
IBM

Configuring Kerberos based SSO in Solaris and Weblogic Application server Environment
Kerberos configuration
Saravana Kumar KKB & Arvind Kumar P

About the authors: Saravana is working as a Staff Software Engineer (QA) for the IBM Policy N team under
ECM. You can contact him with your queries at saravkkb@in.ibm.com. Arvind is working as an Advisory
Software Engineer (QA) for the Atlas team under ECM. Reach out to him at apachuno@in.ibm.com.

[Abstract: Today many products support SSO. Kerberos is the most widely recommended
mechanism for efficient and secure network access across the enterprise. This article
describes how to configure single sign-on (SSO) using Kerberos in Oracle Solaris and
Oracle WebLogic Server.]


Introduction:

Single sign-on (SSO) allows a user to authenticate once to the domain and then access other
applications without being prompted for credentials again. With Kerberos the browser proves
the user's identity to the application server with a service ticket rather than with the
user's password.

1.1 Why Kerberos?

Kerberos is a technology that provides strong authentication in open and distributed
networks. It is a credible security solution for four main reasons:
1. Kerberos is mature. It has been widely used and widely studied for a long time. In
security that counts for a great deal.
2. Kerberos meets the requirements of modern distributed systems. It was developed
in response to a well-defined and clearly thought through set of requirements for
secure authentication in an open environment with insecure communications links;
those requirements turn out to closely match the requirements of modern
distributed systems operating over networks based on Internet Protocols.
3. Kerberos is architecturally sound. It is designed around a clear set of architectural
and functional abstractions; that soundness has allowed it to evolve over time and
makes it easy to integrate into other systems. The same soundness makes it easy to
analyze how Kerberos will behave.
4. Kerberos is already in place. Kerberos is integrated into most popular
operating systems and many widely used software applications. It is an integral
part of today's IT infrastructure.

2 Machine configuration:
2.1 What is a KDC?
The Kerberos Key Distribution Center (KDC) is the network service that authenticates
principals (users and computers) and issues them ticket-granting tickets and service
tickets, each with a temporary session key. In an Active Directory domain the KDC runs
on every domain controller as part of Active Directory Domain Services (AD DS); in this
scenario Machine A, the domain controller, plays that role.

2.2 What is SPNEGO?

Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) is a standard protocol
used to negotiate which authentication mechanism (for example Kerberos or NTLM) a
client and a server will use when a client application authenticates to a remote server.
SPNEGO was originally specified in IETF RFC 2478, since replaced by RFC 4178. In Web SSO,
SPNEGO carries the Kerberos ticket inside the HTTP Negotiate scheme and is responsible
for authenticating access to a secured page, such as an application server resource
identified in an HTTP request. Microsoft also uses SPNEGO for its browser-based SSO
solutions. Note that when the browser cannot obtain a Kerberos ticket it may fall back to
NTLM inside the same Negotiate header, so a completed Negotiate exchange is not by
itself proof that Kerberos was used.

Figure 1 (image not reproduced) shows the three machines and the eight numbered
exchanges between them that are described in the steps below:
Machine A (ad.kerb.mycompany.com): Windows 2008/2012, KDC / Domain controller
Machine B (weblogic.kerb.mycompany.com): Solaris 10, Weblogic Application server
Machine C (client.kerb.mycompany.com): Windows 8/7/Vista client machine running the browser

Figure 1: Machine configuration for Kerberos authentication

1. The logged-on user (Machine C) requests a resource from Oracle WebLogic Server
(Machine B) by sending the initial HTTP GET.
2. Oracle WebLogic Server (Machine B), running the SPNEGO Token Handler code,
requires authentication and answers with 401 Unauthorized and a
WWW-Authenticate: Negotiate header.
3. The browser on Machine C then requests a service ticket for the server's SPN
(HTTP/solaris229) from the TGS/KDC (Machine A).
4. The TGS/KDC (Machine A) supplies the client with the Kerberos service ticket (assuming
the client is authorized); the client's security layer wraps it in a SPNEGO token.
5. The client re-sends the HTTP GET request together with the SPNEGO token in an
Authorization: Negotiate base64(token) header.
6. SPNEGO Web authentication in WebLogic Server sees the HTTP header with the
SPNEGO token, validates the token with the key in the server's keytab and obtains the
identity (principal) of the user.
7. After WebLogic has the identity of the user, it looks the user up in Microsoft
Active Directory through its LDAP authentication provider. Once identification is
complete, WebLogic executes the related Java code (servlets, JSPs, EJBs, and so on) and
checks authorizations.
8. Oracle WebLogic Server's SPNEGO Token Handler code accepts and processes
the token through the GSS API, authenticates the user and responds with the requested
URL.
The browser derives the SPN in step 3 from the host name in the URL, so the SPN
registered with ktpass in 4.1 must be HTTP/<host name exactly as users type it>; a
mismatch makes the KDC refuse the ticket and the browser silently falls back to NTLM.
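The exchange above can be checked on the wire without touching the KDC. The following Python script is an added example, not code from the article or from Oracle; it decodes the Authorization: Negotiate header a browser sends in step 5 and reports which mechanisms the SPNEGO token offers, which is how you tell a genuine Kerberos round trip from the silent NTLM fallback Windows performs when no service ticket could be obtained. Both sample headers are constructed in the script with a dummy mechToken (no real ticket), and the DER helpers handle only the SPNEGO framing needed here.

```python
# Added example (not from the article): decode the Authorization: Negotiate
# header from step 5 and report which GSS mechanisms the SPNEGO token offers.
# Sample headers are constructed below with a dummy mechToken, not captured.
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"      # legacy Microsoft Kerberos OID
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
MECH_NAMES = {KRB5_OID: "Kerberos V5", MS_KRB5_OID: "MS KRB5", NTLMSSP_OID: "NTLMSSP"}


def _read_tlv(buf, pos):
    """Return (tag, value, position after element) for the DER TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))


def parse_negotiate_header(header_value):
    """Classify an 'Authorization: Negotiate <base64>' value.

    Returns {"kind", "mechs", "kerberos"}; mechs[0] is the mechanism the
    embedded mechToken was built for, so that is the one that counts."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme != "Negotiate":
        raise ValueError("not a Negotiate header")
    token = base64.b64decode(b64)
    # Windows sends a bare NTLM message under the Negotiate scheme when it
    # could not get a service ticket (wrong SPN, host outside the intranet
    # zone, DNS problems).  There is no SPNEGO framing at all in that case.
    if token.startswith(b"NTLMSSP\x00"):
        return {"kind": "raw-ntlm", "mechs": ["NTLMSSP"], "kerberos": False}
    tag, body, _ = _read_tlv(token, 0)
    if tag != 0x60:                                     # [APPLICATION 0] InitialContextToken
        raise ValueError("not a GSS-API initial context token")
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x06 or _decode_oid(oid) != SPNEGO_OID:
        raise ValueError("outer mechanism is not SPNEGO")
    tag, neg_init, _ = _read_tlv(body, pos)
    if tag != 0xA0:                                     # [0] NegTokenInit; 0xA1 is NegTokenResp
        raise ValueError("expected NegTokenInit")
    _, seq, _ = _read_tlv(neg_init, 0)                  # SEQUENCE { mechTypes [0], ... }
    tag, mech_types, _ = _read_tlv(seq, 0)
    if tag != 0xA0:
        raise ValueError("mechTypes missing")
    _, oid_list, _ = _read_tlv(mech_types, 0)           # SEQUENCE OF MechType
    mechs, p = [], 0
    while p < len(oid_list):
        _, oid, p = _read_tlv(oid_list, p)
        mechs.append(MECH_NAMES.get(_decode_oid(oid), _decode_oid(oid)))
    return {"kind": "spnego", "mechs": mechs,
            "kerberos": bool(mechs) and mechs[0] in ("Kerberos V5", "MS KRB5")}


# --- encoder used only to construct the sample tokens ---------------------
def _tlv(tag, payload):
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + payload


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_neg_token_init(mech_oids, mech_token=b"\x60\x00"):
    """GSS-API framed SPNEGO NegTokenInit offering mech_oids in order.
    mech_token is a placeholder, not a real Kerberos AP-REQ."""
    mech_types = _tlv(0xA0, _tlv(0x30, b"".join(_encode_oid(o) for o in mech_oids)))
    mech_tok = _tlv(0xA2, _tlv(0x04, mech_token))
    return _tlv(0x60, _encode_oid(SPNEGO_OID) + _tlv(0xA0, _tlv(0x30, mech_types + mech_tok)))


def _as_header(token):
    return "Negotiate " + base64.b64encode(token).decode("ascii")


# Constructed: what a domain-joined browser sends after a successful step 4.
SAMPLE_KERBEROS = _as_header(build_neg_token_init([KRB5_OID, MS_KRB5_OID, NTLMSSP_OID]))
# Constructed: what it sends when no service ticket could be obtained (NTLM type 1).
SAMPLE_NTLM_FALLBACK = _as_header(b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(28))
```

Run parse_negotiate_header on a header copied from a browser developer-tools trace or from the WebLogic debug log: a result whose first mechanism is Kerberos V5 or MS KRB5 means steps 3 and 4 worked; raw-ntlm means the SPN, intranet-zone or DNS configuration is wrong, and the server should reject such a token rather than accept a downgraded login.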

3 Scenario Overview:
This scenario has two major parts:
1. Adding the Solaris machine to the domain controller
2. Configuring Oracle WebLogic Server for Kerberos
This scenario requires the following prerequisites:
A functioning Microsoft Windows 2008 Active Directory domain, including:
a domain controller
a client workstation
Users must be able to log in to the domain.
A working domain controller and at least one client computer in that domain are required.
SPNEGO SSO does not work from a browser running on the domain controller itself, so use
a separate client machine. For more information, see the tutorial "How do I install
Active Directory on the Windows Server 2008 server" at:
http://www.petri.co.il/installing-active-directory-windows-server-2008.htm

A functioning WebLogic server with a domain created

4 Steps:
4.1 Machine: KDC - scenario name: Machine A
1. Create a user in Active Directory
E.g.: solaris229
When creating the user, select only "Password never expires" and "User cannot change
password"; leave the other account options unselected. This account represents the
WebLogic service, so nobody should log on with it interactively.

2. Generate the keytab file
C:\Users\Administrator> ktpass -princ HTTP/solaris229@KERB.MYCOMPANY.COM -mapuser solaris229 -pass Admin123 -out C:\solaris\krb5.keytab -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL

Transfer the keytab file to the WebLogic machine, into the bin directory of the WebLogic
domain.
Notes: ktpass sets the account's password to the value given with -pass and derives the
keytab key from it, so the keytab file is as sensitive as that password. Copy it over an
encrypted channel (for example scp), make it readable only by the WebLogic user
(chmod 600) and do not leave a copy on the domain controller. Re-running ktpass resets
the password and increments the key version number (kvno), after which the old keytab
stops working and must be redistributed. RC4-HMAC-NT is shown because the rest of this
configuration uses rc4-hmac; it is a deprecated cipher, so where the Solaris Kerberos
libraries and the JDK support it, prefer -crypto AES256-SHA1 and list the AES enctypes in
krb5.conf.
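Before copying the keytab to WebLogic it is worth checking what it actually contains. The following Python script is an added example, not part of the article; it parses the standard keytab file format that ktpass, kadmin and klist -k all use, lists the principal, kvno and enctype of each key without exposing key material, and flags deprecated enctypes and wrong name types. The two sample keytabs are built in memory by the script with all-zero dummy keys; to check a real file, pass open(path, "rb").read() to check_keytab.

```python
# Added example (not from the article): parse a version 0x0502 keytab and
# check that the expected SPN is present and which enctypes its keys use.
# The keytab bytes are constructed in memory with dummy all-zero keys.
import struct

ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac (ktpass RC4-HMAC-NT)",
}
DEPRECATED_ENCTYPES = {1, 3, 16, 23}     # single DES, 3DES and RC4
KRB5_NT_PRINCIPAL = 1                    # ktpass -ptype KRB5_NT_PRINCIPAL


def _counted_string(buf, pos):
    """counted_octet_string: uint16 length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Return one dict per entry (principal, name type, kvno, enctype, key
    length).  Key material is deliberately not returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                    # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted_string(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted_string(data, pos)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen                  # skip over the key bytes themselves
        kvno = vno8
        if end - pos >= 4:               # optional 32-bit kvno overrides vno8 if non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type, "kvno": kvno, "timestamp": timestamp,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "enctype %d" % enctype),
            "key_len": klen,
        })
    return entries


def check_keytab(data, expected_spn):
    """Findings to resolve before the keytab goes to the WebLogic host."""
    findings = []
    entries = parse_keytab(data)
    if not any(e["principal"] == expected_spn for e in entries):
        findings.append("expected principal %s not in keytab" % expected_spn)
    for e in entries:
        if e["enctype"] in DEPRECATED_ENCTYPES:
            findings.append("%s: deprecated enctype %s" % (e["principal"], e["enctype_name"]))
        if e["name_type"] != KRB5_NT_PRINCIPAL:
            findings.append("%s: name type %d, expected KRB5_NT_PRINCIPAL"
                            % (e["principal"], e["name_type"]))
    return findings


# --- writer used only to construct the sample keytabs ---------------------
def _cs(text):
    b = text.encode()
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """entries: (principal, kvno, enctype, key_bytes).  Timestamp fixed to 0."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.split("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cs(realm) + b"".join(_cs(c) for c in comps)
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


SPN = "HTTP/solaris229@KERB.MYCOMPANY.COM"
# Constructed: the shape of the keytab the ktpass line above produces (one RC4 key).
KEYTAB_RC4 = build_keytab([(SPN, 3, 23, bytes(16))])
# Constructed: the same SPN exported with -crypto AES256-SHA1 instead.
KEYTAB_AES = build_keytab([(SPN, 3, 18, bytes(32))])
```

klist -k on Solaris prints the same principal and kvno columns; the point of parsing the file yourself is to compare the kvno against what the KDC currently holds after any ktpass re-run, and to refuse a keytab whose only key is a deprecated enctype before it reaches production.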

4.2 Machine: Weblogic - scenario machine name: Machine B

4.2.1 Steps to configure system files:
1. Edit resolv.conf and add the domain controller specific entries (the resolv.conf
keyword is domain, not domainname).
Path : /etc/resolv.conf
--------------
domain kerb.mycompany.com
nameserver <Domain controller IP>
search kerb.mycompany.com
2. Edit the hosts file and add the domain controller specific entries.
Path : /etc/hosts
--------------
<IP Address> windowsvista.kerb.mycompany.com windowsvista
<IP Address> ad.kerb.mycompany.com ad

3. Edit the krb5.conf file and the kdc.conf file in the /etc/krb5 directory as shown
below.
Path: /etc/krb5/krb5.conf
Also copy krb5.conf to the WebLogic domain bin directory; the startup script in 4.2.4
points the JDK at that copy.
--------------
[libdefaults]
default_realm = KERB.MYCOMPANY.COM
default_tkt_enctypes = rc4-hmac arcfour-hmac-md5
default_tgs_enctypes = rc4-hmac arcfour-hmac-md5
ticket_lifetime = 600
[realms]
KERB.MYCOMPANY.COM = {
kdc = 9.126.145.237:88
admin_server = ad
default_domain = KERB.MYCOMPANY.COM
}
[domain_realm]
kerb.mycompany.com = KERB.MYCOMPANY.COM
.kerb.mycompany.com = KERB.MYCOMPANY.COM

[appdefaults]
kinit = {
autologin = true
renewable = true
forward = true
encrypt = true
forwardable = true
}
gkadmin = {
help_url = http://docs.sun.com:80/ab2/coll.384.1/SEAM/@AB2PageView/1195
}
The realm name is case-sensitive and must be upper case, the [domain_realm] entries
must map the DNS domain of your hosts (here kerb.mycompany.com) to that realm, and the
enctype lists must include the enctype used for the keytab in 4.1. A bare number in
ticket_lifetime is interpreted as seconds, so 600 gives ten-minute tickets.
Path: /etc/krb5/kdc.conf
This file is read only by a KDC (krb5kdc and kadmind) running on the Solaris host; the
Kerberos client libraries and the JDK do not use it. It is shown as it was set in the test
environment, but it is not required for the SSO flow when Active Directory is the KDC.
----------
[kdcdefaults]
kdc_ports = 88
[realms]
KERB.MYCOMPANY.COM = {
profile = /etc/krb5/krb5.conf
database_name = /var/krb5/principal
admin_keytab = /etc/krb5/krb5.keytab
acl_file = /etc/krb5/kadm5.acl
kadmind_port = 749
max_life = 8h 0m 0s
max_renewable_life = 7d 0h 0m 0s
default_principal_flags = +preauth
}
4. Add the lines below to nsswitch.conf
Path : /etc/nsswitch.conf
---------
passwd: files ldap winbind
group: files ldap winbind
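The entries in krb5.conf interact, and a mismatch between them (a [domain_realm] mapping for a different DNS domain, a realm written in lower case, an enctype list that excludes the keytab's enctype) is the most common reason the WebLogic side cannot validate tokens. The following Python script is an added example, not from the article or from Solaris; it parses the brace-nested krb5.conf syntax and runs those consistency checks. Both configuration strings are constructed for the example: the first deliberately maps kerb.atlas.com, a DNS domain that does not match the realm's default_domain, and permits only RC4; the second is the corrected version.

```python
# Added example (not from the article): parse the brace-nested krb5.conf
# syntax and cross-check the settings that most often break SPNEGO SSO.
# Both sample configurations below are constructed for this example.


def parse_krb5_conf(text):
    """Return {section: {key: value or {subkey: value}}}."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = {}
            conf[line[1:-1]] = section
            stack = [section]
            continue
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":                 # start of a nested block, e.g. a realm
            block = {}
            stack[-1][key] = block
            stack.append(block)
        else:
            stack[-1][key] = value
    return conf


_WEAK_PREFIXES = ("rc4", "arcfour", "des")


def check_krb5_conf(text):
    """Return a list of findings; an empty list means all checks passed."""
    conf = parse_krb5_conf(text)
    libdefaults = conf.get("libdefaults", {})
    realms = conf.get("realms", {})
    findings = []
    default_realm = libdefaults.get("default_realm")
    if not default_realm:
        findings.append("[libdefaults] default_realm missing")
    elif default_realm not in realms:
        findings.append("[libdefaults] default_realm %s not defined in [realms]" % default_realm)
    for realm, settings in realms.items():
        if realm != realm.upper():
            findings.append("[realms] %s: realm names are case-sensitive and upper case" % realm)
        if not isinstance(settings, dict) or "kdc" not in settings:
            findings.append("[realms] %s: no kdc entry" % realm)
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append("[domain_realm] %s -> %s, but that realm is not defined" % (domain, realm))
            continue
        default_domain = realms[realm].get("default_domain", "")
        if default_domain and domain.lstrip(".").lower() != default_domain.lower():
            findings.append("[domain_realm] %s -> %s does not match default_domain %s"
                            % (domain, realm, default_domain))
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        value = libdefaults.get(key)
        if value and all(t.lower().startswith(_WEAK_PREFIXES) for t in value.split()):
            findings.append("[libdefaults] %s allows only deprecated enctypes: %s" % (key, value))
    return findings


# Constructed: same layout as the krb5.conf in this article, but with a
# [domain_realm] block for a DNS domain the realm does not use.
CONF_MISMATCHED = """\
[libdefaults]
default_realm = KERB.MYCOMPANY.COM
default_tkt_enctypes = rc4-hmac arcfour-hmac-md5
default_tgs_enctypes = rc4-hmac arcfour-hmac-md5
ticket_lifetime = 600
[realms]
KERB.MYCOMPANY.COM = {
kdc = 9.126.145.237:88
admin_server = ad
default_domain = KERB.MYCOMPANY.COM
}
[domain_realm]
kerb.atlas.com = KERB.MYCOMPANY.COM
.kerb.atlas.com = KERB.MYCOMPANY.COM
"""

# Constructed: the mapping fixed and AES listed ahead of RC4.
CONF_CORRECTED = CONF_MISMATCHED.replace("kerb.atlas.com", "kerb.mycompany.com").replace(
    "rc4-hmac arcfour-hmac-md5", "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac")
```

Run check_krb5_conf(open("/etc/krb5/krb5.conf").read()) on the Solaris host and on the copy in the WebLogic domain bin directory; the two copies must agree, and the enctype findings tell you whether the keytab from 4.1 can be used at all.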


4.2.2 Configuring Samba and joining the domain

5. Edit smb.conf
Path: /etc/sfw/smb.conf
--------------
# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
workgroup = KERB
# server string is the equivalent of the NT Description field
server string = Samba Server
# Security mode. Defines in which mode Samba will operate. Possible
# values are share, user, server, domain and ads. Most people will want
# user level security. See the Samba-HOWTO-Collection for details.
security = ADS
# Use password server option only with security = server
# The argument list may include:
# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
# password server = *
password server = ad.KERB.MYCOMPANY.COM
security = ads also requires realm = KERB.MYCOMPANY.COM in the [global] section so that
Samba knows which Kerberos realm to join; add it next to the workgroup line. The
"password server" comment above is Samba's stock text; with security = ads the option is
accepted and only fixes which domain controller is used.

6. Command to join the domain

$ /usr/sfw/bin/net ads join -U 'HTTP/solaris229@KERB.MYCOMPANY.COM'
net prompts for the password of the account given with -U. Once the command completes
successfully the machine is joined to the domain, and a computer object for it appears
in Active Directory Users and Computers.

4.2.3 Creating the krb5Login configuration file

7. Create the krb5Login.conf file (a JAAS login configuration)
Path: <Weblogic domain>/bin
=============
com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
        principal="<SPN username>"
        useKeyTab=true
        keyTab="<path of the keytab file>"
        storeKey=true
        debug=true;
};

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
        principal="<SPN username>"
        useKeyTab=true
        keyTab="<path of the keytab file>"
        storeKey=true
        debug=true;
};
Replace <SPN username> with HTTP/solaris229@KERB.MYCOMPANY.COM and <path of the keytab
file> with the absolute path of the keytab copied in 4.1. The module flag is the
lower-case keyword required, option values containing "/" or "@" must be quoted, and each
module line ends with a semicolon. storeKey=true keeps the key in the Subject so the
accept entry can decrypt incoming service tickets; the accept entry may additionally set
isInitiator=false so that it does not also fetch a TGT at login. Set debug=false once SSO
works, because the debug output writes ticket details to the server log.

4.2.4 Configuring Weblogic server

8. Add the following Java system properties to the WebLogic startup command

File name: startWebLogic.sh (in <Weblogic domain>/bin; only the branch that starts the
server is shown, and the echo and the command itself carry the same properties)
KERBEROS_OPTS="-Dsun.security.krb5.debug=true \
 -Djavax.security.auth.useSubjectCredsOnly=false \
 -Dweblogic.security.enableNegotiate=true \
 -Djava.security.auth.login.config=/export/home/oracle/Oracle/Middleware/user_projects/domains/policyatlas/bin/krb5Login.conf \
 -Djava.security.krb5.conf=/export/home/oracle/Oracle/Middleware/user_projects/domains/policyatlas/bin/krb5.conf \
 -Djava.security.krb5.realm=KERB.MYCOMPANY.COM \
 -Djava.security.krb5.kdc=ad \
 -Dweblogic.StdoutSeverityLevel=64 \
 -Dweblogic.Debug.DebugSecurityAtz=true \
 -Dweblogic.Debug.DebugSecurityAtn=false"
if [ "${WLS_REDIRECT_LOG}" = "" ] ; then
    echo "Starting WLS with line:"
    echo "${JAVA_HOME}/bin/java ${JAVA_VM} ${MEM_ARGS} ${KERBEROS_OPTS} -Dweblogic.Name=${SERVER_NAME} -Djava.security.policy=${WL_HOME}/server/lib/weblogic.policy ${JAVA_OPTIONS} ${PROXY_SETTINGS} ${SERVER_CLASS}"
    ${JAVA_HOME}/bin/java ${JAVA_VM} ${MEM_ARGS} ${KERBEROS_OPTS} -Dweblogic.Name=${SERVER_NAME} -Djava.security.policy=${WL_HOME}/server/lib/weblogic.policy ${JAVA_OPTIONS} ${PROXY_SETTINGS} ${SERVER_CLASS}
Instead of editing startWebLogic.sh, the same properties can be appended to JAVA_OPTIONS
in setDomainEnv.sh, which survives domain upgrades better. java.security.krb5.realm and
java.security.krb5.kdc override the default realm and KDC from krb5.conf, so keep them
consistent with it. The sun.security.krb5.debug and weblogic.Debug flags are for bringing
the setup up; turn them off in production because they write ticket and authorization
details to the server log.

9. Add the following providers to the myrealm security realm of WebLogic
Home > Summary of Security Realms > myrealm > Providers
a) Add a WebLogic Negotiate Identity Assertion provider. It extracts the user name from
the validated SPNEGO token; it does not check a password or group membership.
b) Add an LDAP authentication provider (for example the Active Directory Authenticator)
pointing at the domain controller, with the details for your domain in the Provider
Specific tab (the values used in the test environment are in Figure 2, which is not
reproduced here). Set its control flag and that of the existing Default Authenticator to
SUFFICIENT so that a user found in Active Directory is authenticated without also having
to exist in the embedded LDAP.

Figure 2: Weblogic Security Realm configuration

Save and restart web logic server.

4.3 Machine: client - scenario machine name: Machine C

For single sign-on to occur you need an authenticated Microsoft client, belonging to
the domain controlled by your realm, requesting access to the Oracle WebLogic
Server by a host name whose SPN is registered in the keytab.

4.3.1 Configuring Internet Explorer Browser


To configure an Internet Explorer browser to use Windows authentication, follow these
procedures in Internet Explorer.
Configure Local Intranet Domains
1. In Internet Explorer, select Tools > Internet Options.
2. Select the Security tab.
3. Select Local intranet and click Sites.
4. In the Local intranet popup, ensure that the Include all sites that bypass the proxy
server and Include all local (intranet) sites not listed in other zones options are
checked.

Figure 3: Local Intranet Dialog Box for Internet Explorer

5. Click Advanced.
6. In the Local intranet (Advanced) dialog box, add the fully qualified domain names of
all Oracle WebLogic Server instances participating in the SSO configuration (for
example, myhost.example.com) and click OK. Internet Explorer only sends Kerberos
credentials automatically to sites in the Local intranet zone; a WebLogic host left in
the Internet zone gets a password prompt or an NTLM fallback instead.



Fig 4: Advanced Local Intranet Dialog Box for Internet Explorer


Configure Intranet Authentication
1. Select Tools > Internet Options.
2. Select the Security tab.
3. Select Local intranet and click Custom Level... .
4. In the Security Settings dialog box, scroll to the User Authentication section.
5. Select Automatic logon only in Intranet zone. This option prevents users from
having to re-enter logon credentials, which is a key piece to this solution.
6. Click OK.



Figure 5: Configure Intranet Authentication


Verify Proxy Settings
If you have a proxy server enabled:
1. Select Tools > Internet Options.
2. Select the Connections tab and click LAN Settings.
3. Verify that the proxy server address and port number are correct.
4. Click Advanced.
5. In the Proxy Settings dialog box, ensure that all desired domain names are entered in
the Exceptions field.
6. Click OK to close the Proxy Settings dialog box.

4.3.2 Configuring Mozilla Firefox Browser

To configure a Firefox browser to use Windows Integrated authentication, complete the
following steps:
1. Start Firefox.
2. Enter about:config in the Location Bar.
3. Enter the filter string network.negotiate.
4. Set the preferences as shown in Figure 6 below. At minimum,
network.negotiate-auth.trusted-uris must list the WebLogic host names (or the domain,
for example kerb.mycompany.com) to which Firefox may send Negotiate tokens. Leave
network.negotiate-auth.delegation-uris empty unless the application has to forward the
user's ticket to another service.



Figure 6: Firefox configuration

4.3.3 Configuring Google Chrome Browser

No special configuration is needed for the Chrome browser: on Windows it uses the same
Local intranet zone settings as Internet Explorer to decide which hosts receive
Negotiate credentials.

4.4 Other configuration:

1. Ensure that all three machines (Machine A, Machine B and Machine C) can resolve and
ping each other by host name, including forward and reverse lookup of the WebLogic host;
if not, add the entries to the hosts file. The service ticket is requested for a
principal derived from the host name, so a name that resolves differently on the client
than on the server makes the SPN lookup fail.

5 Testing the SSO


To verify that SSO is configured properly, point a browser to the Web application or Web
service you want to use. If you are logged on to a Windows domain and have Kerberos
credentials acquired from the Active Directory server in the domain, you should be able to
access the Web application or Web service without providing a username or password.



6 Troubleshooting commands
Run the command below on the Solaris / WebLogic server machine to confirm that the SPN
can authenticate to the KDC using the generated keytab:
bash-3.00$ kinit -V -k -t <path of the keytab file> <spn name>
E.g.:
bash-3.00$ kinit -V -k -t /export/home/oracle/Oracle/Middleware/user_projects/domains/policyatlas/bin/krb5.keytab HTTP/solaris229@KERB.MYCOMPANY.COM
Result:
Authenticated to Kerberos v5
If kinit fails with a preauthentication or key version error, the keytab is stale
(ktpass was re-run, see 4.1) or its enctype is not among the enctypes listed in
krb5.conf. klist -k -e <keytab> shows the principal, kvno and enctype of each key, and
klist afterwards shows the ticket that was obtained.

