Access Weblogic Hosted Applications with Windows Native Authentication

The below steps will help configure a transparent authentication mechanism for accessing Weblogic hosted application based on the users’ Active Directory credentials. Users will be able to securely access the company’s J2EE applications using their work station credentials without having to go through a login screen.

BEFORE YOU BEGIN:

It’s assumed that you already have:

– an Active Directory domain;

– a Weblogic domain  (the steps in this guide describe the setup for a Weblogic cluster spread over two physical machines);

-an Active Directory Authentication Provider defined in the Weblogic security realm;

– the end users will access the J2EE applications via a Weblogic proxy (HTTPClusterServlet based), accessible by end users at wls.domain.com

Also, before setting up the solution, you must ensure that you have the following information:

adhost.whatever.com – The Active Directory hostname

wls1.domain.com – The first Weblogic machine hostname

wls2.domain.com – The second Weblogic machine hostname

wls.domain.com – The proxy server in front of the Weblogic cluster (HttpClusterServlet in this case)

COMPANY.COM – The Kerberos realm

HOW TO:

On the Windows machine:

1. Create an Active Directory user account for your Weblogic Server

This should be a regular user account (not a computer account) and you can name it anything you want. In this article it will be reffered to as wlsAuth

a) Launch Programs/Administrative Tools/Active Directory Users and Computers tool.

b) Right click on the Users node and select New/User (Do not select Machine).

c) Type in the user name in the “Full Name” field and in the “Logon Name” field.

d)Click Next and enter the password.

e)Verify that none of the password options are checked and Click Next. f) Click Finish.

g)Locate your newly created user in the Users tree in the left hand pane.

h) Right-click on the user node and select Properties.

i) Click on the “Account” tab.

j) Check the box: “Use DES encryption types for this account.”

k) Ensure no other box is checked, specifically: “Do not require Kerberos pre-authentication.”

l) Click OK

2. Define a Service Principal Name

This step will match a hostname of the Weblogic server that the browser will access to the Active Directory account you have just created:

a)

setspn -A HTTP/wls.domain.com wlsAuth

Registering ServicePrincipalNames for CN=wlsAuth,CN=Users,DC=mydom,DC=com HTTP/wls.domain.com Updated object

setspn -A HTTP/wls1.domain.com wlsAuth

Registering ServicePrincipalNames for CN=wlsAuth,CN=Users,DC=mydom,DC=com HTTP/wls1.domain.com Updated object

setspn -A HTTP/wls2.domain.com wlsAuth

Registering ServicePrincipalNames for CN=wlsAuth,CN=Users,DC=mydom,DC=com HTTP/wls2.domain.com Updated object

You can check what SPNs (Service Principal Names) you have associated with your account with the below command:

b)

setspn -L wlsAuth

Registered ServicePrincipalNames for CN=wlsAuth,CN=Users,DC=mydom,DC=com: HTTP/wls.domain.com HTTP/wls1.domain.com HTTP/wls2.domain.com

3.Create a keytab that will be used by each Weblogic machine

ktpass -princ HTTP/wlsAuth.domain.com@COMPANY.COM -mapUser wlsAuth -pass <user_password> -crypto DES-CBC-CRC –pType KRB5_NT_PRINCIPAL -out  wlsAuth.keytab

Targeting domain controller: adhost.whatever.com

Successfully mapped HTTP/wlsAuth.domain.com to wlsAuth.

Password succesfully set!

Key created.

Output keytab to wlsAuth.keytab:

Keytab version: 0x502

keysize 57 HTTP/wlsAuth.domain.com@COMPANY.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 8 etype 0x1 (DES-CBC-CRC) keylength 8 (0x86200d6bfd515eba)

You must now test the keytab by using the kinit command:

kinit -k –t wlsAuth.keytab wlsAuth

You should not be asked for a password to successfully authenticate. Once the test is carried out successfully, copy the wlsAuth.keytab file on each Weblogic machine, under the domain directory.

On the Weblogic Server(s)

4. Edit the kerberos settings on the Weblogic server(s)

For the Weblogic server(s) to know to which Kerberos realm to authenticate, you must edit the /etc/krb5.conf file on each Weblogic physical host. You need root privilege for this.

