Problems unwrapping SPNEGO token for Single Signon (SSO) in WebLogic Server 8.1.

Nika Gerson Lohman Nika at teletrain.nl
Fri Jan 2 08:04:14 GMT 2009


First of all, a quick description of our issue. We've tried many different things, but cannot get WebLogic to unwrap the SPNEGO token so it authenticates using Kerberos. We received several errors while trying to debug; here's the one we see most:

KDC has no support for encryption type (14)

But we doubt it has anything to do with the encryption type, as these are set correctly everywhere.

We've tried following some of the instructions on the BEA website (which contain several errors).

One of them was also adding a host/ SPN (in krb5login.conf), but then, when using the HTTP/ SPN, we get the following error (it seems that with multiple SPNs it only takes the first or last SPN that was set):

Client not found in Kerberos database (6)

Next try was using the host/ SPN but that results in the following error:

Integrity check on decrypted field failed (31)

We've tried changing the default_*_enctypes in KRB5.INI (we've removed the entries, and also tried only DES_CBC_MD5 and DES_CBC_CRC) but that did not change the behaviour.

We've tried adding the AllowTGTSessionKey registry key on client and server, but that didn't change it either.

We are not sure what details you need to debug this, so here's what we've done to install the environment (please note that IP addresses, domain, client and server names are made up and are different in real life).

We have two domains:

Domain1 (DOMAIN1.COM) contains:

Domain Controller    "AD1"       with IP 192.168.0.1
Domain Controller    "AD2"       with IP 192.168.1.1
Client               "Client1"   with IP 192.168.2.1

Domain2 (DOMAIN2.COM) contains:

Domain Controller    "AD3"       with IP 10.0.0.1
Server (WebLogic)    "Server1"   with IP 10.0.1.2

Between Domain1 and Domain2 a firewall exists in which we've opened the relevant ports like LDAP (TCP 389), Kerberos (UDP 88), WebLogic (7001/7002). We do not see any firewall blocks on other ports...

We've configured AD1 (Microsoft AD with KDC) as follows:


 1.  Account "SSOAccountAD" created
 2.  Password never expires
 3.  DES encryption on
 4.  Do not require Kerberos preauthentication off
 5.  Password "Password" was reset several times
 6.  ServicePrincipalName was set using this:

         setspn -A HTTP/Server1.DOMAIN1.COM SSOAccountAD

 7.  ServicePrincipalName on AD1 was checked (and found to be ok) using this command:

         setspn -L SSOAccountAD

 8.  KTPass was executed:

         ktpass -princ HTTP/Server1@DOMAIN1.COM -mapuser SSOAccountAD -pass Password

 9.  User Logon name was checked:

         HTTP/Server1

 10. ServicePrincipalName on AD2 was checked (and found to be ok) using this command:

         setspn -L SSOAccountAD

We've configured the WebLogic Server (Server1) as follows:


 1.  LDAP authentication was activated and test ok
 2.  Single Pass Negotiate Identity Asserter was created with Chosen Type "Authorization"
 3.  KRB5.INI file was created and added to %windir% (and C:\WINNT folder to be able to test with Java ktab and kinit which do not look in the %windir% folder):

         [libdefaults]
         default_realm = DOMAIN1.COM
         dns_lookup_realm = false
         dns_lookup_kdc = false
         default_tkt_enctypes=DES-CBC-CRC
         default_tgs_enctypes=DES-CBC-CRC

         [realms]
         DOMAIN1.COM = {
         kdc = 192.168.0.1
         admin_server = 192.168.0.1
         default_domain = DOMAIN1.COM
         }

         [domain_realm]
         .domain1.com = DOMAIN1.COM
         domain1.com = DOMAIN1.COM

         [appdefaults]
         autologin = true
         forward = true
         forwardable = true
         encrypt = true

 4.  We've installed JDK 1.5.0.12: jdk-1_5_0_12-windows-i586-p.exe
 5.  Keytab File was created (with password "Password"):

         ktab -k SSOKeyTabFile -a HTTP/Server1@DOMAIN1.COM

 6.  Keytab File and Kerberos communication was tested using:

         kinit -k -t SSOKeyTabFile HTTP/Server1@DOMAIN1.COM

 7.  Keytab File and Kerberos communication was tested using Java (incl. Debugging):

         java -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit -k -t SSOKeyTabFile HTTP/Server1@DOMAIN1.COM

 8.  Keytab was listed:

         java -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Klist

 9.  SSOKeyTabFile was copied to the WebLogic ProductionDomain folder
 10. The krb5login.conf file was created and copied to the WebLogic ProductionDomain folder:

         com.sun.security.jgss.initiate {

              com.sun.security.auth.module.Krb5LoginModule required
              principal="HTTP/Server1@DOMAIN1.COM" useKeyTab=true
              keyTab=SSOKeyTabFile storeKey=true debug=true;
         };

         com.sun.security.jgss.accept {

              com.sun.security.auth.module.Krb5LoginModule required
              principal=" HTTP/Server1@DOMAIN1.COM " useKeyTab=true
              keyTab=SSOKeyTabFile storeKey=true debug=true;
         };

 11. WebLogic service and startWeblogic.cmd were modified with the following parameters:

         -Djava.security.krb5.realm=DOMAIN1.COM
         -Djava.security.krb5.kdc=192.168.0.1
         -Djava.security.auth.login.config=<ProductionFolder>\krb5login.conf
         -Djavax.security.auth.useSubjectCredsOnly=false
         -Dweblogic.security.enableNegotiate=true
         -DDebugSecurityAdjudicator=true
         -Dweblogic.debug.DebugSecurityAtn=true
         -Dweblogic.debug.DebugSecurityAtz=true
         -Dweblogic.Debug.DebugSecurityATN=true
         -Dweblogic.StdoutSeverityLevel=64
         -Dweblogic.StdoutDebugEnabled=true

For the client pc (Client1) we've checked the browser settings:

    Automatic Logon only in Intranet Zone
    Enable Integrated Windows Authentication

On the client we've used "kerbtray.exe" to see whether a Kerberos token is created, and it is (although with the full domain name, HTTP/Server1.domain1.com).

We've checked for Kerberos communication with Wireshark and see that the client does communicate, and passes the SPNEGO token to the WebLogic server, but we do not see any Kerberos communication on the WebLogic server. The server simply requests Authorisation again...

If required, we have the full Wireshark traces of the WebLogic Server and the Client. We also have very detailed WebLogic tracing which I can provide.

Kind Regards,

Nika.

Nika Gerson Lohman
Senior Software Engineer

Tele'Train Software BV, http://www.teletrain.nl
Paasheuvelweg 1
1105 BE Amsterdam

Telephone:    +31 (0)20 379 03 52
Fax:          +31 (0)20 379 03 53
Private Fax:  +31 (0)84 222 49 06
Mobile:       +31 (0)62 040 13 50
E-Mail:       nika at teletrain.nl
MSN:          nika at teletrain.nl
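
Added example, not part of the original post: a Python lint that parses the two JAAS entries quoted in the message and compares their principal against the SPN registered with setspn, the service name kerbtray showed on the client, and the default realm. The function names and the case-insensitive name comparison are assumptions of this example; the input strings are taken from the post with "@" restored.

```python
import re

# Constructed input: the two JAAS entries from the post, "@" restored.
JAAS = '''
com.sun.security.jgss.initiate {
     com.sun.security.auth.module.Krb5LoginModule required
     principal="HTTP/Server1@DOMAIN1.COM" useKeyTab=true
     keyTab=SSOKeyTabFile storeKey=true debug=true;
};
com.sun.security.jgss.accept {
     com.sun.security.auth.module.Krb5LoginModule required
     principal=" HTTP/Server1@DOMAIN1.COM " useKeyTab=true
     keyTab=SSOKeyTabFile storeKey=true debug=true;
};
'''

def jaas_principals(text):
    """Map each JAAS entry name to the raw principal string it configures."""
    out = {}
    for name, body in re.findall(r'([\w.]+)\s*\{(.*?)\};', text, re.S):
        m = re.search(r'principal\s*=\s*"([^"]*)"', body)
        if m:
            out[name] = m.group(1)   # keep whitespace so it can be reported
    return out

def lint(jaas_text, registered_spn, ticket_spn, default_realm):
    """Return (entry, kind, detail) tuples for every inconsistency found."""
    findings = []
    for entry, raw in jaas_principals(jaas_text).items():
        if raw != raw.strip():
            findings.append((entry, "whitespace", repr(raw)))
        name, _, realm = raw.strip().partition("@")
        if realm != default_realm:
            findings.append((entry, "realm", realm))
        # Assumption: names are compared ignoring case, so only a short
        # name versus a fully qualified name is reported as a difference.
        for label, spn in (("setspn", registered_spn), ("ticket", ticket_spn)):
            if name.lower() != spn.lower():
                findings.append((entry, "name-vs-" + label, f"{name} != {spn}"))
    return findings

if __name__ == "__main__":
    # Values as given in the post: setspn -A argument, kerbtray ticket name,
    # and default_realm from KRB5.INI.
    for finding in lint(JAAS, "HTTP/Server1.DOMAIN1.COM",
                        "HTTP/Server1.domain1.com", "DOMAIN1.COM"):
        print(finding)
```
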




