Hi All,
I am in the middle of setting up Kerberos SSO for EPM 11.1.2.4. Following are my references:
https://www.oracle.com/technetwork/middleware/bi-foundation/config-epm-foundation-kerberos-303841.pdf
https://docs.oracle.com/cd/E57185_01/OPUSC/OPUSC.pdf
http://www.ateam-oracle.com/kerberos-and-weblogic-server-on-windows-step-by-step/
The issue I faced was during the Kerberos testing with SSODiag, i.e.:
Error 401--Unauthorized
From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
10.4.2 401 Unauthorized
The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity MAY include relevant diagnostic information. HTTP access authentication is explained in section 11.
And I was not able to see: Retrieving Kerberos User principal name... Success
Following are the detailed steps that I have done on each server:
1. Create a new AD user as the Kerberos service ID with the following options ticked:
- User cannot change password
- Password never expires
- This account supports Kerberos AES 128 bit encryption
- This account supports Kerberos AES 256 bit encryption
2. Set Principal name
- Set SPN with: setspn -A HTTP/APPserver ADuser
- Check principal with: setspn -l ADuser -> Registered for ADuser: HTTP/APPserver
- EPM (App server - Weblogic, HFM, FDMEE, RA, etc - e.g. APPserver)
1. Create C:\Windows\krb5.ini
[libdefaults]
default_realm = REALM.COM
default_tkt_enctypes = des-cbc-crc des-cbc-md5 aes128-cts aes256-cts rc4-hmac
default_tgs_enctypes = des-cbc-crc des-cbc-md5 aes128-cts aes256-cts rc4-hmac
ticket_lifetime = 600
[realms]
REALM.COM = {
kdc = 123.123.123.123
admin_server = ADserver
default_domain = REALM.COM
}
[domain_realm]
.realm.com = REALM.COM
[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true
2. Generate keytab: ktab -a HTTP/APPserver@REALM.COM
3. Verify keytab:
- klist -k krb5.keytab
- java -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit -k -t krb5.keytab HTTP/APPserver@REALM.COM -> New ticket is stored in cache file C:\Users\xxxxx\krb5cc_xxxxx
4. Configure LDAP in Weblogic (ActiveDirectoryAuthenticator) -> control flag: OPTIONAL
5. Configure Negotiate Identity Assertion (NegotiateIdentityAsserter) -> unticked “Form Based Negotiation Enabled”
6. Configure LDAP in Shared Services
7. Create C:\Oracle\Middleware\user_projects\domain\EPMServer\krb5Login.conf and copy krb5.keytab to the same folder
com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required
principal="HTTP/APPserver@REALM.COM"
useKeyTab=true
keyTab=krb5.keytab
storeKey=true
debug=true;
};
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required
principal="HTTP/APPserver@REALM.COM"
useKeyTab=true
keyTab=krb5.keytab
storeKey=true
debug=true;
};
com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
principal="HTTP/APPserver@REALM.COM"
useKeyTab=true
keyTab=krb5.keytab
storeKey=true
debug=true;
};
8. Add the below JAVA_OPTIONS parameters in startWebLogic.cmd:
-Djava.security.krb5.realm=REALM.COM
-Djava.security.krb5.kdc=ADserver
-Djava.security.auth.login.config=krb5Login.conf
-Djavax.security.auth.useSubjectCredsOnly=false
-Dsun.security.krb5.debug=true
9. Add the same parameters in regedit as new JVMOptions and change JVMOptionCount.
10. Since I have IIS with HFM deployed, in Authentication for each web site I disabled "Anonymous Authentication" and enabled "Windows Authentication".
11. Deploy SSODiag.war and create authorization policies on / and /index.jsp -> NOTE: If I remove the authorization policies, SSODiag shows the page but Retrieving Kerberos User principal name... Failed
- EPM (Web Server - OHS - e.g. OHSserver)
1. Set up mod_wl_ohs.conf
<LocationMatch ^/SSODiag/>
SetHandler weblogic-handler
WeblogicCluster APPserver:9000
</LocationMatch>
2. Restart OHS
- Client (used the APP server but logged in as the new AD user - IE 11)
1. Enabled "Integrated Windows Authentication" in internet options
2. Add OHS server site to "Local intranet"
3. Set user authentication logon to "Automatic logon only in Intranet zone"
4. Access "https://OHSserver:19443/SSODiag/krbssodiag"
Could anyone help review whether I have set this up correctly, or whether I missed any steps somewhere in between?
Thanks for the help!
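As an added example (not part of the original post, and not Oracle's or the JDK's code): step 3 above verifies the keytab with klist -k, which only lists principal names. The script below reads the same MIT keytab format (version 0x0502, the one ktab and ktpass write) and additionally reports, for one expected SPN, which key version numbers and encryption types the file holds and whether any of them are the weak DES types that the krb5.ini above still lists in default_tkt_enctypes. The keytab bytes are constructed inline from the SPN used in the post (HTTP/APPserver@REALM.COM) so the script runs offline; the kvno, timestamp and key bytes are made-up sample values.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List

# Enctype numbers from RFC 3961/3962 (DES, AES) and RFC 4757 (RC4).
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
WEAK_ENCTYPES = {1, 3}        # single-DES: disabled by default in current JDKs
DEPRECATED_ENCTYPES = {23}    # RC4-HMAC
KRB5_NT_PRINCIPAL = 1


@dataclass
class KeytabEntry:
    principal: str            # e.g. "HTTP/APPserver@REALM.COM"
    kvno: int
    enctype: int
    key: bytes
    timestamp: int = 0
    name_type: int = KRB5_NT_PRINCIPAL


def _counted(data: bytes) -> bytes:
    """16-bit big-endian length prefix, as used for every string in a keytab."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialise entries as an MIT keytab, version 0x0502, with the 32-bit kvno field."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for c in components:
            body += _counted(c.encode())
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body      # size prefix excludes itself
    return bytes(out)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse an MIT keytab (version 0x0502); deleted slots (negative size) are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2

    def counted(p: int):
        (n,) = struct.unpack_from(">H", data, p)
        return data[p + 2:p + 2 + n], p + 2 + n

    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = counted(pos)
        comps = []
        for _ in range(ncomp):
            c, pos = counted(pos)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:                     # optional 32-bit kvno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   kvno, enctype, key, timestamp, name_type))
    return entries


def audit_keytab(data: bytes, expected_principal: str) -> Dict[str, object]:
    """Report what the keytab holds for one SPN: presence, kvnos, enctypes, weak/deprecated types."""
    entries = parse_keytab(data)
    match = [e for e in entries if e.principal == expected_principal]
    name = lambda e: ENCTYPE_NAMES.get(e.enctype, str(e.enctype))
    return {
        "principals": sorted({e.principal for e in entries}),
        "principal_found": bool(match),
        "kvnos": sorted({e.kvno for e in match}),
        "enctypes": sorted(name(e) for e in match),
        "weak_enctypes": sorted(name(e) for e in match if e.enctype in WEAK_ENCTYPES),
        "deprecated_enctypes": sorted(name(e) for e in match if e.enctype in DEPRECATED_ENCTYPES),
    }


# Constructed sample: the post's SPN with an AES256 key and a DES key at the same kvno.
SAMPLE_ENTRIES = [
    KeytabEntry("HTTP/APPserver@REALM.COM", 3, 18, bytes(range(32)), 1500000000),
    KeytabEntry("HTTP/APPserver@REALM.COM", 3, 1, bytes(range(8)), 1500000000),
]
SAMPLE_KEYTAB = build_keytab(SAMPLE_ENTRIES)

if __name__ == "__main__":
    import json, sys
    # usage: python keytab_audit.py <keytab file> <expected SPN>; no args audits the sample
    if len(sys.argv) == 3:
        data, expected = open(sys.argv[1], "rb").read(), sys.argv[2]
    else:
        data, expected = SAMPLE_KEYTAB, "HTTP/APPserver@REALM.COM"
    print(json.dumps(audit_keytab(data, expected), indent=2))
```

Two checks are worth running against the real krb5.keytab. First, audit it for the SPN of the host name the browser actually types into the address bar: a browser asks the KDC for a ticket for HTTP/<host in the URL>, so the keytab has to hold that exact principal, and a missing one shows up as "principal_found": false. Second, if the only matching keys are in "weak_enctypes", the JVM will not accept them unless weak crypto is explicitly allowed, which is a reason to drop the DES types from default_tkt_enctypes/default_tgs_enctypes and regenerate the keytab with AES only.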