6 Configuring Single Sign-On with Microsoft Clients

The following sections explain how to set up single sign-on (SSO) with Microsoft clients, using Windows authentication based on the Simple and Protected Negotiate (SPNEGO) mechanism and the Kerberos protocol, together with the WebLogic Negotiate Identity Assertion provider.

Overview of Single Sign-On with Microsoft Clients

Single sign-on (SSO) with Microsoft clients allows cross-platform authentication between Web applications or Web Services running in a WebLogic Server domain and .NET Web Service clients or browser clients (for example, Internet Explorer) in a Microsoft domain. The Microsoft clients must use Windows authentication based on the Simple and Protected Negotiate (SPNEGO) mechanism.

Cross-platform authentication is achieved by emulating the negotiate behavior of native Windows-to-Windows authentication services that use the Kerberos protocol. In order for cross-platform authentication to work, non-Windows servers (in this case, WebLogic Server) need to parse SPNEGO tokens in order to extract Kerberos tokens which are then used for authentication.

For more information about Windows and Kerberos, see http://technet.microsoft.com/en-us/library/bb742431.aspx.

System Requirements for SSO with Microsoft Clients

To use SSO with Microsoft clients you need:

A host computer with:

  • Windows 2000 or later installed

  • Fully-configured Active Directory authentication service. Specific Active Directory requirements include:

    • User accounts for mapping Kerberos services

    • Service Principal Names (SPNs) for those accounts

    • Key tab files created and copied to the start-up directory in the WebLogic Server domain

  • WebLogic Server installed and configured properly to authenticate through Kerberos, as described in this chapter

Client systems with:

  • Windows 2000 Professional SP2 or later installed

  • One of the following types of clients:

    • A properly configured Internet Explorer browser. Internet Explorer 6.01 or later is supported.

    • .NET Framework 1.1 and a properly configured Web Service client.

    Clients must be logged on to a Windows 2000 domain and have Kerberos credentials acquired from the Active Directory server in the domain. Local logins will not work.

Single Sign-On with Microsoft Clients: Main Steps

Configuring SSO with Microsoft clients requires set-up procedures in the Microsoft Active Directory, the client, and the WebLogic Server domain. (These procedures are detailed in the sections that follow.)

  • Define a principal in Active Directory to represent the WebLogic Server. The Kerberos protocol uses the Active Directory server in the Microsoft domain to store the necessary security information.

  • Any Microsoft client you want to access in the Microsoft domain must be set up to use Windows Integrated authentication, sending a Kerberos ticket when available.

  • In the security realm of the WebLogic Server domain, configure a Negotiate Identity Assertion provider. The Web application or Web Service used in SSO needs to have authentication set in a specific manner. A JAAS login file that defines the location of the Kerberos identification for WebLogic Server must be created.

To configure SSO with Microsoft clients:

  1. Configure your network domain to use Kerberos. See Configuring Your Network Domain to Use Kerberos.

  2. Create a Kerberos identification for WebLogic Server.

    1. Create a user account in the Active Directory for the host on which WebLogic Server is running.

    2. Create a Service Principal Name for this account.

    3. Create a user mapping and keytab file for this account.

    See Creating a Kerberos Identification for WebLogic Server.

  3. Choose a Microsoft client (either a Web Service or a browser) and configure it to use Windows Integrated authentication. See Configuring Microsoft Clients to Use Windows Integrated Authentication.

  4. Set up the WebLogic Server domain to use Kerberos authentication.

    1. Create a JAAS login file that points to the Active Directory server in the Microsoft domain and the keytab file created in Step 1. See Creating a JAAS Login File.

    2. Configure a Negotiate Identity Assertion provider in the WebLogic Server security realm. See Configuring a Negotiate Identity Assertion Provider.

  5. Start WebLogic Server using specific start-up arguments. See Using Startup Arguments for Kerberos Authentication with WebLogic Server.

The following sections describe these steps in detail.

Configuring Your Network Domain to Use Kerberos

A Windows domain controller can serve as the Kerberos Key Distribution Center (KDC), using the Active Directory and the Kerberos services. On any domain controller, the Active Directory and the Kerberos services are running automatically.

