Has anyone configured Kerberos SSO on Web Logic 12.1.2 with JDK 1.7 on Win 2012 successfully?

0
votes

I am trying to configure Kerberos SSO on Web Logic 12.1.2 with JDK 1.7.x on Win 2012 R2. I am using Java ktab java command to create keytab file. The encryption includes DES and rc4-hmac. My kerberos ini file only uses rc4-hmac encryption. But when I try to login to my application I am getting this error in Web Logic log file (fragment):

####<Nov 13, 2014 7:24:29 AM PST> <Debug> <SecurityAtn> <ifvm00131> <ICN_ManagedServer_2> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1415892269395> <BEA-000000> <acceptGssInitContextToken failed
com.bea.security.utils.kerberos.KerberosException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)
    at com.bea.security.utils.kerberos.KerberosTokenHandler.acceptGssInitContextTokenInDoAs(KerberosTokenHandler.java:351)
    at com.bea.security.utils.kerberos.KerberosTokenHandler.access$100(KerberosTokenHandler.java:43)
    at com.bea.security.utils.kerberos.KerberosTokenHandler$2.run(KerberosTokenHandler.java:239)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
    at com.bea.security.utils.kerberos.KerberosTokenHandler.acceptGssInitContextToken(KerberosTokenHandler.java:237)
    at com.bea.security.utils.kerberos.KerberosTokenHandler.acceptGssInitContextToken(KerberosTokenHandler.java:165)
    at com.bea.common.security.internal.utils.negotiate.SPNEGONegotiateToken.getUsername(SPNEGONegotiateToken.java:57)
    at weblogic.security.providers.authentication.NegotiateIdentityAsserterProviderImpl.assertChallengeIdentity(NegotiateIdentityAsserterProviderImpl.java:210)
    at com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter.assertChallengeIdentity(ChallengeIdentityAssertionProviderImpl.java:130)
    at com.bea.common.security.internal.service.ChallengeIdentityAssertionTokenServiceImpl.assertChallengeIdentity(ChallengeIdentityAssertionTokenServiceImpl.java:120)

and login to my application is unsuccessful. I am getting in browser Error 401--Unauthorized error.

When I reconfigure the env using the AES256 encryption I am getting Checksum failed error.

I wonder if anyone experienced similar issues and was able to resole it successfully?

Here is my krb5.ini file located in the c:\windows directory

[libdefaults]
    default_realm = MYREALM.LOCAL
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    default_tgs_enctypes = rc4-hmac
    default_tkt_enctypes = rc4-hmac
    ticket_lifetime = 600

[realms]
    MYREALM.LOCAL = {
        kdc = adhostname.mydomain.local:88
        admin_server = adhostname.mydomain.local
        default_domain = mydomain.local
    }

[domain_realm]
    mydomain.local = MYREALM.LOCAL
    .mydomain.local = MYREALM.LOCAL

And this is my config file

com.sun.security.jgss.krb5.initiate 
{
   com.sun.security.auth.module.Krb5LoginModule required
   principal="[email protected]" useKeyTab=true
   keyTab="C:\\sso\\wlker.keytab" storeKey=true debug=true;
};

com.sun.security.jgss.krb5.accept 
{
   com.sun.security.auth.module.Krb5LoginModule Required
   principal="[email protected]" useKeyTab=true
   keyTab="C:\\sso\\wlker.keytab" storeKey=true debug=true;
};

Myapp
{
weblogic.security.auth.login.UsernamePasswordLoginModule required authOnLogin=true;
};
1
kerberos
Why is the principal realm different to the realm in the krb5.conf?Michael-O
Well spotted but in this example this is just a typo sorry. It is MYREALM.LOCAL In my real env they are the same.Irina

1 Answers

0
votes

I have already answered this before. Please search, you have to enable/install unlimited security policy.