Configuring Single Sign-On with Microsoft Clients 6-5
6.5.2 Step 2: Configure the User Account to Comply with Kerberos
Configure the new user account to comply with the Kerberos protocol as follows. The user account's encryption type must be DES and the account must require Kerberos pre-authentication.
1. Right-click the name of the user account in the Users tree in the left pane and select Properties.
2. Select the Account tab and check the box Use DES encryption types for this account. Make sure no other boxes are checked, particularly the box Do not require Kerberos pre-authentication.
3. Click OK.
6.5.3 Step 3: Define a Service Principal Name and Create a Keytab for the Service
As mentioned in Section 6.5, Creating a Kerberos Identification for WebLogic Server, an SPN is a unique name that identifies an instance of a service and is associated with the logon account under which the service instance runs. The SPN is used in the process of mutual authentication between the client and the server hosting a particular service. The client finds a computer account based on the SPN of the service to which it is trying to connect. So, in a specific project, you need to link the service that will be invoked by your WebLogic clients to the account you just defined for your WebLogic Server. For example, the service invoked by the WebLogic browser clients is HTTP/myhost.example.com, which needs to be linked to the myhost account.
Windows account names are not multipart in the way that Kerberos principal names are. Because of this, it is not possible to directly create an account using the name HTTP/hostname.dns.com. Such a principal instance is created through service principal name mappings. In this case, an account is created with a meaningful name, hostname, and a service principal name mapping is added for HTTP/hostname.dns.com.
The specific steps for defining an SPN and creating a keytab for the service depend on the underlying platform on which WebLogic Server is running. They are provided in
the following sections:
■ Section 6.5.3.1, Defining an SPN and Creating a Keytab on Windows Systems
■ Section 6.5.3.2, Defining an SPN and Creating a Keytab on UNIX Systems
6.5.3.1 Defining an SPN and Creating a Keytab on Windows Systems
If WebLogic Server runs on a Windows system, complete the following steps:
1. Use the setspn utility to create the SPN for the HTTP service for the WebLogic Server account created in Step 1. For example:
setspn -A HTTP/myhost.example.com myhost
Note: If you are running WebLogic Server on Windows 2003 and the IBM JDK 6, the user account's encryption type must be RC4-HMAC.
Caution: Setting the encryption type may corrupt the password. Therefore, reset the user password by right-clicking the name of the user account, selecting Reset Password, and re-entering the password created in Section 6.5.1, Step 1: Create a User Account for the Host Computer.
6-6 Securing Oracle WebLogic Server
2. Identify the SPNs that are associated with your user account by entering the setspn -L command. For example:
setspn -L myhost
3. Use the ktab utility to create a keytab to be exported to the WebLogic Server machine. The command to run the ktab utility has the following syntax (note that the Kerberos realm name must be entered in all uppercase):
ktab -k keytab-file-name -a account-name@REALM.NAME
For example:
ktab -k mykeytab -a myhost@MYDOM.COM
When prompted for a password, enter the password created in Step 1.
4. Save the keytab file in a secure location and export it to the domain directory of your WebLogic Server instance (for example, to myhost).
6.5.3.2 Defining an SPN and Creating a Keytab on UNIX Systems
If WebLogic Server runs on a UNIX system, create an SPN and a keytab file for the HTTP service for the WebLogic Server account by using the ktpass command-line tool. This tool enables an administrator to configure a non-Windows Server Kerberos service as a security principal in the Windows Server Active Directory.
The ktpass command configures the server principal name for the service in Active Directory and generates a Kerberos keytab file containing the shared secret key of the service. The tool allows UNIX-based services that support Kerberos authentication to use the interoperability features provided by the Windows Server Kerberos KDC service.
The ktpass command has the following syntax:
ktpass -princ HTTP/hostname@REALM-NAME -mapuser account-name -pass password -out keytab-file-name
For example:
ktpass -princ HTTP/myhost.example.com@MYDOM.COM -mapuser myhost -pass welcome1 -out mykeytab
Tip: The preceding is an important step. If the same service is linked to a different account in the Active Directory server, the client will not send a Kerberos ticket to the server.
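Both the ktab and ktpass procedures above end with a keytab file that is copied to the WebLogic domain directory. As an added example (not part of Oracle's documentation), the following Python script decodes a keytab in the version 0x0502 layout written by these tools and checks that it holds the expected HTTP/host@REALM principal, an allowed encryption type and an uppercase realm, which is worth verifying before the file is trusted. The sample keytab and its 8-byte key are constructed inline.

```python
import struct

# Kerberos enctype numbers for the types this page mentions (RFC 3961 / RFC 4757)
DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC = 1, 3, 23

def _c(b):  # counted octet string: 16-bit big-endian length followed by the bytes
    return struct.pack(">H", len(b)) + b

def build_keytab(entries):
    """Serialize (principal, enctype, key, kvno) tuples into a version 0x0502 keytab (constructed sample data)."""
    out = b"\x05\x02"
    for principal, enctype, key, kvno in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _c(realm.encode()) + b"".join(_c(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno)              # name_type NT-PRINCIPAL, timestamp, 8-bit kvno
        body += struct.pack(">HH", enctype, len(key)) + key  # keyblock: enctype, key length, key bytes
        out += struct.pack(">i", len(body)) + body           # every entry is prefixed by its signed size
    return out

def parse_keytab(data):
    """Decode a version 0x0502 keytab into a list of (principal, enctype, kvno) tuples."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:          # a negative size marks a deleted slot: skip over it
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos, strings = pos + 2, []
        for _ in range(ncomp + 1):             # realm comes first, then the name components
            (n,) = struct.unpack_from(">H", data, pos)
            strings.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        _name_type, _timestamp, kvno = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        kpos = pos + 13 + klen                 # position just past the key bytes
        if end - kpos >= 4:                    # optional 32-bit kvno overrides the 8-bit field
            (kvno,) = struct.unpack_from(">I", data, kpos)
        entries.append(("/".join(strings[1:]) + "@" + strings[0], enctype, kvno))
        pos = end
    return entries

def check_keytab(data, expected_principal, allowed_enctypes):
    """True only if every entry names expected_principal, uses an allowed enctype and has an uppercase realm."""
    entries = parse_keytab(data)
    return bool(entries) and all(
        p == expected_principal and e in allowed_enctypes and p.rsplit("@", 1)[1].isupper() for p, e, _ in entries)

# Constructed sample: the principal this page creates, with a dummy 8-byte DES key and kvno 2
SAMPLE = build_keytab([("HTTP/myhost.example.com@MYDOM.COM", DES_CBC_MD5, b"\x01" * 8, 2)])
```

To inspect a real file, read it in binary mode and pass the bytes to parse_keytab; only principal, enctype and kvno are returned, so the key material is never printed.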
6.5.4 Step 4: Verify Correct Setup