WebLogic Server Support Pattern: Kerberos and SPNEGO Configuration Issues
(Doc ID 1332241.1)
Last updated on NOVEMBER 17, 2023
Applies to:
Oracle WebLogic Server - Version 10.0 and laterInformation in this document applies to any platform.
Goal
This document is a support pattern describing how to troubleshoot and resolve issues occurring while configuring SSO with Kerberos/SPNEGO and WebLogic Server
This document explains how to troubleshoot issues while configuring SSO with Kerberos/SPNEGO and WebLogic Server. It is intended to cover WebLogic Server 10.3.x and higher, but most of the information is also applicable to WebLogic Server version 10.0.x, 9.x. Readers of this document should have good understanding of WebLogic Server security system as well as Windows Kerberos protocol.
Solution
To view full details, sign in with your My Oracle Support account. |
|
Don't have a My Oracle Support account? Click to get started! |
In this Document
| Goal |
| Solution |
| Troubleshooting Steps |
| Why does the problem occur? |
| What is Single Sign-On? |
| What is Kerberos? |
| What is SPNEGO? |
| Authentication protocols in Windows 2000 and later |
| Kerberos Version 5 |
| Windows NT LAN Manager (NTLM) |
| Benefits of Kerberos Authentication |
| Faster connections |
| Kerberos Components in Windows 2000 |
| Key Distribution Center |
| Kerberos Policy |
| Configuring Single Sign-On with Microsoft Clients |
| The KDC Configuration: |
| Step 1: Configure your network domain to use Kerberos |
| Step 2: Create an user account for the WebLogic Server |
| Step 3: Define a Service Principal Name and create a keytab for the service |
| If WebLogic Server runs on a Windows machine: |
| If WebLogic Server runs on a Unix machine: |
| The Client Configuration: |
| Step 4: Configure the client for Single Sign-On |
| Provide the WebLogic Server host with KDC information |
| Set up the browser to use Kerberos |
| The WebLogic Server Configuration: |
| Step 5: configure the WebLogic Server for Single Sign-On |
| Configure the Single Pass Negotiate Identity Assertion provider |
| Kerberos/SPNEGO troubleshooting utilities |
| The kinit utility: |
| The klist utility: |
| The kerbtray utility: |
| The keytab utility: |
| The ktpass utility: |
| Useful Debug flags |
| Common Problems and Resolutions |
| Kinit errors |
| SPN issues |
| WebLogic Server/JAAS errors |
| Proxy/Load balancer consideration for WebLogic/Kerberos Configuration |
| IIS Proxy server: |
| WebLogic Cluster Consideration for Kerberos Configuration |
| Firewall/NAT and multi-homed machine consideration for Kerberos Configuration |
| Enhancements in the 10.3.0 release |
| Known Issues |
| References |