
SSODiag Error 401 - Unauthorized when testing Kerberos for EPM 11.1.2.4

User_AAD34 Member Posts: 43 Red Ribbon
edited Mar 1, 2019 7:06AM in EPM System Infrastructure

Hi All,

I am in the middle of setting up Kerberos SSO for EPM 11.1.2.4. Following are my references:

https://www.oracle.com/technetwork/middleware/bi-foundation/config-epm-foundation-kerberos-303841.pdf

https://docs.oracle.com/cd/E57185_01/OPUSC/OPUSC.pdf

http://www.ateam-oracle.com/kerberos-and-weblogic-server-on-windows-step-by-step/

The issue I faced was during the Kerberos testing with SSODiag i.e.

Error 401--Unauthorized

From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:

10.4.2 401 Unauthorized

The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity MAY include relevant diagnostic information. HTTP access authentication is explained in section 11.

And I was not able to see: Retrieving Kerberos User principal name... Success

Following are the detailed step-by-step actions that I have done on each server:

  • AD (e.g. ADserver)

          1. Create new AD user as Kerberos service ID with following options ticked:

               - User cannot change password

               - Password never expires

               - This account supports Kerberos AES 128 bit encryption

               - This account supports Kerberos AES 256 bit encryption

          2. Set Principal name

               - Set SPN with: setspn -A HTTP/APPserver ADuser

               - Check principal with: setspn -l ADuser -> Registered for ADuser: HTTP/APPserver

  • EPM (App server - Weblogic, HFM, FDMEE, RA, etc - e.g. APPserver)

          1. Create C:\Windows\krb5.ini

          [libdefaults]
          default_realm = REALM.COM
          default_tkt_enctypes = des-cbc-crc des-cbc-md5 aes128-cts aes256-cts rc4-hmac
          default_tgs_enctypes = des-cbc-crc des-cbc-md5 aes128-cts aes256-cts rc4-hmac
          ticket_lifetime = 600
          [realms]
          REALM.COM = {
          kdc = 123.123.123.123
          admin_server = ADserver
          default_domain = REALM.COM
          }
          [domain_realm]
          .realm.com = REALM.COM
          [appdefaults]
          autologin = true
          forward = true
          forwardable = true
          encrypt = true   

          2. Generate keytab: ktab -a HTTP/[email protected]

          3. Verify keytab:

               - klist -k krb5.keytab

               - java -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit -k -t krb5.keytab HTTP/[email protected] -> New ticket is stored in cache file C:\Users\xxxxx\krb5cc_xxxxx

          4. Configure LDAP in Weblogic (ActiveDirectoryAuthenticator) -> control flag: OPTIONAL

          5. Configure Negotiate Identity Assertion (NegotiateIdentityAsserter) -> unticked “Form Based Negotiation Enabled”

          6. Configure LDAP in Shared Service

          7. Create C:\Oracle\Middleware\user_projects\domain\EPMServer\krb5Login.conf and copy krb5.keytab to the same folder

          com.sun.security.jgss.initiate {
           com.sun.security.auth.module.Krb5LoginModule required
           principal="HTTP/[email protected]"
           useKeyTab=true
           keyTab=krb5.keytab
           storeKey=true
           debug=true;
          };

          com.sun.security.jgss.accept {
           com.sun.security.auth.module.Krb5LoginModule required
           principal="HTTP/[email protected]"
           useKeyTab=true
           keyTab=krb5.keytab
           storeKey=true
           debug=true;
          };

          com.sun.security.jgss.krb5.accept {
           com.sun.security.auth.module.Krb5LoginModule required
           principal="HTTP/[email protected]"
           useKeyTab=true
           keyTab=krb5.keytab
           storeKey=true
           debug=true;
          };

          8. Add below JAVA_OPTIONS parameter in startWebLogic.cmd:

          -Djava.security.krb5.realm=REALM.COM -Djava.security.krb5.kdc=ADserver -Djava.security.auth.login.config=krb5Login.conf -Djavax.security.auth.useSubjectCredsOnly=false -Dsun.security.krb5.debug=true

          9. Add the same parameters in regedit as new JVMOptions and change JVMOptionCount.

          10. Since I have IIS with HFM deployed, in Authentication for each web site I disabled "Anonymous Authentication" and enabled "Windows Authentication"

          11. Deploy SSODiag.war and create authorization policies on / and /index.jsp -> NOTE: If I remove the authorization policies, SSODiag shows the page but Retrieving Kerberos User principal name... Failed

  • EPM (Web Server - OHS - e.g. OHSserver)

          1. Setup mod_wl_ohs.conf

          <LocationMatch ^/SSODiag/>
              SetHandler weblogic-handler
              WeblogicCluster APPserver:9000
          </LocationMatch>

          2. Restart OHS

  • Client (used the APP server but logged in as the new AD user - IE 11)

          1. Enabled "Integrated Windows Authentication" in internet options

          2. Add OHS server site to "Local intranet"

          3. Set user authentication logon to "Automatic logon only in Intranet zone"

          4. Access "https://OHSserver:19443/SSODiag/krbssodiag"

Could anyone help review whether I have set this up correctly, or whether I missed any steps somewhere in between?

Thanks for the help!
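Three checks that bear on a 401 from the Negotiate identity asserter, written up as an added worked example: this is not code from the post, from Oracle or from the linked guides. It reuses the post's placeholder names (APPserver, OHSserver, REALM.COM), builds a keytab image and Negotiate headers in memory with fake key material, and assumes the browser forms its SPN from the host as typed in the URL (no DNS canonicalisation). The checks are: (1) which SPN the browser asks the KDC for, which is HTTP/<URL host>, so with OHS in front of WebLogic the ticket is requested for the OHS host name and setspn must cover that name; (2) whether the keytab actually holds that SPN with an AES key and no single-DES keys (the krb5.ini above lists des-cbc-crc and des-cbc-md5 first, and current domain controllers disable single DES by default); (3) whether the Authorization header the browser sent carries a SPNEGO/Kerberos token or an NTLM token, because when the ticket request fails IE silently falls back to NTLM inside the same "Negotiate" scheme, and WebLogic's Negotiate identity asserter does not accept NTLM, which ends in exactly this 401.

```python
# Added example, not code from the post or from Oracle: placeholder host names, fake keys.
import base64
import struct
from urllib.parse import urlsplit
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts", 18: "aes256-cts", 23: "rc4-hmac"}
AES, DES = {17, 18}, {1, 3}
SPNEGO_OID = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2

def spn_for_url(url):                               # SPN the browser asks the KDC for: HTTP/<URL host>
    return "HTTP/" + urlsplit(url).netloc.split(":")[0]

def _counted(data):                                 # keytab counted octet string: uint16 length + bytes
    return struct.pack(">H", len(data)) + data

def _read_counted(blob, pos):                       # -> (bytes, position after them)
    n = struct.unpack_from(">H", blob, pos)[0]
    return blob[pos + 2:pos + 2 + n], pos + 2 + n

def build_keytab(entries):
    """(principal, realm, kvno, enctype, key) -> version 0x0502 keytab image (Java ktab layout)."""
    out = bytearray(b"\x05\x02")
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name type, timestamp, vno8
        body += struct.pack(">H", enctype) + _counted(key) + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def parse_keytab(blob):
    """Parse a version 0x0502 keytab into entry dicts; key bytes are not kept."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % blob[:2])
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        size = struct.unpack_from(">i", blob, pos)[0]
        pos, end = pos + 4, pos + 4 + abs(size)
        if size > 0:                                    # negative size = deleted slot, skipped
            ncomp = struct.unpack_from(">H", blob, pos)[0]
            realm, pos = _read_counted(blob, pos + 2)
            comps = []
            for _ in range(ncomp):
                comp, pos = _read_counted(blob, pos)
                comps.append(comp.decode())
            _name_type, _stamp, vno8, enctype = struct.unpack_from(">IIBH", blob, pos)
            key, pos = _read_counted(blob, pos + 11)
            kvno = struct.unpack_from(">I", blob, pos)[0] if end - pos >= 4 else vno8
            entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                            "kvno": kvno, "enctype": enctype, "keylen": len(key)})
        pos = end
    return entries

def check_keytab(entries, spn, realm):
    """Server-side findings that make the first Negotiate request end in a 401."""
    want = "%s@%s" % (spn, realm)
    mine = [e for e in entries if e["principal"].lower() == want.lower()]   # AD matches SPN hosts case-insensitively
    findings = []
    if not mine:
        findings.append("no key for %s; keytab holds %s" % (want, sorted({e["principal"] for e in entries})))
    elif not {e["enctype"] for e in mine} & AES:
        findings.append("no AES key for %s although the AD account allows AES" % want)
    findings += ["%s: %s key is dead weight, current AD disables single DES by default"
                 % (e["principal"], ENCTYPES[e["enctype"]]) for e in entries if e["enctype"] in DES]
    return findings

def _der_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_token(authorization):
    """Authorization header of the request answered 401 -> 'ntlm', 'spnego', 'kerberos' or 'unknown'.
    NTLM starts with NTLMSSP\\0 (base64 TlRMTVNT); GSS tokens are DER APPLICATION 0 + mechanism OID."""
    raw = base64.b64decode(authorization.strip().partition(" ")[2])
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"                                   # browser fell back to NTLM
    if raw[:1] == b"\x60":                              # GSS-API InitialContextToken
        _, p = _der_len(raw, 1)
        if raw[p:p + 1] == b"\x06":                     # mechanism OID follows
            n, p = _der_len(raw, p + 1)
            return {SPNEGO_OID: "spnego", KRB5_OID: "kerberos"}.get(raw[p:p + n], "unknown")
    return "unknown"

# Constructed sample input: the post's placeholder names, fake key material.
KEYTAB = build_keytab([("HTTP/APPserver", "REALM.COM", 2, 18, b"\x11" * 32),
                       ("HTTP/APPserver", "REALM.COM", 2, 3, b"\x33" * 8)])
URL = "https://OHSserver:19443/SSODiag/krbssodiag"
NTLM_HDR = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00" + struct.pack("<II", 1, 0xE2088297) + b"\x00" * 24).decode()
_body = b"\x06\x06" + SPNEGO_OID + b"\xa0" + b"\x00" * 125          # 134 bytes: long-form DER length
SPNEGO_HDR = "Negotiate " + base64.b64encode(b"\x60\x81" + bytes([len(_body)]) + _body).decode()

if __name__ == "__main__":
    print(check_keytab(parse_keytab(KEYTAB), spn_for_url(URL), "REALM.COM"))
    print([classify_token(h) for h in (NTLM_HDR, SPNEGO_HDR)])
```

To use it against a real setup, read the keytab file bytes instead of KEYTAB and paste the Authorization header captured with Fiddler or the browser's network tab. Two caveats on the assumptions: IE can canonicalise the host through DNS (CNAME to A record) before building the SPN, so with aliases check klist on the client for the exact service name it requested; and ktab derives the keys from the password typed, so a later password reset on the AD account bumps the kvno and invalidates the keytab, while aes256-cts keys additionally need the unlimited-strength JCE policy files on JDK 6 and 7 (and on JDK 8 before 8u161).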
