Configuring Single Sign-On with Microsoft Clients

Tags: setspn, kinit

This section describes how to use the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) and the Kerberos protocol, together with Windows integrated authentication and the WebLogic Negotiate Identity Assertion provider, to configure single sign-on (SSO) with Microsoft clients.



  • Overview of Single Sign-On with Microsoft Clients
  • System Requirements for SSO with Microsoft Clients
  • Main Steps for Single Sign-On with Microsoft Clients
  • Creating a Kerberos Identity for WebLogic Server
  • Configuring the Microsoft Client to Use Windows Integrated Authentication
  • Creating a JAAS Login File
  • Configuring the Negotiate Identity Assertion Provider
  • Using Kerberos Authentication in WebLogic Server through Startup Parameters
  • Verifying the SSO Configuration of the Microsoft Client

Overview of Single Sign-On with Microsoft Clients

Single sign-on (SSO) with Microsoft clients lets a web application or web service running in a WebLogic Server domain authenticate, across platforms, .NET web service clients or browser clients (such as Internet Explorer) running in a Microsoft domain. The Microsoft clients must use Windows integrated authentication based on the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO).

Cross-platform authentication is achieved by emulating the negotiation that native Windows-to-Windows authentication performs with the Kerberos protocol. For cross-platform authentication to work, the non-Windows server (here, WebLogic Server) must parse the SPNEGO token to extract the Kerberos token, which is then used for authentication.
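As an added illustration of the token-parsing step just described (this code is not from the original article and is not WebLogic Server's own), the following Python walks the DER structure of a SPNEGO NegTokenInit as a browser sends it in an Authorization: Negotiate header, lists the offered mechanism OIDs, and pulls out the inner Kerberos token. The sample header is constructed inside the block with a placeholder byte string in place of a real AP-REQ; the builder, parser and the names build_neg_token_init, negotiate_header and parse_negotiate_header are this example's own. It also shows the point a defender cares about: per RFC 4178 the optimistic token belongs to the first listed mechanism, so a client that leads with NTLM has no Kerberos ticket to offer and a Kerberos-only acceptor should not accept it.

```python
# Added example (not from the article or WebLogic Server): walk the DER of a
# SPNEGO NegTokenInit (RFC 4178) as carried in "Authorization: Negotiate <b64>".
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"      # Microsoft's legacy Kerberos OID
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"


def der_len(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(enc)]) + enc


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:                 # base-128, high bit set on all but last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position after the element) for the TLV at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def build_neg_token_init(mech_oids, mech_token: bytes) -> bytes:
    """InitialContextToken [APPLICATION 0] { SPNEGO OID, [0] NegTokenInit }."""
    mech_types = tlv(0x30, b"".join(encode_oid(o) for o in mech_oids))
    neg_init = tlv(0x30, tlv(0xA0, mech_types) + tlv(0xA2, tlv(0x04, mech_token)))
    return tlv(0x60, encode_oid(SPNEGO_OID) + tlv(0xA0, neg_init))


def negotiate_header(mech_oids, mech_token: bytes) -> str:
    """The header value a client sends: 'Negotiate ' + base64(token)."""
    return "Negotiate " + base64.b64encode(build_neg_token_init(mech_oids, mech_token)).decode()


def parse_negotiate_header(header_value: str) -> dict:
    """Return the offered mechanisms and the optimistic inner token.
    Raises ValueError for anything that is not a SPNEGO NegTokenInit."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme != "Negotiate":
        raise ValueError("not a Negotiate header")
    tag, body, _ = read_tlv(base64.b64decode(b64), 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    tag, oid, pos = read_tlv(body, 0)
    if tag != 0x06 or decode_oid(oid) != SPNEGO_OID:
        raise ValueError("outer mechanism is not SPNEGO")
    tag, neg_init, _ = read_tlv(body, pos)
    if tag != 0xA0:
        raise ValueError("expected [0] NegTokenInit")
    _, seq, _ = read_tlv(neg_init, 0)
    result, pos = {"mech_types": [], "mech_token": None}, 0
    while pos < len(seq):
        tag, field, pos = read_tlv(seq, pos)
        if tag == 0xA0:                      # mechTypes: SEQUENCE OF OID
            oids, p = read_tlv(field, 0)[1], 0
            while p < len(oids):
                _, oid, p = read_tlv(oids, p)
                result["mech_types"].append(decode_oid(oid))
        elif tag == 0xA2:                    # mechToken: OCTET STRING
            result["mech_token"] = read_tlv(field, 0)[1]
    # RFC 4178: the optimistic mechToken belongs to the FIRST mechType, so a
    # client that lists NTLM first is not offering a Kerberos ticket at all.
    result["kerberos_first"] = result["mech_types"][:1] in ([KRB5_OID], [MS_KRB5_OID])
    return result


# Constructed sample of what a domain-joined browser sends; the inner AP-REQ is
# a placeholder byte string, not a real Kerberos token.
SAMPLE_AP_REQ = b"\x6e\x02\x30\x00"
SAMPLE_HEADER = negotiate_header([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], SAMPLE_AP_REQ)

if __name__ == "__main__":
    print(parse_negotiate_header(SAMPLE_HEADER))
```

The inner token handed back here is what the server would pass to its Kerberos acceptor (in WebLogic's case, through the JAAS accept entry described later); the parser itself never validates the ticket, it only tells you which mechanism the client actually committed to.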



System Requirements for SSO with Microsoft Clients

To use SSO with Microsoft clients, you must:

Install on the host:

  • Windows 2000 or later
  • A fully configured Active Directory authentication service. Specific Active Directory requirements include:
    • User accounts for mapping the Kerberos services
    • Service principal names (SPNs) for these accounts
    • A keytab file, created and copied to the startup directory of the WebLogic Server domain
  • WebLogic Server, correctly installed and configured to authenticate through Kerberos (as described in this section)

Install on the client:

  • Windows 2000 Professional SP2 or later
  • One of the following types of clients:
    • A properly configured Internet Explorer; Internet Explorer 6.01 or later is supported.
    • .NET Framework 1.1 and a properly configured web service client.

    The client must log on to the Windows 2000 domain and obtain Kerberos credentials from the Active Directory server in the domain. Local logon does not work.



Main Steps for Single Sign-On with Microsoft Clients

To configure SSO with Microsoft clients, you need to configure the Microsoft Active Directory, the client, and the WebLogic Server domain. Each of these is described below.

  • Define a principal in Active Directory to represent WebLogic Server. The Kerberos protocol uses the Active Directory server in the Microsoft domain to store the required security information.
  • Any Microsoft client that needs access to the Microsoft domain must be set to use Windows integrated authentication, which sends Kerberos tickets when they are available.
  • In the security realm of the WebLogic Server domain, configure a Negotiate Identity Assertion provider. The web application or web service used in SSO needs to have authentication set in a specific form. In addition, you must create a JAAS login file that defines the Kerberos identity of WebLogic Server.

To configure SSO with Microsoft clients, perform the following operations:

  1. Configure the network domain to use Kerberos. See Configure the Network Domain to Use Kerberos.
  2. Create the Kerberos identity for WebLogic Server:
     a. Create a user account in the Active Directory for the host running WebLogic Server.
     b. Create the service principal names for the account.
     c. Create a user mapping and a keytab file for this account.
     See Creating a Kerberos Identity for WebLogic Server.
  3. Select a Microsoft client (web service or browser) and configure it to use Windows integrated authentication. See Configuring the Microsoft Client to Use Windows Integrated Authentication.
  4. Set up the WebLogic Server domain to use Kerberos authentication:
     a. Create a JAAS login file that points to the Active Directory server in the Microsoft domain created in step 1 and to the keytab file. See Creating a JAAS Login File.
     b. Configure the Negotiate Identity Assertion provider in the WebLogic Server security realm. See Configuring the Negotiate Identity Assertion Provider.
  5. Start WebLogic Server with specific startup parameters. See Using Kerberos Authentication in WebLogic Server through Startup Parameters.

The following sections describe these steps in detail.



Configure the Network Domain to Use Kerberos

With Active Directory and the Kerberos service, a Windows domain controller can act as the Kerberos Key Distribution Center (KDC). On any domain controller, the Active Directory and Kerberos services run automatically.

To configure Kerberos in the network domain controller, you need to configure each computer that will access the KDC so that it can locate the Kerberos realm and the available KDC servers. On a Windows computer, modify the krb5.ini file in the C:/winnt folder. On a Unix computer, modify the krb5.conf file; its default location is /etc/krb5/. For example:



Listing 6-1 Example krb5.ini File

[libdefaults]
# default_realm identifies the default realm; set it to your Kerberos realm
default_realm = MYDOM.COM
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
ticket_lifetime = 600

[realms]
MYDOM.COM = {
    # replace KDCHOST with the host running the KDC;
    # on Unix systems you need to append port 88, as in KDCHOST:88
    kdc = KDCHOST
    admin_server = MachineA
    default_domain = MYDOM.COM
}

[domain_realm]
.mydom.com = MYDOM.COM

[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true

Creating a Kerberos Identity for WebLogic Server

Active Directory supports service principal names (SPNs). SPNs are a key component of Kerberos authentication: they uniquely identify the services running on a server. You need to set SPNs for each service that uses Kerberos authentication so that clients can identify the services on the network. SPNs typically take a form similar to name@YOUR.REALM. You need to define SPNs to represent WebLogic Server in the Kerberos realm. If no SPN is set for a service, clients cannot find the service; if the SPNs are set incorrectly, Kerberos authentication fails. The keytab file stores the SPNs and their keys; it is copied to the WebLogic Server domain and used during login. This configuration step describes how to create the SPNs, user mapping, and keytab file for WebLogic Server.

This configuration step requires the following Active Directory utilities:

  • setspn, from the Windows 2000 Resource Kit
  • ktpass, from the Program Files/Support Tools directory of the Windows 2000 distribution CD

Note: The setspn and ktpass Active Directory utilities are Microsoft products, so BEA Systems does not provide complete documentation for them. For more information, see the appropriate Microsoft documentation.



To create a Kerberos identity for WebLogic Server, perform the following steps:

  1. On the Active Directory server, create a user account for the host running WebLogic Server (select "New" > "User", not "New" > "Computer").

     When creating this user account, use the simple name of the computer. For example, if the host name is myhost.example.com, create the user myhost.

     Record the password defined when creating the user account; it is required in step 3. Do not select the "User must change password at next logon" option or any other password options.

  2. Configure the new user account to comply with the Kerberos protocol. The encryption type of this user account must be DES, and Kerberos pre-authentication must be required.

     a. In the "Users" tree in the left pane, right-click the name of the user account and select "Properties".
     b. Select the "Account" tab and select the "Use DES encryption types for this account" box. Make sure that no other boxes are selected. In particular, do not select the "Do not require Kerberos preauthentication" box.
     c. Setting the encryption type may corrupt the password. Therefore, reset the user password by right-clicking the name of the user account, selecting "Reset Password", and re-entering the same password specified previously.

  3. Use the setspn utility to create service principal names (SPNs) for the user account created in step 1. Enter the following commands:

     setspn -a host/myhost.example.com myhost
     setspn -a HTTP/myhost.example.com myhost

  4. Run the following command to check the SPNs associated with your user account:

     setspn -L account-name

     This is an important step. If the same service is linked to another account on the Active Directory server, the client will not send Kerberos tickets to the server.

  5. Use the ktpass utility to create a user mapping:

     Windows

     ktpass -princ host/myhost@Example.CORP -pass password -mapuser myhost -out c:/temp/myhost.host.keytab

  6. Create a keytab file. On Windows, the ktab utility can be used to manage the principal name and key pairs in a key table; it lets you list, add, update, or delete principal name and key pairs. On UNIX, it is best to use the ktpass utility.

     Windows

     a. On the host running WebLogic Server, run the ktab utility to create a keytab file:

        ktab -k keytab-filename -a myhost@Example.CORP

     b. Copy the keytab file to the startup directory of the WebLogic Server domain.

     UNIX

     a. Use ktpass to create a user mapping with a command similar to the following, where password is the password of the user account created in step 1:

        ktpass -princ HTTP/myhost@Example.CORP -pass password -mapuser myhost -out c:/temp/myhost.HTTP.keytab

     b. Copy the keytab file created in step a to the startup directory of the WebLogic Server domain.

     c. Log on as the root user and use the ktutil utility to combine the keytabs into a single keytab file, as shown below:

        ktutil: rkt myhost.host.keytab
        ktutil: rkt myhost.HTTP.keytab
        ktutil: wkt mykeytab
        ktutil: q

  7. Run the kinit utility to verify that Kerberos authentication is working:

     kinit -k -t keytab-file account-name

     Its output should be similar to the following:

     New ticket is stored in cache file C:/Documents and Settings/Username/krb5cc_MachineB
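Before copying the merged keytab into the domain startup directory (step 6) and running kinit against it (step 7), it is worth listing what the file actually contains. The following is an added example, not from the article and not part of ktpass, ktab or ktutil: a reader for the MIT keytab file format (version 0x0502, which those tools write) that lists each principal, kvno and encryption type, checks that both the host/ and HTTP/ principals from the ktpass commands above are present, and flags single-DES keys, which the account configuration in step 2 requires but which modern KDCs refuse. The sample keytab is built inside the block from placeholder key bytes; build_keytab, parse_keytab and check_keytab are names chosen for this example.

```python
# Added example (not from the article, not part of ktpass/ktab/ktutil): read an
# MIT-format keytab and verify it carries the principals WebLogic Server needs.
import struct
import time

# RFC 3961 enctype numbers; 1 and 3 are single DES, which modern KDCs refuse.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
KRB5_NT_PRINCIPAL = 1
KEYTAB_MAGIC = b"\x05\x02"          # file format version 0x0502


def _counted(data: bytes) -> bytes:
    """counted_octet_string: uint16 big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries) -> bytes:
    """entries: iterable of (principal 'svc/host@REALM', kvno, enctype, key bytes)."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, int(time.time()), kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)                # 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body     # size excludes the size field
    return bytes(out)


def parse_keytab(data: bytes) -> list:
    """Return one dict per live entry: principal, kvno, enctype, enctype_name."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("only keytab format 0x0502 is handled here")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                 # negative size marks a deleted slot of -size bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        realm, pos = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack(">IIB", data[pos:pos + 9])
        (enctype,) = struct.unpack(">H", data[pos + 9:pos + 11])
        _key, pos = _read_counted(data, pos + 11)
        # the 32-bit kvno is only present if at least 4 bytes remain in the entry
        kvno = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, str(enctype))})
    return entries


def check_keytab(data: bytes, required_principals) -> list:
    """Findings to resolve before copying the keytab into the domain directory."""
    entries = parse_keytab(data)
    present = {e["principal"] for e in entries}
    findings = [f"missing principal {p}" for p in required_principals if p not in present]
    findings += [f"{e['principal']} uses single-DES enctype {e['enctype_name']}"
                 for e in entries if e["enctype"] in (1, 2, 3)]
    return findings


# Constructed sample: what ktutil would write after merging the host/ and HTTP/
# keytabs from the procedure above, with placeholder 8-byte DES keys.
REQUIRED = ["host/myhost@Example.CORP", "HTTP/myhost@Example.CORP"]
SAMPLE_KEYTAB = build_keytab([(REQUIRED[0], 3, 1, b"\x01" * 8),
                              (REQUIRED[1], 3, 1, b"\x02" * 8)])

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(entry)
    print(check_keytab(SAMPLE_KEYTAB, REQUIRED) or "keytab OK")
```

The kvno listed for each entry is the value to compare against the account's current key version after any password reset (step 2c); a stale kvno in the keytab is the usual reason the kinit check in step 7 fails even though the SPNs are correct.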


Configuring the Microsoft Client to Use Windows Integrated Authentication

Ensure that the Microsoft client that will use single sign-on is configured to use Windows integrated authentication. The following sections describe how to configure a .NET web service and an Internet Explorer client to use Windows integrated authentication.

Configure the .NET Web Service

To configure a .NET web service to use Windows authentication, perform the following operations:

  1. In the web.config file, set the IIS and ASP.NET authentication mode to Windows. This is usually the default setting.

  2. Add the statement the web service client needs in order to pass its credentials to the proxy web service object, which sends them over SOAP.

     For example, if the web service client's proxy object for the web service is conv, the syntax is:

     /*
      * Explicitly pass credentials to the web service
      */
     conv.Credentials = System.Net.CredentialCache.DefaultCredentials;


Configure Internet Explorer

To configure Internet Explorer to use Windows authentication, perform the following procedures in Internet Explorer.

Configure the Local Intranet Domain

  1. In Internet Explorer, select "Tools" > "Internet Options".
  2. Select the "Security" tab.
  3. Select "Local intranet" and click "Sites".
  4. In the "Local intranet" pop-up window, make sure that the "Include all sites that bypass the proxy server" and "Include all local (intranet) sites not listed in other zones" options are selected.
  5. Click "Advanced".
  6. In the "Local intranet" (Advanced) dialog box, add all relevant domain names (for example, myhost.example.com), and then click "OK".

Configure Intranet Authentication

  1. Select "Tools" > "Internet Options".
  2. Select the "Security" tab.
  3. Select "Local intranet" and click "Custom Level...".
  4. In the "Security Settings" dialog box, scroll to the "User Authentication" section.
  5. Select "Automatic logon only in Intranet zone". With this option you do not have to re-enter your login credentials, which is a key part of this solution.
  6. Click "OK".

Verify Proxy Settings

If a proxy server is enabled:

  1. Select "Tools" > "Internet Options".
  2. Select the "Connections" tab and click "LAN Settings".
  3. Verify that the proxy server address and port number are correct.
  4. Click "Advanced".
  5. In the "Proxy Settings" dialog box, make sure that all required domain names are entered in the "Exceptions" field.
  6. Click "OK" to close the "Proxy Settings" dialog box.

Set Integrated Authentication for Internet Explorer 6.0

If you are running Internet Explorer 6.0, you need to make the following settings in addition to those described above:

  1. In Internet Explorer, select "Tools" > "Internet Options".
  2. Select the "Advanced" tab.
  3. Scroll to the "Security" section.
  4. Make sure that "Enable Integrated Windows Authentication (requires restart)" is selected, and then click "OK".
  5. If this option was not already selected, restart the computer.


Creating a JAAS Login File

Whether WebLogic Server runs on Windows or UNIX, a JAAS login file is required. The JAAS login file tells the WebLogic Security Framework to use Kerberos authentication and defines the location of the keytab file that contains the Kerberos identity information of WebLogic Server. The file is specified in the java.security.auth.login.config startup parameter of WebLogic Server; see Using Kerberos Authentication in WebLogic Server through Startup Parameters.

Listing 6-2 contains a sample JAAS login file for Kerberos authentication.

Listing 6-2 Sample JAAS Login File for Kerberos Authentication

com.sun.security.jgss.initiate {
     com.sun.security.auth.module.Krb5LoginModule required
     principal="myhost@Example.CORP" useKeyTab=true
     keyTab=mykeytab storeKey=true;
};

com.sun.security.jgss.accept {
     com.sun.security.auth.module.Krb5LoginModule required
     principal="myhost@Example.CORP" useKeyTab=true
     keyTab=mykeytab storeKey=true;
};


Configuring the Negotiate Identity Assertion Provider

WebLogic Server includes a security provider, the Negotiate Identity Assertion provider, that supports single sign-on (SSO) with Microsoft clients. The identity assertion provider decodes the SPNEGO token to obtain the Kerberos token, validates the Kerberos token, and maps it to a WebLogic user. You need to configure the Negotiate Identity Assertion provider in the WebLogic security realm to enable SSO with Microsoft clients. See "Configuring a Negotiate Identity Assertion Provider" in the Console Online Help and "Configuring Authentication and Identity Assertion Providers".



Using Kerberos Authentication in WebLogic Server through Startup Parameters

To use Kerberos authentication in WebLogic Server, use the following startup parameters when starting WebLogic Server:

-Djava.security.krb5.realm=Example.CORP
-Djava.security.krb5.kdc=ADhostname
-Djava.security.auth.login.config=krb5Login.conf
-Djavax.security.auth.useSubjectCredsOnly=false
-Dweblogic.security.enableNegotiate=true

Where:

  • java.security.krb5.realm defines the Microsoft domain in which the Active Directory server runs.
  • java.security.krb5.kdc defines the host name of the Active Directory server.
  • java.security.auth.login.config defines the location of the Kerberos login information.
  • javax.security.auth.useSubjectCredsOnly specifies that authentication mechanisms other than the Subject's credentials may be used.
  • weblogic.security.enableNegotiate enables the servlet container in WebLogic Server to support the Negotiate token used by SPNEGO.
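The JAAS login file (Listing 6-2) and these startup parameters have to agree with each other, and a mismatch usually surfaces only as an opaque GSS failure on the first Negotiate request. The following is an added example, not from the article and not part of WebLogic Server or the JDK: it parses the login file's entries and the -D properties from a startup command line, then checks that the com.sun.security.jgss.accept entry uses Krb5LoginModule with useKeyTab=true and storeKey=true, names a keyTab, and carries a principal whose realm equals java.security.krb5.realm, and that useSubjectCredsOnly=false and enableNegotiate=true are present. The sample login file and command line are constructed from the two listings; parse_jaas_config, parse_jvm_args and check_kerberos_setup are names chosen for this example.

```python
# Added example (not from the article, nor part of WebLogic Server or the JDK):
# cross-check the JAAS login file against the WebLogic startup parameters.
import re
import shlex

KRB5_MODULE = "com.sun.security.auth.module.Krb5LoginModule"
REQUIRED_PROPS = ("java.security.krb5.realm", "java.security.krb5.kdc",
                  "java.security.auth.login.config")


def parse_jaas_config(text: str) -> dict:
    """{entry_name: [{'module', 'flag', 'options'}]} for a Java login config file.
    Handles the subset used here: entries of 'name { module flag opt=val ...; };'."""
    entries = {}
    for name, body in re.findall(r"([\w.]+)\s*\{(.*?)\};", text, re.S):
        modules = []
        for stanza in (s.strip() for s in body.split(";")):
            if not stanza:
                continue
            module, flag, *opts = shlex.split(stanza)   # shlex strips the quotes
            modules.append({"module": module, "flag": flag,
                            "options": dict(o.split("=", 1) for o in opts)})
        entries[name] = modules
    return entries


def parse_jvm_args(cmdline: str) -> dict:
    """Collect -Dname=value system properties from a startup command line."""
    return dict(a[2:].split("=", 1) for a in shlex.split(cmdline)
                if a.startswith("-D") and "=" in a)


def check_kerberos_setup(jaas_text: str, cmdline: str) -> list:
    """Return findings; an empty list means the login file and parameters agree."""
    props, jaas, findings = parse_jvm_args(cmdline), parse_jaas_config(jaas_text), []
    for prop in REQUIRED_PROPS:
        if prop not in props:
            findings.append(f"startup parameter -D{prop} is missing")
    if props.get("javax.security.auth.useSubjectCredsOnly", "true") != "false":
        findings.append("javax.security.auth.useSubjectCredsOnly must be false so JGSS "
                        "obtains the acceptor credentials from the login file")
    if props.get("weblogic.security.enableNegotiate") != "true":
        findings.append("weblogic.security.enableNegotiate is not true")
    accept = jaas.get("com.sun.security.jgss.accept", [])
    krb = [m for m in accept if m["module"] == KRB5_MODULE]
    if not krb:
        findings.append("no com.sun.security.jgss.accept entry using Krb5LoginModule")
        return findings
    opts = krb[0]["options"]
    for key in ("useKeyTab", "storeKey"):      # acceptor must hold its key from the keytab
        if opts.get(key) != "true":
            findings.append(f"accept entry needs {key}=true")
    if "keyTab" not in opts:
        findings.append("accept entry names no keyTab")
    principal = opts.get("principal", "")
    realm = principal.rsplit("@", 1)[1] if "@" in principal else None
    expected = props.get("java.security.krb5.realm")
    if realm and expected and realm != expected:
        findings.append(f"principal realm {realm} differs from java.security.krb5.realm {expected}")
    return findings


# Constructed from Listing 6-2 and the startup parameters above.
SAMPLE_JAAS = """\
com.sun.security.jgss.initiate {
     com.sun.security.auth.module.Krb5LoginModule required
     principal="myhost@Example.CORP" useKeyTab=true
     keyTab=mykeytab storeKey=true;
};

com.sun.security.jgss.accept {
     com.sun.security.auth.module.Krb5LoginModule required
     principal="myhost@Example.CORP" useKeyTab=true
     keyTab=mykeytab storeKey=true;
};
"""
SAMPLE_CMDLINE = ("java -Djava.security.krb5.realm=Example.CORP -Djava.security.krb5.kdc=ADhostname "
                  "-Djava.security.auth.login.config=krb5Login.conf "
                  "-Djavax.security.auth.useSubjectCredsOnly=false "
                  "-Dweblogic.security.enableNegotiate=true weblogic.Server")

if __name__ == "__main__":
    print(check_kerberos_setup(SAMPLE_JAAS, SAMPLE_CMDLINE) or "login file and startup parameters agree")
```

Run it against the real krb5Login.conf and the server's start script before the first test from a browser; the realm-mismatch and storeKey checks are the two that the JDK reports least helpfully at runtime.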

 
