SlideShare a Scribd company logo

Configuring kerberos based sso in weblogic

Harihara sarma
Harihara sarma

Configuring kerberos based sso in weblogic

Software
1 of 11
Download to read offline
IBM Configuring Kerberos based SSO in Weblogic Application server Environment Kerberos configuration Saravana Kumar KKB 10/11/2013 Saravana, is working as a Staff Software Engineer (QA) for IBM Policy Atlas team under ECM. Reach out to him at saravkkb@in.ibm.com Abstract: Today many products have support for SSO. Kerberos is most recommended efficient and secure network accesses across the enterprise. This article provides information about the configuration of single sign-on (SSO) using Kerberos in Oracle Web logic server.
Configuring Kerberos based SSO in Weblogic Application server Environment 2 Introduction: Single sign-on (SSO) allows users to sign in once to the system and login to other application without any authentication. 1.1 Why Kerberos ? Kerberos is a technology that allows for strong authentication in open, distributed networks. It is a credible security solution for four main reasons: 1. Kerberos is mature. It has been widely used and widely studied for a long time. In security, that counts for a great deal. 2. Kerberos meets the requirements of modern distributed systems. It was developed in response to a well-defined and clearly thought through set of requirements for secure authentication in an open environment with insecure communications links; it has turned out that those requirements closely match the requirements of modern distributed systems operating over networks based on Internet Protocols. 3. Kerberos is architecturally sound. It is designed around a clear set of Architectural and functional abstractions; that architectural soundness has allowed it to evolve over time, and make it easy to integrate it into other systems. This same architectural soundness makes it easy to analyze how Kerberos will behave. 4. Kerberos is already in place. Kerberos is already integrated into most popular operating systems and many widely-used software applications. It is an integral part of today’s IT infrastructure. 2 Machine configuration: 2.1 What is KDC ? The Kerberos Key Distribution Center (KDC) is a network service that supplies session tickets and temporary session keys to users and computers within an Active Directory domain. The KDC runs on each domain controller as part of Active Directory Domain Services (AD DS). 2.2 What is SPNEGO? Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) is a standard protocol that is used to negotiate the authentication protocol used when a client application wants to authenticate to a remote server. SPNEGO is a standard specification defined in IETF RFC 2478. SPNEGO is used in a Web SSO. It is responsible for authenticating access to a secured paged, such as a WebSphere Application Server resource that is identified in an HTTP request. Microsoft also uses SPNEGO for its browser-based SSO solutions.
Configuring Kerberos based SSO in Weblogic Application server Environment 3 Machine A Machine B (weblogic.kerb. mycompany.com) (ad.kerb.mycompany.com) 7 KDC/ 6 Domain controller Weblogic Application server 4 1 3 2 8 Client.Kerb. mycompany.com 5 Figure 1: Machine configuration for Kerberos authentication 1. When the logged-on user (MACHINE C) requests a resource from Oracle WebLogic Server (MACHINEB), it sends the initial HTTP GET verb. 2. Oracle WebLogic Server (MACHINEB), running the SPNEGO Token Handler code, requires authentication and issues a 401 Access Denied, WWW- Authenticate: Negotiate response. 3. The client (Browser on MACHINEC) then requests the session ticket from the TGS/KDC (MACHINEA). Client Machine Windows 8/ 7/vista- (Browser) Machine C
Configuring Kerberos based SSO in Weblogic Application server Environment 4 4. The TGS/KDC (MACHINEA) supplies the client with the necessary Kerberos Ticket (assuming the client is authorized) wrapped in a SPNEGO Token. 5. The client re-sends the HTTP GET request + the Negotiate SPNEGO Token in an Authorization: Negotiate base64(token) header. 6. SPNEGO Web authentication in Weblogic server sees the HTTP header with the SPNEGO token. SPNEGO validates the SPNEGO token and gets the identity (principal) of the user. 7. After Weblogic gets the identity of the user, it validates the user in Microsoft Active Directory/KDC. When the identification process is executed, Weblogic executes the related Java code (servlets, JSPs, EJBs, and so on) and checks authorizations. 8. Oracle WebLogic Server's SPNEGO Token Handler code accepts and processes the token through GSS API, authenticates the user and responds with the requested URL. 3 Steps: 3.1 Machine: KDC- scenario name: Machine A 1. Create a user in Active directory E.g.: HTTP_weblogic don’t select any option except password will not expire and user cannot change password. 2. Setspn >setspn -a HTTP/weblogic HTTP_weblogic >setspn -a HTTP/weblogic.kerb.mycompany.com HTTP_weblogic 3. Test >setspn –l HTTP_weblogic should list only 2 4. Generate Keytab file C:UsersAdministrator>ktpass -princ HTTP_weblogic@KERB.mycompany.COM -pass Admin123 -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -kvno 0 -out c:krb5.keytab Transfer the keytab file to weblogic machine and to the domain directory of weblogic 3.2 Machine: Weblogic - scenario machine name: Machine B 1. Create krb5Login.conf file com.sun.security.jgss.initiate { com.sun.security.auth.module.Krb5LoginModule required
