How to SSO in mixed OS environment


System Requirements
Date and Time configuration
DNS configuration
Creating a unique service account in Active Directory
Create a Single Sign On group in Active Directory
Generate a Keytab file on the Windows 2008R2 machine
Configuring the Negotiate Identity Assertion Provider
Configuring an Active Directory Authentication Provider
Create a Kerberos Configuration file
Creating a JAAS Login File
Startup Arguments for Kerberos Authentication with WebLogic Server
Creating the Kerberos Ticket for WebLogic
Setup Internet Explorer (and others) on the Windows 7 client
Enabling DES support for legacy applications



This article is an step by step guide to configure Single Sign On (SSO) in mixed OS environments, before we get started let me just say that Kerberos/SPNEGO is one of those things that when it works it's awesome, and when it doesn't it's incredibly frustrating to debug. Add to the mix the fact that so much of what's happening is automatic and so few people actually understand what's really happening, and you have a recipe for pain and frustration. So if you during this process feel like pulling out what is left of your hair, please do it, you are fully entitled to do so.

How does this work? Here is a brief overview:

The Browser sends a GET request to your web application (1), which then returns that "negotiate" authentication is required (2). The Browser will then ask the Kerberos Server to get a so called service ticket (3). The Browser then sends this service ticket, which proves the identity of the caller, and some additional things to the web application (5). After validating the ticket, based on a shared secret (the keytab file) between your web application and the Kerberos server, you get back the username.

Note: Everything in Kerberos is a Principal - machines, services and even users. A Principal is identified by a simple string called a Service Principal Name or SPN in one of two forms - either PROTOCOL/hostname for services (e.g. HTTP/ for a web server) or username@DOMAIN for users (e.g. fodsved@MATAS.DK). The case of the string is important; the Protocol and domain name are always in CAPITAL LETTERS and the hostname and username are always in lower case.

System requirements

For today’s exercise we will use a Windows 2008 R2 for the Active Directory, and Oracle Linux for the Weblogic server, the clients will be using Windows 7 for Internet Explorer.


Active Directory

Windows 2008R2


Domain Controller: FREJA

Host name: freja

IP address:

DNS server:


WebLogic Server

Oracle Enterprise Linux 5

JDK 1.6.2.

Oracle host name:

DNS search path: oracle

IP address:

DNS server:


Internet Explorer 8 and later, or a .NET Web Service client

Windows 7

Windows XP

IP address:

DNS server:



Date and Time configuration

 Have all machines synchronized in the same time zone, time and date.


DNS configuration

 Put the following A records in your DNS server

_kerberos-master._udp.matas.local     A
_kerberos-master._tcp.matas.local     A

The above entries are automatically added in networks where the AD server is configured to update DNS, in any case you should check for their presence.

freja.matas.local                      A                        A

Test your DNS server by running the following command

dcdiag /s:freja.matas.local

All errors must be corrected before you continue

Creating a unique service account in Active Directory

First start by adding a user to the Active Directory

dsadd user "cn=wlsuser,cn=users,dc=matas,dc=local" -disabled no -mustchpwd no -canchpwd no -pwdneverexpires yes -acctexpires never -pwd @windows2008 -upn wlsuser@matas.local

Now check that you don’t have any duplicate SPN’s by entering

setspn –Q HTTP/*

Note:If you have installed IIS on the machine, then uninstall it. IIS registers the Kerberos service principal HTTP/machine and HTTP/ and if you leave IIS installed you'll never manage to get Kerberos on WebLogic working correctly.

Once you have created that user, use the setspn utility to associate the HTTP/machine and HTTP/ principals with the user.

setspn -a HTTP/wlserver wlsuser
setspn -a HTTP/ wlsuser

Create a Single Sign On group in Active Directory

Create a Group in Active Directory called WebLogicADusers and add all Active Directory users that should have Single Sign On access to the Weblogic server, the group is referenced in the weblogic.xml configuration file of your web application or service.