Java GSS requires a Kerberos configuration file. The default name and location of the Kerberos configuration file depends on the operating system being used. Java GSS uses the following order to search for the default configuration file:

  1. The file referenced by the Java property java.security.krb5.conf.

  2. ${java.home}/lib/security/krb5.conf.

  3. %windir%\krb5.ini on Microsoft Windows platforms.

  4. /etc/krb5/krb5.conf on Solaris platforms.

  5. /etc/krb5.conf on other Unix platforms.

To configure Kerberos in your Windows domain controller, you need to configure each machine that will access the KDC to locate the Kerberos realm and available KDC servers. For example:

Example 6-1 Sample krb5.ini File

[libdefaults]
default_realm = MYDOM.COM (Identifies the default realm. Set its value to your Kerberos realm)
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
ticket_lifetime = 600
[realms]
MYDOM.COM = {
kdc = <IP address for MachineA> (host running the KDC)
(For Unix systems, you need to specify port 88, as in <IP-address>:88)
admin_server = MachineA
default_domain = MYDOM.COM
}
[domain_realm]
.mydom.com = MYDOM.COM

[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true

Creating a Kerberos Identification for WebLogic Server

Active Directory provides support for service principal names (SPN), which are a key component in Kerberos authentication. SPNs are unique identifiers for services running on servers. Every service that uses Kerberos authentication needs to have an SPN set for it so that clients can identify the service on the network. An SPN usually looks something like name@YOUR.REALM. You need to define an SPN to represent your WebLogic Server in the Kerberos realm. If an SPN is not set for a service, clients have no way of locating that service. Without correctly set SPNs, Kerberos authentication is not possible. Keytab files are the mechanism for storing the SPNs. Keytab files are copied to the WebLogic Server domain and are used in the login process. This configuration step describes how to create an SPN, user mapping, and keytab file for WebLogic Server.

This configuration step requires the use of the following Active Directory utilities:

  • setspn—Windows 2000 Resource Kit

  • ktpass—Windows 2000 distribution CD in Program Files\Support Tools

    Note:

    The setspn and ktpass Active Directory utilities are products of Microsoft. Therefore, Oracle does not provide complete documentation for this utilities. For more information, see the appropriate Microsoft documentation.

To create a Kerberos identification for WebLogic Server:

  1. In the Active Directory server, create a user account for the host computer on which WebLogic Server runs. (Select New > User, not New > Machine.)

    When creating the user account, use the simple name of the computer. For example, if the host is named myhost.example.com, create a user in Active Directory called myhost.

    Note the password you defined when creating the user account. You will need it in step 3. Do not select the User must change password at next logon option, or any other password options.

  2. Configure the new user account to comply with the Kerberos protocol. The user account's encryption type must be DES and the account must require Kerberos pre-authentication.

    1. Right-click the name of the user account in the Users tree in the left pane and select Properties.

    2. Select the Account tab and check the box "Use DES encryption types for this account." Make sure no other boxes are checked, particularly the box "Do not require Kerberos pre-authentication."

    3. Setting the encryption type may corrupt the password. Therefore, reset the user password by right-clicking the name of the user account, selecting Reset Password, and re-entering the same password specified earlier.

  3. Use the setspn utility to create the Service Principal Names (SPNs) for the user account created in step 1. Enter the following commands:

    setspn -a host/myhost.example.com myhost 
    setspn -a HTTP/myhost.example.com myhost 
    
  4. Check which SPNs are associated with your user account, using the following command:

    setspn -L account name 
    

    This is an important step. If the same service is linked to a different account in the Active Directory server, the client will not send a Kerberos ticket to the server.

  5. Create a user mapping using the ktpass utility. For example, on Windows systems:

    ktpass -princ host/myhost@Example.CORP -pass password -mapuser myhost -out c:\temp\myhost.host.keytab
    
  6. Create a keytab file. On Windows, the ktab utility manages principal name and key pairs in the key table and allows you to list, add, update, or delete principal names and key pairs. On UNIX, it is preferable to use the ktpass utility.