Configuring Kerberos based SSO in Weblogic Application server Environment 5 principal=”<SPN username>” useKeyTab=true keyTab=”<key Tab file name>” storeKey=true debug=true; }; com.sun.security.jgss.krb5.accept { com.sun.security.auth.module.Krb5LoginModule Required principal==”<SPN username>” useKeyTab=true keyTab="<key Tab file name> " storeKey=true debug=true; }; 2. Have a krb5.ini file in c:windows directory of weblogic machine [libdefaults] default_realm = <REALM NAME> default_tkt_enctypes = rc4-hmac arcfour-hmac-md5 default_tgs_enctypes = rc4-hmac arcfour-hmac-md5 ticket_lifetime = 600 [realms] <REALM NAME>= { kdc = <IP>:88 admin_server = <HOSTNAME OF AD/KDC> default_domain = <REALM NAME> } [domain_realm] Realm name = <REALM NAME> .realm name = <REALM NAME> [appdefaults] autologin = true forward = true forwardable = true encrypt = true 3. In Weblogic startup command add the following set kerb_login=%kerb_login% -Djavax.security.auth.useSubjectCredsOnly=false - Dweblogic.security.enableNegotiate=true -Djava.security.auth.login.config="<path of krb5Login.conf file" -Djava.security.krb5.realm=REALM NAME - Djava.security.krb5.kdc=ad -Dweblogic.StdoutSeverityLevel=64 - Dweblogic.Debug.DebugSecurityAtz=true -Dweblogic.Debug.DebugSecurityAtn=false 4. Add the following in “myrealm- providers” of weblogic Home >Summary of Security Realms >myrealm >Providers a) Add “WebLogic Negotiate Identity Assertion provider”
Configuring Kerberos based SSO in Weblogic Application server Environment 6 b) Add another realm “Provider that performs LDAP authentication” with following details in Provider specific Tab
Configuring Kerberos based SSO in Weblogic Application server Environment 7 Figure 2: Weblogic Security Realm configuration Save and restart web logic server 3.3 Machine: client - scenario machine name: Machine C For Single Sign On to occur, you will need an authenticated Microsoft client, belonging to the domain controlled by your realm, and requesting access to the Oracle WebLogic Server service. 3.3.1 Configuring Internet Explorer Browser To configure an Internet Explorer browser to use Windows authentication, follow these procedures in Internet Explorer. Configure Local Intranet Domains 1. In Internet Explorer, select Tools > Internet Options. 2. Select the Security tab.
Configuring Kerberos based SSO in Weblogic Application server Environment 8 3. Select Local intranet and click Sites. 4. In the Local intranet popup, ensure that the Include all sites that bypass the proxy server and Include all local (intranet) sites not listed in other zones options are checked. Figure 3: Local Intranet Dialog Box for Internet Explorer 5. Click Advanced. 6. In the Local intranet (Advanced) dialog box, add all relative domain names that will be used for Oracle WebLogic Server instances participating in the SSO configuration (for example, myhost.example.com) and click OK. Fig 4: Advanced Local Intranet Dialog Box for Internet Explorer
Configuring Kerberos based SSO in Weblogic Application server Environment 9 Configure Intranet Authentication 1. Select Tools > Internet Options. 2. Select the Security tab. 3. Select Local intranet and click Custom Level... . 4. In the Security Settings dialog box, scroll to the User Authentication section. 5. Select Automatic logon only in Intranet zone. This option prevents users from having to re-enter logon credentials, which is a key piece to this solution. 6. Click OK. Figure 5: Configure Intranet Authentication
Configuring Kerberos based SSO in Weblogic Application server Environment 10 Verify Proxy Settings If you have a proxy server enabled: 1. Select Tools > Internet Options. 2. Select the Connections tab and click LAN Settings. 3. Verify that the proxy server address and port number are correct. 4. Click Advanced. 5. In the Proxy Settings dialog box, ensure that all desired domain names are entered in the Exceptions field. 6. Click OK to close the Proxy Settings dialog box. 3.3.2 Configuring Mozilla Firefox Browser To configure a Firefox browser to use Windows Integrated authentication, complete the following steps: 1. Start Firefox. 2. Enter about:config in the Location Bar. 3. Enter the filter string network.negotiate. 4. Set the preferences as shown in Figure below: Figure 6: Firefox configuration
Configuring Kerberos based SSO in Weblogic Application server Environment 11 3.3.3 Configuring Google Chrome Browser No special configuration needed for Chrome Browser. 3.4 Other configuration: 1. Ensure all the 3 machines Machine A, Machine B and C are able to ping each other using machine “hostnames”. If not then it should be added in host entry. 4 Testing the SSO To verify that SSO is configured properly, point a browser to the Web application or Web service you want to use. If you are logged on to a Windows domain and have Kerberos credentials acquired from the Active Directory server in the domain, you should be able to access the Web application or Web service without providing a username or password.

