SSO Configuration with Weblogic 11g OEL

Question

I'm receiving following error in Weblogic while accessing application through AD user for SSO.

> <> <> <1471875042422> <BEA-000000> <com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter.assertChallengeIdentity(Authorization.Negotiate)>
####<22-Aug-2016 15:10:42 o'clock BST> <Debug> <SecurityAtn> <ndl-wln-100.centricait.com> <ND_Manage1> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1471875042422> <BEA-000000> <GSSExceptionInfo:>
####<22-Aug-2016 15:10:42 o'clock BST> <Debug> <SecurityAtn> <ndl-wln-100.centricait.com> <ND_Manage1> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1471875042423> <BEA-000000> <   major: (13) : No valid credentials provided>
####<22-Aug-2016 15:10:42 o'clock BST> <Debug> <SecurityAtn> <ndl-wln-100.centricait.com> <ND_Manage1> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1471875042423> <BEA-000000> <   minor: (-1) : Failed to find any Kerberos credentails>
####<22-Aug-2016 15:10:42 o'clock BST> <Debug> <SecurityAtn> <ndl-wln-100.centricait.com> <ND_Manage1> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1471875042423> <BEA-000000> <acceptGssInitContextToken failed
com.bea.security.utils.kerberos.KerberosException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)
        at com.bea.security.utils.kerberos.KerberosTokenHandler.acceptGssInitContextTokenInDoAs(KerberosTokenHandler.java:334)
        at com.bea.security.utils.kerberos.KerberosTokenHandler.access$000(KerberosTokenHandler.java:41)
        at com.bea.security.utils.kerberos.KerberosTokenHandler$1.run(KerberosTokenHandler.java:226)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
        at com.bea.security.utils.kerberos.KerberosTokenHandler.acceptGssInitContextToken(KerberosTokenHandler.java:224)
        at com.bea.security.utils.kerberos.KerberosTokenHandler.acceptGssInitContextToken(KerberosTokenHandler.java:152)
        at com.bea.common.security.internal.utils.negotiate.SPNEGONegotiateToken.getUsername(SPNEGONegotiateToken.java:57)
        at weblogic.security.providers.authentication.NegotiateIdentityAsserterProviderImpl.assertChallengeIdentity(NegotiateIdentityAsserterProviderImpl.java:210)
        at com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter.assertChallengeIdentity(ChallengeIdentityAssertionProviderImpl.j

I already have verified keytab using kinit -V -k -t negotestserver.keytab HTTP/WL-HOST@MYDOMAIN.COM its successfully Authenticated. Wonder whats the solution of this issue any help will be appreciated.

Answer 1

Most probably the ticket that's sent from browser to Weblogic is not Kerberos ticket, but NTLM. There can be many reasons why IE would use NTLM over Kerberos, most of the time it's incorrect setup or Windows settings. Can you check the ticket in your log? If it looks something like this:

YIGCBgYrBgEFBQKgeDB2oDAwLgYKKwYBBAGCNwICCgYJKoZIgvcSAQICBgkqhkiG9xIBAgIGCisGAQQBgjcCAh6iQgRATlRMTVNTUAABAAAAl7II4g4ADgAyAAAACgAKACgAAAAGAbEdAAAAD0xBUFRPUC0yNDVMSUZFQUNDT1VOVExMQw==

it's NTLM. Kerberos ticket is at least twice as long.