C:\Program Files\Support Tools>ktpass -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-C
      RC -princ host/metilda@TRACKSERV -pass Saibaba2007 -mapuser metilda@TRACK.LOCAL
      -out c:\metilda.host.keytab
      Targeting domain controller: trackserv.track.local
      Using legacy password setting method
      Successfully mapped host/metilda to metilda.
      Key created.
      Output keytab to c:\metilda.host.keytab:
      Keytab version: 0x502
      keysize 49 host/metilda@TRACKSERV ptype 1 (KRB5_NT_PRINCIPAL) vno 7 etype 0x1 (D
      ES-CBC-CRC) keylength 8 (0x8c31204f4ca2f75b)

      5.Created the keytab(ktab) file on the host on which WebLogic Server is running .

      C:\Program Files\Java\jre1.5.0_10\bin>ktab -k keytab-metilda -a metilda@TRACKSER
      Password for metilda@TRACKSERV:saibaba2007
      Service key for metilda@TRACKSERV is saved in C:\Program Files\Java\jre1.5.0_10\

      6.The next step was i copied keytab-metilda from C:\Program Files\Java\jre1.5.0_10\bin to the startup directory in the weblogic server domain
      which is "C:\BEA\user_projects\domains\workshop".

      7.In order to verify whether kerberos authentication was working properly or not, i run the "kinit" utility.

      In this step i just used the keytab name and the account name and i get this error message :
      C:\Program Files\Java\jre1.5.0_10\bin>kinit -k -t keytab-metilda metilda@TRACK.L
      Exception: krb_error 0 Cannot get kdc for realm TRACK.LOCAL No error
      KrbException: Cannot get kdc for realm TRACK.LOCAL
      at sun.security.krb5.KrbKdcReq.send(Unknown Source)
      at sun.security.krb5.KrbKdcReq.send(Unknown Source)
      at sun.security.krb5.internal.tools.Kinit.sendASRequest(Unknown Source)
      at sun.security.krb5.internal.tools.Kinit.<init>(Unknown Source)
      at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)

      -The kinit command is very essential to work to verify whether kerberos works properly. Since this important step is not working i am not able to proceed
      to the next steps´┐Ż.PLease someone, help...