Recommended

Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)Richard Bullington-McGuire
 
Smart Card Authentication
Smart Card AuthenticationSmart Card Authentication
Smart Card AuthenticationDan Usher
 
Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Vladimir Dzhuvinov
 
Single Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenIDSingle Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenIDGasperi Jerome
 
CAS Enhancement
CAS EnhancementCAS Enhancement
CAS EnhancementGuo Albert
 
CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2scotttomilson
 
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6Kenneth Peeples
 
SAML and Other Types of Federation for Your Enterprise
SAML and Other Types of Federation for Your EnterpriseSAML and Other Types of Federation for Your Enterprise
SAML and Other Types of Federation for Your EnterpriseDenis Gundarev
 

Recommended

Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)Richard Bullington-McGuire
 
Smart Card Authentication
Smart Card AuthenticationSmart Card Authentication
Smart Card AuthenticationDan Usher
 
Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Vladimir Dzhuvinov
 
Single Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenIDSingle Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenIDGasperi Jerome
 
CAS Enhancement
CAS EnhancementCAS Enhancement
CAS EnhancementGuo Albert
 
CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2scotttomilson
 
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6Kenneth Peeples
 
SAML and Other Types of Federation for Your Enterprise
SAML and Other Types of Federation for Your EnterpriseSAML and Other Types of Federation for Your Enterprise
SAML and Other Types of Federation for Your EnterpriseDenis Gundarev
 
IdP, SAML, OAuth
IdP, SAML, OAuthIdP, SAML, OAuth
IdP, SAML, OAuthDan Brinkmann
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectSecuring your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectManish Pandit
 
“Secure Portal” or WebSphere Portal – Security with Everything
“Secure Portal” or WebSphere Portal – Security with Everything“Secure Portal” or WebSphere Portal – Security with Everything
“Secure Portal” or WebSphere Portal – Security with EverythingDave Hay
 
Authentication and Single Sing on
Authentication and Single Sing onAuthentication and Single Sing on
Authentication and Single Sing onguest648519
 
Kerberos Survival Guide - St. Louis Day of .Net
Kerberos Survival Guide - St. Louis Day of .NetKerberos Survival Guide - St. Louis Day of .Net
Kerberos Survival Guide - St. Louis Day of .NetJ.D. Wade
 
MGT300 Using Microsoft System Center to Manage beyond the Trusted Domain
MGT300 Using Microsoft System Center to Manage beyond the Trusted DomainMGT300 Using Microsoft System Center to Manage beyond the Trusted Domain
MGT300 Using Microsoft System Center to Manage beyond the Trusted DomainLouis Göhl
 
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CIS14: Consolidating Authorization for API and Web SSO using OpenID ConnectCIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CIS14: Consolidating Authorization for API and Web SSO using OpenID ConnectCloudIDSummit
 
JWT SSO Inbound Authenticator
JWT SSO Inbound AuthenticatorJWT SSO Inbound Authenticator
JWT SSO Inbound AuthenticatorMifrazMurthaja
 
Kerberos Survival Guide SPS Chicago
Kerberos Survival Guide SPS ChicagoKerberos Survival Guide SPS Chicago
Kerberos Survival Guide SPS ChicagoJ.D. Wade
 
OpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for BeginnersOpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for BeginnersSalesforce Developers
 
Introduction to PicketLink
Introduction to PicketLinkIntroduction to PicketLink
Introduction to PicketLinkJBUG London
 
Kerberos Survival Guide: Columbus 2015
Kerberos Survival Guide: Columbus 2015Kerberos Survival Guide: Columbus 2015
Kerberos Survival Guide: Columbus 2015J.D. Wade
 
Kerberos Survival Guide: SharePoint Saturday Nashville 2015
Kerberos Survival Guide: SharePoint Saturday Nashville 2015Kerberos Survival Guide: SharePoint Saturday Nashville 2015
Kerberos Survival Guide: SharePoint Saturday Nashville 2015J.D. Wade
 
Troubleshooting Novell Access Manager 3.1
Troubleshooting Novell Access Manager 3.1Troubleshooting Novell Access Manager 3.1
Troubleshooting Novell Access Manager 3.1Novell
 
08 asp.net session11
08 asp.net session1108 asp.net session11
08 asp.net session11Niit Care
 
2. Day 2 - Identify and SSO
2. Day 2 - Identify and SSO2. Day 2 - Identify and SSO
2. Day 2 - Identify and SSOHuy Pham
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2Rodrigo Cândido da Silva
 
Keycloak Single Sign-On
Keycloak Single Sign-OnKeycloak Single Sign-On
Keycloak Single Sign-OnRavi Yasas
 
Mit 2014 introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2Mit 2014 introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2Justin Richer
 
