2014-04-29

Multi Domain AD - Kerberos with WLS :

____________________________________

In this example I am using two AD domains :

UP.COM and DOWN.COM

A forest trust is configured between these two AD boxes.

I created a user " up_user " in UP.COM and " down_user " in DOWN.COM.

These two users represent the WebLogic Server machine ( one service account per domain ).

I also created a user " test_up " in UP.COM and " test_down " in DOWN.COM.

The test_up and test_down users are only used to check that the forest trust is working.

Note : The steps below are not part of the multi AD domain Kerberos configuration. They only verify that the forest trust works; remove the test accounts ( or at least their group memberships ) once you are done.

Make both " test_up " and " test_down " members of the " Administrators " group and the " Remote Desktop Users " group, so that you can log in with them through the Remote Desktop client ( on a domain controller, membership of Remote Desktop Users alone does not grant the right to log on through Remote Desktop Services ).

Now connect to the DOWN.COM box using RDC and log in as UP\test_up.

You should be able to log in to the DOWN.COM box successfully.

Try the same with the test_down user against the UP.COM box.

If a user from one domain can log in to the other domain, the forest trust is configured properly.

Summarizing the above :

AD Machine 1 : celbeavm13.us.oracle.com
AD Domain 1 : UP.COM ( Windows 2008 R2 )
User that represents WLS : up_user
User in UP.COM domain : test_up

AD Machine 2 : celbeavm14.us.oracle.com
AD Domain 2 : DOWN.COM ( Windows 2008 R2 )
User that represents WLS : down_user
User in DOWN.COM : test_down

Weblogic Machine : SLKRBTRN6-03 ( Windows XP )

Weblogic Server 12.1.2

NOTE :

How to configure the SSO for users falling into the multiple domains in Microsoft Active Directory (Doc ID 1470520.1)

For WLS versions before 12.1.1 :

- Apply the patch for Bug 14069872 and

- Add the following -D flag in the WLS startup scripts : -Dweblogic.security.krb5.useGSSName=true

For WLS 12.1.1 and above ( the fix is already included ) :

- Add the following -D flag in the WLS startup scripts : -Dweblogic.security.krb5.useGSSName=true

So lets get started...!!

STEP 1 :

Step 1a :

- Create a new user, say " up_user ", in AD 1 ( UP.COM ) to represent the WebLogic Server instance.

Step 1b :

- Create a new user, say " down_user ", in AD 2 ( DOWN.COM ) to represent the WebLogic Server instance.

Treat both as plain service accounts : no group memberships beyond Domain Users, and a password that does not expire, because any password change gives the account a new key and kvno and silently invalidates the keytab created in STEP 4.

STEP 2 :

Create a krb5.ini file.

Syntax :

*******

[libdefaults]

default_realm = <Identifies the default realm. Set its value to your Kerberos realm - all caps>

default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

ticket_lifetime = 600

kdc_timesync = 1

ccache_type = 4

[realms]

<Your Kerberos realm 1 – remember all caps> = {

kdc = <IP address of the KDC/AD server 1>          //  (For Unix systems, you need to specify port 88, as in <IP-address>:88)

admin_server = <FQDN - host name of the KDC/AD server 1>

default_domain = <Windows domain name in caps>

}

<Your Kerberos realm 2 – remember all caps> = {

kdc = <IP address of the KDC/AD server 2>          //  (For Unix systems, you need to specify port 88, as in <IP-address>:88)

admin_server = <FQDN - host name of the KDC/AD server 2>
}

[domain_realm]

.<DNS domain name suffix, starting with .> = <Your Kerberos realm 1 – remember all caps>

<DNS domain name suffix> = <Your Kerberos realm 1 – remember all caps>

.<DNS domain name suffix, starting with .> = <Your Kerberos realm 2 – remember all caps>

<DNS domain name suffix> = <Your Kerberos realm 2 – remember all caps>

( The realm on the right-hand side is a literal realm name and never starts with a dot. The dotted form on the left matches every host under the suffix, the undotted form matches the suffix itself. )

[appdefaults]

autologin = true

forward = true

forwardable = true

encrypt = true

*******

Example :

[libdefaults]
default_realm = UP.COM
ticket_lifetime = 600
default_tkt_enctypes = RC4-HMAC
default_tgs_enctypes = RC4-HMAC
[realms]
UP.COM = {
kdc = celbeavm13.us.oracle.com
admin_server = celbeavm13.us.oracle.com 
default_domain = UP.COM
}
DOWN.COM = {
kdc = celbeavm14.us.oracle.com
admin_server = celbeavm14.us.oracle.com 
}
[domain_realm]
.up.com = UP.COM
up.com = UP.COM
.down.com = DOWN.COM
down.com = DOWN.COM

Note :

* This file has to be created on the machine where WebLogic Server is installed.

* If WebLogic Server is installed on a Windows machine, create a file named krb5.ini. On Unix machines the file is called krb5.conf instead of krb5.ini.

* Default Kerberos configuration files and their locations :

[Windows] The default location is c:\winnt\krb5.ini.

Note : if the krb5.ini file is not located in the c:\winnt directory it might be located in c:\windows.

[Linux] The default location is /etc/krb5.conf.

[AIX] [HP-UX] [Solaris] On other Unix platforms, the default location is /etc/krb5/krb5.conf.

* You can skip the default search altogether and point the JVM at the file explicitly with -Djava.security.krb5.conf=<full path to krb5.ini>. This also avoids picking up a stale copy from one of the locations above.

* About the encryption types : the example above is pinned to RC4-HMAC because the WebLogic box in this lab runs Windows XP, which does not support AES Kerberos tickets. DES ( des-cbc-crc, des-cbc-md5 ) is disabled by default on Windows 2008 R2 and should not be listed at all, and RC4-HMAC is considered weak. On current clients list aes256-cts-hmac-sha1-96 first and generate the keytab with a matching -crypto value; older JDKs ( before 8u161 ) need the unlimited-strength JCE policy files installed before they can use AES-256.
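As an added example ( this code is not part of the original post ), here is a small Python checker for the file from STEP 2. It parses the krb5 profile format, including the REALM = { ... } blocks, and reports the mistakes that cost the most time in a two-realm setup : a realm referenced in [domain_realm] that has no [realms] block, a realm name written with a leading dot, a realm block without a kdc, and weak enctypes in [libdefaults]. Both embedded configurations are constructed for the example : the first mirrors the UP.COM / DOWN.COM lab with AES, the second carries the RC4-only and dotted-realm mistakes the checker is meant to flag. Function names are mine.

```python
"""Parse a krb5.ini / krb5.conf and sanity-check a two-realm WebLogic setup."""
import re

# Enctypes a current Windows KDC refuses by default (DES) or that are
# considered broken (RC4-HMAC); flagged if krb5.ini still allows them.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5",
                 "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5"}


def parse_krb5_conf(text):
    """Return {section: {key: value}}; a 'NAME = { ... }' group becomes a nested dict."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, block = conf.setdefault(header.group(1), {}), None
            continue
        if section is None:
            raise ValueError("entry outside any [section]: %r" % raw)
        if line == "}":
            block = None
            continue
        key, _, value = [p.strip() for p in line.partition("=")]
        if value == "{":                       # start of a REALM = { ... } group
            block = section.setdefault(key, {})
        elif block is not None:
            block[key] = value
        else:
            section[key] = value
    return conf


def check_krb5_conf(conf):
    """Return a list of findings; an empty list means the file passed every check."""
    findings = []
    libdefaults, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    default_realm = libdefaults.get("default_realm")
    if not default_realm:
        findings.append("libdefaults: default_realm is missing")
    elif default_realm not in realms:
        findings.append("default_realm %s has no [realms] block" % default_realm)
    for name, realm in realms.items():
        if name != name.upper():
            findings.append("realm %s must be written in upper case" % name)
        if not isinstance(realm, dict) or "kdc" not in realm:
            findings.append("realm %s has no kdc entry" % name)
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm.startswith("."):
            findings.append("domain_realm %s maps to %r: realm names never start with '.'"
                            % (domain, realm))
        elif realm not in realms:
            findings.append("domain_realm %s maps to unknown realm %s" % (domain, realm))
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        weak = [e for e in libdefaults.get(key, "").lower().split() if e in WEAK_ENCTYPES]
        if weak:
            findings.append("%s allows weak enctypes: %s" % (key, ", ".join(weak)))
    return findings


# Constructed sample mirroring the UP.COM / DOWN.COM lab, with AES instead of RC4.
EXAMPLE = """\
[libdefaults]
default_realm = UP.COM
default_tkt_enctypes = aes256-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96
permitted_enctypes = aes256-cts-hmac-sha1-96
[realms]
UP.COM = {
  kdc = celbeavm13.us.oracle.com
  admin_server = celbeavm13.us.oracle.com
  default_domain = UP.COM
}
DOWN.COM = {
  kdc = celbeavm14.us.oracle.com
  admin_server = celbeavm14.us.oracle.com
}
[domain_realm]
.up.com = UP.COM
up.com = UP.COM
.down.com = DOWN.COM
down.com = DOWN.COM
"""

# Variant with two mistakes the checker is meant to catch: RC4-only
# enctypes and a leading dot on the realm side of [domain_realm].
AS_POSTED = (EXAMPLE.replace("aes256-cts-hmac-sha1-96", "RC4-HMAC")
             .replace("= UP.COM\nup.com", "= .UP.COM\nup.com")
             .replace("= DOWN.COM\ndown.com", "= .DOWN.COM\ndown.com"))

if __name__ == "__main__":
    for text in (EXAMPLE, AS_POSTED):
        print("\n".join(check_krb5_conf(parse_krb5_conf(text)) or ["OK"]), "\n")
```

Run it as a script to see the findings for the flawed variant; to check a real file, pass open(path).read() to parse_krb5_conf and hand the result to check_krb5_conf. The checker only looks at the keys this setup depends on; it does not validate every krb5.conf option.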

STEP 3 :

Step 3a :

To check that the krb5.ini file you created is correct for realm 1, run the following command ( it prompts for the account password and asks the KDC for a TGT ) :

Command : kinit up_user OR kinit up_user@UP.COM

Step 3b :

To check the realm 2 entries, run the same test against the second realm. Because DOWN.COM is not the default_realm, use the fully qualified form :

Command : kinit down_user@DOWN.COM

Note : the JDK ships kinit, klist and ktab in %JAVA_HOME%\bin, and these read krb5.ini. Windows Vista / 2008 and later also ship their own klist.exe in System32, which talks to the LSA ticket cache instead. If a command behaves unexpectedly, check which binary you are running ( where klist ) and call the JDK tool by its full path.

STEP 4 :

Step 4a :

Now create a keytab file ( run the following command on AD machine 1 ).

Syntax : ktpass -princ HTTP/<wls-server-name>@<REALM-NAME> -mapuser <account-name> -pass <password> -crypto all -ptype KRB5_NT_PRINCIPAL -out <keytab-file-name>

Command : ktpass -princ HTTP/SLKRBTRN6-03@UP.COM -mapuser UP\up_user -pass Weblogic1 -crypto all -kvno 0 -ptype KRB5_NT_PRINCIPAL -out wlsclientUP.keytab

( -pass sets a new password on the account. Pass * instead of the literal password to be prompted for it, so that it does not end up in the command history. )

Step 4b :

( Run the following command on AD machine 2 ).

Command : ktpass -princ HTTP/SLKRBTRN6-03@DOWN.COM -mapuser DOWN\down_user -pass Weblogic1 -crypto all -kvno 0 -ptype KRB5_NT_PRINCIPAL

If all you need in the second domain is the SPN registration, setspn does that too ( the SPN is given without the @REALM suffix ) :

Command : setspn -A HTTP/SLKRBTRN6-03 DOWN\down_user

( On Windows 2008 and later, setspn -S does the same but first checks that the SPN is not already registered on another account; a duplicate SPN silently breaks Kerberos for that service. )

I would suggest using ktpass, as it sets the SPN, creates the keytab and sets the kvno in ONE command.

I have seen a BUG with JDK 1.6_22 with kvno, and I suggest you use kvno 0 :

http://bugs.java.com/bugdatabase/view_bug.do?bug_id=6984764

You can set the kvno using the ktpass command, OR with the JDK's ktab tool :

ktab -a <principal name> [<password>] [-n <kvno>] [-append]

NOTE : I am not using the argument -out in the above command ( step 4b ), because we don't need a keytab from both AD machines. Since there is a forest trust configured, one keytab file from one of the AD machines is enough.

Keep in mind why a single keytab can decrypt tickets issued by either KDC here : a ticket for a DOWN.COM user is issued by the DOWN.COM KDC and encrypted with down_user's key, so the UP.COM keytab can only open it if both accounts hold the same key. With RC4-HMAC that is the case whenever both passwords are the same, because the RC4-HMAC key is an unsalted MD4 hash of the password. AES keys are salted with realm and principal name, so if you move to AES expect to need a keytab that carries both accounts' keys ( ktab -a ... -append ) rather than a copy from one domain.

* Running ktpass will modify the account details, changing the user logon name to match the service principal name. Note that this is a consequence of running the above command, not something you need to do manually. Even without -out, the step 4b command resets down_user's password and rewrites its UPN and SPN.

* Click on the user " up_user " OR " down_user " --> Properties to see the change.

* Now copy the keytab file generated to the machine where WebLogic Server is installed, over a secure channel, and restrict its file permissions : the RC4-HMAC entry in it is the NT hash of the service account, and anyone holding the file can forge service tickets for that SPN.

* If you are using Windows 2003 AD then use the following command :

ktpass -princ HTTP/<wls-server-name>@<REALM-NAME> -mapuser <account-name> -pass <password> -crypto DES-CBC-CRC -ptype KRB5_NT_PRINCIPAL -out <keytab-file-name>

____________________________

STEP 5 :

After copying the keytab file to the machine where WebLogic Server is installed, run the klist command to see the contents of the keytab file ( principal, kvno and encryption type of each entry ).

Syntax : klist -k <keytab>

Command : klist -e -k wlsclientUP.keytab

If your principal was created properly, you should be able to request a TGT ( Ticket Granting Ticket ) from Kerberos using that principal.

If the keytab file was generated properly, then you should be able to use this file instead of the password of your account. kinit tests both at once.

Syntax : kinit -k -t <keytab-file> <account-name>

Command :

kinit -J-Dsun.security.krb5.debug=true -k -t wlsclientUP.keytab HTTP/SLKRBTRN6-03@UP.COM

OR

java -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit -k -t wlsclientUP.keytab HTTP/SLKRBTRN6-03@UP.COM

Note :

* On UNIX use the -V switch or else there won't be any output ( kinit -V -k -t <keytab-file> <account-name> ).

* The -J and sun.security.krb5.debug forms above only apply to the JDK's kinit. On UNIX the kinit in PATH is normally the MIT or Heimdal one, which does not accept them; use the java ... Kinit form there if you want the JDK's debug output.

* When you lock and unlock your computer, Windows requests new Kerberos tickets. Another way to force Windows to request new tickets is to run " klist purge " from the command prompt ( the Windows klist in System32, not the JDK one ). This explicitly asks Windows to discard your current Kerberos tickets and thus request new ones, which is what you want after changing an SPN or the service account password.
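As an added example ( not code from the original post ), the following Python builds and parses keytabs in the MIT file format ( version 0x0502 ) that ktpass -out and the JDK's ktab write. It reproduces what klist -e -k shows, so you can inspect a copied keytab on a machine without Kerberos tools, and it makes the point from STEP 4 concrete : the key bytes in the file are the secret. The sample entries are constructed with made-up key bytes for the page's principal; nothing is derived from a real password, and the function names are mine.

```python
"""Build and read MIT-format keytabs (file format 0x0502) without the JDK tools."""
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
KRB5_NT_PRINCIPAL = 1


def _cstr(b):
    """counted_octet_string: uint16 big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """entries: iterable of (principal, kvno, enctype, key_bytes, unix_timestamp)."""
    out = bytearray(b"\x05\x02")                      # file format version 0x0502
    for principal, kvno, etype, key, ts in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        body += b"".join(_cstr(c.encode()) for c in comps)
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, ts, kvno & 0xFF)  # name type, time, vno8
        body += struct.pack(">H", etype) + _cstr(key)                     # keyblock
        body += struct.pack(">I", kvno)                                   # 32-bit vno (optional)
        out += struct.pack(">i", len(body)) + body                        # size excludes itself
    return bytes(out)


class _Reader:
    """Cursor over the keytab bytes."""
    def __init__(self, data, pos):
        self.data, self.pos = data, pos

    def unpack(self, fmt):
        vals = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return vals

    def cstr(self):
        (n,) = self.unpack(">H")
        s = self.data[self.pos:self.pos + n]
        self.pos += n
        return s


def read_keytab(data):
    """Parse a keytab into a list of entry dicts (deleted slots are skipped)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    r, entries = _Reader(data, 2), []
    while r.pos < len(data):
        (size,) = r.unpack(">i")
        if size < 0:                       # negative size marks a deleted entry
            r.pos += -size
            continue
        end = r.pos + size
        (ncomp,) = r.unpack(">H")
        realm = r.cstr().decode()
        comps = [r.cstr().decode() for _ in range(ncomp)]
        _name_type, ts, vno8 = r.unpack(">IIB")
        (etype,) = r.unpack(">H")
        key = r.cstr()
        vno = vno8
        if end - r.pos >= 4:               # full vno present only if 4 bytes remain
            (vno,) = r.unpack(">I")
        r.pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": vno,
                        "enctype": ENCTYPES.get(etype, "etype-%d" % etype),
                        "key": key, "timestamp": ts})
    return entries


def list_keys(data):
    """Lines in the spirit of 'klist -e -k': kvno, principal, enctype."""
    return ["%4d %s (%s)" % (e["kvno"], e["principal"], e["enctype"])
            for e in read_keytab(data)]


# Constructed sample for the page's service principal. The key bytes are
# placeholders, not derived from any password; in a real ktpass output the
# rc4-hmac key is the account's NT hash, which is why the file must be protected.
SAMPLE = build_keytab([
    ("HTTP/SLKRBTRN6-03@UP.COM", 3, 23, bytes.fromhex("00112233445566778899aabbccddeeff"), 1398729600),
    ("HTTP/SLKRBTRN6-03@UP.COM", 3, 18, bytes(range(32)), 1398729600),
])

if __name__ == "__main__":
    for line in list_keys(SAMPLE):
        print(line)
```

To inspect a real file, call read_keytab(open("wlsclientUP.keytab", "rb").read()) and compare the kvno and enctype of each entry with what the KDC issues ( a mismatch is the usual reason for " Checksum failed " or " Key version number ... not available " errors ).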

____________________________

STEP 6 :

Now, lets configure Weblogic Server.

Create a file called " krb5Login.conf " and place it in the Weblogic Server domain directory :

Syntax :

com.sun.security.jgss.krb5.initiate {

com.sun.security.auth.module.Krb5LoginModule required

principal="<Service principal account>@<Kerberos realm>"

useKeyTab=true

keyTab=<keytab>

storeKey=true

debug=true;

};

com.sun.security.jgss.krb5.accept {

com.sun.security.auth.module.Krb5LoginModule required

principal="<Service principal account>@<Kerberos realm>"

useKeyTab=true

keyTab= <keytab>

storeKey=true

debug=true;

};

--------------------------------------------

krb5Login.conf :

com.sun.security.jgss.krb5.initiate {

com.sun.security.auth.module.Krb5LoginModule required principal="HTTP/SLKRBTRN6-03@UP.COM"

useKeyTab=true keyTab=wlsclientUP.keytab

storeKey=true debug=true;

};

com.sun.security.jgss.krb5.accept {

com.sun.security.auth.module.Krb5LoginModule required principal="HTTP/SLKRBTRN6-03@UP.COM"

useKeyTab=true keyTab=wlsclientUP.keytab

storeKey=true debug=true;

};

Note :

* If you are using JDK 1.5, change " com.sun.security.jgss.krb5.initiate " and " com.sun.security.jgss.krb5.accept " in the above file to " com.sun.security.jgss.initiate " and " com.sun.security.jgss.accept ".

i.e. do not use krb5 in the accept and initiate entry names in the above file if you are using JDK 1.5.

* The WebLogic Server domain directory is the default location of the keytab file and the krb5Login.conf file ( the relative names above are resolved against it ). The keytab should be readable only by the account that runs WebLogic Server.

* Parse errors in krb5Login.conf are usually caused by a missing semicolon, unbalanced braces, or stray characters ( smart quotes, non-breaking spaces ) picked up by copy-paste. Keep the file plain ASCII.

You can copy the sample above as is and change only the principal ( "<Service principal account>@<Kerberos realm>" ) and the keyTab entries. The java.security.debug flag in the next step shows whether the file was parsed.

____________________________

STEP 7 :

Now lets add few -D parameters to Weblogic Server startup script.

-Djava.security.auth.login.config=krb5Login.conf

-Djavax.security.auth.useSubjectCredsOnly=false

-Dweblogic.security.enableNegotiate=true

-Djava.security.debug=configfile,configparser,gssloginconfig // This is the debug flag to check if the config files get parsed properly.

-Dsun.security.krb5.debug=true

< Additional -D parameters that can be set >

-Djava.security.krb5.realm=<realm>

-Djava.security.krb5.kdc=<kdc>

// These two name a single realm and a single KDC ( they override the default realm from krb5.ini, and on older JDKs cause the file to be skipped entirely ), so in a two-realm setup leave them unset and rely on krb5.ini.

-Dweblogic.security.krb5.useGSSName=true // Use this flag if you are configuring Kerberos with multiple AD domains. On versions before 12.1.1 you also need to apply the patch for Bug 14069872 ( fixed in 12.1.1 ) for this flag to work.

// for IBM JDK you can use the following debug : -Dcom.ibm.security.jgss.debug=all 

-- 

In Windows edit the " startWebLogic.cmd " file and add the following Java options :

set JAVA_OPTIONS=%JAVA_OPTIONS% -Djava.security.auth.login.config=krb5Login.conf -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.security.enableNegotiate=true -Dsun.security.krb5.debug=true

In UNIX edit the " startWebLogic.sh " file and add the following Java options :

JAVA_OPTIONS="${JAVA_OPTIONS} -Djava.security.auth.login.config=krb5Login.conf -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.security.enableNegotiate=true -Dsun.security.krb5.debug=true"

Make sure every option starts with a plain ASCII hyphen; an en dash pasted from a web page makes the JVM treat the option as the main class name. Remove the debug flags once SSO works, they are verbose and write ticket details to the server log.

____________________________

STEP 8 :

Log in to the WebLogic console and configure an Active Directory provider.

Note :

Say you have a " test " user in both domains ( UP.COM and DOWN.COM ). From the short name alone WebLogic cannot tell which domain the user belongs to, and the wrong account could be matched.

To let WLS know which domain the user is coming from, i.e. to get the fully qualified Kerberos principal out of the token, set the attribute " weblogic.security.krb5.useGSSName ".

WebLogic will then extract the user from the token as " test@UP.COM ".

Add the following system property to the WLS start scripts :

-Dweblogic.security.krb5.useGSSName=true

Once this is done, the ID retrieved from the Kerberos token will be in the form userid@domain, which matches the userPrincipalName attribute in AD.

Now make the following changes in the console for the AD provider :

Log in to the WLS console --> Security Realms --> myrealm --> Providers --> AD provider --> Provider Specific :

Change the " User From Name Filter " and the " User Name Attribute " parameters to use userPrincipalName, e.g. User Name Attribute = userPrincipalName and User From Name Filter = (&(userPrincipalName=%u)(objectclass=user)).

Configure one AD provider for each AD domain.

NOTE :

* Another option is to create a single AD provider and connect it to a " Global Catalog ".

Global Catalogs listen by default on port 3268 ( 3269 for LDAPS ). Check the following link for more information :

http://technet.microsoft.com/en-us/library/cc728188%28v=ws.10%29.aspx

Your AD administrator can help with the other properties of the AD provider ( User Base DN, Group Base DN, etc. ). Use a low-privilege, read-only account for the provider's bind credentials, and prefer LDAPS ( SSL Enabled ) so that the bind password and the lookups do not travel in clear text.

Set the control flag of all the providers to " OPTIONAL ".

If you use the SUFFICIENT control flag instead, reorder the providers so that the Active Directory providers come first in the list.

Apart from the parameter " -Dweblogic.security.krb5.useGSSName=true ", on versions before 12.1.1 we also need to apply the patch for Bug 12545239 ( fixed in WLS 12.1.1 ).

____________________________

STEP 9 :

Now create a " NegotiateIdentityAsserter " : Security Realms --> myrealm --> Providers --> Authentication --> New, type NegotiateIdentityAsserter, then restart the server. It consumes the SPNEGO token sent by the browser and asserts the Kerberos principal, which the AD providers from STEP 8 then resolve to a user.

____________________________

STEP 10 :

Set up your browser for Kerberos authentication.

* No special configuration is needed for the Chrome browser on Windows; it follows the Internet Explorer zone settings described below.

* For the Mozilla Firefox browser :

1. Start Firefox.

2. Enter about:config in the Location Bar.

3. Enter the filter string network.negotiate.

4. Double click on network.negotiate-auth.delegation-uris and enter the WebLogic hosts or DNS suffixes ( e.g. " .up.com,.down.com " ).

5. Double click on network.negotiate-auth.trusted-uris and enter the same list.

( A value of " http://,https:// " works too, but it makes Firefox send a Kerberos ticket, and through delegation-uris a forwardable TGT, to any site. Scope both settings to the hosts that actually need SSO, and only fill in delegation-uris if WebLogic must use the user's ticket for onward calls. )

* For Internet Explorer :

Configure Local Intranet Domains

1. In Internet Explorer, select Tools > Internet Options.

2. Select the Security tab.

3. Select Local intranet and click Sites.

4. In the Local intranet popup, ensure that the Include all sites that bypass the proxy server and Include all local (intranet) sites not listed in other zones options are checked.

5. Click Advanced.

6. In the Local intranet (Advanced) dialog box, add all relative domain names that will be used for Oracle WebLogic Server instances participating in the SSO configuration (for example, myhost.example.com) and click OK.

Configure Intranet Authentication

1. Select Tools > Internet Options.

2. Select the Security tab.

3. Select Local intranet and click Custom Level... .

4. In the Security Settings dialog box, scroll to the User Authentication section.

5. Select Automatic logon only in Intranet zone. This option prevents users from having to re-enter logon credentials, which is a key piece to this solution.

6. Click OK.

Verify Proxy Settings

If you have a proxy server enabled:

1. Select Tools > Internet Options.

2. Select the Connections tab and click LAN Settings.

3. Verify that the proxy server address and port number are correct.

4. Click Advanced.

5. In the Proxy Settings dialog box, ensure that all desired domain names are entered in the Exceptions field.

6. Click OK to close the Proxy Settings dialog box.

Now, when you access your WebLogic Admin Console, you should be logged in without being asked for a username / password.
