This is a brief description of how to enable Kerberos authentication on an existing WebLogic web server instance. It covers the following parts:
- Configure the AD
- Configure an existing (or new) user in AD that will hold the service principal (the "ticket holder")
- Generate a keytab file
- Configure krb5{.conf,.ini}
- Error cases
On the Linux side you can also build the keytab by hand with ktutil, from the account password. The -k value is the key version number (kvno) and must match the account's current msDS-KeyVersionNumber in AD, otherwise the KDC will not accept the key; -e selects the enctype (RC4-HMAC, as shown, is deprecated; prefer an AES keytab generated with ktpass, as the AES string-to-key needs the correct AD salt):
ktutil
addent -password -p [email protected] -k 1 -e RC4-HMAC
wkt username.keytab
q
In order to get the Active Directory side to work properly, we need a user that will act as the service account (the "ticket holder" of the SPN). Add a new user, or use an existing one. We'll be using an existing one named "username".
# Example (DES only; shown for completeness, do not use):
ktpass -princ HTTP/[email protected] -pass 123456 +DesOnly -kvno 4 -ptype KRB5_NT_PRINCIPAL -mapop set -out username.keytab -crypto DES-CBC-CRC -mapuser [email protected]
# Example (all enctypes the account supports):
ktpass -princ HTTP/[email protected] -pass 123456 -DesOnly -kvno 4 -ptype KRB5_NT_PRINCIPAL -mapop add -out username.keytab -crypto All -mapuser [email protected]
The commands above register the principal on the user given with -mapuser (which also sets the user's UPN to the principal name), change that user's password to the -pass value, and write a file named "username.keytab". +DesOnly turns on the AD property "Use Kerberos DES encryption types for this account"; don't (single DES is broken, and the error cases below tell you to remove that flag again). Because -pass resets the password, the keytab is only valid as long as the password and key version number in AD match what is in the file; every later password reset means regenerating the keytab. This file is used later by the server to obtain and validate Kerberos tickets against the AD domain.
This is configured on a Linux server, but you may just as well configure a Windows server.
Naming conventions
- Linux:
- /etc/krb5.conf
- Windows
- C:\Windows\krb5.ini
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.NAME
allow_weak_crypto = true
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
ticket_lifetime = 600
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
dns_lookup_realm = true
dns_lookup_kdc = true
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
[realms]
DOMAIN.NAME = {
kdc = idm-kdadc-vt01.domain.name:88
admin_server = idm-kdadc-vt01.domain.name:88
default_domain = DOMAIN.NAME
}
[domain_realm]
.domain.name = DOMAIN.NAME
domain.name = DOMAIN.NAME
[login]
krb4_convert = true
krb4_get_tickets = false
[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true
Add the above configuration to the krb5.conf file. A few caveats before you copy it: allow_weak_crypto = true and the des-cbc-* enctypes exist only to serve a DES-only account; unless the account is flagged that way (it should not be), drop allow_weak_crypto and set default_tkt_enctypes and default_tgs_enctypes to aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96, or leave them out and take the library defaults. The krb4_* entries and the [login] section are Kerberos 4 leftovers with no effect on Kerberos 5. admin_server is the kadmin port (749 by default), not 88, and AD does not run kadmind at all, so that line can go. ticket_lifetime = 600 without a unit means 600 seconds, i.e. 10 minutes (AD's default is 10 hours). Realm names such as DOMAIN.NAME must be upper case throughout.
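A way to catch those weak settings before the file goes into production, as an added example that is not part of the original page: a small parser for the krb5.conf profile format, an audit that flags allow_weak_crypto, single-DES and RC4 enctypes, lower-case realm names and Kerberos 4 leftovers, and a harden() that rewrites the weak defaults to AES. SAMPLE is a trimmed copy of the configuration above; the severity labels and the helper names are my own.

```python
"""Audit a krb5.conf for weak or obsolete settings (added example, not from the page)."""
import copy
import re

# Single DES: MIT refuses these unless allow_weak_crypto = true.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des-cbc-raw", "des-hmac-sha1"}
# Accepted without allow_weak_crypto but deprecated; do not list them as defaults.
DEPRECATED_ENCTYPES = {"arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac", "des3-cbc-sha1"}
STRONG_ENCTYPES = "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96"
KRB4_KEYS = {"krb4_config", "krb4_realms", "krb4_convert", "krb4_get_tickets"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# Trimmed copy of the krb5.conf shown on this page (constructed sample input).
SAMPLE = """\
[libdefaults]
default_realm = DOMAIN.NAME
allow_weak_crypto = true
krb4_config = /etc/krb.conf
ticket_lifetime = 600
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
[realms]
DOMAIN.NAME = {
kdc = idm-kdadc-vt01.domain.name:88
default_domain = DOMAIN.NAME
}
[domain_realm]
.domain.name = DOMAIN.NAME
[login]
krb4_convert = true
"""


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value | {subkey: value}}}.

    Handles '[section]' headers, 'key = value' lines, 'name = { ... }' groups
    (as used in [realms]) and '#' comments. Groups are kept as nested dicts.
    """
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            stack = [conf.setdefault(header.group(1), {})]
        elif not stack:
            continue  # directives before the first section (includedir) are skipped
        elif line == "}":
            stack.pop()
        else:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return conf


def audit(conf):
    """Return (severity, message) findings for the settings this page's config uses."""
    findings = []
    lib = conf.get("libdefaults", {})
    if lib.get("allow_weak_crypto", "false").lower() in ("true", "yes", "1"):
        findings.append(("HIGH", "libdefaults: allow_weak_crypto = true re-enables single DES"))
    for key in ENCTYPE_KEYS:
        for enc in lib.get(key, "").split():
            if enc.lower() in WEAK_ENCTYPES:
                findings.append(("HIGH", f"libdefaults: {key} lists broken enctype {enc}"))
            elif enc.lower() in DEPRECATED_ENCTYPES:
                findings.append(("MEDIUM", f"libdefaults: {key} lists deprecated enctype {enc}"))
    for name in [lib.get("default_realm", "")] + list(conf.get("realms", {})):
        if name and name != name.upper():
            findings.append(("HIGH", f"realm name {name!r} is not upper case"))
    for section in ("libdefaults", "login"):
        for key in sorted(KRB4_KEYS & set(conf.get(section, {}))):
            findings.append(("LOW", f"{section}: {key} is a Kerberos 4 setting, ignored by v5"))
    return findings


def harden(conf):
    """Return a copy with everything audit() reports replaced by AES-only defaults."""
    fixed = copy.deepcopy(conf)
    lib = fixed.setdefault("libdefaults", {})
    lib.pop("allow_weak_crypto", None)
    for key in ENCTYPE_KEYS:
        if key in lib:
            lib[key] = STRONG_ENCTYPES
    if "default_realm" in lib:
        lib["default_realm"] = lib["default_realm"].upper()
    fixed["realms"] = {name.upper(): body for name, body in fixed.get("realms", {}).items()}
    for section in ("libdefaults", "login"):
        for key in KRB4_KEYS:
            fixed.get(section, {}).pop(key, None)
    return fixed


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE)
    for severity, message in audit(conf):
        print(f"{severity:6} {message}")
    print("after harden():", audit(harden(conf)) or "no findings")
```

Run it against your real file with parse_krb5_conf(open("/etc/krb5.conf").read()); the parser deliberately keeps [realms] groups as nested dicts so the kdc line survives harden() untouched.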
Use the following command to test the configuration you've specified in krb5.conf, using the keytab instead of a password:
kinit -V HTTP/[email protected] -k -t ~/path/to/username.keytab
This should produce output similar to this:
Using default cache: /tmp/krb5cc_500
Using principal: HTTP/[email protected]
Using keytab: /home/whomever//path/to/username.keytab
Authenticated to Kerberos v5
A successful run ends with "Authenticated to Kerberos v5"; anything else means you are in one of the error cases below.
This can be caused by numerous things, but the most common ones are:
- Domain (realm) names are not in UPPER CASE.
- The user has been set with the AD property "Use Kerberos DES encryption types for this account" (remove it if set; it WILL cause the authentication to fail).
- The encryption types in the keytab do not match what the account supports. Check what the keytab actually contains (principal, kvno and enctype per entry) with:
klist -ke ~/iam1/kerberos/weblogicsrv.keytab
- The path to your keytab file is wrong.
- Reset the user password (as odd as it sounds, this may actually help); a reset changes the key version number, so regenerate the keytab afterwards.
- Still got issues? Regenerate the keytab file.
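To see what klist -ke reports without a KDC in reach, and to automate the checks in the list above against a keytab produced by ktutil or ktpass, here is an added example that is not part of the original page: parse_keytab() reads the version 2 (0x0502) keytab format those tools write, and audit_keytab() flags DES/RC4 keys, lower-case realms and mixed key version numbers. build_keytab() exists only to construct SAMPLE_KEYTAB offline; the principal HTTP/server.domain.name@DOMAIN.NAME, its kvnos and the key bytes are made up for the example.

```python
"""Inspect a keytab like klist -ke and flag the error cases (added example, not from the page)."""
import struct

ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
    23: "arcfour-hmac",
}
WEAK_ENCTYPES = {1, 3}          # single DES: what +DesOnly / -crypto DES-CBC-CRC produce
DEPRECATED_ENCTYPES = {16, 23}  # 3DES and RC4: still accepted, not what you want as defaults
KRB5_NT_PRINCIPAL = 1
KEYTAB_MAGIC = b"\x05\x02"      # file format version 2


def _counted(b):
    """Keytab 'counted octet string': 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries, timestamp=0):
    """Encode (principal, kvno, enctype, key) tuples as a version 2 keytab (test helper)."""
    out = KEYTAB_MAGIC
    for principal, kvno, enctype, key in entries:
        name, _, realm = principal.rpartition("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())  # count excludes realm in v2
        for comp in comps:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)             # 32-bit kvno, as current ktutil writes it
        out += struct.pack(">i", len(body)) + body  # positive size = live entry
    return out


def _read_counted(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Return one dict per live entry: principal, kvno, enctype, enctype_name, timestamp."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 2 keytab (magic %r)" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        (enctype,) = struct.unpack_from(">H", data, pos + 9)
        _key, pos = _read_counted(data, pos + 11)  # raw key: consumed, never printed
        kvno = vno8
        if end - pos >= 4:                # optional 32-bit kvno wins when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "kvno": kvno, "enctype": enctype, "timestamp": timestamp,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "enctype %d" % enctype),
        })
    return entries


def audit_keytab(entries):
    """Findings matching the error cases listed above."""
    findings = []
    for e in entries:
        realm = e["principal"].rpartition("@")[2]
        if realm != realm.upper():
            findings.append("%s: realm is not upper case" % e["principal"])
        if e["enctype"] in WEAK_ENCTYPES:
            findings.append("%s: %s key (DES); remove +DesOnly and regenerate" % (e["principal"], e["enctype_name"]))
        elif e["enctype"] in DEPRECATED_ENCTYPES:
            findings.append("%s: %s key is deprecated" % (e["principal"], e["enctype_name"]))
    kvnos = sorted({e["kvno"] for e in entries})
    if len(kvnos) > 1:
        findings.append("mixed kvnos %s; only the one matching AD's msDS-KeyVersionNumber works" % kvnos)
    return findings


# Constructed sample: roughly what the '-crypto All' ktpass example would yield, plus one
# stale DES entry left over from an older kvno. Keys are dummy bytes, not real keys.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/server.domain.name@DOMAIN.NAME", 4, 18, b"\x01" * 32),
    ("HTTP/server.domain.name@DOMAIN.NAME", 4, 17, b"\x02" * 16),
    ("HTTP/server.domain.name@DOMAIN.NAME", 4, 23, b"\x03" * 16),
    ("HTTP/server.domain.name@DOMAIN.NAME", 3, 1, b"\x04" * 8),
], timestamp=1500000000)

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):  # same columns as klist -ke
        print("%4d %s (%s)" % (e["kvno"], e["principal"], e["enctype_name"]))
    for finding in audit_keytab(parse_keytab(SAMPLE_KEYTAB)):
        print("WARN", finding)
```

To check a real file, call parse_keytab(open(path, "rb").read()); the parser skips deleted slots (negative size) the way klist does and never prints key material.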
Error: kinit(v5): Client not found in Kerberos database.
Make sure that exactly one account in AD carries the SPN HTTP/host@REALM. If more than one account is set to the same SPN, authentication fails. kinit with the SPN authenticates as the service account, which only works if ktpass -mapuser set that account's UPN to HTTP/host@REALM; the ldifde query below checks exactly that. You can issue these commands to verify (setspn -X additionally lists every duplicate SPN in the forest):
# either, from a domain-joined Windows host
setspn -Q HTTP/oamserver.corp.domain.com
ldifde -f c:\upn_out.txt -d "DC=domain,DC=com" -l * -r "(userprincipalname=HTTP/[email protected])" -p subtree -s addc1.corp.domain.com
# or, from the Linux side, first the account password, then the SPN
kinit [username]
# or
kinit HTTP/host@REALM