LASCON 2017: SAML v. OpenID v. Oauth
LASCON 2017: SAML v. OpenID v. OauthLASCON 2017: SAML v. OpenID v. Oauth
LASCON 2017: SAML v. OpenID v. OauthMike Schwartz
 
Sp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideSp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideHai Nguyen
 
Creating Secure Applications
Creating Secure Applications Creating Secure Applications
Creating Secure Applications guest879f38
 

More Related Content

What's hot

Securing your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectSecuring your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectManish Pandit
 
“Secure Portal” or WebSphere Portal – Security with Everything
“Secure Portal” or WebSphere Portal – Security with Everything“Secure Portal” or WebSphere Portal – Security with Everything
“Secure Portal” or WebSphere Portal – Security with EverythingDave Hay
 
Authentication and Single Sing on
Authentication and Single Sing onAuthentication and Single Sing on
Authentication and Single Sing onguest648519
 
Kerberos Survival Guide - St. Louis Day of .Net
Kerberos Survival Guide - St. Louis Day of .NetKerberos Survival Guide - St. Louis Day of .Net
Kerberos Survival Guide - St. Louis Day of .NetJ.D. Wade
 
MGT300 Using Microsoft System Center to Manage beyond the Trusted Domain
MGT300 Using Microsoft System Center to Manage beyond the Trusted DomainMGT300 Using Microsoft System Center to Manage beyond the Trusted Domain
MGT300 Using Microsoft System Center to Manage beyond the Trusted DomainLouis Göhl
 
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CIS14: Consolidating Authorization for API and Web SSO using OpenID ConnectCIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CIS14: Consolidating Authorization for API and Web SSO using OpenID ConnectCloudIDSummit
 
JWT SSO Inbound Authenticator
JWT SSO Inbound AuthenticatorJWT SSO Inbound Authenticator
JWT SSO Inbound AuthenticatorMifrazMurthaja
 
Kerberos Survival Guide SPS Chicago
Kerberos Survival Guide SPS ChicagoKerberos Survival Guide SPS Chicago
Kerberos Survival Guide SPS ChicagoJ.D. Wade
 
OpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for BeginnersOpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for BeginnersSalesforce Developers
 
Introduction to PicketLink
Introduction to PicketLinkIntroduction to PicketLink
Introduction to PicketLinkJBUG London
 
Kerberos Survival Guide: Columbus 2015
Kerberos Survival Guide: Columbus 2015Kerberos Survival Guide: Columbus 2015
Kerberos Survival Guide: Columbus 2015J.D. Wade
 
Kerberos Survival Guide: SharePoint Saturday Nashville 2015
Kerberos Survival Guide: SharePoint Saturday Nashville 2015Kerberos Survival Guide: SharePoint Saturday Nashville 2015
Kerberos Survival Guide: SharePoint Saturday Nashville 2015J.D. Wade
 
Troubleshooting Novell Access Manager 3.1
Troubleshooting Novell Access Manager 3.1Troubleshooting Novell Access Manager 3.1
Troubleshooting Novell Access Manager 3.1Novell
 
08 asp.net session11
08 asp.net session1108 asp.net session11
08 asp.net session11Niit Care
 
2. Day 2 - Identify and SSO
2. Day 2 - Identify and SSO2. Day 2 - Identify and SSO
2. Day 2 - Identify and SSOHuy Pham
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2Rodrigo Cândido da Silva
 
Keycloak Single Sign-On
Keycloak Single Sign-OnKeycloak Single Sign-On
Keycloak Single Sign-OnRavi Yasas
 
Mit 2014 introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2Mit 2014 introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2Justin Richer
 
LASCON 2017: SAML v. OpenID v. Oauth
LASCON 2017: SAML v. OpenID v. OauthLASCON 2017: SAML v. OpenID v. Oauth
LASCON 2017: SAML v. OpenID v. OauthMike Schwartz
 

What's hot (20)

IdP, SAML, OAuth
IdP, SAML, OAuthIdP, SAML, OAuth
IdP, SAML, OAuth
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectSecuring your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID Connect
 
“Secure Portal” or WebSphere Portal – Security with Everything
“Secure Portal” or WebSphere Portal – Security with Everything“Secure Portal” or WebSphere Portal – Security with Everything
“Secure Portal” or WebSphere Portal – Security with Everything
 
Authentication and Single Sing on
Authentication and Single Sing onAuthentication and Single Sing on
Authentication and Single Sing on
 
Kerberos Survival Guide - St. Louis Day of .Net
Kerberos Survival Guide - St. Louis Day of .NetKerberos Survival Guide - St. Louis Day of .Net
Kerberos Survival Guide - St. Louis Day of .Net
 
MGT300 Using Microsoft System Center to Manage beyond the Trusted Domain
MGT300 Using Microsoft System Center to Manage beyond the Trusted DomainMGT300 Using Microsoft System Center to Manage beyond the Trusted Domain
MGT300 Using Microsoft System Center to Manage beyond the Trusted Domain
 
