2 Replies Latest reply on Sep 5, 2012 2:33 PM by René van Wijk

    64-bit JRockit 1.6.0_33-R28.2 with WLS 10.3.5 on Windows and krb5 problem

    Audun Nes

      I have had a very strange issue with JRockit and Kerberos on Windows, on which I would like some input.

      My environment is:
      Server Operating System = Windows Server 2008 R2 x64
      Application Server = WebLogic Server Std. Edition 10.3.5 Generic
      Java = First jrockit-jdk1.6.0_29-R28.2.2-4.1.0-windows-x64, then jrockit-jdk1.6.0_33-R28.2.4-4.1.0-windows-x64
      Browsers = IE9 and Google Chrome 21
      Clients = Windows 7 and Windows XP
      Encryption = First DES, then RC4-HMAC
      Active Directory with KDC: Both on Windows 2003 and Windows 2008

      While JRockit's kinit tool successfully stored a ticket in cache when invoked from the Windows Command Prompt, it never worked in JRockit through WebLogic. With klist I could see a ticket being issued, but neither the WebLogic console nor custom JEE apps with <auth-method>CLIENT-CERT,FORM</auth-method> caused auto-login.

      I tried with both DES and RC4-HMAC, Kerberos pre-auth on and off, and played around with SPNs and user account options without getting further than WebLogic saying:
      "Commit Succeeded

      Found key for <user>@<domain>(23)
      Entered Krb5Context.acceptSecContext with state=STATE_NEW"

      I think I have tried pretty much any combination of encryption algorithms, user account options and krb5.ini options without being able to get WebLogic to log me in through Kerberos. And I have read both the official doc and various blogs on how to set it up to get various views on configurations that should work. But without any luck.

      Then after 3 weeks struggling with this, I found a post here on OTN where a user mentioned problems with Kerberos after he upgraded from JRockit-jdk1.6.0_20-R28.1.0....

      So I tried to downgrade to jrockit-jdk1.6.0_20-R28.1.0, and suddenly my setup worked!!

      So my questions are:
      1. What is the highest version of JRockit on Windows 2008 R2 x64 that is known to work with Kerberos (preferably using RC4-HMAC)?
      2. Has anyone found a workaround to get this to work with jrockit-jdk1.6.0_33-R28.2.x on Windows 2008 R2 x64?

      Edited by: Audun Nes on Aug 16, 2012 7:33 AM

      Edited by: Audun Nes on Aug 16, 2012 7:34 AM
        • 1. Re: 64-bit JRockit 1.6.0_33-R28.2 with WLS 10.3.5 on Windows and krb5 problem
          Audun Nes
          It seems this is a platform dependent issue. With WebLogic 10.3.5 (x64) on RedHat Linux 5.5 (x64), Kerberos authentication with the latest JRockit (currently 28.2.4) works fine towards a Windows 2008 Active Directory.
          • 2. Re: 64-bit JRockit 1.6.0_33-R28.2 with WLS 10.3.5 on Windows and krb5 problem
            René van Wijk
            It could be related to the size of the Kerberos ticket (not sure here, just a guess).

            When a user belongs to many groups, it affects the size of the ticket, some tips are provided here: http://support.microsoft.com/kb/327825
            (not related to JRockit, but to the MaxTokenSize in the Windows registry).

            Could also run into trouble when using a front-end such as Apache HTTP Server (and WebCache)
            - http://httpd.apache.org/docs/2.2/mod/core.html (set the LimitRequestFieldSize http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize appropriately)
            - WebCache: WXE-11355 Single request header length exceeds configured maximum. A forbidden error response is returned to the client. Client IP: %s error
            - Cause: One of the headers in the request exceeded the configured maximum.
            - Action: Adjust the maximum individual header size limit in the Security page of OracleAS Web Cache Manager. If the problem persists, contact Oracle Support Services.
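
The ticket-size and header-limit checks mentioned in the reply above, as an added example that is not part of the original thread: it applies the estimate published in KB 327825 (TokenSize = 1200 + 40d + 8s) and compares the resulting `Authorization: Negotiate` header with a front-end limit. The function names are hypothetical; the default limits (8190 for Apache 2.2 `LimitRequestFieldSize`, 12000 for `MaxTokenSize` on Windows before Server 2012) and the choice to compare the whole header line against the limit are assumptions to adjust for your environment.

```python
import base64
import math

APACHE22_FIELD_LIMIT = 8190    # assumed: documented default of LimitRequestFieldSize (httpd 2.2)
MAX_TOKEN_SIZE = 12000         # assumed: default MaxTokenSize on Windows before Server 2012
PREFIX = "Authorization: Negotiate "

def estimate_token_size(d, s):
    """KB 327825 estimate in bytes.
    d: domain local groups + universal groups outside the account domain + SID-history groups
    s: security global groups + universal groups inside the account domain"""
    return 1200 + 40 * d + 8 * s

def negotiate_header_length(token_bytes):
    """Length of the header line once the token is base64-encoded (4 chars per 3 bytes)."""
    return len(PREFIX) + 4 * math.ceil(token_bytes / 3)

def assess(d, s, field_limit=APACHE22_FIELD_LIMIT, max_token=MAX_TOKEN_SIZE):
    """Estimate token and header size and flag which limit, if any, is exceeded."""
    token = estimate_token_size(d, s)
    header = negotiate_header_length(token)
    return {
        "token_bytes": token,
        "header_bytes": header,
        "exceeds_max_token_size": token > max_token,
        "exceeds_field_limit": header > field_limit,  # whole line, a conservative comparison
    }

def measure_header(header_line):
    """Return (raw token bytes, header line length) for a header copied from a trace."""
    name, _, value = header_line.partition(":")
    scheme, _, b64 = value.strip().partition(" ")
    if name.strip().lower() != "authorization" or scheme.lower() != "negotiate":
        raise ValueError("not an Authorization: Negotiate header")
    return len(base64.b64decode(b64, validate=True)), len(header_line)

def constructed_sample_header(token_len):
    """Constructed sample: a zero-filled token of the given size, not a real ticket."""
    return PREFIX + base64.b64encode(bytes(token_len)).decode("ascii")

if __name__ == "__main__":
    for d, s in [(5, 100), (50, 400)]:   # constructed group counts
        print(d, s, assess(d, s))
    print(measure_header(constructed_sample_header(300)))
```

With the constructed counts d=50, s=400 the estimated token stays under `MaxTokenSize` while the encoded header already exceeds the assumed front-end limit, so the front end would reject the request before the Windows limit comes into play.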