Problems unwrapping SPNEGO token for Single Signon (SSO) in WebLogic Server 8.1.

Nika Gerson Lohman Nika at
Fri Jan 23 20:55:56 GMT 2009

It turned out to be solved by removing the SSOAccount in AD and recreating it (including re-setting the password, which had already been done several times).



From: Nika Gerson Lohman 
Sent: Friday, January 02, 2009 9:04 AM
To: 'samba-technical at'
Subject: Problems unwrapping SPNEGO token for Single Signon (SSO) in WebLogic Server 8.1.

First of all, a quick description of our issue. We've tried many different things, but cannot get WebLogic to unwrap the SPNEGO token so it authenticates using Kerberos. We received several errors while trying to debug, here's the one we see most:

       KDC has no support for encryption type (14)

But we doubt it has anything to do with the encryption type, as these are set correctly everywhere.

We've tried following some of the instructions on the BEA website (which contain several errors). 

One of them was also adding a host/ SPN (in krb5login.conf), but then, when using the HTTP/ SPN, we get the following error (it seems that with multiple SPNs it only takes the first or last SPN that was set):

       Client not found in Kerberos database (6)

Next try was using the host/ SPN but that results in the following error:

       Integrity check on decrypted field failed (31)

We've tried changing the default_*_enctypes in KRB5.INI (We've removed the entries, and also tried only DES_CBC_MD5 and DES_CBC_CRC) but that did not change the behaviour.

We've tried adding the AllowTGTSessionKey registry key on client and server, but that didn't change it either.

We are not sure what details you need for this to debug, so here's what we've done to install the environment (please note that IP addresses, domain, client and server names are made up and are different in real life):

We have two domains: 

Domain1 (DOMAIN1.COM) contains:

       Domain Controller          "AD1"                with IP 
       Domain Controller          "AD2"                with IP
       Client                            "Client1"            with IP

Domain2 (DOMAIN2.COM) contains:

       Domain Controller          "AD3"                with IP
       Server   (WebLogic)        "Server1"           with IP

Between Domain1 and Domain2 a firewall exists in which we've opened the relevant ports like LDAP (TCP 389), Kerberos (UDP 88), WebLogic (7001/7002). We do not see any firewall blocks on other ports.

We've configured AD1 (Microsoft AD with KDC) as follows:

1. Account "SSOAccountAD" created
2. Password never expires
3. DES encryption on
4. Do not require Kerberos preauthentication off
5. Password "Password" was reset several times
6. ServicePrincipalName was set using this
    setspn -A HTTP/Server1.DOMAIN1.COM SSOAccountAD
7. ServicePrincipalName on AD1 was checked (and found to be ok) using this command:
    setspn -L SSOAccountAD
8. KTPass was executed:
    ktpass -princ HTTP/Server1@DOMAIN1.COM -mapuser SSOAccountAD -pass Password
9. User Logon name was checked:
10. ServicePrincipalName on AD2 was checked (and found to be ok) using this command:
    setspn -L SSOAccountAD

We've configured the WebLogic Server (Server1) as follows:

1. LDAP authentication was activated and test ok
2. Single Pass Negotiate Identity Asserter was created with Chosen Type "Authorization"
3. KRB5.INI file was created and added to %windir% (and to the C:\WINNT folder, to be able to test with Java ktab and kinit, which do not look in the %windir% folder):
    # Section headers were lost from the original message and are reconstructed
    # here from the standard krb5.ini layout; the kdc/admin_server values were
    # omitted in the message and are left blank.
    [libdefaults]
    default_realm = DOMAIN1.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false

    [realms]
    DOMAIN1.COM = {
        kdc =
        admin_server =
        default_domain = DOMAIN1.COM
    }

    [domain_realm]
    # the original line was garbled; this is the standard mapping for the realm
    .DOMAIN1.COM = DOMAIN1.COM
    DOMAIN1.COM = DOMAIN1.COM

    [appdefaults]
    autologin = true
    forward = true
    forwardable = true
    encrypt = true
4. We've installed JDK jdk-1_5_0_12-windows-i586-p.exe
5. Keytab File was created (with password "Password"):
    ktab -k SSOKeyTabFile -a HTTP/Server1@DOMAIN1.COM
6. Keytab File and Kerberos communication was tested using:
    kinit -k -t SSOKeyTabFile HTTP/Server1@DOMAIN1.COM
7. Keytab File and Kerberos communication was tested using Java (incl. Debugging):
    java -k -t SSOKeyTabFile HTTP/Server1@DOMAIN1.COM
8. Keytab was listed:
9. SSOKeyTabFile was copied to the WebLogic ProductionDomain folder
10. The krb5login.conf file was created and copied to the WebLogic ProductionDomain folder:
    // The entry names and login module class were lost from the original message.
    // The module is Krb5LoginModule (the only one taking useKeyTab/keyTab/storeKey);
    // the entry names assumed here are the standard JGSS initiator/acceptor names.
    com.sun.security.jgss.initiate {
        com.sun.security.auth.module.Krb5LoginModule required
        principal="HTTP/Server1@DOMAIN1.COM" useKeyTab=true
        keyTab=SSOKeyTabFile storeKey=true debug=true;
    };
    com.sun.security.jgss.accept {
        com.sun.security.auth.module.Krb5LoginModule required
        principal="HTTP/Server1@DOMAIN1.COM" useKeyTab=true
        keyTab=SSOKeyTabFile storeKey=true debug=true;
    };
11. WebLogic service and startWeblogic.cmd were modified with the following parameters:
    <ProductionFolder>\krb5login.conf

For the client pc (Client1) we've checked the browser settings:
       Automatic Logon only in Intranet Zone
            Enable Integrated Windows Authentication

On the client we've used "kerbtray.exe" to see whether a kerberos token is created, and it is (although with the full domain name, HTTP/

We've checked for Kerberos communication with Wireshark and see that the client does communicate, and passes the SPNEGO token to the WebLogic server, but we do not see any Kerberos communication on the WebLogic server. The server simply requests Authorisation again.

If required we have the full wireshark traces of the WebLogic Server and the Client. We also have very detailed WebLogic tracing which I can provide.

Kind Regards,


Nika Gerson Lohman
Senior Software Engineer
Tele'Train Software BV,
Paasheuvelweg 1
1105 BE Amsterdam

+31 (0)20 379 03 52
+31 (0)20 379 03 53
Private Fax:
+31 (0)84 222 49 06
+31 (0)62 040 13 50
nika at
nika at

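An added example, not part of the original message or any WebLogic tooling: a small Python checker that cross-references the three places the service identity appears in a setup like the one above (the SPN registered with setspn, the keytab entries listed by ktab, and the principal= values in krb5login.conf) and reports mismatches such as a short host name in the keytab versus an FQDN SPN in AD, or a principal string padded with whitespace. The three inputs are constructed samples modelled on that setup, and the assumed output layouts of setspn -L and ktab -l are approximations.

```python
import re

# Constructed sample inputs modelled on the message above; not real command output.
SETSPN_L = """Registered ServicePrincipalNames for CN=SSOAccountAD,CN=Users,DC=DOMAIN1,DC=COM:
    HTTP/Server1.DOMAIN1.COM
"""
KTAB_L = """KVNO    Principal
----    ------------------------
   3    HTTP/Server1@DOMAIN1.COM
"""
KRB5LOGIN_CONF = """com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    principal=" HTTP/Server1@DOMAIN1.COM " useKeyTab=true
    keyTab=SSOKeyTabFile storeKey=true debug=true;
};
"""

def parse_spns(setspn_output):
    """'setspn -L' prints one indented SPN (service/host, no realm) per line."""
    return [l.strip() for l in setspn_output.splitlines() if l[:1] in (" ", "\t")]

def parse_keytab_principals(ktab_output):
    """'ktab -l' prints KVNO and principal per entry; keep the principal token."""
    return [t for l in ktab_output.splitlines() for t in l.split() if "@" in t]

def parse_jaas_principals(conf):
    """Raw principal="..." values, whitespace preserved so padding can be detected."""
    return re.findall(r'principal\s*=\s*"([^"]*)"', conf)

def check_consistency(spns, keytab_principals, jaas_principals):
    """Return human-readable findings; an empty list means the three sources agree."""
    findings = []
    spn_lc = {s.lower() for s in spns}
    for kp in keytab_principals:
        name = kp.partition("@")[0]            # service/host without the realm
        if name.lower() in spn_lc:
            continue
        svc, _, host = name.partition("/")
        fqdn = [s for s in spns if s.lower().startswith(f"{svc}/{host}.".lower())]
        if fqdn:
            findings.append(f"keytab entry {kp} uses the short host name but AD registers "
                            f"{fqdn[0]}; the client asks for the name it resolved the URL to")
        else:
            findings.append(f"keytab entry {kp} has no matching SPN registered in AD")
    for raw in jaas_principals:
        stripped = raw.strip()
        if raw != stripped:
            findings.append(f'JAAS principal "{raw}" is padded with whitespace; '
                            "Krb5LoginModule uses the value verbatim for the keytab lookup")
        if stripped not in keytab_principals:
            findings.append(f"JAAS principal {stripped} is not present in the keytab")
    return findings
```

Run it against the real outputs of setspn -L and ktab -l on the server to confirm that every principal the asserter will use has a keytab entry and an SPN that matches the name the browser requests.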