Note:  Do not use space in group names, it will not work at all with WebLogic SSO


Generate a Keytab file on the Windows 2008R2 machine

The ktpass command configures the server principal name for the host or service in Active Directory and generates an MIT-style Kerberos keytab file containing the shared secret key of the service. The command allows UNIX-based services that support Kerberos authentication to use the interoperability features provided by the Windows Server Kerberos KDC service.

ktpass /princ HTTP/ /pass @windows2008 /mapuser wlsuser@MATAS.LOCAL /out krb5.keytab /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT

The generated output:

Targeting domain controller: FREJA.matas.local
Using legacy password setting method
Successfully mapped HTTP/ to wlsuser.

Key created.
Output keytab to krb5.keytab:
Keytab version: 0x502
keysize 67 HTTP/ ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x17 (RC4-HMAC)
keylength 16 (0xc1a3e32a0ab09249e6a89563977ff771)

Note: The ktpass command changes the principal name in the Active Directory server from account-name to HTTP/account-name. Consequently, the keytab file is generated for a principal named HTTP/account-name. However, sometimes the name change does not happen. If not, you should change it manually in the Active Directory server; otherwise the keytab you generate will not work properly.

Now copy the generated krb5.keytab file to the WebLogic machine. I put it in the folder /etc


Configuring the Negotiate Identity Assertion Provider

Negotiate Identity Assertion provider enables single sign-on (SSO) with Microsoft clients. The identity assertion provider decodes Simple and Protected Negotiate (SPNEGO) tokens to obtain Kerberos tokens, validates the Kerberos tokens, and maps them to WebLogic users

Open the WebLogic console application and go to security realms -> myrealm -> providers -> authentication

And create a new authentication provider and select NegotiateIdentityAsserter from the drop down list and name it KerberosIdentityAsserter. Go into the Identity Asserter's configuration and click on the Provider Specific tab and uncheck the "Form Based Negotiation Enabled" box.

Configuring an Active Directory Authentication Provider

Open the WebLogic console application and go to security realms -> myrealm -> providers -> authentication

Create an ActiveDirectoryAuthenticator and name it ADauthenticator

Open the ADauthenticator and go to Provider Specific and set the following, and leaving the reminder at default values.

Principal:                                    CN=wlsuser,CN=Users,DC=matas,DC=local
Credentials:                                @windows2008
User base DN:                             CN=Users,DC=matas,DC=local
Group base DN:                          CN=Users,DC=matas,DC=local

On the Provider Summary page, reorder the providers in the following order, making sure that their Control Flags are set to SUFFICIENT where applicable:

1.      KerberosIdentityAsserter

2.      ADauthenticator (SUFFICIENT)

3.      DefaultAuthenticator (SUFFICIENT)

4.      Other authenticators...

After you logout and then login again on the management console, you should be able to see all you Active Directory users and groups listed together with the embedded LDAP users.


Create a Kerberos Configuration file

On the Linux machine make a file called krb5.conf with the following content, and put it in the /etc folder


default_realm = MATAS.LOCAL
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac
ticket_lifetime = 6000
kdc =
admin_server = freja.matas.local
default_domain = MATAS.LOCAL
.matas.local = MATAS.LOCAL
autologin = true
forward = true
forwardable = true encrypt = true

Creating a JAAS Login File

The Kerberos related classes included with the JDK require a config file to run properly. Basically this file tells the GSS layer which classes are used to do the actual work and provides configuration information to those classes. Create a krb5login.conf file with the contents below and place the file in your domains home directory, in my case /u01/app/oracle/product/Middleware/user_projects/domains/webcenter

You specify the location of the krb5login.conf file in the startup argument for WebLogic Server
{ required 
}; { required 
}; { required 
}; { required 


Startup Arguments for Kerberos Authentication with WebLogic Server

To use Kerberos authentication with WebLogic Server, Add the following parameters to the JAVA_OPTIONS in the of your domain.


For the Kerberos protocol to authenticate with Active Directory, so you need to configure the Linux system to act as a Kerberos client for the realm (domain) for this facility to work. Oracle Linux supplies the MIT Kerberos software. If the krb5-workstation package has been installed then the necessary client programs will be in /usr/kerberos/bin/

Creating the Kerberos Ticket for WebLogic

Now obtain a Ticket using the kinit command like so:

kinit -k -t /etc/krb5.keytab HTTP/

This should exit without any error messages, and this Kerberos ticket will now appear when you execute the klist -5 command, this is the output generated by klist:

Ticket cache: FILE:/tmp/krb5cc_500
Default principal: HTTP/
Valid starting     Expires            Service principal
10/23/11 06:15:44  10/23/11 06:25:44  krbtgt/MATAS.LOCAL@MATAS.LOCAL

If you want to purge the ticket cache use the kdestroy command.
Tip: The command klist -ke will give you a list if what is in the keytab file.

