7 Replies Latest reply on Feb 23, 2010 9:02 AM by sandeep_singh

    Weblogic SSO with AD - My Try - What's wrong?

    685111
      Dear All

      I'm trying to set up WebLogic to authenticate using AD and have SSO with a Windows workstation (joined to the domain).

      I just set up an Active Directory (Win2K3), a Windows XP (SP2) and a Linux system (CentOS 5) with WebLogic 10.3.

      I'm wondering what is wrong with my configuration. I can only log on to the Administration Console using WebLogic's local users, and even when entering a username (one created in AD) and password, AD authentication does not work.

      Does anyone have similar experience or any clue?

      Appreciated
      TIA
      Cheers

      Here is the setup:
      -----

      The domain is example.com and the machines are: dc.example.com (AD), winclient.example.com (Windows XP joined to the example.com domain) and weblogic.example.com (CentOS with WebLogic 10.3 installed).
      The hosts file on all three machines is filled with their FQDN, machine name and corresponding IP addresses. Ping works successfully between each pair of them. Firewalls are checked to be off.

      These are the steps I went through, based on documentation I could find on the net:

      h1. 0. Configuring Your Network Domain to Use Kerberos

      On the Linux machine (WebLogic server), edit the Kerberos configuration file with the appropriate values:

      */etc/krb5.conf*
      -----
      [logging]
      default = FILE:/var/log/krb5libs.log
      kdc = FILE:/var/log/krb5kdc.log
      admin_server = FILE:/var/log/kadmind.log

      [libdefaults]
      default_realm = EXAMPLE.COM
      default_tkt_enctypes = des-cbc-crc
      default_tgs_enctypes = des-cbc-crc
      dns_lookup_realm = false
      dns_lookup_kdc = false
      ticket_lifetime = 28800
      forwardable = yes

      [realms]
      EXAMPLE.COM = {
      kdc = 192.168.1.193:88
      admin_server = dc
      default_domain = EXAMPLE.COM
      }

      [domain_realm]
      .example.com = EXAMPLE.COM
      example.com = EXAMPLE.COM

      [kdc]
      profile = /var/kerberos/krb5kdc/kdc.conf

      [appdefaults]
      autologin = true
      forward = true
      forwardable = true
      encrypt = true
      pkinit = {
      allow_pkinit = false
      }
      -----

      h1. 1. Create two users on AD: "New->User" with the "User must change password at next logon" option cleared (not ticked)
      weblogic (for the WebLogic service) (with password = "password1")
      weblogicusr (the user which should access the WebLogic Administration Console) ("password2")

      * Note that the group membership of these two users is left at the default (Domain Users).

      h1. 2. For the "weblogic" & "weblogicusr" users set these Account Options:
      - Use DES encryption types for this account (ticked)
      - Do not require Kerberos preauthentication (cleared)

      * then reset the password again for "weblogic" (with password = "password1") and "weblogicusr" (with "password2").

      h1. 3. Create Service Principal Names for Weblogic Server and User on Win2K3 machine:
      - >setspn -a host/weblogic.example.com weblogic
      - >setspn -a HTTP/weblogic.example.com weblogic

      here is the result
      -----
      C:\Documents and Settings\Administrator.DC>setspn -L weblogic
      Registered ServicePrincipalNames for CN=weblogic,CN=Users,DC=example,DC=com:

      HTTP/weblogic
      host/weblogic
      HTTP/weblogic.example.com
      host/weblogic.example.com
      -----

      and

      - >setspn -a HTTP/weblogic.example.com weblogicusr

      and the result
      -----
      C:\Documents and Settings\Administrator.DC>setspn -L weblogicusr
      Registered ServicePrincipalNames for CN=Weblogic User,CN=Users,DC=example,DC=com:

      HTTP/weblogicsrv.example.com
      HTTP/weblogicsrv
      -----

      h1. 4. Create the keytab file for Weblogic Server:
      On AD machine issue:
      (ktpass from MS Windows Support Tools)
      >ktpass -princ host/weblogic@EXAMPLE.COM -pass password1 -mapuser weblogic -out c:\temp\weblogic.host.keytab
      >ktpass -princ HTTP/weblogic@EXAMPLE.COM -pass password1 -mapuser weblogic -out c:\temp\weblogic.HTTP.keytab

      (ktab from JRE 6)
      >ktab -k c:\temp\weblogic.keytab -a weblogic@EXAMPLE.COM
      Password for weblogic@EXAMPLE.COM:*password1*
      Done!
      Service key for weblogic@EXAMPLE.COM is saved in c:\temp\weblogic.keytab

      ** Note: I could not kinit successfully with only weblogic.host.keytab and/or weblogic.HTTP.keytab; I got this error: +"Key table entry not found while getting initial credentials"+. However, the keytab I created using ktab ("weblogic.keytab") works fine in this case, so I decided to merge all three of them into one keytab.
      >[root@weblogic keytabs]# kinit -k -t weblogic.host.keytab weblogic@EXAMPLE.COM
      >kinit(v5): Key table entry not found while getting initial credentials

      h1. 5. Port and Merge keytabs
      Then I ported these three files to the Linux Machine(weblogic.example.com): weblogic.host.keytab, weblogic.HTTP.keytab and weblogic.keytab
      and merged into one keytab:

      ktutil: "rkt weblogic.host.keytab"
      ktutil: "rkt weblogic.HTTP.keytab"
      ktutil: "rkt weblogic.keytab"
      ktutil: "wkt weblogic-keytab"
      ktutil: "q"

      * then put the resulting keytab "weblogic-keytab" somewhere in the WebLogic path:
      >/root/bea/user_projects/domains/base_domain/kerberos


      h2. 5.1 Test the keytab and kerberos configuration

      >[root@weblogic keytabs]# kinit -k -t weblogic-keytab weblogic@EXAMPLE.COM
      >[root@weblogic keytabs]# klist
      >Ticket cache: FILE:/tmp/krb5cc_0
      >Default principal: weblogic@EXAMPLE.COM
      >
      >Valid starting     Expires            Service principal
      >09/04/09 16:16:42  09/05/09 00:16:42  krbtgt/EXAMPLE.COM@EXAMPLE.COM
      >
      >Kerberos 4 ticket cache: /tmp/tkt0
      >klist: You have no tickets cached

      h1. 6. Creating a JAAS Login File
      Create krb5Login.conf and put it in here: "/root/bea/user_projects/domains/base_domain/kerberos/"

      krb5Login.conf
      -----
      com.sun.security.jgss.initiate {
      com.sun.security.auth.module.Krb5LoginModule required
      principal="weblogic@EXAMPLE.COM"
      useKeyTab=true
      keyTab="/root/bea/user_projects/domains/base_domain/kerberos/weblogic-keytab"
      storeKey=true;
      };

      com.sun.security.jgss.accept {
      com.sun.security.auth.module.Krb5LoginModule required
      principal="weblogic@EXAMPLE.COM"
      useKeyTab=true
      keyTab="/root/bea/user_projects/domains/base_domain/kerberos/weblogic-keytab"
      storeKey=true;
      };
      -----

      h1. 7. Modify startup options

      add these options to "/root/bea/user_projects/domains/base_domain/bin/startWebLogic.sh"
      h2. 7.1 Kerberos
      -Djava.security.krb5.realm=EXAMPLE.COM
      -Djava.security.krb5.kdc=dc.example.com
      -Djava.security.auth.login.config=$PATHTOKRB/krb5Login.conf
      -Djavax.security.auth.useSubjectCredsOnly=false
      -Dweblogic.security.enableNegotiate=true
      h2. 7.2 Debug
      -DDebugSecurityAdjudicator=true
      -Dweblogic.debug.DebugSecurityAtn=true
      -Dsun.security.krb5.debug=true
      -Dweblogic.StdoutDebugEnabled=true
      -Dweblogic.log.StdoutSeverity=Debug
      h1. 8. Configuring the Identity Assertion Provider

      In the WebLogic Administration Console I created a Security Realm called "example.com" with everything default and made it the default realm. Then I restarted the WebLogic Server.
      Again in the Administration Console I did this to the example.com Security Realm:

      h2. 8.1 -> Providers: Add 3 Providers
      Negotiate   WebLogic Negotiate Identity Assertion provider   1.0
      DIA         WebLogic Identity Assertion provider             1.0
      AD          Provider that performs LDAP authentication       1.0 (Active Directory provider)
      Default     WebLogic Authentication Provider                 1.0

      h2. 8.2 -> Change the default parameters

      h3. 8.2.1 Negotiate     WebLogic Negotiate Identity Assertion provider
      -> Base64 Decoding Required: false (No Change, but shouldn't it be true and how to change?)
      -> Form Based Negotiation Enabled: Removed the tick

      h3. 8.2.2 DIA     WebLogic Identity Assertion provider
      (no changes)

      h3. 8.2.3 AD     Provider that performs LDAP authentication (Active Directory provider)
      -> Control Flag: *SUFFICIENT*
      -> User Name Attribute: *sAMAccountName*
      -> Principal: *HTTP/weblogic@EXAMPLE.COM*
      -> Host: *192.168.1.193*
      -> User Base DN: *CN=Users,DC=example,dc=com*
      -> Propagate Cause For Login Exception: *ticked*
      -> Group Base DN: *CN=Users,DC=example,dc=com*

      -> Credential: *password1*

      * others left with their default values.

      h1. 9. Configuring an Internet Explorer Browser

      On Windows XP machine (winclient.example.com):

      h2. 9.1 Configure Local Intranet Domains

      - In Internet Explorer, Tools > Internet Options -> the Security tab -> Local intranet -> Sites:
      > "Include all sites that bypass the proxy server" *ticked*
      > "Include all local (intranet) sites not listed in other zones" *ticked*

      - then in -> Advanced Dialog Box added this:
      > weblogic.example.com

      h2. 9.2 Configure Intranet Authentication

      - In Internet Explorer, Tools > Internet Options -> the Security tab -> Local intranet -> Custom Level:
      > In the Security Settings dialog box -> the User Authentication section.
      > "Automatic logon only in Intranet zone" *ticked*

      h2. 9.3 The Proxy Settings

      No proxies are enabled

      h2. 9.4 Enable Integrated Windows Authentication
      - In Internet Explorer, Tools > Internet Options -> Advanced tab -> Security section:
      > "Enable Integrated Windows Authentication" *ticked* by default

      Edited by: Mehdi Sarmadi on Sep 4, 2009 5:51 AM
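The steps above tie three things together that must agree with each other: the enctypes in krb5.conf, the SPNs registered in AD, and the principals present in the keytab the JAAS configuration points at. The following script is an added example (it is not the poster's code nor anything from Oracle) that performs those consistency checks statically. Its inputs are constructed from the values given in the post: the krb5.conf fragment (reproduced with its misspelled `des_cbc_crc` line), the `setspn -L` listings, and the principals that `ktpass`/`ktab` wrote into the merged keytab. The function names, the list of known enctypes, and the choice of which enctypes count as weak are my own.

```python
"""Static consistency checks for a WebLogic/AD Kerberos SSO setup.

Added example; not code from the thread or from Oracle. All inputs are
constructed from values the post gives and mean nothing outside it.
"""
import re

# Constructed: the [libdefaults]/[realms] part of the poster's krb5.conf,
# including the misspelled enctype on the tgs line.
KRB5_CONF = """\
[libdefaults]
default_realm = EXAMPLE.COM
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des_cbc_crc
dns_lookup_kdc = false

[realms]
EXAMPLE.COM = {
  kdc = 192.168.1.193:88
  admin_server = dc
}
"""

# Constructed: SPNs per AD account, as the poster's `setspn -L` output lists them.
SPN_BY_ACCOUNT = {
    "weblogic": ["HTTP/weblogic", "host/weblogic",
                 "HTTP/weblogic.example.com", "host/weblogic.example.com"],
    "weblogicusr": ["HTTP/weblogicsrv.example.com", "HTTP/weblogicsrv"],
}
# Constructed: principals in the merged keytab. ktpass was run for the short
# host/ and HTTP/ names only; ktab added the bare user principal.
KEYTAB_PRINCIPALS = ["host/weblogic@EXAMPLE.COM", "HTTP/weblogic@EXAMPLE.COM",
                     "weblogic@EXAMPLE.COM"]

KNOWN_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des3-cbc-sha1",
                  "arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac", "aes128-cts",
                  "aes256-cts", "aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96"}
# Single DES is broken and RC4 is deprecated; current KDCs and JDKs refuse them by default.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4",
                 "arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac"}


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value or {subkey: value}}}.
    Handles the one level of `name = { ... }` nesting used under [realms]."""
    sections, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section, sub = sections.setdefault(header.group(1), {}), None
            continue
        if section is None:
            raise ValueError(f"key outside any section: {line!r}")
        if line == "}":
            sub = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            sub = section.setdefault(key, {})
            continue
        (sub if sub is not None else section)[key] = value
    return sections


def check_enctypes(conf):
    """Flag enctype names that are misspelled or cryptographically weak."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        for name in libdefaults.get(key, "").split():
            if name not in KNOWN_ENCTYPES:
                findings.append(f"{key}: '{name}' is not a valid enctype name (typo?)")
            elif name in WEAK_ENCTYPES:
                findings.append(f"{key}: '{name}' is a weak enctype")
    return findings


def check_duplicate_spns(spn_by_account):
    """An SPN held by two accounts is ambiguous and the KDC will not issue a
    service ticket for it. AD compares SPNs case-insensitively."""
    owners = {}
    for account, spns in spn_by_account.items():
        for spn in spns:
            owners.setdefault(spn.lower(), set()).add(account)
    return [f"SPN {spn} is registered on several accounts: {sorted(accts)}"
            for spn, accts in sorted(owners.items()) if len(accts) > 1]


def check_keytab_has_http_spn(keytab_principals, fqdn, realm):
    """A browser asks the KDC for a ticket to HTTP/<host in the URL>, so the
    keytab must hold a key for exactly that principal or SSO cannot work."""
    wanted = f"HTTP/{fqdn}@{realm}"
    if wanted in keytab_principals:
        return []
    return [f"keytab has no key for {wanted}; tickets for http(s)://{fqdn}/ cannot be decrypted"]


def audit(conf_text=KRB5_CONF, spns=SPN_BY_ACCOUNT, keytab=KEYTAB_PRINCIPALS,
          fqdn="weblogic.example.com"):
    """Run every check and return the combined list of findings."""
    conf = parse_krb5_conf(conf_text)
    realm = conf["libdefaults"]["default_realm"]
    return (check_enctypes(conf) + check_duplicate_spns(spns)
            + check_keytab_has_http_spn(keytab, fqdn, realm))


if __name__ == "__main__":
    for finding in audit():
        print("-", finding)
```

Run against the values from the post, `audit()` reports three findings: the DES enctype on the tkt line, the unparseable `des_cbc_crc` on the tgs line, and the absence of an `HTTP/weblogic.example.com@EXAMPLE.COM` key in the merged keytab. The duplicate-SPN check returns nothing for this setup because the second `setspn` landed on `weblogicsrv` rather than `weblogic`; it is there because registering one HTTP/ SPN on two accounts is the most common way to break Negotiate silently.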
        • 1. Re: Weblogic SSO with AD - My Try - What's wrong?
          685111
          I found something in the log file:

          <Sep 4, 2009 6:17:39 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <LDAP Atn Login username: weblogicusr>
          <Sep 4, 2009 6:17:39 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <new LDAP connection to host 192.168.1.193 port 389 use local connection is false>
          <Sep 4, 2009 6:17:39 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <created new LDAP connection LDAPConnection { ldapVersion:2 bindDN:""}>
          <Sep 4, 2009 6:17:39 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <connection failed netscape.ldap.LDAPException: error result (49); 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece^@>
          <Sep 4, 2009 6:17:39 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <[Security:090294]could not get connection>

          According to this post: Re: WL10.3 and SSO and Active Directory

          a correct ldap connection should look like this:

          <LDAP Atn Login username: Administrator>
          <userExists? user:Administrator>
          <new LDAP connection to host 10.10.0.254 port 389 use local connection is false>
          <created new LDAP connection LDAPConnection { ldapVersion:2 bindDN:""}>
          <connection succeeded>
          *<getConnection return conn:LDAPConnection {ldaps://10.10.0.254:389 ldapVersion:3 bindDN:"HTTP/thehost@DOMAIN.LOCAL"}>
          <getDNForUser search("CN=Users,DC=DOMAIN,dc=local", "(&(&(cn=Administrator)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>xist>*



          Moreover, I turned on AD's debug logging, and this is what happens when I try to log in with an AD user. Why "Anonymous Logon"?!

          Event Type:     Information
          Event Source:     NTDS LDAP
          Event Category:     LDAP Interface
          Event ID:     1535
          Date:          9/4/2009
          Time:          6:47:07 PM
          User:          NT AUTHORITY\ANONYMOUS LOGON
          Computer:     DC
          Description:
          Internal event: The LDAP server returned an error.

          Additional Data
          Error value:
          80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece





          Any help would be greatly appreciated
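The LDAP failure quoted in this reply carries more information than the bare result code 49: AD appends a sub-code after `data` in the `AcceptSecurityContext` comment, and that sub-code separates an unknown bind identity (`525`) from a wrong password (`52e`), a locked account (`775`) and the other logon-denied cases. The script below is an added example, not the poster's or Oracle's code; it parses the SecurityAtn debug lines from this reply (copied with the wrapped lines rejoined), extracts the user, the LDAP host/port and the sub-code, and maps the sub-code to its documented meaning. The function name and the dictionary of sub-codes are mine.

```python
"""Decode an AD simple-bind failure from WebLogic SecurityAtn debug output.

Added example; not code from the thread or from Oracle.
"""
import re

# AD sub-codes that follow "AcceptSecurityContext error, data" when an LDAP
# bind fails with result 49 (invalidCredentials). Documented Windows values.
AD_BIND_SUBCODES = {
    "525": "user not found: the bind identity does not resolve to an account",
    "52e": "invalid credentials: the account exists but the password is wrong",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# The lines quoted in the reply above, rejoined where the forum wrapped them.
SAMPLE_LOG = """\
<Sep 4, 2009 6:17:39 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <LDAP Atn Login username: weblogicusr>
<Sep 4, 2009 6:17:39 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <new LDAP connection to host 192.168.1.193 port 389 use local connection is false>
<Sep 4, 2009 6:17:39 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <created new LDAP connection LDAPConnection { ldapVersion:2 bindDN:""}>
<Sep 4, 2009 6:17:39 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <connection failed netscape.ldap.LDAPException: error result (49); 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece>
<Sep 4, 2009 6:17:39 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <[Security:090294]could not get connection>
"""

USER_RE = re.compile(r"LDAP Atn Login username: (\S+)>")
CONN_RE = re.compile(r"new LDAP connection to host (\S+) port (\d+)")
FAIL_RE = re.compile(
    r"error result \((\d+)\);.*?AcceptSecurityContext error, data ([0-9a-fA-F]+),")


def analyze_bind_failure(log_text):
    """Summarise the first failed LDAP bind in the log; None if no bind failed.

    Returns a dict with the user WebLogic was trying to authenticate, the
    directory host and port, the LDAP result code, the AD sub-code and its
    meaning, plus whether the connection went to the plaintext port.
    """
    summary = {"user": None, "host": None, "port": None, "cleartext_port": None,
               "result_code": None, "data": None, "meaning": None}
    for line in log_text.splitlines():
        if m := USER_RE.search(line):
            summary["user"] = m.group(1)
        elif m := CONN_RE.search(line):
            summary["host"], summary["port"] = m.group(1), int(m.group(2))
            # 389 is the plaintext LDAP port: unless StartTLS is negotiated, the
            # provider's bind password crosses the network unencrypted.
            summary["cleartext_port"] = summary["port"] == 389
        elif m := FAIL_RE.search(line):
            data = m.group(2).lower()
            summary["result_code"] = m.group(1)
            summary["data"] = data
            summary["meaning"] = AD_BIND_SUBCODES.get(data, "unknown sub-code")
            return summary
    return None


if __name__ == "__main__":
    result = analyze_bind_failure(SAMPLE_LOG)
    for key, value in result.items():
        print(f"{key:14} {value}")
```

For the lines in this reply the result is sub-code `525`, i.e. the directory could not find an account for the identity WebLogic bound with, which is a different failure from a rejected password. The `cleartext_port` flag is a reminder that the provider's bind credential, whatever it turns out to be, is being sent over port 389; LDAP over TLS (port 636) keeps it off the wire.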
          • 2. Re: Weblogic SSO with AD - My Try - What's wrong?
            685111
            Now I'm one step closer. I just updated /root/bea/wlserver_10.3/server/lib/consoleapp/webapp/WEB-INF/web.xml to have BASIC authentication like this:

            <login-config>
            <auth-method>BASIC</auth-method>
            <form-login-config>
            <form-login-page>/login/LoginForm.jsp</form-login-page>
            <form-error-page>/login/LoginError.jsp</form-error-page>
            </form-login-config>
            </login-config>

            Now I can see something in the log file:

            <Sep 5, 2009 12:56:36 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle got username from callbacks[0], UserName=weblogicusr>
            <Sep 5, 2009 12:56:36 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <LDAP Atn Login username: weblogicusr>
            <Sep 5, 2009 12:56:36 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <getConnection return conn:LDAPConnection { ldapVersion:2 bindDN:""}>
            <Sep 5, 2009 12:56:36 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <authenticate user:weblogicusr>
            <Sep 5, 2009 12:56:36 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <getDNForUser search("ou=people,ou=myrealm,dc=base_domain", "(&(uid=weblogicusr)(objectclass=person))", base DN & below)>
            <Sep 5, 2009 12:56:36 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <getDNForUser search("ou=people,ou=myrealm,dc=base_domain", "(&(uid=weblogicusr)(objectclass=person))", base DN & below)>
            <Sep 5, 2009 12:56:36 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <returnConnection conn:LDAPConnection { ldapVersion:2 bindDN:""}>
            <Sep 5, 2009 12:56:36 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <[Security:090302]Authentication Failed: User weblogicusr denied>
            <Sep 5, 2009 12:56:36 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize LoginModuleClassName=weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl>

            But still no trace of Kerberos authentication...

            Any kind of help or directions would be appreciated
            TIA
            Cheers
            • 3. Re: Weblogic SSO with AD - My Try - What's wrong?
              711406
              Are you still working on this?

              Do you see users in the weblogic console from AD?
              • 4. Re: Weblogic SSO with AD - My Try - What's wrong?
                418631
                Try the PAM (Pluggable Authentication Modules) approach provided by RHEL 5.0.
                • 5. Re: Weblogic SSO with AD - My Try - What's wrong?
                  694993
                  Mehdi, have you solved the problem in this topic? I have the same problem on a similar configuration with CentOS 64-bit and WebLogic 10.3.

                  Kerberos with apache + php on this machine works fine...
                  • 6. Re: Weblogic SSO with AD - My Try - What's wrong?
                    Faisal WebLogic Wonders
                    Andrey, are you facing the same LDAP exception?

                    <connection failed netscape.ldap.LDAPException: error result (49);

                    The above exception is encountered when the password provided for the principal is incorrect.

                    If you are facing a different issue or have some other query, kindly post another question in this forum.
                    • 7. Re: Weblogic SSO with AD - My Try - What's wrong?
                      sandeep_singh
                      Hi,

                      If you are just trying to log in to the WLS admin console using the user created in AD, then using BASIC as the authentication mechanism will work.

                      However, if you are trying to use Kerberos authentication, then the web.xml file should have CLIENT-CERT as the authentication type.

                      Hope this helps.

                      Thanks,
                      Sandeep