Configuring the Identity Assertion Provider Using Startup Arguments for Kerberos Authentication with WebLogic Server

6-10 Securing Oracle WebLogic Server

Example 6–2 shows a sample JAAS login file for Kerberos authentication. Significant sections are shown in bold.

Example 6–2 Sample JAAS Login File for Kerberos Authentication

    com.sun.security.jgss.krb5.initiate {
        com.sun.security.auth.module.Krb5LoginModule required
            principal="myhost@Example.CORP"
            useKeyTab=true
            keyTab=mykeytab
            storeKey=true;
    };

    com.sun.security.jgss.krb5.accept {
        com.sun.security.auth.module.Krb5LoginModule required
            principal="myhost@Example.CORP"
            useKeyTab=true
            keyTab=mykeytab
            storeKey=true;
    };

For the principal option, specify the value of the userPrincipalName attribute of the account under which the service is running. Incorrectly specifying the user principal name results in an error such as "Unable to obtain password from user".

The keytab file specified in the keyTab option must be accessible by the WebLogic Server process. Ensure that the appropriate permissions are set. If you are unsure of the search path WebLogic Server is using, provide the absolute path to the file. Make sure you enclose the path in double quotes, and replace any backslash (\) in the path with a double backslash (\\) or a forward slash (/).

6.8 Configuring the Identity Assertion Provider

WebLogic Server includes a security provider, the Negotiate Identity Assertion provider, to support single sign-on (SSO) with Microsoft clients. This identity assertion provider decodes Simple and Protected Negotiate (SPNEGO) tokens to obtain Kerberos tokens, validates the Kerberos tokens, and maps Kerberos tokens to WebLogic users. You need to configure a Negotiate Identity Assertion provider in your WebLogic security realm in order to enable SSO with Microsoft clients. See Section 5.9.3, "Configuring a Negotiate Identity Assertion Provider," and "Configure Authentication and Identity Assertion providers" in the Oracle WebLogic Server Administration Console Help.

6.9 Using Startup Arguments for Kerberos Authentication with WebLogic Server

To use Kerberos authentication with WebLogic Server, use the following start-up arguments when you start WebLogic Server:

Notes: For JDK 1.4 and JDK 5.0, the JAAS Login Entry names are com.sun.security.jgss.initiate and com.sun.security.jgss.accept. For JDK 6.0, the JAAS Login Entry names are com.sun.security.jgss.krb5.initiate and com.sun.security.jgss.krb5.accept.

    -Djavax.security.auth.useSubjectCredsOnly=false
    -Djava.security.auth.login.config=krb5Login.conf
    -Djava.security.krb5.realm=Example.CORP
    -Djava.security.krb5.kdc=ADhostname

where

■ javax.security.auth.useSubjectCredsOnly specifies that it is permissible to use an authentication mechanism other than Subject credentials.
■ java.security.auth.login.config specifies the JAAS login file, krb5Login.conf, described in Section 6.7, "Creating a JAAS Login File."
■ java.security.krb5.realm defines the Microsoft domain in which the Active Directory server runs.
■ java.security.krb5.kdc defines the host name on which the Active Directory server runs.

Java GSS messages are often very useful during troubleshooting, so you might want to add -Dsun.security.krb5.debug=true as part of the initial setup.
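The following Python script is an added example; it is not part of the Oracle documentation and not WebLogic code. It turns the requirements of Example 6–2 (Section 6.7) and the start-up arguments of Section 6.9 into a pre-flight check that can be run before starting the server: it parses a JAAS login file in the Example 6–2 layout, verifies that the principal has the user@REALM form of a userPrincipalName, checks the keyTab value for double quotes, single backslashes, relative paths and readability, requires storeKey=true on the accept entry, builds the -D argument list, and cross-checks the realm in the principal against java.security.krb5.realm. The sample login file, its paths and all function names are constructed for this example.

```python
import os
import re

# Constructed sample in the Example 6-2 layout with two deliberate defects:
# a single-backslash Windows path in the initiate entry and a relative
# keytab path in the accept entry. Not taken from the Oracle documentation.
SAMPLE_JAAS = r'''
com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
        principal="myhost@Example.CORP"
        useKeyTab=true
        keyTab="C:\kerberos\mykeytab"
        storeKey=true;
};
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
        principal="myhost@Example.CORP"
        useKeyTab=true
        keyTab=mykeytab
        storeKey=true;
};
'''

ENTRY_RE = re.compile(r'([\w.]+)\s*\{(.*?)\}\s*;', re.DOTALL)
MODULE_RE = re.compile(r'([\w.]+)\s+(required|requisite|sufficient|optional)\s+(.*?);', re.DOTALL)
OPTION_RE = re.compile(r'(\w+)\s*=\s*("(?:[^"\\]|\\.)*"|\S+)')


def parse_jaas(text):
    """Map each login entry name to a list of (module, flag, {option: raw value})."""
    entries = {}
    for name, body in ENTRY_RE.findall(text):
        entries[name] = [(module, flag, dict(OPTION_RE.findall(opts)))
                         for module, flag, opts in MODULE_RE.findall(body)]
    return entries


def check_keytab(raw):
    """Findings for a keyTab value exactly as written in the file."""
    findings = []
    quoted = len(raw) >= 2 and raw[0] == raw[-1] == '"'
    inner = raw[1:-1] if quoted else raw
    if '\\' in inner and not quoted:
        findings.append('keyTab: a path containing backslashes must be enclosed in double quotes')
    if quoted and re.search(r'(?<!\\)\\(?!\\)', inner):   # lone backslash inside quotes
        findings.append('keyTab: replace each single backslash with \\\\ or /')
    path = inner.replace('\\\\', '\\')
    if not (os.path.isabs(path) or re.match(r'[A-Za-z]:[\\/]', path)):
        findings.append(f'keyTab: {path!r} is relative; give the absolute path')
    elif not os.access(path, os.R_OK):
        findings.append(f'keyTab: {path!r} is not readable by this process')
    return findings


def build_startup_args(login_conf, realm, kdc, debug=False):
    """Assemble the -D arguments from Section 6.9 (krb5 debug output optional)."""
    args = ['-Djavax.security.auth.useSubjectCredsOnly=false',
            f'-Djava.security.auth.login.config={login_conf}',
            f'-Djava.security.krb5.realm={realm}',
            f'-Djava.security.krb5.kdc={kdc}']
    if debug:
        args.append('-Dsun.security.krb5.debug=true')
    return args


def arg_value(args, name):
    """Value of -D<name>=<value> in an argument list, or None if absent."""
    prefix = f'-D{name}='
    return next((a[len(prefix):] for a in args if a.startswith(prefix)), None)


def check_config(jaas_text, startup_args):
    """Return {scope: [findings]}; an empty list means that scope passed."""
    report = {}
    entries = parse_jaas(jaas_text)
    realm = arg_value(startup_args, 'java.security.krb5.realm')
    for suffix in ('initiate', 'accept'):
        if not any(name.endswith('.' + suffix) for name in entries):
            report.setdefault('startup', []).append(f'no login entry ending in .{suffix}')
    if arg_value(startup_args, 'javax.security.auth.useSubjectCredsOnly') != 'false':
        report.setdefault('startup', []).append('javax.security.auth.useSubjectCredsOnly must be false')
    for name, modules in entries.items():
        findings = []
        for module, _flag, opts in modules:
            if not module.endswith('Krb5LoginModule'):
                continue
            principal = opts.get('principal', '').strip('"')
            if '@' not in principal:
                findings.append('principal: expected userPrincipalName form user@REALM')
            elif realm and principal.split('@', 1)[1] != realm:
                findings.append('principal realm differs from java.security.krb5.realm')
            if opts.get('useKeyTab') == 'true':
                findings.extend(check_keytab(opts['keyTab']) if 'keyTab' in opts
                                else ['useKeyTab=true but no keyTab option'])
            if name.endswith('.accept') and opts.get('storeKey') != 'true':
                findings.append('accept entry needs storeKey=true to keep the service key for token validation')
        report[name] = findings
    return report


if __name__ == '__main__':
    args = build_startup_args('krb5Login.conf', 'Example.CORP', 'ADhostname', debug=True)
    for scope, findings in check_config(SAMPLE_JAAS, args).items():
        print(scope, findings or 'OK')
```

Run against the constructed sample, the initiate entry is flagged for its single-backslash, unreadable keytab path and the accept entry for its relative path; swapping the realm passed to build_startup_args for a different one additionally reports the principal/realm mismatch, which is the kind of inconsistency that otherwise only surfaces as a GSS failure at startup.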

6.10 Verifying Configuration of SSO with Microsoft Clients