1 Reply Latest reply on Mar 29, 2011 8:23 AM by Faisal WebLogic Wonders

    error on implementing SSO using kerberos in Weblogic

    user526495
      Hi,
      We are trying to implement SSO for a J2EE (ADF) application deployed in WebLogic Server 10.3 using Kerberos authentication (WNA/WIA). On trying to access the application I'm getting an Error:401 Unauthorized.

      I'm listing the steps done till now; if I'm missing something, can someone please let me know what has to be fixed.

      1. Created a user in Microsoft AD. The new user has the same name as the hostname of the server hosting WebLogic.
      2. Generated a keytab file for the new user.
      3. Copied the keytab file to the Linux server hosting WLS.
      4. Tested the keytab file using klist and kinit tools.
      5. Added new Security Providers namely, AD Authenticator and Negotiate Identity Asserter.
      6. Modified the flag to OPTIONAL for AD Authenticator and Default Authenticator, removed FORM flag for Negotiate Identity Asserter.
      7. Reordered the Providers, making ADAuthenticator as first and Negotiate Identity Asserter as second.
      8. Created the krb5.conf file in /etc directory.
      9. Created krb5Login.conf in the Domain directory.
      10. Modified startWeblogic.sh with start parameters to use krb5.conf, krb5Login.conf and some debugging.
      11. On trying to access the protected application, I'm getting an Error:401 Unauthorized.
      On checking the logs, I see the error below:

      ****************************************************************************************
      Found key for HTTP/username@domain.com(23)
      Entered Krb5Context.acceptSecContext with state=STATE_NEW
      EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
      Checksum failed !
      <Mar 28, 2011 1:08:11 AM EDT> <Debug> <SecurityAtn> <BEA-000000> <Exception com.bea.common.security.internal.utils.negotiate.NegotiateTokenException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
      com.bea.common.security.internal.utils.negotiate.NegotiateTokenException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
           at com.bea.common.security.internal.utils.negotiate.SPNEGONegotiateToken.getUsername(SPNEGONegotiateToken.java:180)
           at weblogic.security.providers.authentication.NegotiateIdentityAsserterProviderImpl.assertChallengeIdentity(NegotiateIdentityAsserterProviderImpl.java:213)
           at com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter.assertChallengeIdentity(ChallengeIdentityAssertionProviderImpl.java:130)
           at com.bea.common.security.internal.service.ChallengeIdentityAssertionTokenServiceImpl.assertChallengeIdentity(ChallengeIdentityAssertionTokenServiceImpl.java:120)

      ****************************************************************************************

      WLS version      : *10.3.3.0*
      JDK          : *1.6.0_18 (also tried with 1.6.0_11, 1.6.0_24)*

      If someone has faced this issue or has any clues on this, kindly suggest.

      Thanks,
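As an added diagnostic (not from the original post, and not Oracle or WebLogic code), the Python below parses a keytab in the MIT format that ktpass and ktutil write and reports, for the HTTP SPN the Negotiate Identity Asserter validates tokens for, each key's principal, KVNO and enctype; comparing these with what the debug log shows (here `HTTP/...` with enctype 23, ArcFourHmac) and with the AD account's current KVNO is the first check for a "Checksum failed" at acceptSecContext, which usually means the keytab key did not match the key the KDC used to encrypt the service ticket. The hostname, realm and key bytes in the sample keytab are constructed values.

```python
import struct
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac (ArcFourHmacEType)"}
WEAK = {1, 3, 23}  # DES and RC4; the numbers match the keytab and the JDK Kerberos debug log

def _cstr(b):  # MIT keytab counted_octet_string: 16-bit big-endian length + bytes
    return struct.pack(">H", len(b)) + b
def _read_cstr(buf, pos):
    n = struct.unpack_from(">H", buf, pos)[0]
    return buf[pos + 2:pos + 2 + n], pos + 2 + n
def parse_keytab(data):  # MIT keytab (version 0x0502) -> [(principal, kvno, enctype, keylen)]
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]
        pos, end = pos + 4, pos + 4 + abs(size)
        if size > 0:                            # size <= 0 marks a deleted slot: skip it
            ncomp = struct.unpack_from(">H", data, pos)[0]
            realm, pos = _read_cstr(data, pos + 2)
            comps = []
            for _ in range(ncomp):
                c, pos = _read_cstr(data, pos)
                comps.append(c.decode())
            pos += 8                            # skip name_type (4) and timestamp (4)
            vno8, etype = data[pos], struct.unpack_from(">H", data, pos + 1)[0]
            key, pos = _read_cstr(data, pos + 3)
            kvno = vno8                         # a trailing 32-bit kvno, if present and nonzero, wins
            if end - pos >= 4:
                kvno = struct.unpack_from(">I", data, pos)[0] or vno8
            entries.append(("/".join(comps) + "@" + realm.decode(), kvno, etype, len(key)))
        pos = end
    return entries

def check_spn(entries, spn):  # findings for the SPN the asserter validates tokens for
    hits = [e for e in entries if e[0].split("@")[0] == spn]
    if not hits:
        return ["no key for %s: its service tickets can never be validated" % spn]
    out = ["%s kvno=%d enctype=%d %s" % (p, k, t, ENCTYPES.get(t, "unknown")) for p, k, t, _ in hits]
    return out + ["enctype %d is weak; prefer AES keys" % t for _, _, t, _ in hits if t in WEAK]

def _entry(princ, realm, kvno, etype, key):  # constructed-sample writer for one keytab entry
    comps = princ.split("/")
    body = struct.pack(">H", len(comps)) + _cstr(realm.encode()) + b"".join(_cstr(c.encode()) for c in comps)
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, etype) + _cstr(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed keytab (fake host, realm and keys): an RC4 and an AES key for the WebLogic host's HTTP SPN.
SAMPLE = (b"\x05\x02" + _entry("HTTP/wlshost.example.com", "EXAMPLE.COM", 3, 23, b"\x11" * 16)
          + _entry("HTTP/wlshost.example.com", "EXAMPLE.COM", 3, 18, b"\x22" * 32))
```

Run `check_spn(parse_keytab(open("/path/to/file.keytab", "rb").read()), "HTTP/<wls-hostname>")` against the real keytab from step 2 and compare the KVNO and enctype with the AD account.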