This discussion is archived
1 Reply Latest reply: Jul 10, 2013 4:25 AM by Vijaya Moderator -Oracle RSS

Add MS Active Directory to Weblogic as a security provider

jtyreman Newbie
Currently Being Moderated



I am in the process of trying to add MS Active Directory to my Weblogic setup, i am using version


The steps i have done so far:


i have added a new security provider call MS Active Directory i have added the Principal:


CN=WUK-LDAP,OU=Service Accounts,OU=Service Roles,OU="SomeNameHere",OU=WOS Operating Companies,DC=DS,DC="SomeNameHere",DC=COM


(I have subbed some information out as its sensitive)

The credential which is the password for user WUK-LDAP


the UserBaseDN and GroupBaseDN are the same:


OU="SomeNameHere",OU=WOS Operating Companies,DC=DS,DC="Some Name Here",DC=COM


when i have restarted i get the groups back over 1000+ but no users,

Can anyone suggest why?



  • 1. Re: Add MS Active Directory to Weblogic as a security provider
    Vijaya Moderator -Oracle Expert
    Currently Being Moderated


    Please check if you have followed the below steps to setup and test Microsoft Active Directory with WebLogic Server 11g.

    Active Directory Configuration

    1. Connect to AD box.
    2. Start -> Administrative Tools -> Active Directory Users and Computers.
    3. Expand the Domain Name (example:
    4. Right click on "Users." Choose "New." Choose "User."
    5. First name = adweblogic User logon name = adweblogic. Click next.
    6. Provide a password for the new user. Uncheck everything except for "Password never expires."
    7. Click Finish.
    8. Under "Users" you will now see the user that you created. Right click on it and choose "Add to a group"
    9. Click "Advanced" and then "Find Now"
    10. Choose the "Administrators" group. Click OK. Click OK. Click OK.

    WLS Configuration

    1. Connect to the WLS console as the default Weblogic user
    2. On the left, click on "Security Realms"
    3. Click on "myrealm"
    4. Click on the Providers Tab
    5. Click "New" to create a new Authentication Provider
    6. Give it a name and choose ActiveDirectoryAuthenticator as the type. Click ok.
    7. Under the Providers tab, click on "DefaultAuthenticator". Change the control flag to "Sufficient". Save the changes.
    8. Under the Providers tab, click on the new provider that you created. Change the control flag to "Sufficient". Save the changes.
    9. Click on the "Provider Specific" tab for the new provider you created. Refer to step 3 (domain name) of the AD config steps above as this will directly impact the values for "Principal", "User Base DN", and "Group Base DN". You will fill out the form in a similar manner to this:

      Host: <full hostname for AD box> (if the OS cannot resolve this host, the connection to AD will fail)
      Port: 389
      Principal: CN=Administrator,CN=Users,DC=ad,DC=vm,DC=oracle,DC=com
      Credential: vcap4CEL
      Confirm Credential: vcap4CEL
      SSLEnabled: is not checked
      User Base DN: CN=Users,DC=ad,DC=vm,DC=oracle,DC=com
      All Users Filter: leave it blank
      User From Name Filter: (&(cn=%u)(objectclass=user))
      User Search Scope: subtree
      User Name Attribute: cn
      User Object Class: user
      Use Retrieved User Name as Principal: is not checked
      Group Base DN: CN=Builtin,DC=ad,DC=vm,DC=oracle,DC=com
      All Groups Filter: leave it blank
      Group From Name Filter: (&(cn=%g)(objectclass=group))
      Group Search Scope: subtree
      Group Membership Searching: unlimited
      Max Group Membership Search Level: 0

      Leave all other settings at their defaults. Some of the above settings may already be set as default.

      Save the settings.
    10. In the provider list, reorder the providers so that the AD provider is at the top of the list.
    11. Restart the AdminServer
    12. Login to the WLS console as the adwebogic user (this is the AD user)



    The best way to know whether or not WLS is talking to AD is to login with the default weblogic account and go to the security realm and click on the Users and Groups tab. There should be users and groups listed there that were imported from AD. If those are not there, WLS is not talking to AD. A nice tool to have available while you are doing this testing is this LDAP browser which allows you to connect to AD directly and browse the AD objects. It is a very useful tool. You can download it from



    If the new AD user will be used to perform administrative tasks, the user must be a member of the Administrators group in AD.  See the following WLS documentation.

    Oracle Fusion Middleware Securing Oracle WebLogic Server 11g Release 1 (10.3.3)
    Configuring LDAP Authentication Providers




  • Correct Answers - 10 points
  • Helpful Answers - 5 points