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CIS14: Consolidating Authorization for API and Web SSO using OpenID ConnectCIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
 
JWT SSO Inbound Authenticator
JWT SSO Inbound AuthenticatorJWT SSO Inbound Authenticator
JWT SSO Inbound Authenticator
 
Kerberos Survival Guide SPS Chicago
Kerberos Survival Guide SPS ChicagoKerberos Survival Guide SPS Chicago
Kerberos Survival Guide SPS Chicago
 
OpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for BeginnersOpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for Beginners
 
Introduction to PicketLink
Introduction to PicketLinkIntroduction to PicketLink
Introduction to PicketLink
 
Kerberos Survival Guide: Columbus 2015
Kerberos Survival Guide: Columbus 2015Kerberos Survival Guide: Columbus 2015
Kerberos Survival Guide: Columbus 2015
 
Kerberos Survival Guide: SharePoint Saturday Nashville 2015
Kerberos Survival Guide: SharePoint Saturday Nashville 2015Kerberos Survival Guide: SharePoint Saturday Nashville 2015
Kerberos Survival Guide: SharePoint Saturday Nashville 2015
 
Troubleshooting Novell Access Manager 3.1
Troubleshooting Novell Access Manager 3.1Troubleshooting Novell Access Manager 3.1
Troubleshooting Novell Access Manager 3.1
 
08 asp.net session11
08 asp.net session1108 asp.net session11
08 asp.net session11
 
2. Day 2 - Identify and SSO
2. Day 2 - Identify and SSO2. Day 2 - Identify and SSO
2. Day 2 - Identify and SSO
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2
 
Keycloak Single Sign-On
Keycloak Single Sign-OnKeycloak Single Sign-On
Keycloak Single Sign-On
 
Mit 2014 introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2Mit 2014 introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2
 
LASCON 2017: SAML v. OpenID v. Oauth
LASCON 2017: SAML v. OpenID v. OauthLASCON 2017: SAML v. OpenID v. Oauth
LASCON 2017: SAML v. OpenID v. Oauth
 

Similar to Configuring kerberos based sso in weblogic

Sp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideSp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideHai Nguyen
 
Creating Secure Applications
Creating Secure Applications Creating Secure Applications
Creating Secure Applications guest879f38
 
Stronger Authentication with Biometric SSO
Stronger Authentication with Biometric SSOStronger Authentication with Biometric SSO
Stronger Authentication with Biometric SSORamesh Nagappan
 
Dave Carroll Application Services Salesforce
Dave Carroll Application Services SalesforceDave Carroll Application Services Salesforce
Dave Carroll Application Services Salesforcedeimos
 
A Detailed Guide to Securing React applications with Keycloak - WalkingTree ...
A Detailed Guide to Securing React applications with Keycloak - WalkingTree ...A Detailed Guide to Securing React applications with Keycloak - WalkingTree ...
A Detailed Guide to Securing React applications with Keycloak - WalkingTree ...Ganesh Kumar
 
Web Single sign on system
Web Single sign on systemWeb Single sign on system
Web Single sign on systemSwati Sinha
 
Exploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access ManagerExploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access ManagerNovell
 
Novell® iChain® 2.3
Novell® iChain® 2.3Novell® iChain® 2.3
Novell® iChain® 2.3webhostingguy
 
MSWD:MERN STACK WEB DEVELOPMENT COURSE CODE
MSWD:MERN STACK WEB DEVELOPMENT COURSE CODEMSWD:MERN STACK WEB DEVELOPMENT COURSE CODE
MSWD:MERN STACK WEB DEVELOPMENT COURSE CODEannalakshmi35
 
SecDevOps - The Operationalisation of Security
SecDevOps - The Operationalisation of SecuritySecDevOps - The Operationalisation of Security
SecDevOps - The Operationalisation of SecurityDinis Cruz
 
validation of user credentials in social network by using Django backend aut...
validation of user credentials in social network by using Django backend aut...validation of user credentials in social network by using Django backend aut...
validation of user credentials in social network by using Django backend aut...izzatisholehah
 
Java Web Programming [9/9] : Web Application Security
Java Web Programming [9/9] : Web Application SecurityJava Web Programming [9/9] : Web Application Security
Java Web Programming [9/9] : Web Application SecurityIMC Institute
 
Kerberos Security in Distributed Systems
Kerberos Security in Distributed SystemsKerberos Security in Distributed Systems
Kerberos Security in Distributed SystemsIRJET Journal
 
Actor Model Import Connector for Microsoft Active Directory
Actor Model Import Connector for Microsoft Active DirectoryActor Model Import Connector for Microsoft Active Directory
Actor Model Import Connector for Microsoft Active Directoryprotect724rkeer
 
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureLow Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureMongoDB
 
Introduction to Blockchain and Hyperledger
Introduction to Blockchain and HyperledgerIntroduction to Blockchain and Hyperledger
Introduction to Blockchain and HyperledgerDev_Events
 
