3 Replies Latest reply: Dec 11, 2012 3:32 AM by Haakon

Problem with OBIEE/WLS and MS AD Single Sign On configuration

Haakon Newbie
Hi all,

Apologies if this should be posted in the general WebLogic Security forum rather than here, but since the Oracle support doc is titled "Configuring Oracle BI 11g and Weblogic for Single Sign-On..." I thought I'd try this forum first.

We're running OBIEE 11.1.1.6.5 on WLS 10.3.5.0 on Windows 2007 server.
Active Directory (2008) is running on Windows 2008 R2 Standard edition.

I've followed the support document ID 1274953.1 mentioned above and have managed to get AD authentication to work between the OBIEE/WLS server and the MS AD server.
That is, we're able to log on manually to BI Analytics with our AD user IDs.

Now, when trying to configure Single Sign On, I've reached the point where I'm trying to verify the Kerberos configuration (pages 19-20).

This fails with the following output:
C:\Oracle\..\middleware\user_projects\domains\ourdomain>java.exe -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit -k -t keytab wlsuser@OURDOMAIN.LOCAL
KinitOptions cache name is C:\Users\oracleservice\krb5cc_oracleservice
Principal is wlsuser@OURDOMAIN.LOCAL
Kinit using keytab
Kinit keytab file name: keytab
KeyTabInputStream, readName(): OURDOMAIN.LOCAL
KeyTabInputStream, readName(): wlsuser
KeyTab: load() entry length: 44; type: 3
KeyTabInputStream, readName(): OURDOMAIN.LOCAL
KeyTabInputStream, readName(): wlsuser
KeyTab: load() entry length: 44; type: 1
KeyTabInputStream, readName(): OURDOMAIN.LOCAL
KeyTabInputStream, readName(): wlsuser
KeyTab: load() entry length: 52; type: 23
KeyTabInputStream, readName(): OURDOMAIN.LOCAL
KeyTabInputStream, readName(): wlsuser
KeyTab: load() entry length: 60; type: 16
KeyTabInputStream, readName(): OURDOMAIN.LOCAL
KeyTabInputStream, readName(): wlsuser
KeyTab: load() entry length: 52; type: 17
Added key: 17version: 5
Added key: 16version: 5
Added key: 23version: 5
Added key: 1version: 6
Added key: 3version: 5
Ordering keys wrt default_tkt_enctypes list
Config name: C:\Windows\krb5.ini
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17
Kinit realm name is OURDOMAIN.LOCAL
Creating KrbAsReq
KrbKdcReq local adresses for WLSSERVER are:
     WLSSERVER/10.0.0.2 IPv4 address
     WLSSERVER/0:0:0:0:0:0:0:1 IPv6 address
KdcAccessibility: reset
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17
KrbAsReq calling createMessage
KrbAsReq in createMessage
Kinit: sending as_req to realm OURDOMAIN.LOCAL
Exception: krb_error 0 Cannot get kdc for realm OURDOMAIN.LOCAL No error
KrbException: Cannot get kdc for realm OURDOMAIN.LOCAL
     at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:196)
     at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:175)
     at sun.security.krb5.internal.tools.Kinit.sendASRequest(Kinit.java:298)
     at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:237)
     at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:107)
Our krb5.ini looks like this:
[libdefaults]
default_realm = OURDOMAIN.LOCAL
ticket_lifetime = 600

[realms]
OURDOMAIN.LOCAL = {
kdc = 10.0.0.1
admin_server = adserver.ourdomain.local
default_domain = OURDOMAIN.LOCAL
}

[domain_realm]
.ourdomain.local = OURDOMAIN.LOCAL

[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true
The above test is done with a keytab generated on the WLS server as per documentation.
I've also tried using "ktpass" on the AD server to generate a keytab there, then placing the keytab on the WLS server.
This fails with "Exception: krb_error 0 No supported key found in keytab".

I'm able to run a ping between the servers, and have checked that there are no firewalls running on any of the servers (they're virtual servers in a closed network). So the AD server should be able to receive TCP/UDP traffic on Kerberos port 88.

I'm pretty much stuck here, and I'm unable to see what we have different from the Metalink support document in our configuration.
Any good tips and pointers on how to solve this would be highly appreciated.

Regards,
-Haakon-
  • 1. Re: Problem with OBIEE/WLS and MS AD Single Sign On configuration
    Turbokat Pro
    Hello,

    This is an error in the krb5.ini or krb5.conf :

    > kinit HTTP/ukpsrv016.bah.com
    Password for HTTP/ukpsrv016.bah.com@BAH.COM:welcome1
    Exception: krb_error 0 Cannot get kdc for realm BAH.COM No error
    KrbException: Cannot get kdc for realm BAH.COM
    at sun.security.krb5.KrbKdcReq.send(Unknown Source)
    at sun.security.krb5.KrbKdcReq.send(Unknown Source)
    at sun.security.krb5.KrbAsReq.send(Unknown Source)
    at sun.security.krb5.internal.tools.Kinit.(Unknown Source)
    at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)

    - Check the krb5.ini (Windows) or krb5.conf (Linux, Unix) for syntax errors.
    - The example above was due to missing spaces either side of the "=".
    - Look for missing parameters, missing spaces, uppercase or lowercase discrepancies, spelling errors, unbalanced or missing parentheses.

    Refer to :
    http://docs.oracle.com/javase/1.5.0/docs/guide/security/jgss/tutorials/KerberosReq.html#SetProps

    Also, if this didn't solve the issue, could you let us know how you created the keytabs and also the commands for setspn (with the WLS user account as an administrator account in AD)?

    Hope this helps. Please mark if it does.

    Thanks,
    SVS
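The syntax and case checks SVS lists above, as an added example that is not part of the thread: a small Python validator for krb5.ini/krb5.conf (assumes the MIT-style [section] and realm-block layout shown in the original post), run over a constructed copy of the poster's file with a lowercase letter in the [realms] entry. Realm names are compared case-sensitively, so such a near miss leaves the client with no KDC for the default realm.

```python
# Constructed sample: the thread's krb5.ini with the typo the poster found ("lOCAL").
SAMPLE_KRB5_INI = """[libdefaults]
default_realm = OURDOMAIN.LOCAL
[realms]
OURDOMAIN.lOCAL = {
kdc = 10.0.0.1
}
"""

def parse_krb5_ini(text):
    """Parse krb5.ini/krb5.conf into {section: {key: value}}; realm blocks nest as dicts."""
    cfg, problems, section, realm = {}, [], None, None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
            cfg.setdefault(section, {})
        elif line == "}":
            if realm is None:
                problems.append(f"line {n}: '}}' without a matching '{{'")
            realm = None
        elif section is None or "=" not in line:
            problems.append(f"line {n}: cannot parse {line!r}")
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                realm, cfg[section][key] = key, {}
            else:
                (cfg[section][realm] if realm else cfg[section])[key] = value
    if realm is not None:
        problems.append(f"realm {realm!r} block not closed at end of file")
    return cfg, problems

def check_krb5_ini(text):
    """Syntax problems plus the reply's checks: default_realm needs a case-exact [realms] entry, each realm a kdc."""
    cfg, problems = parse_krb5_ini(text)
    realms = cfg.get("realms", {})
    default_realm = cfg.get("libdefaults", {}).get("default_realm")
    if default_realm is None:
        problems.append("[libdefaults] has no default_realm")
    elif default_realm not in realms:
        near = [r for r in realms if r.upper() == default_realm.upper()]
        problems.append(f"no [realms] entry for {default_realm!r}"
                        + (f"; case mismatch with {near[0]!r}" if near else ""))
    for name, block in realms.items():
        if not isinstance(block, dict) or "kdc" not in block:
            problems.append(f"realm {name!r} defines no kdc")
    return problems
```

On the sample the checker reports the case mismatch; once "lOCAL" is corrected it reports nothing.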
  • 2. Re: Problem with OBIEE/WLS and MS AD Single Sign On configuration
    Haakon Newbie
    Thank you for your input.

    As you see, I've listed our krb5.ini, and I'm unable to find any errors in the file. I have spaces both sides of the equal sign, all capitalization seems to be correct etc.
    I've checked the document you referred to, but can't find anything that we're missing there.

    Keytab is generated as described in the support document; I run the ktab.exe on the Weblogic server like this:
    C:\..\jdk\bin\ktab.exe -k C:\Oracle\..\middleware\user_projects\domains\ourdomain\keytab -a wlsuser@OURDOMAIN.LOCAL
    As stated, I've also tried generating a keytab file on the AD server with the ktpass utility, but this one also fails (it only creates a keytab file of less than 1 KB).

    Setspn is run on the AD server, also according to the support document, as:
    setspn -a HTTP/wlsserver.ourdomain.local wlsuser
    setspn -a HTTP/wlsserver wlsuser
    I've tried saving the krb5.ini file both with and without spaces everywhere, with tabs, with and without capitalization, as DOS- and as Unix-formatted file. Nothing has any effect, still same error.
    I get the same error (Cannot get kdc for realm) if I generate a keytab for a non-existent user and test that with kinit, so it would seem to me that my WLS server is not communicating with the AD server at all - it fails before any actual user lookup is done. So I have to find the reason why the servers have no contact. As I mentioned, I'm able to run a ping both ways between the servers. I do not have the telnet utility in the closed network, so I can't run a telnet to port 88 on the AD server, but there are no firewalls running on the servers, so communication on port 88 should work fine.
  • 3. Re: Problem with OBIEE/WLS and MS AD Single Sign On configuration
    Haakon Newbie
    SVS,
    you were absolutely right! I did have an error in the krb5.ini file! One of the "L"s in LOCAL was spelt lOCAL, but with my terminal login font I didn't spot it before now!
    I'm now able to reach the AD server, and get a new error:
    Exception: krb_error 31 Integrity check on decrypted field failed (31)
    So I guess there's something wrong with either the WLS generated keytab or my setup on the AD server.

    Regards,
    -Haakon-
