It turned out to be solved by removing the SSOAccount in AD and recreating it 
(including re-setting the password, which had already been done several times).

Regards,

Nika.

________________________________________
From: Nika Gerson Lohman 
Sent: Friday, January 02, 2009 8:58 AM
To: 'kerberos@mit.edu'
Subject: Problems unwrapping SPNEGO token for Single Signon (SSO) in WebLogic 
Server 8.1.

First of all, a quick description of our issue. We've tried many different 
things, but cannot get WebLogic to unwrap the SPNEGO token so it authenticates 
using Kerberos. We received several errors while trying to debug, here's the 
one we see most:

       KDC has no support for encryption type (14)

But we doubt it has anything to do with the encryption type, as these are set 
correctly everywhere.

We've tried following some of the instructions on the BEA website (which 
contain several errors). 

One of them was also adding a host/ SPN (in krb5login.conf), but then, when 
using the HTTP/ SPN, we get the following error (it seems that with multiple 
SPNs it only takes the first or last SPN that was set):

       Client not found in Kerberos database (6)

Next try was using the host/ SPN but that results in the following error:

       Integrity check on decrypted field failed (31)

We've tried changing the default_*_enctypes in KRB5.INI (We've removed the 
entries, and also tried only DES_CBC_MD5 and DES_CBC_CRC) but that did not 
change the behaviour.

We've tried adding the AllowTGTSessionKey registry key on client and server, 
but that didn't change it either.

We are not sure what details you need for this to debug, so here's what we've 
done to install the environment (please note that ip-addresses, domain, client 
and server names are made up and are different in real-life),

We have two domains: 

Domain1 (DOMAIN1.COM) contains:

       Domain Controller          "AD1"                with IP 192.168.0.1
       Domain Controller          "AD2"                with IP 192.168.1.1
       Client                     "Client1"            with IP 192.168.2.1

Domain2 (DOMAIN2.COM) contains:

       Domain Controller          "AD3"                with IP 10.0.0.1
       Server (WebLogic)          "Server1"            with IP 10.0.1.2

Between Domain1 and Domain2 a firewall exists in which we've opened the 
relevant ports like LDAP (TCP 389), Kerberos (UDP 88), WebLogic (7001/7002). We 
do not see any firewall blocks on other ports.

We've configured AD1 (Microsoft AD with KDC) as follows:

1. Account "SSOAccountAD" created
2. Password never expires
3. DES encryption on
4. Do not require Kerberos preauthentication off
5. Password "Password" was reset several times
6. ServicePrincipalName was set using this
    setspn -A HTTP/Server1.DOMAIN1.COM SSOAccountAD
7. ServicePrincipalName on AD1 was checked (and found to be ok) using this 
command:
    setspn -L SSOAccountAD
8. KTPass was executed:
    ktpass -princ HTTP/serv...@domain1.com -mapuser SSOAccountAD -pass Password
9. User Logon name was checked:
    HTTP/Server1
10. ServicePrincipalName on AD2 was checked (and found to be ok) using this 
command:
    setspn -L SSOAccountAD

We've configured the WebLogic Server (Server1) as follows:

1. LDAP authentication was activated and test ok
2. Single Pass Negotiate Identity Asserter was created with Chosen Type 
"Authorization"
3. KRB5.INI file was created and added to %windir% (and C:\WINNT folder to be 
able to test with Java ktab and kinit which do not look in the %windir% folder):
[libdefaults]
default_realm = DOMAIN1.COM
dns_lookup_realm = false
dns_lookup_kdc = false
default_tkt_enctypes=DES-CBC-CRC
default_tgs_enctypes=DES-CBC-CRC

[realms]
DOMAIN1.COM = {
kdc = 192.168.0.1
admin_server = 192.168.0.1
default_domain = DOMAIN1.COM
}

[domain_realm]
.domain1.com = DOMAIN1.COM
domain1.com = DOMAIN1.COM

[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true
4. We've installed JDK 1.5.0.12: jdk-1_5_0_12-windows-i586-p.exe
5. Keytab File was created (with password "Password"):
    ktab -k SSOKeyTabFile -a HTTP/serv...@domain1.com
6. Keytab File and Kerberos communication was tested using:
kinit -k -t SSOKeyTabFile HTTP/serv...@domain1.com
7. Keytab File and Kerberos communication was tested using Java (incl. 
Debugging):
java -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit -k 
-t SSOKeyTabFile HTTP/serv...@domain1.com
8. Keytab was listed:
       java -Dsun.security.krb5.debug=true 
sun.security.krb5.internal.tools.Klist
9. SSOKeyTabFile was copied to the WebLogic ProductionDomain folder
10. The krb5login.conf file was created and copied to the WebLogic 
ProductionDomain folder:
com.sun.security.jgss.initiate {

     com.sun.security.auth.module.Krb5LoginModule required
     principal="HTTP/serv...@domain1.com" useKeyTab=true
     keyTab=SSOKeyTabFile storeKey=true debug=true;
};

com.sun.security.jgss.accept {

     com.sun.security.auth.module.Krb5LoginModule required
     principal="HTTP/serv...@domain1.com" useKeyTab=true
     keyTab=SSOKeyTabFile storeKey=true debug=true;
};
11. WebLogic service and startWeblogic.cmd were modified with the following 
parameters:
-Djava.security.krb5.realm=DOMAIN1.COM
-Djava.security.krb5.kdc=192.168.0.1
-Djava.security.auth.login.config=<ProductionFolder>\krb5login.conf
-Djavax.security.auth.useSubjectCredsOnly=false
-Dweblogic.security.enableNegotiate=true
-DDebugSecurityAdjudicator=true
-Dweblogic.debug.DebugSecurityAtn=true
-Dweblogic.debug.DebugSecurityAtz=true
-Dweblogic.Debug.DebugSecurityATN=true
-Dweblogic.StdoutSeverityLevel=64
-Dweblogic.StdoutDebugEnabled=true

For the client pc (Client1) we've checked the browser settings:
       
       Automatic Logon only in Intranet Zone
            Enable Integrated Windows Authentication

On the client we've used "kerbtray.exe" to see whether a Kerberos token is 
created, and it is (although with the full domain name, 
HTTP/Server1.domain1.com).

We've checked for Kerberos communication with Wireshark and see that the client 
does communicate, and passes the SPNEGO token to the WebLogic server, but we do 
not see any Kerberos communication on the WebLogic server. The server simply 
requests Authorisation again.

If required we have the full wireshark traces of the WebLogic Server and the 
Client. We also have very detailed WebLogic tracing which I can provide.

Kind Regards,

Nika.

Nika Gerson Lohman
Senior Software Engineer
 
Tele'Train Software BV, http://www.teletrain.nl
Paasheuvelweg 1
1105 BE Amsterdam

Telefoon:
+31 (0)20 379 03 52
Fax:
+31 (0)20 379 03 53
Private Fax:
+31 (0)84 222 49 06
Mobiel:
+31 (0)62 040 13 50
E-Mail:
n...@teletrain.nl
MSN:
n...@teletrain.nl



________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
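A note on the numbers in the error messages above: 14, 6 and 31 are Kerberos protocol error codes (RFC 4120: KDC_ERR_ETYPE_NOSUPP, KDC_ERR_C_PRINCIPAL_UNKNOWN and KRB_AP_ERR_BAD_INTEGRITY), not enctype numbers. KRB_AP_ERR_BAD_INTEGRITY on the acceptor side means the key in the server's keytab could not decrypt the service ticket the KDC issued, which is exactly the situation an account re-creation (new key, new kvno) cures. The first thing a practitioner wants in that situation is to read the keytab itself and compare principal spelling, realm case, kvno and enctype against what the KDC holds. The following script is an added example and not part of the thread or of WebLogic or Java; it parses the MIT/Java keytab format (version 0x0502, also written by Java's ktab) and flags the mismatches that make the acceptor's key differ from the KDC's: a realm that is not upper-case (realm names are case-sensitive, and the RFC 3961 default string-to-key salt is realm plus principal components, so a lower-case realm yields a different DES key), whitespace inside a principal component, an enctype the KDC does not offer, and an SPN that differs from the one registered with setspn. The sample keytab bytes are constructed in the script; the `kdc_enctypes` set and `expected_spn` argument are my own assumptions for the check.

```python
"""Parse and sanity-check a Kerberos keytab in the MIT/Java 0x0502 format.

Added example for this thread; not code from the original posts.
"""
import struct

KEYTAB_VERSION = b"\x05\x02"   # keytab format version 2, big-endian fields
NT_PRINCIPAL = 1               # name-type used for service principals

# Enctype numbers from RFC 3961/3962 and MS-KILE.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}


def _counted(raw: bytes) -> bytes:
    """16-bit length prefix followed by the bytes (keytab 'counted octet string')."""
    return struct.pack(">H", len(raw)) + raw


def build_keytab(entries, timestamp=0) -> bytes:
    """Serialise (principal, realm, kvno, enctype, key) tuples into keytab bytes.

    principal is 'service/host'; key is whatever bytes the caller supplies
    (constructed test data here, never a real key).
    """
    out = bytearray(KEYTAB_VERSION)
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", NT_PRINCIPAL, timestamp, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)               # 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body    # size field excludes itself
    return bytes(out)


def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n], pos + n


def parse_keytab(data: bytes):
    """Return a list of dicts, one per live entry (deleted entries are skipped)."""
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                  # negative size marks a deleted entry (hole)
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp.decode())
        name_type, stamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:            # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"components": comps, "realm": realm.decode(),
                        "name_type": name_type, "timestamp": stamp,
                        "kvno": kvno, "enctype": enctype, "key": key})
    return entries


def check_keytab(entries, kdc_enctypes, expected_spn=None):
    """Return findings that typically explain a SPNEGO acceptor rejecting tickets."""
    findings = []
    if not entries:
        findings.append("keytab contains no entries")
    for e in entries:
        spn = "/".join(e["components"])
        who = "%s@%s (kvno %d)" % (spn, e["realm"], e["kvno"])
        if e["realm"] != e["realm"].upper():
            findings.append("%s: realm is not upper-case; realm names are case-sensitive and "
                            "the default string-to-key salt is realm+principal" % who)
        if any(c != c.strip() for c in e["components"]):
            findings.append("%s: principal component has leading/trailing whitespace" % who)
        if e["enctype"] not in kdc_enctypes:
            findings.append("%s: enctype %s (%d) is not offered by the KDC"
                            % (who, ENCTYPE_NAMES.get(e["enctype"], "unknown"), e["enctype"]))
        if expected_spn is not None and spn != expected_spn:
            findings.append("%s: SPN differs from the registered one (%s)" % (who, expected_spn))
    return findings


# Constructed sample, not a real keytab: one correct entry plus one carrying
# the mistakes (lower-case realm, stray space, DES enctype) the checker flags.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/server1.domain1.com", "DOMAIN1.COM", 2, 23, b"\x11" * 16),
    ("HTTP/server1.domain1.com ", "domain1.com", 1, 3, b"\x22" * 8),
])

if __name__ == "__main__":
    parsed = parse_keytab(SAMPLE_KEYTAB)
    for entry in parsed:
        print("/".join(entry["components"]), entry["realm"], entry["kvno"],
              ENCTYPE_NAMES.get(entry["enctype"], entry["enctype"]))
    for f in check_keytab(parsed, kdc_enctypes={23, 17, 18},
                          expected_spn="HTTP/server1.domain1.com"):
        print("WARNING:", f)
```

To use it on a real file, replace `SAMPLE_KEYTAB` with `open("SSOKeyTabFile", "rb").read()`, put the enctypes the KDC actually offers (visible in the AS-REP/TGS-REP in a Wireshark trace) into `kdc_enctypes`, and pass the SPN exactly as `setspn -L` prints it; an entry whose kvno lags the account's current kvno after a password reset is the other thing to compare by hand, since the script can only show the keytab side.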