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptx
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptxOralce SSL walelt -TCPS_Troubleshooting_PB.pptx
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptxssuser865ecd
 
How to -_implement_clientless_single_sign_on_authentication_in_multiple_activ...
How to -_implement_clientless_single_sign_on_authentication_in_multiple_activ...How to -_implement_clientless_single_sign_on_authentication_in_multiple_activ...
How to -_implement_clientless_single_sign_on_authentication_in_multiple_activ...SaNju MuLak
 

Similar to Configuring kerberos based sso in weblogic (20)

Sp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideSp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guide
 
Creating Secure Applications
Creating Secure Applications Creating Secure Applications
Creating Secure Applications
 
Stronger Authentication with Biometric SSO
Stronger Authentication with Biometric SSOStronger Authentication with Biometric SSO
Stronger Authentication with Biometric SSO
 
Dave Carroll Application Services Salesforce
Dave Carroll Application Services SalesforceDave Carroll Application Services Salesforce
Dave Carroll Application Services Salesforce
 
A Detailed Guide to Securing React applications with Keycloak - WalkingTree ...
A Detailed Guide to Securing React applications with Keycloak - WalkingTree ...A Detailed Guide to Securing React applications with Keycloak - WalkingTree ...
A Detailed Guide to Securing React applications with Keycloak - WalkingTree ...
 
Web Single sign on system
Web Single sign on systemWeb Single sign on system
Web Single sign on system
 
1205 bhat pdf-ssl
1205 bhat pdf-ssl1205 bhat pdf-ssl
1205 bhat pdf-ssl
 
Exploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access ManagerExploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access Manager
 
Novell® iChain® 2.3
Novell® iChain® 2.3Novell® iChain® 2.3
Novell® iChain® 2.3
 
MSWD:MERN STACK WEB DEVELOPMENT COURSE CODE
MSWD:MERN STACK WEB DEVELOPMENT COURSE CODEMSWD:MERN STACK WEB DEVELOPMENT COURSE CODE
MSWD:MERN STACK WEB DEVELOPMENT COURSE CODE
 
SecDevOps - The Operationalisation of Security
SecDevOps - The Operationalisation of SecuritySecDevOps - The Operationalisation of Security
SecDevOps - The Operationalisation of Security
 
presentation_finals
presentation_finalspresentation_finals
presentation_finals
 
validation of user credentials in social network by using Django backend aut...
validation of user credentials in social network by using Django backend aut...validation of user credentials in social network by using Django backend aut...
validation of user credentials in social network by using Django backend aut...
 
Java Web Programming [9/9] : Web Application Security
Java Web Programming [9/9] : Web Application SecurityJava Web Programming [9/9] : Web Application Security
Java Web Programming [9/9] : Web Application Security
 
Kerberos Security in Distributed Systems
Kerberos Security in Distributed SystemsKerberos Security in Distributed Systems
Kerberos Security in Distributed Systems
 
Actor Model Import Connector for Microsoft Active Directory
Actor Model Import Connector for Microsoft Active DirectoryActor Model Import Connector for Microsoft Active Directory
Actor Model Import Connector for Microsoft Active Directory
 
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureLow Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
 
Introduction to Blockchain and Hyperledger
Introduction to Blockchain and HyperledgerIntroduction to Blockchain and Hyperledger
Introduction to Blockchain and Hyperledger
 
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptx
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptxOralce SSL walelt -TCPS_Troubleshooting_PB.pptx
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptx
 
How to -_implement_clientless_single_sign_on_authentication_in_multiple_activ...
How to -_implement_clientless_single_sign_on_authentication_in_multiple_activ...How to -_implement_clientless_single_sign_on_authentication_in_multiple_activ...
How to -_implement_clientless_single_sign_on_authentication_in_multiple_activ...
 

Recently uploaded

What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...Technogeeks
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsAhmed Mohamed
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio, Inc.
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWave PLM
 
What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....kzayra69
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Matt Ray
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
Cyber security and its impact on E commerce
Cyber security and its impact on E commerceCyber security and its impact on E commerce
Cyber security and its impact on E commercemanigoyal112
 
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Cizo Technology Services
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEEVICTOR MAESTRE RAMIREZ
 
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Natan Silnitsky
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfStefano Stabellini
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Angel Borroy López
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based projectAnoyGreter
 
PREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentationPREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentationvaddepallysandeep122
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesŁukasz Chruściel
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 

Recently uploaded (20)

What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need It
 
What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
 
2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
Cyber security and its impact on E commerce
Cyber security and its impact on E commerceCyber security and its impact on E commerce
Cyber security and its impact on E commerce
 
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
 
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdf
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based project
 
PREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentationPREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentation
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New Features
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 