[logging]

default = FILE:/var/log/krb5libs.log

kdc = FILE:/var/log/krb5kdc.log

admin_server = FILE:/var/log/kadmind.log

[libdefaults]

default_realm = COMPANY.COM

default_tkt_enctypes = des-cbc-crc

default_tgs_enctypes = des-cbc-crc

ticket_lifetime = 600

[realms]

COMPANY.COM = {

kdc = adhost.whatever.com

default_domain = COMPANY.COM

}

[domain_realm]

.company.com = COMPANY.COM

company.com = COMPANY.COM

[appdefaults]

autologin = true

forward = true

forwardable = true

encrypt = true

5. Configure weblogic authentication with JGSS and the Kerberos realm

Create a krb5Login.conf file in the Weblogic domain directory of each physical machine in your cluster. The content of the file should be:

com.sun.security.jgss.krb5.initiate

{

com.sun.security.auth.module.Krb5LoginModule

required

principal=”wlsAuth@COMPANY.COM”

useKeyTab=true

keyTab=wlsAuth.keytab

storeKey=true debug=true;

};

com.sun.security.jgss.krb5.accept

{

com.sun.security.auth.module.Krb5LoginModule

Required

principal=”wlsAuth@COMAPNY.COM”

useKeyTab=true keyTab=wlsAuth.keytab

storeKey=true debug=true;

};

If you are using Java5, the classes names are slightly different:

com.sun.security.jgss.initiate

com.sun.security.jgss.accept

! Notice the missing “krb5”

6.  Configure Weblogic servers to use this authentication model

Add the below arguments to your managed servers startup arguments:

-Djava.security.auth.login.config=krb5Login.conf -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.security.enableNegotiate=true

7. Configure the Single Pass Negotiate Identity Assertion provider

In Weblogic administration console create a new Negotiate Identity Asserter, which is able to extract a SPNEGO/Kerberos ticket for the incoming request. You need to enable this provider for your server to use the Kerberos ticket it will receive from the browser.

a) Expand the Security -> Realms nodes.

b) Select the name of your realm.

c) Expand the Providers -> Authentication Providers nodes.

d) On the Authenticators tab, click “Configure a new Single Pass Identity Asserter”.

e) Define name and token information for the Single Pass Identity Assertion provider. For Active Types, check to ensure that Authorization is set in the Active Types Chosen list box.

f) Click Apply to save your changes.

8. Edit the Application descriptors

a)Edit your application /WEB-INF/web.xml to secure the applications resources. Add the following tags within the <web-app>:

<security-constraint>

<display-name>Security Constraint for SSO </display-name>

<web-resource-collection>

        <web-resource-name>MyApp</web-resource-name>

<description>Only those granted the SSORole role may access the MyApp resource. </description>

<url-pattern>/*</url-pattern>

        <http-method>GET</http-method>

<http-method>POST</http-method>

    </web-resource-collection>

<auth-constraint>

        <role-name>SSORole</role-name>

</auth-constraint>

</security-constraint>

<login-config>

    <auth-method>CLIENT-CERT</auth-method>

</login-config>

<security-role>

<description>Role description</description>

<role-name>SSORole</role-name>

</security-role>

This will give full access to all resources in the application to all users that have the SSORole. However, we still need to map the SSORole to a principal in Weblogic.

b)Edit the /WEB-INF/weblogic.xml to map the SSORole to a user or a group of users in the Weblogic realm. The below example will map the SSORole to the “Domain Users” in AD, which contains all the users in the domain:

<security-role-assignment>

<role-name>SSORole</role-name>

<principal-name>Domain Users</principal-name>

</security-role-assignment>

On the end-user’s PC:

9.Setting up Internet Explorer to use Integrated Windows Authentication:

Certain configurations must me changed on the end users browsers in order to activate Windows Native Authnetication:

a) Go to Tools -> Internet Options.

b) Select the “Security” tab.

c) Click on “Local Intranet” Icon. This will enable the “Sites” button.

d)Click “Sites” button. This will show a “Local Intranet” Popup.

e) Make sure the option “Include all local (intranet) sites not listed in other zones” option selected (Windows XP Only).

f) Click on “Advanced” Button. In the new popup window, add the URL for the Weblogic proxy wls.domain.com

g) Click “OK” to save your settings.

h) In the “Security” tab, Click “Custom Level” button.

i) In the “Security Settings” dialog, under “User Authentication” section, make sure “Automatic logon only in Intranet zone” option is selected.

j) Click “OK” to save your settings.

k) Go to “Connections” tab -> LAN Settings.

l) If you have a proxy server enabled, Click on “Advanced” button. Make sure you add the URL for the machine hosting WebLogic in the “Exceptions” box.

m) In the “Internet Options -> Advanced” tab, make sure “Enable Integrated Windows Authentication (requires restart)” option is checked. Click “OK” (If this option is not selected previously, you need to close all browser instances for the setting to take effect).

References and Troubleshooting:

The procedure is also documented in the Configuring Single Sign-On with Microsoft Clients section in the Oracle® Fusion Middleware Securing Oracle WebLogic Server documentation

Also, a good source for troubleshooting techniques is Note 779272.1 on My Oracle Support site.