0 Replies. Latest reply: Nov 23, 2010 6:11 AM by 817828

    Error 401 for CLIENT-CERT authentication

    817828
      I have done the following configuration:

      krb5.ini placed in Windows directory.

      [libdefaults]
      default_realm = ITSHASTRA.LOCAL
      kdc_timesync = 1
      ccache_type = 4
      ticket_lifetime = 600
      clockskew = 1200
      default_tgs_enctypes = des-cbc-crc
      default_tkt_enctypes = des-cbc-crc
      default etypes = des-cbc-crc
      default_etypes_des = des-cbc-crc
      forwardable = true
      proxiable = true
      noaddresses = true
      dns_lookup_kdc = false
      dns_lookup_realm = false


      [realms]
      ITSHASTRA.LOCAL = {
      kdc = 192.168.1.202
      admin_server = dev2
      default_domain = ITSHASTRA.LOCAL
      }

      [domain_realm]
      .itshastra.local = ITSHASTRA.LOCAL
      itshastra.local = ITSHASTRA.LOCAL

      [appdefaults]
      autologin = true
      forward = true
      forwardable = true
      encrypt = true

      Configured Internet Explorer (version 7) on the domain controller 'DC' as per the instructions given for single sign-on operation.


      Created user 'beawin'
      Reset password for 'beawin' to 'password'
      Selected 'Use DES encryption types for this account' and ensured everything else was unticked
      Reset password again for 'beawin' to 'password'

      setspn -a HOST/its37.itshastra.local beawin
      setspn -a HTTP/its37.itshastra.local beawin

      setspn -L beawin
      HTTP/its37.itshastra.local
      host/its37.itshastra.local


      ktab.exe -k mykeytab -a beawin@ITSHASTRA.LOCAL
      Entered the password of 'password' when prompted

      kinit.exe -k -t mykeytab beawin@ITSHASTRA.LOCAL
      New ticket is stored in cache file C:\Users\theuser\krb5cc_beawin

      Created the file 'krb5Login.conf' and stored it in the 'C:\bea\user_projects\domains\sso' and 'C:\bea\user_projects\domains\sso\bin' directories (the mykeytab file was copied into these directories also):
      com.sun.security.jgss.krb5.initiate {
      com.sun.security.auth.module.Krb5LoginModule required
      principal="beawin@ITSHASTRA.LOCAL" useKeyTab=true
      keyTab=mykeytab storeKey=true debug=false;
      };
      com.sun.security.jgss.krb5.accept {
      com.sun.security.auth.module.Krb5LoginModule required
      principal="beawin@ITSHASTRA.LOCAL" useKeyTab=true
      keyTab=mykeytab storeKey=true debug=false;
      };


      Created a new project called SSO-Test-WEB in the new domain 'sso' and, within WebContent/WEB-INF, configured the following two .xml files:

      web.xml file:
      <?xml version="1.0" encoding="UTF-8"?>
      <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
      <security-constraint>
      <display-name>Security Constraint for SSO</display-name>
      <web-resource-collection>
      <web-resource-name>Kerberos</web-resource-name>
      <description>Group of Users</description>
      <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
      <role-name>SSOrole</role-name>
      </auth-constraint>
      </security-constraint>


      <login-config>
      <auth-method>CLIENT-CERT</auth-method>
      </login-config>
      <security-role>
      <description>Role description</description>
      <role-name>SSOrole</role-name>
      </security-role>

      <display-name>SSO-Test-WEB</display-name>
      <welcome-file-list>
      <welcome-file>index.html</welcome-file>
      <welcome-file>index.htm</welcome-file>
      <welcome-file>index.jsp</welcome-file>
      <welcome-file>default.html</welcome-file>
      <welcome-file>default.htm</welcome-file>
      <welcome-file>default.jsp</welcome-file>
      </welcome-file-list>
      </web-app>


      weblogic.xml file:
      <?xml version="1.0" encoding="UTF-8"?>
      <wls:weblogic-web-app xmlns:wls="http://www.bea.com/ns/weblogic/weblogic-web-app" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd http://www.bea.com/ns/weblogic/weblogic-web-app http://www.bea.com/ns/weblogic/weblogic-web-app/1.0/weblogic-web-app.xsd">
      <wls:weblogic-version>10.3</wls:weblogic-version>
      <wls:context-root>SSO-Test-WEB</wls:context-root>

      <security-role-assignment>
      <role-name>SSOrole</role-name>
      <principal-name>HOST/beawin@ITSHASTRA.LOCAL</principal-name>
      </security-role-assignment>
      </wls:weblogic-web-app>


      Created the following index.jsp file in WebContent:
      <%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%>
      <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
      <html>
      <head>
      <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
      <title>Insert title here</title>
      </head>
      <body>
      <%-- Output the authenticated user name; a plain scriptlet would call the method and discard the result --%>
      <%= request.getRemoteUser() %>


      Test

      </body>
      </html>

      Used the following switches in the C:\bea\user_projects\domains\sso\bin\startWeblogic.cmd file:
      -Djava.security.krb5.realm=DOMAIN.LOCAL
      -Djava.security.krb5.kdc=DC.DOMAIN.LOCAL
      -Djava.security.auth.login.config=krb5Login.conf
      -Djavax.security.auth.useSubjectCredsOnly=false
      -Dweblogic.security.enableNegotiate=true
      -DDebugSecurityAdjudicator=true
      -Dweblogic.StdoutDebugEnabled=true
      -Dweblogic.StdoutSeverityLevel=64
      -Dweblogic.Debug.DebugSecurityAtz=true
      -Dweblogic.Debug.DebugSecurityAtn=true
      -Dsun.security.krb5.debug=true


      Restarted the server.

      Then I tried to access the app and got the error below in the browser:

      Error 401--Unauthorized
      From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
      10.4.2 401 Unauthorized
      The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity MAY include relevant diagnostic information. HTTP access authentication is explained in section 11.

      Please help me out.
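An added consistency check for the kind of setup described in this post (example code written for this page, not JDK or WebLogic code). It parses the krb5.ini subset shown above, the `-D` switches from startWeblogic.cmd and the JAAS `principal=` entry, then reports the two things a reviewer would look at first: the realm configured in krb5.ini (ITSHASTRA.LOCAL) disagrees with `-Djava.security.krb5.realm` (DOMAIN.LOCAL), and every enctype in use is single DES. The sample inputs are constructed from the values in the post; the `SINGLE_DES` set and the finding messages are this example's own.

```python
"""Consistency checks for a Java/WebLogic SPNEGO setup: krb5.ini, the JVM
-D switches and the JAAS login config must agree on realm and KDC, and
single-DES enctypes should not be in use.  Added example, not JDK or
WebLogic code; the sample inputs below are constructed from the post."""
import re

SAMPLE_KRB5_INI = """\
[libdefaults]
default_realm = ITSHASTRA.LOCAL
default_tgs_enctypes = des-cbc-crc
default_tkt_enctypes = des-cbc-crc
default etypes = des-cbc-crc
forwardable = true

[realms]
ITSHASTRA.LOCAL = {
kdc = 192.168.1.202
admin_server = dev2
}
"""
SAMPLE_JVM_FLAGS = [
    "-Djava.security.krb5.realm=DOMAIN.LOCAL",
    "-Djava.security.krb5.kdc=DC.DOMAIN.LOCAL",
    "-Djava.security.auth.login.config=krb5Login.conf",
]
SAMPLE_JAAS = """\
com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
principal="beawin@ITSHASTRA.LOCAL" useKeyTab=true
keyTab=mykeytab storeKey=true debug=false;
};
"""

# Single-DES enctype names as spelled in krb5 configs (56-bit keys).
SINGLE_DES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}


def parse_krb5_conf(text):
    """Parse the krb5.ini subset used here: [sections], key = value lines and
    one level of 'NAME = { ... }' blocks. Returns (sections, findings)."""
    sections, findings = {}, []
    section = block = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = sections.setdefault(m.group(1), {})
            block = None
            continue
        if section is None:
            findings.append(f"line {lineno}: value before any [section]: {line!r}")
            continue
        if line == "}":
            block = None
            continue
        key, sep, value = line.partition("=")
        if not sep:
            findings.append(f"line {lineno}: not a key = value line: {line!r}")
            continue
        key, value = key.strip(), value.strip()
        if value == "{":
            block = section.setdefault(key, {})
            continue
        if " " in key:
            # krb5 silently ignores unknown keys, so a typo here never errors out.
            findings.append(f"line {lineno}: key {key!r} contains whitespace and "
                            f"will be ignored (meant {key.replace(' ', '_')!r}?)")
        (block if block is not None else section)[key] = value
    return sections, findings


def parse_jvm_flags(flags):
    """Collect -Dname=value switches into a dict; other switches are skipped."""
    props = {}
    for flag in flags:
        if flag.startswith("-D") and "=" in flag:
            name, value = flag[2:].split("=", 1)
            props[name] = value
    return props


def check_kerberos_setup(krb5_text, jvm_flags, jaas_text):
    """Return a list of human-readable findings; an empty list means consistent."""
    sections, findings = parse_krb5_conf(krb5_text)
    props = parse_jvm_flags(jvm_flags)
    libdefaults = sections.get("libdefaults", {})
    ini_realm = libdefaults.get("default_realm")
    jvm_realm = props.get("java.security.krb5.realm")
    jvm_kdc = props.get("java.security.krb5.kdc")
    # When both JVM properties are set, the JDK uses them instead of the file.
    effective_realm = jvm_realm if (jvm_realm and jvm_kdc) else ini_realm
    if jvm_realm and ini_realm and jvm_realm.upper() != ini_realm.upper():
        findings.append(f"realm mismatch: krb5.ini default_realm={ini_realm} but "
                        f"-Djava.security.krb5.realm={jvm_realm}; the JVM will use {effective_realm}")
    ini_kdc = sections.get("realms", {}).get(ini_realm or "", {}).get("kdc")
    if jvm_kdc and ini_kdc and jvm_kdc.lower() != ini_kdc.lower():
        findings.append(f"kdc mismatch: krb5.ini kdc={ini_kdc} but -Djava.security.krb5.kdc={jvm_kdc}")
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        for etype in libdefaults.get(key, "").replace(",", " ").split():
            if etype.lower() in SINGLE_DES:
                findings.append(f"{key} uses single-DES enctype {etype}: 56-bit keys are "
                                "brute-forceable and DES is disabled by default in current JDKs")
    m = re.search(r'principal\s*=\s*"([^"]+)"', jaas_text)
    if m and "@" in m.group(1):
        jaas_realm = m.group(1).rsplit("@", 1)[1]
        if effective_realm and jaas_realm.upper() != effective_realm.upper():
            findings.append(f"JAAS principal {m.group(1)} is in realm {jaas_realm}, "
                            f"but the JVM resolves names in realm {effective_realm}")
    return findings


if __name__ == "__main__":
    for finding in check_kerberos_setup(SAMPLE_KRB5_INI, SAMPLE_JVM_FLAGS, SAMPLE_JAAS):
        print("-", finding)
```

Run against the constructed sample it reports the whitespace key, the realm and KDC disagreement between krb5.ini and the JVM switches, both single-DES enctype lines and the JAAS principal sitting in a different realm than the one the JVM will use; pointing it at a consistent AES-only configuration returns an empty list.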