Configuring kerberos based sso in weblogic

  • 1. IBM Configuring Kerberos based SSO in Weblogic Application server Environment Kerberos configuration Saravana Kumar KKB 10/11/2013 Saravana, is working as a Staff Software Engineer (QA) for IBM Policy Atlas team under ECM. Reach out to him at saravkkb@in.ibm.com Abstract: Today many products have support for SSO. Kerberos is most recommended efficient and secure network accesses across the enterprise. This article provides information about the configuration of single sign-on (SSO) using Kerberos in Oracle Web logic server.
  • 2. Configuring Kerberos based SSO in Weblogic Application server Environment 2 Introduction: Single sign-on (SSO) allows users to sign in once to the system and login to other application without any authentication. 1.1 Why Kerberos ? Kerberos is a technology that allows for strong authentication in open, distributed networks. It is a credible security solution for four main reasons: 1. Kerberos is mature. It has been widely used and widely studied for a long time. In security, that counts for a great deal. 2. Kerberos meets the requirements of modern distributed systems. It was developed in response to a well-defined and clearly thought through set of requirements for secure authentication in an open environment with insecure communications links; it has turned out that those requirements closely match the requirements of modern distributed systems operating over networks based on Internet Protocols. 3. Kerberos is architecturally sound. It is designed around a clear set of Architectural and functional abstractions; that architectural soundness has allowed it to evolve over time, and make it easy to integrate it into other systems. This same architectural soundness makes it easy to analyze how Kerberos will behave. 4. Kerberos is already in place. Kerberos is already integrated into most popular operating systems and many widely-used software applications. It is an integral part of today’s IT infrastructure. 2 Machine configuration: 2.1 What is KDC ? The Kerberos Key Distribution Center (KDC) is a network service that supplies session tickets and temporary session keys to users and computers within an Active Directory domain. The KDC runs on each domain controller as part of Active Directory Domain Services (AD DS). 2.2 What is SPNEGO? Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) is a standard protocol that is used to negotiate the authentication protocol used when a client application wants to authenticate to a remote server. SPNEGO is a standard specification defined in IETF RFC 2478. SPNEGO is used in a Web SSO. It is responsible for authenticating access to a secured paged, such as a WebSphere Application Server resource that is identified in an HTTP request. Microsoft also uses SPNEGO for its browser-based SSO solutions.
  • 3. Configuring Kerberos based SSO in Weblogic Application server Environment 3 Machine A Machine B (weblogic.kerb. mycompany.com) (ad.kerb.mycompany.com) 7 KDC/ 6 Domain controller Weblogic Application server 4 1 3 2 8 Client.Kerb. mycompany.com 5 Figure 1: Machine configuration for Kerberos authentication 1. When the logged-on user (MACHINE C) requests a resource from Oracle WebLogic Server (MACHINEB), it sends the initial HTTP GET verb. 2. Oracle WebLogic Server (MACHINEB), running the SPNEGO Token Handler code, requires authentication and issues a 401 Access Denied, WWW- Authenticate: Negotiate response. 3. The client (Browser on MACHINEC) then requests the session ticket from the TGS/KDC (MACHINEA). Client Machine Windows 8/ 7/vista- (Browser) Machine C
  • 4. Configuring Kerberos based SSO in Weblogic Application server Environment 4 4. The TGS/KDC (MACHINEA) supplies the client with the necessary Kerberos Ticket (assuming the client is authorized) wrapped in a SPNEGO Token. 5. The client re-sends the HTTP GET request + the Negotiate SPNEGO Token in an Authorization: Negotiate base64(token) header. 6. SPNEGO Web authentication in Weblogic server sees the HTTP header with the SPNEGO token. SPNEGO validates the SPNEGO token and gets the identity (principal) of the user. 7. After Weblogic gets the identity of the user, it validates the user in Microsoft Active Directory/KDC. When the identification process is executed, Weblogic executes the related Java code (servlets, JSPs, EJBs, and so on) and checks authorizations. 8. Oracle WebLogic Server's SPNEGO Token Handler code accepts and processes the token through GSS API, authenticates the user and responds with the requested URL. 3 Steps: 3.1 Machine: KDC- scenario name: Machine A 1. Create a user in Active directory E.g.: HTTP_weblogic don’t select any option except password will not expire and user cannot change password. 2. Setspn >setspn -a HTTP/weblogic HTTP_weblogic >setspn -a HTTP/weblogic.kerb.mycompany.com HTTP_weblogic 3. Test >setspn –l HTTP_weblogic should list only 2 4. Generate Keytab file C:UsersAdministrator>ktpass -princ HTTP_weblogic@KERB.mycompany.COM -pass Admin123 -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -kvno 0 -out c:krb5.keytab Transfer the keytab file to weblogic machine and to the domain directory of weblogic 3.2 Machine: Weblogic - scenario machine name: Machine B 1. Create krb5Login.conf file com.sun.security.jgss.initiate { com.sun.security.auth.module.Krb5LoginModule required