    Windows

    1. Run the ktab utility on the host on which WebLogic Server is running to create the keytab file:

      ktab -k keytab-filename -a myhost@Example.CORP 
      
    2. Copy the keytab file to the startup directory in the WebLogic Server domain.

    UNIX

    1. Create a user mapping using the ktpass utility, using a command like this, where password is the password for the user account created in step 1:

      ktpass -princ HTTP/myhost@Example.CORP -pass password -mapuser myhost -out c:\temp\myhost.HTTP.keytab
      
    2. Copy the keytab file created in Step a to the startup directory in the WebLogic Server domain.

    3. Login as root and then merge them into a single keytab using the ktutil utility as follows:

      ktutil: "rkt myhost.host.keytab"
      ktutil: "rkt myhost.HTTP.keytab"
      ktutil: "wkt mykeytab"
      ktutil: "q"
      
  7. Run the kinit utility to verify Kerberos authentication is working properly.

kinit -k -t keytab-file account-name 

The output should be something similar to:

New ticket is stored in cache file C:\Documents and Settings\Username\krb5cc_MachineB

Configuring Microsoft Clients to Use Windows Integrated Authentication

Ensure the Microsoft client you want to use for single sign-on is configured to use Windows Integrated authentication. The following sections describe how to configure a .NET Web server, an Internet Explorer browser client, and a Mozilla Firefox client to use Windows Integrated authentication:

Configuring a .NET Web Service

To configure a .NET Web Service to use Windows authentication:

  1. In the web.config file for the Web Service, set the authentication mode to Windows for IIS and ASP.NET as follows:

    <authentication mode="Windows" />
    

    This setting is usually the default.

  2. Add the statement needed for the Web Services client to pass to the proxy Web Service object so that the credentials are sent through SOAP.

    For example, if you have a Web Service client for a Web Service that is represented by the proxy object conv, the syntax is as follows:

    /*
    * Explicitly pass credentials to the Web Service
    */
    conv.Credentials =
    System.Net.CredentialCache.DefaultCredentials;
    

Configuring an Internet Explorer Browser

To configure an Internet Explorer browser to use Windows authentication, follow these procedures in Internet Explorer.

Configure Local Intranet Domains

  1. In Internet Explorer, select Tools > Internet Options.

  2. Select the Security tab.

  3. Select Local intranet and click Sites.

  4. In the Local intranet popup, ensure that the "Include all sites that bypass the proxy server" and "Include all local (intranet) sites not listed in other zones" options are checked.

  5. Click Advanced.

  6. In the Local intranet (Advanced) dialog box, add all relative domain names that will be used for WebLogic Server instances participating in the SSO configuration (for example, myhost.example.com) and click OK.

Configure Intranet Authentication

  1. Select Tools > Internet Options.

  2. Select the Security tab.

  3. Select Local intranet and click Custom Level... .

  4. In the Security Settings dialog box, scroll to the User Authentication section.

  5. Select Automatic logon only in Intranet zone. This option prevents users from having to re-enter logon credentials, which is a key piece to this solution.

  6. Click OK.

Verify the Proxy Settings

If you have a proxy server enabled:

  1. Select Tools > Internet Options.

  2. Select the Connections tab and click LAN Settings.

  3. Verify that the proxy server address and port number are correct.

  4. Click Advanced.

  5. In the Proxy Settings dialog box, ensure that all desired domain names are entered in the Exceptions field.

  6. Click OK to close the Proxy Settings dialog box.

Set Integrated Authentication for Internet Explorer 6.0

In addition to the settings already described, one additional setting is required if you are running Internet Explorer 6.0.

  1. In Internet Explorer, select Tools > Internet Options.

  2. Select the Advanced tab.

  3. Scroll to the Security section.

  4. Make sure that Enable Integrated Windows Authentication option is checked and click OK.

  5. If this option was not checked, restart the computer.

Configuring a Mozilla Firefox Browser

To configure a Firefox browser to use Windows Integrated authentication, complete the following steps:

  1. Start Firefox.

  2. Enter about:config in the Location Bar.

  3. Enter the filter string network.negotiate.

  4. Set the preferences as shown in Table 6-1.

    Table 6-1 Preferences Required in Firefox for Windows Integrated Authentication

    Preference Name Status Type Value
    network.negotiate-auth.allow-proxies
    
    default
    
    boolean
    
    true
    
    network.negotiate-auth.delegation-uris
    
    user set
    
    string
    
    http://,https://
    
    network.negotiate-auth.gsslib
    
    default
    
    string
    

    <blank>Foot 1 

    network.negotiate-auth.trusted-uris
    
    user set
    
    string
    
    http://,https://
    
    network.negotiate-auth.using-native-gsslib
    
    default
    
    boolean
    
    true
    

    Footnote 1 The value for the network.negotiate-auth.gsslib preference should be kept blank.

