问题
I am trying to configure Kerberos SSO on Web Logic 12.1.2 with JDK 1.7.x on Win 2012 R2. I am using Java ktab java command to create keytab file. The encryption includes DES and rc4-hmac. My kerberos ini file only uses rc4-hmac encryption.
But when I try to login to my application I am getting this error in Web Logic log file (fragment):
####<Nov 13, 2014 7:24:29 AM PST> <Debug> <SecurityAtn> <ifvm00131> <ICN_ManagedServer_2> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1415892269395> <BEA-000000> <acceptGssInitContextToken failed
com.bea.security.utils.kerberos.KerberosException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)
at com.bea.security.utils.kerberos.KerberosTokenHandler.acceptGssInitContextTokenInDoAs(KerberosTokenHandler.java:351)
at com.bea.security.utils.kerberos.KerberosTokenHandler.access$100(KerberosTokenHandler.java:43)
at com.bea.security.utils.kerberos.KerberosTokenHandler$2.run(KerberosTokenHandler.java:239)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
at com.bea.security.utils.kerberos.KerberosTokenHandler.acceptGssInitContextToken(KerberosTokenHandler.java:237)
at com.bea.security.utils.kerberos.KerberosTokenHandler.acceptGssInitContextToken(KerberosTokenHandler.java:165)
at com.bea.common.security.internal.utils.negotiate.SPNEGONegotiateToken.getUsername(SPNEGONegotiateToken.java:57)
at weblogic.security.providers.authentication.NegotiateIdentityAsserterProviderImpl.assertChallengeIdentity(NegotiateIdentityAsserterProviderImpl.java:210)
at com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter.assertChallengeIdentity(ChallengeIdentityAssertionProviderImpl.java:130)
at com.bea.common.security.internal.service.ChallengeIdentityAssertionTokenServiceImpl.assertChallengeIdentity(ChallengeIdentityAssertionTokenServiceImpl.java:120)
and login to my application is unsuccessful. I am getting in browser Error 401--Unauthorized error.
When I reconfigure the env using the AES256 encryption I am getting Checksum failed error.
I wonder if anyone experienced similar issues and was able to resole it successfully?
Here is my krb5.ini file located in the c:\windows directory
[libdefaults]
default_realm = MYREALM.LOCAL
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
ticket_lifetime = 600
[realms]
MYREALM.LOCAL = {
kdc = adhostname.mydomain.local:88
admin_server = adhostname.mydomain.local
default_domain = mydomain.local
}
[domain_realm]
mydomain.local = MYREALM.LOCAL
.mydomain.local = MYREALM.LOCAL
And this is my config file
com.sun.security.jgss.krb5.initiate
{
com.sun.security.auth.module.Krb5LoginModule required
principal="account@REALM.LOCAL" useKeyTab=true
keyTab="C:\\sso\\wlker.keytab" storeKey=true debug=true;
};
com.sun.security.jgss.krb5.accept
{
com.sun.security.auth.module.Krb5LoginModule Required
principal="account@REALM.LOCAL" useKeyTab=true
keyTab="C:\\sso\\wlker.keytab" storeKey=true debug=true;
};
Myapp
{
weblogic.security.auth.login.UsernamePasswordLoginModule required authOnLogin=true;
};
回答1:
I have already answered this before. Please search, you have to enable/install unlimited security policy.
来源:https://stackoverflow.com/questions/26928190/has-anyone-configured-kerberos-sso-on-web-logic-12-1-2-with-jdk-1-7-on-win-2012