  • 5. Configuring Kerberos based SSO in Weblogic Application server Environment 5 principal=”<SPN username>” useKeyTab=true keyTab=”<key Tab file name>” storeKey=true debug=true; }; com.sun.security.jgss.krb5.accept { com.sun.security.auth.module.Krb5LoginModule Required principal==”<SPN username>” useKeyTab=true keyTab="<key Tab file name> " storeKey=true debug=true; }; 2. Have a krb5.ini file in c:windows directory of weblogic machine [libdefaults] default_realm = <REALM NAME> default_tkt_enctypes = rc4-hmac arcfour-hmac-md5 default_tgs_enctypes = rc4-hmac arcfour-hmac-md5 ticket_lifetime = 600 [realms] <REALM NAME>= { kdc = <IP>:88 admin_server = <HOSTNAME OF AD/KDC> default_domain = <REALM NAME> } [domain_realm] Realm name = <REALM NAME> .realm name = <REALM NAME> [appdefaults] autologin = true forward = true forwardable = true encrypt = true 3. In Weblogic startup command add the following set kerb_login=%kerb_login% -Djavax.security.auth.useSubjectCredsOnly=false - Dweblogic.security.enableNegotiate=true -Djava.security.auth.login.config="<path of krb5Login.conf file" -Djava.security.krb5.realm=REALM NAME - Djava.security.krb5.kdc=ad -Dweblogic.StdoutSeverityLevel=64 - Dweblogic.Debug.DebugSecurityAtz=true -Dweblogic.Debug.DebugSecurityAtn=false 4. Add the following in “myrealm- providers” of weblogic Home >Summary of Security Realms >myrealm >Providers a) Add “WebLogic Negotiate Identity Assertion provider”
  • 6. Configuring Kerberos based SSO in Weblogic Application server Environment 6 b) Add another realm “Provider that performs LDAP authentication” with following details in Provider specific Tab
  • 7. Configuring Kerberos based SSO in Weblogic Application server Environment 7 Figure 2: Weblogic Security Realm configuration Save and restart web logic server 3.3 Machine: client - scenario machine name: Machine C For Single Sign On to occur, you will need an authenticated Microsoft client, belonging to the domain controlled by your realm, and requesting access to the Oracle WebLogic Server service. 3.3.1 Configuring Internet Explorer Browser To configure an Internet Explorer browser to use Windows authentication, follow these procedures in Internet Explorer. Configure Local Intranet Domains 1. In Internet Explorer, select Tools > Internet Options. 2. Select the Security tab.
  • 8. Configuring Kerberos based SSO in Weblogic Application server Environment 8 3. Select Local intranet and click Sites. 4. In the Local intranet popup, ensure that the Include all sites that bypass the proxy server and Include all local (intranet) sites not listed in other zones options are checked. Figure 3: Local Intranet Dialog Box for Internet Explorer 5. Click Advanced. 6. In the Local intranet (Advanced) dialog box, add all relative domain names that will be used for Oracle WebLogic Server instances participating in the SSO configuration (for example, myhost.example.com) and click OK. Fig 4: Advanced Local Intranet Dialog Box for Internet Explorer
  • 9. Configuring Kerberos based SSO in Weblogic Application server Environment 9 Configure Intranet Authentication 1. Select Tools > Internet Options. 2. Select the Security tab. 3. Select Local intranet and click Custom Level... . 4. In the Security Settings dialog box, scroll to the User Authentication section. 5. Select Automatic logon only in Intranet zone. This option prevents users from having to re-enter logon credentials, which is a key piece to this solution. 6. Click OK. Figure 5: Configure Intranet Authentication
  • 10. Configuring Kerberos based SSO in Weblogic Application server Environment 10 Verify Proxy Settings If you have a proxy server enabled: 1. Select Tools > Internet Options. 2. Select the Connections tab and click LAN Settings. 3. Verify that the proxy server address and port number are correct. 4. Click Advanced. 5. In the Proxy Settings dialog box, ensure that all desired domain names are entered in the Exceptions field. 6. Click OK to close the Proxy Settings dialog box. 3.3.2 Configuring Mozilla Firefox Browser To configure a Firefox browser to use Windows Integrated authentication, complete the following steps: 1. Start Firefox. 2. Enter about:config in the Location Bar. 3. Enter the filter string network.negotiate. 4. Set the preferences as shown in Figure below: Figure 6: Firefox configuration
  • 11. Configuring Kerberos based SSO in Weblogic Application server Environment 11 3.3.3 Configuring Google Chrome Browser No special configuration needed for Chrome Browser. 3.4 Other configuration: 1. Ensure all the 3 machines Machine A, Machine B and C are able to ping each other using machine “hostnames”. If not then it should be added in host entry. 4 Testing the SSO To verify that SSO is configured properly, point a browser to the Web application or Web service you want to use. If you are logged on to a Windows domain and have Kerberos credentials acquired from the Active Directory server in the domain, you should be able to access the Web application or Web service without providing a username or password.