Hi all,
We are trying to set up Kerberos SSO with WebLogic for an internal application; so far we have been following the guide at http://download.oracle.com/docs/cd/E12839_01/web.1111/e13707/sso.htm
I am trying to set this up locally on my machine (TI-C8R783J).
A new user was added to the Active Directory (AD) (TI-C8R783J@ISYS.TRACEGROUP.COM).
setspn was run on the AD server (TIDC.ISYS.TRACEGROUP.COM) as per the guide above.
Output of setspn -L TI-C8R783J@ISYS.TRACEGROUP.COM was...
Registered ServicePrincipalNames for CN=TI-C8R783J,OU=Desktops,DC=isys,DC=tracegroup,DC=com:
HTTP/TI-C8R783J.isys.tracegroup.com
HOST/TI-C8R783J
HOST/TI-C8R783J.isys.tracegroup.com
I then ran
ktpass -princ host/TI-C8R783J@ISYS.TRACEGROUP.COM -pass 12345 -mapuser TI-C8R783J -out c:\weblogic.keytab
output was...
Targeting domain controller: TIDC.isys.tracegroup.com
Using legacy password setting method
Successfully mapped host/TI-C8R783J to TI-C8R783J.
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to c:\weblogic.keytab:
Keytab version: 0x502
keysize 70 host/TI-C8R783J@ISYS.TRACEGROUP.COM ptype 0 (KRB5_NT_UNKNOWN) vno 7 etype 0x17 (RC4-HMAC) keylength 16 (0x4d001483a4958ba45bcdd01569b6fba8)
I have also run
ktab -k weblogic.keytab -a TI-C8R783J@ISYS.TRACEGROUP.COM
output was...
Password for TI-C8R783J@ISYS.TRACEGROUP.COM:12345
Done!
Service key for TI-C8R783J@ISYS.TRACEGROUP.COM is saved in C:\bea\wlserver_10.3\samples\domains\wl_server\weblogic.keytab
I created and adjusted the krb5.ini file under c:\winnt\krb5.ini
[libdefaults]
default_realm = ISYS.TRACEGROUP.COM
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
ticket_lifetime = 600
[realms]
ISYS.TRACEGROUP.COM = {
admin_server = TIDC.ISYS.TRACEGROUP.COM
default_domain = ISYS.TRACEGROUP.COM
kdc = TIDC.ISYS.TRACEGROUP.COM
}
[domain_realm]
.isys.tracegroup.com = ISYS.TRACEGROUP.COM
[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true
However, when I then try to run
kinit -k -t weblogic.keytab TI-C8R783J@ISYS.TRACEGROUP.COM
I get the error...
Exception: krb_error 24 Pre-authentication information was invalid (24) Pre-authentication information was invalid
KrbException: Pre-authentication information was invalid (24)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:66)
at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:449)
at sun.security.krb5.internal.tools.Kinit.sendASRequest(Kinit.java:306)
at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:257)
at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:107)
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
at sun.security.krb5.internal.ASRep.init(ASRep.java:58)
at sun.security.krb5.internal.ASRep.<init>(ASRep.java:53)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:50)
... 4 more
As suggested by another forum I saw I also tried
kinit -k -t weblogic.keytab HOST/TI-C8R783J@ISYS.TRACEGROUP.COM
But get the error...
Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type: RC4 with HMAC No error
KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type: RC4 with HMAC
at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:238)
at sun.security.krb5.KrbAsReq.init(KrbAsReq.java:345)
at sun.security.krb5.KrbAsReq.<init>(KrbAsReq.java:260)
at sun.security.krb5.KrbAsReq.<init>(KrbAsReq.java:219)
at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:221)
at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:107)
I haven't got a clue as to why this error is occurring. I am very new to Kerberos, so any pointers in the right direction would be much appreciated.
Thanks.
George.
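The second kinit error above is the one the tools can diagnose offline: the keytab holds only an RC4-HMAC key (etype 0x17, as the ktpass output says), while the krb5.ini lists only des-cbc-crc in default_tkt_enctypes, so kinit has no key type it is allowed to use. The script below is an added example for this thread (not code from the original post, from Oracle's guide or from the JDK); it parses a version 0x502 keytab as ktpass and Java's ktab write it, prints each entry's principal, kvno and enctype, and checks the entries against the enctype list in a krb5.ini. The keytab bytes are constructed inline to mirror the quoted ktpass output (host/TI-C8R783J@ISYS.TRACEGROUP.COM, kvno 7, KRB5_NT_UNKNOWN, RC4-HMAC) with a dummy 16-byte key standing in for the real one; the two krb5.ini fragments are the posted [libdefaults] lines and a variant naming the key type the keytab actually contains.

```python
"""Inspect a version 0x502 keytab and check its keys against a krb5.ini.

Added example; not code from the original post. The keytab is constructed
to mirror the ktpass output quoted in the thread, with a placeholder key.
"""
import struct

# Enctype numbers from RFC 3961 / IANA, spelled the way krb5.ini spells them.
ENCTYPES = {
    1: "des-cbc-crc",            # single DES, deprecated by RFC 6649
    3: "des-cbc-md5",            # single DES, deprecated by RFC 6649
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",              # 0x17, the key type ktpass wrote in the post
}
NAME_TYPES = {0: "KRB5_NT_UNKNOWN", 1: "KRB5_NT_PRINCIPAL", 3: "KRB5_NT_SRV_HST"}


def _counted(buf, off):
    """Read a counted_octet_string: big-endian uint16 length, then the bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def build_entry(components, realm, name_type, kvno, etype, key, timestamp=0):
    """Serialize one v0x502 entry: ncomp, realm, components, name_type,
    timestamp, 8-bit kvno, enctype, key. Only used to construct the sample;
    ktpass's 'keysize 70' is the length of exactly this body."""
    body = struct.pack(">H", len(components))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in components:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", etype, len(key)) + key
    return struct.pack(">i", len(body)) + body


def parse_keytab(data):
    """Return one dict per entry: principal, name_type, kvno, etype, enctype, key."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                # negative size marks a deleted slot; skip it
            off += -size
            continue
        end, e = off + size, off
        (ncomp,) = struct.unpack_from(">H", data, e)
        realm, e = _counted(data, e + 2)
        comps = []
        for _ in range(ncomp):
            c, e = _counted(data, e)
            comps.append(c.decode())
        name_type, _ts, vno8 = struct.unpack_from(">IIB", data, e)
        e += 9
        etype, klen = struct.unpack_from(">HH", data, e)
        e += 4
        key, e = data[e:e + klen], e + klen
        kvno = vno8
        if e + 4 <= end:             # optional trailing 32-bit kvno; nonzero overrides vno8
            (vno32,) = struct.unpack_from(">I", data, e)
            kvno = vno32 or vno8
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": NAME_TYPES.get(name_type, str(name_type)),
            "kvno": kvno, "etype": etype,
            "enctype": ENCTYPES.get(etype, "unknown(%d)" % etype),
            "key": key.hex(),
        })
        off = end
    return entries


def enctypes_from_ini(ini_text, setting="default_tkt_enctypes"):
    """Enctype names from a line such as 'default_tkt_enctypes = des-cbc-crc'."""
    for line in ini_text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip() == setting:
            return value.replace(",", " ").split()
    return []


def usable_keys(entries, principal, ini_text):
    """Keys kinit could use: exact (case-sensitive) principal match and an enctype
    named in default_tkt_enctypes. An empty list is the condition behind
    'Do not have keys of types listed in default_tkt_enctypes available'."""
    wanted = set(enctypes_from_ini(ini_text))
    return [e for e in entries if e["principal"] == principal and e["enctype"] in wanted]


# Constructed sample: what 'ktpass -princ host/TI-C8R783J@ISYS...' reported writing,
# with bytes 00..0f standing in for the real key.
PRINCIPAL = "host/TI-C8R783J@ISYS.TRACEGROUP.COM"
SAMPLE_KEYTAB = b"\x05\x02" + build_entry(
    ["host", "TI-C8R783J"], "ISYS.TRACEGROUP.COM", name_type=0, kvno=7,
    etype=23, key=bytes(range(16)))
INI_AS_POSTED = "[libdefaults]\ndefault_realm = ISYS.TRACEGROUP.COM\ndefault_tkt_enctypes = des-cbc-crc\n"
INI_MATCHING = "[libdefaults]\ndefault_realm = ISYS.TRACEGROUP.COM\ndefault_tkt_enctypes = rc4-hmac\n"

if __name__ == "__main__":
    for ent in parse_keytab(SAMPLE_KEYTAB):
        print("%(principal)s kvno=%(kvno)d %(enctype)s (%(name_type)s)" % ent)
    for label, ini in (("as posted", INI_AS_POSTED), ("matching", INI_MATCHING)):
        n = len(usable_keys(parse_keytab(SAMPLE_KEYTAB), PRINCIPAL, ini))
        print("%s: %d usable key(s) for %s" % (label, n, PRINCIPAL))
```

Run against a real file with parse_keytab(open("weblogic.keytab", "rb").read()) to see what ktpass and ktab actually put in it, including whether a user principal (TI-C8R783J@REALM) and a service principal (host/TI-C8R783J@REALM) both ended up there and with which key types. Whichever side gets changed, the key types in the keytab (ktpass's -crypto switch picks them) and the enctype lists in krb5.ini have to overlap for kinit to proceed; note also that des-cbc-crc is single DES, which RFC 6649 deprecates. Two practitioner caveats: the hex ktpass prints after "keylength 16" is the service's long-term key, and the -pass value is the account password, so keytab output and commands that carry passwords should be treated as secrets rather than pasted into a public thread.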