Test the ticket by using the kinit command again

kinit HTTP/

This should exit without any errors
Deploy a test Application on WebLogic
Create or change an application with ADF Security or a normal Web Application which got security enabled.


<?xml version = '1.0' encoding = 'UTF-8'?>
<web-app xmlns:xsi=""
         version="2.5" xmlns="">
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-name>Faces Servlet</servlet-name>


<<?xml version = '1.0' encoding = 'UTF-8'?>
<weblogic-web-app xmlns:xsi=""

Setup Internet Explorer (and others) on the Windows 7 client

In Internet Explorer, please go to the Tools -> Internet Options -> Advanced tab and check the Enable Integrated Windows Authentication check-box.

Next, switch to the security tab and click Local intranet -> Sites in the Local intranet popup, ensure that the Include all sites that bypass the proxy server and Include all local (intranet) sites not listed in other zones options are checked. Then click the Advanced button and add all relative domain names that will be used for WebLogic Server instances participating in the SSO configuration, in our case http://*

Next, also in the security tab and click Local Intranet -> Custom Level and select Automatic log-on with current user name and password.

Test that the client is actually obtaining a ticket. First clear the ticket cache by running klist purge and then run klist -5 and it should tell you that you have 0 (zero) tickets in the cache, then browse to your security enabled WebLogic application, and run again klist -5  5 and it should tell you that you have tickets in the cache.

Google Chrome
Start chrome.exe with the following parameter --args --auth-server-whitelist="*matas.local" This allows SSO with chrome.

In the address bar of Firefox, type about:config to display the list of current configuration options.
  In the Filter field, type negotiate to restrict the list of options.
  Double-click the network.negotiate-auth.trusted-uris entry to display the Enter string value dialog box.
  Enter the name of the domain against which you want to authenticate, for example, .matas.local.
  Repeat the above procedure for the network.negotiate-auth.delegation-uris entry, using the same domain.


Enabling DES support for legacy applications

Since DES encryption is disabled by default in Windows 2008 R2 and Windows 7, it can cause compatibility problems with legacy applications with only DES encryption or if the Windows account that runs a service is configured to use only DES encryption. These services or applications will fail unless you reconfigure them to support another encryption type or you enable DES support.

You can enable DES encryption for Kerberos authentication on Windows 7 or Server 2008 R2 by editing the Group Policy Object setting Network security: Configure encryption types allowed for Kerberos located in the Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options GPO container. The Group Policy Object can be edited with gpedit.msc.



Check spelling and case errors, this is a common cause for errors.

In general, Wireshark is your friend, use it to capture network traffic, it will expose all visible protocol errors.

Enable debug for authentication and authorization via the WebLogic Console Servers -> [Server Name] -> Debug -> WebLogic -> Security -> atn (for Authentication) and atz (for Authorization).

Sometimes a silent prayer might also do the trick.



Configuring SSO for Microsoft Clients
Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability

SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows

Kerberos Requirements

Kerberos troubleshooting

Kerberos Authentication Technical Reference

Kerberos and WebLogic Server on Windows step-by-step

Single Sign On with Windows / Kerberos on WebLogic

Comments (2) -

Auto dial software
Auto dial software
01-10-2012 09:27:57 #

One of the more impressive blogs Ive seen.  Thanks so much for keeping the internet classy for a change.  Youve got style, class, bravado.  I mean it.  Please keep it up because without the internet is definitely lacking in intelligence.

22-10-2012 19:56:27 #

The following time I read a blog, I hope that it doesnt disappoint me as much as this one. I imply, I do know it was my choice to learn, however I actually thought youd have one thing interesting to say. All I hear is a bunch of whining about something that you may fix in the event you werent too busy in search of attention.

Add comment

  Country flag

  • Comment
  • Preview

Month List