Creating a JAAS Login File

If you are running WebLogic Server on either the Windows or UNIX platforms, you need a JAAS login file. The JAAS login file tells the WebLogic Security Framework to use Kerberos authentication and defines the location of the keytab file which contains Kerberos identification information for WebLogic Server. You specify the location of the JAAS login file in the java.security.auth.login.config startup argument for WebLogic Server, as described in Using Startup Arguments for Kerberos Authentication with WebLogic Server.

Notes:

For JDK 1.5 and JDK 1.4, the JAAS Login Entry name is com.sun.security.jgss.accept.

For JDK 1.6, the JAAS Login Entry name was changed to com.sun.security.jgss.krb5.accept.

Example 6-2 contains a sample JAAS login file for Kerberos authentication. Significant sections are shown in bold.

Example 6-2 Sample JAAS Login File for Kerberos Authentication

com.sun.security.jgss.initiate {

     com.sun.security.auth.module.Krb5LoginModule required
     principal="myhost@Example.CORP" useKeyTab=true
     keyTab=mykeytab storeKey=true;
};

com.sun.security.jgss.accept {

     com.sun.security.auth.module.Krb5LoginModule required
     principal="myhost@Example.CORP" useKeyTab=true 
     keyTab=mykeytab storeKey=true;

};

For the principal option, specify the value of the userPrincipalName attribute of the account under which the service is running. (Incorrectly specifying the user principal name results in an error such as "Unable to obtain password from user.")

The keytab file specified in the keytab option must be accessible by the WebLogic Server process. Ensure that the appropriate permissions are set. If you are unsure of the search path WebLogic Server is using, provide the absolute path to the file.

Configuring the Identity Assertion Provider

WebLogic Server includes a security provider, the Negotiate Identity Assertion provider, to support single sign-on (SSO) with Microsoft clients. This identity assertion provider decodes Simple and Protected Negotiate (SPNEGO) tokens to obtain Kerberos tokens, validates the Kerberos tokens, and maps Kerberos tokens to WebLogic users. You need to configure a Negotiate Identity Assertion provider in your WebLogic security realm in order to enable SSO with Microsoft clients. See Configuring a Negotiate Identity Assertion Provider and "Configure Authentication and Identity Assertion providers" in the Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

Using Startup Arguments for Kerberos Authentication with WebLogic Server

To use Kerberos authentication with WebLogic Server, use the following start-up arguments when you start WebLogic Server:

-Djavax.security.auth.useSubjectCredsOnly=false
-Djava.security.auth.login.config=krb5Login.conf
-Djava.security.krb5.realm=Example.CORP 
-Djava.security.krb5.kdc=ADhostname 

where

  • javax.security.auth.useSubjectCredsOnly specifies that it is permissible to use an authentication mechanism other than Subject credentials.

  • java.security.auth.login.config specifies the JAAS login file, krb5Login.conf, described in Creating a JAAS Login File.

  • java.security.krb5.realm defines the Microsoft domain in which the Active Directory server runs.

  • java.security.krb5.kdc defines the host name on which the Active Directory server runs.

Java GSS messages are often very useful during troubleshooting, so you might want to add -Dsun.security.krb5.debug=true as part of the initial setup.

Verifying Configuration of SSO with Microsoft Clients

To verify that SSO with Microsoft clients is configured properly, point a browser (that you have configured as described in Configuring an Internet Explorer Browser) to the Microsoft Web application or Web Service you want to use. If you are logged on to a Windows domain and have Kerberos credentials acquired from the Active Directory server in the domain, you should be able to access the Web application or Web Service without providing a username or password.