Comments on Oracle Fusion Middleware Security: Kerberos and WebLogic Server on Windows step-by-step

Blog author: Chris Johnson (Oracle)
Feed updated: 2023-05-22T03:03:54.478-07:00

webuser, 2011-09-05T09:49:51.397-07:00:

This comment has been removed by a blog administrator.

Chris Johnson (Oracle), 2011-02-16T07:45:29.940-08:00:

I wrote another article on how HTTP and Kerberos work. Perhaps that will help? http://fusionsecurity.blogspot.com/2011/01/how-does-kerberos-actually-work-in-http.html

Babu Sankar, 2011-02-14T22:12:42.813-08:00:

Hi Chris,

Thanks for the document. Can you please describe a little bit about the error 401 Unauthorized? I am still getting this same error when I access the app, even after finishing the full setup.

Regards,
Babu

Chris Johnson (Oracle), 2011-01-26T12:25:58.673-08:00:

@keshav: Can you get in touch with me directly? christopher.johnson at oracle.com. I am working on a tool that helps troubleshoot these sorts of issues.

Weblogic User, 2011-01-11T07:57:40.290-08:00:

Hi

I am getting the below error at my end:

    >>>KRBError:
     sTime is Fri Jan 07 18:11:59 CET 2011 1294420319000
     suSec is 554452
     error code is 24
     error Message is Pre-authentication information was invalid
     realm is ARK.CHRIST.NET
     sname is krbtgt/ARK.CHRIST.NET
     eData provided.
     msgType is 30
    >>>Pre-Authentication Data:
     PA-DATA type = 11
     PA-ETYPE-INFO etype = 1
    <07.01.2011 18:11 Uhr MEZ> <Exception com.bea.common.security.internal.utils.negotiate.NegotiateTokenException: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
    com.bea.common.security.internal.utils.negotiate.NegotiateTokenException: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
     at com.bea.common.security.internal.utils.negotiate.SPNEGONegotiateToken.getUsername(SPNEGONegotiateToken.java:180)
     at weblogic.security.providers.authentication.NegotiateIdentityAsserterProviderImpl.assertChallengeIdentity(NegotiateIdentityAsserterProviderImpl.java:213)

Any help would be highly appreciated.

Unknown, 2010-12-28T04:32:21.111-08:00:

Can you please clarify if you have done all your steps on Windows 2003 Server/XP? Does it work if Weblogic runs on a Linux server? Do we need to generate ktab and kinit on Windows 2003 Server?

Unknown, 2010-12-14T22:43:06.338-08:00:

Hi John,

Currently our IT helpdesk guy has already registered HTTP services in the domain which I am going to access on the application server.

And before landing on your blog I was checking http://spnego.sourceforge.net/
http://spnego.sourceforge.net/pre_flight.html

and there I could see krb5.conf and login.conf files being talked about.

So my question is: can we use those .conf files and make them accessible to Weblogic?

Please note that I am trying to implement Kerberos with SPNEGO with the application server being weblogic11g.

Please let me know.
Thanks in advance,
Sarfraz

Anonymous, 2010-11-13T00:01:56.220-08:00:

Hi Josh,

I'm trying to configure SSO in my Weblogic and AD. My Weblogic is on Redhat and AD on win2003. I always get this error:

Error 401--Unauthorized
From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
10.4.2 401 Unauthorized
The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity MAY include relevant diagnostic information. HTTP access authentication is explained in section 11.

Really appreciate the help.

Regards,
Eric

Chris Johnson (Oracle), 2010-09-09T11:17:02.904-07:00:

Santhoshi,

Identity and Authorization work the same in Weblogic regardless of how you authenticate.

So you should be able to use username and password, certificate, Kerberos, SPNEGO, or a custom Authenticator or Identity Asserter and not have to change the code in your application.

HTH

Chris Johnson (Oracle), 2010-09-09T11:14:42.405-07:00:

Mario,

As far as I know it should work with that JDK.

The important things to look for are mentioned above - make sure you see the server asking for "Negotiate" authentication, and that you see the browser sending a Kerberos ticket.

In a later post I mentioned that I have run into trouble getting the browser to do Kerberos instead of NTLM. Info: http://fusionsecurity.blogspot.com/2010/02/testing-your-weblogickerberos-setup.html

What errors are you seeing?
Have you opened a support request yet?

Mario Madera, 2010-09-02T08:43:00.501-07:00:

Hi,
I'm trying to configure SSO in Weblogic 10.0 MP1 over AIX without success. The JVM is 1.5_09 IBM JDK. This is a prerequisite for the application we're hosting in Weblogic.

This may be an issue?

Thanks,
Mario

Unknown, 2010-08-31T07:55:33.752-07:00:

Hello Josh,

May I know how the authorization works if we implement this authentication mechanism? How do we know which user logged into the application? In NTLM authentication, we can get the user name of the user who logged in using this: owa_util.get_cgi_env('REMOTE_USER');
How do we know which user logged into the application using this authentication mechanism?

Josh Bregman, 2010-08-04T17:57:09.878-07:00:

You don't need a keytab file for every user. The keytab has the credentials for the user account associated with the service's SPN. It is simply to allow the service to authenticate itself with the KDC and decrypt tickets sent by others for the service.

HTH,

JB

Unknown, 2010-08-03T02:48:24.852-07:00:

Dear Josh,

Thanks for the article, very useful for me.

Please advise me on my requirement:
I understand that we need to generate a keytab file for all Windows users (who intend to use this web service), so how do I generate one keytab file for all such users?

And in case in future more users need to be added/removed, how best can we do this?

Thanks and Regards
Arunachalam.C
Dubai

Josh Bregman, 2010-04-30T06:20:01.513-07:00:

I'm not a Spring Security expert, but I would start here: http://blog.springsource.com/2009/09/28/spring-security-kerberos/. I think this means that you don't do the SPNEGO set-up in WLS, but in Spring Security directly.

Linuxfanatic, 2010-04-29T07:09:31.063-07:00:

Hi,

Please help me by providing a doc for SPNEGO+WebLogic10.3+Kerberos+Win2k3 setup so that it will work on Spring Security 3.0.

Please help.

Josh Bregman, 2010-04-29T04:23:24.254-07:00:

You could use the SPNEGO setup listed in this post to get desktop SSO to WLS. This assumes that all of the servers support SPNEGO. If not, you could use Oracle Access Manager, put that in front of the services. If all you have is WLS, and you don't need desktop SSO, I would just use the out of the box session capabilities of WLS.

Linuxfanatic, 2010-04-28T05:17:30.357-07:00:

Can you give me a suggestion/steps? I need to configure SSO for my J2EE env. I am using Weblogic 10.3, AD 2003 and Spring 3.0.

Anonymous, 2010-03-18T14:05:33.790-07:00:

Hi

I tried to configure Kerberos with Weblogic 9.2 MP3 and when I open up the application page I'm getting an HTTP 403 error.

Any ideas?
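
Added example (not part of the original post or any comment): Chris Johnson's reply to Mario says to confirm that the server asks for "Negotiate" and that the browser sends a Kerberos ticket rather than NTLM. The Python below classifies the token from a captured `Authorization: Negotiate` header by reading its SPNEGO mechanism list; the function names and the sample tokens are constructed for illustration.

```python
import base64

SPNEGO = bytes.fromhex("2b0601050502")            # OID 1.3.6.1.5.5.2
KRB5 = bytes.fromhex("2a864886f712010202")        # OID 1.2.840.113554.1.2.2
KRB5_MS = bytes.fromhex("2a864882f712010202")     # OID 1.2.840.48018.1.2.2 (legacy Microsoft value)
NTLM = bytes.fromhex("2b06010401823702020a")      # OID 1.3.6.1.4.1.311.2.2.10
MECHS = {KRB5: "Kerberos", KRB5_MS: "Kerberos", NTLM: "NTLM"}

def tlv(buf, pos):
    """Read one DER header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def classify_token(b64_token):
    """Name the mechanism a base64 Negotiate token actually carries."""
    try:
        raw = base64.b64decode(b64_token)
        if raw.startswith(b"NTLMSSP\x00"):        # bare NTLM message, no GSS-API framing
            return "NTLM"
        tag, pos, _ = tlv(raw, 0)                 # 0x60: GSS-API initial context token
        tag2, start, pos = tlv(raw, pos)          # thisMech OID
        if (tag, tag2) != (0x60, 0x06):
            return "unknown"
        if raw[start:pos] != SPNEGO:              # mechanism token without SPNEGO wrapper
            return MECHS.get(raw[start:pos], "unknown")
        for expected in (0xA0, 0x30, 0xA0, 0x30): # descend NegTokenInit -> mechTypes
            tag, pos, _ = tlv(raw, pos)
            if tag != expected:
                return "unknown"
        tag, start, end = tlv(raw, pos)           # first mechType is the preferred one
        return "SPNEGO/" + MECHS.get(raw[start:end], "unknown") if tag == 0x06 else "unknown"
    except (IndexError, ValueError):              # truncated DER or bad base64
        return "unknown"

def check_exchange(www_authenticate, authorization):
    """Return (server_offered_negotiate, mechanism_in_client_token)."""
    offered = any(v.strip().lower().startswith("negotiate") for v in www_authenticate)
    scheme, _, token = authorization.partition(" ")
    return offered, (classify_token(token.strip()) if scheme.lower() == "negotiate"
                     else "no Negotiate token")

# Constructed samples (not real captures): a NegTokenInit cut down to its
# mechTypes list, and an NTLM type 1 stub.
def der(tag, body):
    return bytes([tag, len(body)]) + body         # short-form lengths are enough here
MECH_LIST = der(0x30, der(0x06, KRB5) + der(0x06, NTLM))
SAMPLE_KRB = base64.b64encode(
    der(0x60, der(0x06, SPNEGO) + der(0xA0, der(0x30, der(0xA0, MECH_LIST))))).decode()
SAMPLE_NTLM = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(8)).decode()
```

On a real capture, a token that begins `TlRMTVNTUAAB` is an NTLM type 1 message, while Kerberos-bearing tokens typically begin `YII`.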