First of all, a quick description of our issue. We've tried many different things, but cannot get WebLogic to unwrap the SPNEGO token so it authenticates using Kerberos. We received several errors while trying to debug; here's the one we see most:

    KDC has no support for encryption type (14)

But we doubt it has anything to do with the encryption type, as these are set correctly everywhere. We've tried following some of the instructions on the BEA website (which contain several errors). One of them was also adding a host/ SPN (in krb5login.conf), but then, when using the HTTP/ SPN, we get the following error (it seems with multiple SPNs it only takes the first or last SPN that was set):

    Client not found in Kerberos database (6)

Next try was using the host/ SPN, but that results in the following error:

    Integrity check on decrypted field failed (31)

We've tried changing the default_*_enctypes in KRB5.INI (we've removed the entries, and also tried only DES_CBC_MD5 and DES_CBC_CRC), but that did not change the behaviour. We've tried adding the AllowTGTSessionKey registry key on client and server, but that didn't change it either.

We are not sure what details you need to debug this, so here's what we've done to install the environment (please note that IP addresses, domain, client and server names are made up and are different in real life).

We have two domains:

Domain1 (DOMAIN1.COM) contains:
  - Domain Controller "AD1" with IP 192.168.0.1
  - Domain Controller "AD2" with IP 192.168.1.1
  - Client "Client1" with IP 192.168.2.1

Domain2 (DOMAIN2.COM) contains:
  - Domain Controller "AD3" with IP 10.0.0.1
  - Server (WebLogic) "Server1" with IP 10.0.1.2

Between Domain1 and Domain2 a firewall exists in which we've opened the relevant ports like LDAP (TCP 389), Kerberos (UDP 88) and WebLogic (7001/7002). We do not see any firewall blocks on other ports...

We've configured AD1 (Microsoft AD with KDC) as follows:

 1. Account "SSOAccountAD" created
 2. Password never expires
 3. DES encryption on
 4. Do not require Kerberos preauthentication off
 5. Password "Password" was reset several times
 6. ServicePrincipalName was set using this command:
        setspn -A HTTP/Server1.DOMAIN1.COM SSOAccountAD
 7. ServicePrincipalName on AD1 was checked (and found to be ok) using this command:
        setspn -L SSOAccountAD
 8. KTPass was executed:
        ktpass -princ HTTP/serv...@domain1.com -mapuser SSOAccountAD -pass Password
 9. User Logon name was checked: HTTP/Server1
10. ServicePrincipalName on AD2 was checked (and found to be ok) using this command:
        setspn -L SSOAccountAD

We've configured the WebLogic Server (Server1) as follows:

 1. LDAP authentication was activated and tested ok
 2. Single Pass Negotiate Identity Asserter was created with Chosen Type "Authorization"
 3. KRB5.INI file was created and added to %windir% (and to the C:\WINNT folder, to be able to test with Java ktab and kinit, which do not look in the %windir% folder):

        [libdefaults]
        default_realm = DOMAIN1.COM
        dns_lookup_realm = false
        dns_lookup_kdc = false
        default_tkt_enctypes=DES-CBC-CRC
        default_tgs_enctypes=DES-CBC-CRC

        [realms]
        DOMAIN1.COM = {
            kdc = 192.168.0.1
            admin_server = 192.168.0.1
            default_domain = DOMAIN1.COM
        }

        [domain_realm]
        .domain1.com = DOMAIN1.COM
        domain1.com = DOMAIN1.COM

        [appdefaults]
        autologin = true
        forward = true
        forwardable = true
        encrypt = true

 4. We've installed JDK 1.5.0.12: jdk-1_5_0_12-windows-i586-p.exe
 5. Keytab file was created (with password "Password"):
        ktab -k SSOKeyTabFile -a HTTP/serv...@domain1.com
 6. Keytab file and Kerberos communication were tested using:
        kinit -k -t SSOKeyTabFile HTTP/serv...@domain1.com
 7. Keytab file and Kerberos communication were tested using Java (incl. debugging):
        java -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit -k -t SSOKeyTabFile HTTP/serv...@domain1.com
 8. Keytab was listed:
        java -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Klist
 9. SSOKeyTabFile was copied to the WebLogic ProductionDomain folder
10. The krb5login.conf file was created and copied to the WebLogic ProductionDomain folder:

        com.sun.security.jgss.initiate {
            com.sun.security.auth.module.Krb5LoginModule required
                principal="HTTP/serv...@domain1.com"
                useKeyTab=true
                keyTab=SSOKeyTabFile
                storeKey=true
                debug=true;
        };

        com.sun.security.jgss.accept {
            com.sun.security.auth.module.Krb5LoginModule required
                principal=" HTTP/serv...@domain1.com "
                useKeyTab=true
                keyTab=SSOKeyTabFile
                storeKey=true
                debug=true;
        };

11. The WebLogic service and startWebLogic.cmd were modified with the following parameters:

        -Djava.security.krb5.realm=DOMAIN1.COM
        -Djava.security.krb5.kdc=192.168.0.1
        -Djava.security.auth.login.config=<ProductionFolder>\krb5login.conf
        -Djavax.security.auth.useSubjectCredsOnly=false
        -Dweblogic.security.enableNegotiate=true
        -DDebugSecurityAdjudicator=true
        -Dweblogic.debug.DebugSecurityAtn=true
        -Dweblogic.debug.DebugSecurityAtz=true
        -Dweblogic.Debug.DebugSecurityATN=true
        -Dweblogic.StdoutSeverityLevel=64
        -Dweblogic.StdoutDebugEnabled=true

For the client PC (Client1) we've checked the browser settings:
  - Automatic Logon only in Intranet Zone
  - Enable Integrated Windows Authentication

On the client we've used "kerbtray.exe" to see whether a Kerberos token is created, and it is (although with the full domain name, HTTP/Server1.domain1.com).

We've checked for Kerberos communication with Wireshark and see that the client does communicate, and passes the SPNEGO token to the WebLogic server, but we do not see any Kerberos communication on the WebLogic server. The server simply requests Authorisation again...

If required we have the full Wireshark traces of the WebLogic Server and the Client. We also have very detailed WebLogic tracing which I can provide.

Kind Regards,
Nika.
Nika Gerson Lohman
Senior Software Engineer
Tele'Train Software BV, http://www.teletrain.nl
Paasheuvelweg 1
1105 BE Amsterdam
Telephone: +31 (0)20 379 03 52
Fax: +31 (0)20 379 03 53
Private Fax: +31 (0)84 222 49 06
Mobile: +31 (0)62 040 13 50
E-Mail: n...@teletrain.nl
MSN: n...@teletrain.nl

________________________________________________
Kerberos mailing list  Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
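The keytab written by ktab in the post is the one artefact that the server-side JAAS accept entry and the KDC's enctype policy both have to agree with, so checking its contents directly is a quick first step before tracing SPNEGO on the server. The script below is an added example, not code from the post or from WebLogic/BEA: it builds a constructed keytab in memory in the MIT 0x0502 format that ktab writes, parses it back, and reports every entry whose principal name (compared exactly, so case and stray whitespace count) or enctype differs from what is configured; the principal HTTP/server1.domain1.com@DOMAIN1.COM, the kvno and the key bytes are constructed values.

```python
import struct
# Added example (not from the post or from WebLogic/BEA): build an in-memory MIT 0x0502 keytab, the
# format ktab writes, parse it back and audit each entry against the configured principal and enctypes.

def _counted(data: bytes) -> bytes:              # keytab counted octet string: u16 length + bytes
    return struct.pack(">H", len(data)) + data

def build_keytab(principal: str, realm: str, keys) -> bytes:
    out, comps = b"\x05\x02", principal.split("/")           # file format version 0x0502
    for enctype, key, kvno in keys:                          # one entry per (enctype, key, kvno)
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)      # NT-PRINCIPAL, timestamp, 8-bit vno
        body += struct.pack(">H", enctype) + _counted(key) + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(blob: bytes):
    """Return [(principal@REALM, kvno, enctype), ...] for every live entry in the keytab."""
    assert blob[:2] == b"\x05\x02", "not a version 0x0502 keytab"
    pos, entries = 2, []
    def take(fmt):                               # unpack big-endian fields at pos and advance
        nonlocal pos
        vals = struct.unpack(">" + fmt, blob[pos:pos + struct.calcsize(">" + fmt)])
        pos += struct.calcsize(">" + fmt)
        return vals[0] if len(vals) == 1 else vals
    def rd():                                    # counted octet string: u16 length, then bytes
        return take(f"{take('H')}s")
    while pos + 4 <= len(blob):
        size = take("i")
        if size <= 0:                            # negative size marks a deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        realm, *comps = [rd().decode() for _ in range(take("H") + 1)]   # realm, then name parts
        _, _, vno8, enctype = take("IIBH")       # name_type, timestamp, 8-bit vno, enctype
        rd()                                     # key material is not needed for the audit
        kvno = take("I") if end - pos >= 4 else vno8   # 32-bit kvno extension, else 8-bit vno
        pos = end
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
    return entries

def audit_keytab(blob: bytes, jaas_principal: str, allowed_enctypes) -> list:
    problems = []
    for i, (princ, kvno, etype) in enumerate(parse_keytab(blob), 1):
        if princ != jaas_principal:              # exact match: case and stray spaces matter
            problems.append(f"entry {i}: principal {princ!r} != configured {jaas_principal!r}")
        if etype not in allowed_enctypes:
            problems.append(f"entry {i}: enctype {etype} not in allowed set {sorted(allowed_enctypes)}")
    return problems
```

To audit a real file, pass the bytes of SSOKeyTabFile to audit_keytab together with the principal string from krb5login.conf and the enctype numbers the client and KDC are configured for (RFC 3961 numbering, e.g. 1 for des-cbc-crc, 3 for des-cbc-md5).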