My Oracle Support Banner

WebLogic Server Support Pattern: Kerberos and SPNEGO Configuration Issues (Doc ID 1332241.1)

Last updated on NOVEMBER 17, 2023

Applies to:

Oracle WebLogic Server - Version 10.0 and later
Information in this document applies to any platform.


This document is a support pattern describing how to troubleshoot and resolve issues occurring while configuring SSO with Kerberos/SPNEGO and WebLogic Server

This document explains how to troubleshoot issues while configuring SSO with Kerberos/SPNEGO and WebLogic Server. It is intended to cover WebLogic Server 10.3.x and higher, but most of the information is also applicable to WebLogic Server version 10.0.x, 9.x. Readers of this document should have good understanding of WebLogic Server security system as well as Windows Kerberos protocol.


To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document
 Troubleshooting Steps
 Why does the problem occur?
 What is Single Sign-On?
 What is Kerberos?
 What is SPNEGO?
 Authentication protocols in Windows 2000 and later
 Kerberos Version 5
 Windows NT LAN Manager (NTLM)
 Benefits of Kerberos Authentication
 Faster connections
 Kerberos Components in Windows 2000
 Key Distribution Center
 Kerberos Policy
 Configuring Single Sign-On with Microsoft Clients
 The KDC Configuration:
 Step 1: Configure your network domain to use Kerberos
 Step 2: Create an user account for the WebLogic Server
 Step 3: Define a Service Principal Name and create a keytab for the service
 If WebLogic Server runs on a Windows machine:
 If WebLogic Server runs on a Unix machine:
 The Client Configuration:
 Step 4: Configure the client for Single Sign-On
 Provide the WebLogic Server host with KDC information
 Set up the browser to use Kerberos
 The WebLogic Server Configuration:
 Step 5: configure the WebLogic Server for Single Sign-On
 Configure the Single Pass Negotiate Identity Assertion provider
 Kerberos/SPNEGO troubleshooting utilities
 The kinit utility:
 The klist utility:
 The kerbtray utility:
 The keytab utility:
 The ktpass utility:
 Useful Debug flags
 Common Problems and Resolutions
 Kinit errors
 SPN issues
 WebLogic Server/JAAS errors
 Proxy/Load balancer consideration for WebLogic/Kerberos Configuration
 IIS Proxy server:
 WebLogic Cluster Consideration for Kerberos Configuration
 Firewall/NAT and multi-homed machine consideration for Kerberos Configuration
 Enhancements in the 10.3.0 release
 Known Issues

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.