Weblogic + Kerberos + SSO

Question

I'm trying to configure Single Sign On with weblogic and Kerberos.

So, but I still get login page, may be you can tell me what is wrong by this log:

Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is /oracle/product12/user_projects/domains/test/krb/test.keytab refreshKrb5Config is false principal is kinp@TEST.ORG tryFirstPass is false useFirstPass is false storePass is false clearPass is false
KeyTab instance already exists
Added key: 23version: 19
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 3.
0: EncryptionKey: keyType=23 kvno=19 keyValue (hex dump)=
0000: C3 CB 19 1C 64 6E F9 7F   6A C9 31 FB EE 69 E7 35  ....dn..j.1..i.5


principal's key obtained from the keytab
Acquire TGT using AS Exchange
default etypes for default_tkt_enctypes: 23 3.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=192.168.0.100 UDP:88, timeout=30000, number of retries =3, #bytes=137
>>> KDCCommunication: kdc=192.168.0.100 UDP:88, timeout=30000,Attempt =1, #bytes=137
>>> KrbKdcReq send: #bytes read=181
>>> KrbKdcReq send: #bytes read=181
>>> KdcAccessibility: remove 192.168.0.100
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
     sTime is Tue Jan 20 10:46:05 EET 2015 1421743565000
     suSec is 576578
     error code is 25
     error Message is Additional pre-authentication required
     realm is TEST.ORG
     sname is krbtgt/TEST.ORG
     eData provided.
     msgType is 30
>>>Pre-Authentication Data:
     PA-DATA type = 11
     PA-ETYPE-INFO etype = 23
     PA-ETYPE-INFO salt = 
>>>Pre-Authentication Data:
     PA-DATA type = 19
     PA-ETYPE-INFO2 etype = 23
     PA-ETYPE-INFO2 salt = null
>>>Pre-Authentication Data:
     PA-DATA type = 2
     PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
     PA-DATA type = 16
>>>Pre-Authentication Data:
     PA-DATA type = 15
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
>>>KrbAsReq salt is TEST.ORGdev
default etypes for default_tkt_enctypes: 23 3.
Pre-Authenticaton: find key for etype = 23
AS-REQ: Add PA_ENC_TIMESTAMP now
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=192.168.0.100 UDP:88, timeout=30000, number of retries =3, #bytes=220
>>> KDCCommunication: kdc=192.168.0.100 UDP:88, timeout=30000,Attempt =1, #bytes=220
>>> KrbKdcReq send: #bytes read=1408
>>> KrbKdcReq send: #bytes read=1408
>>> KdcAccessibility: remove 192.168.0.100
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply dev
principal is dev@TEST.ORG
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: C3 CB 19 1C 64 6E F9 7F   6A C9 31 FB EE 69 E7 35  ....dn..j.1..i.5

Added server's keyKerberos Principal dev@TEST.ORGKey Version 19key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: C3 CB 19 1C 64 6E F9 7F   6A C9 31 FB EE 69 E7 35  ....dn..j.1..i.5


        [Krb5LoginModule] added Krb5Principal  dev@TEST.ORG to Subject
Commit Succeeded 

Found key for dev@TEST.ORG(23)
Entered Krb5Context.acceptSecContext with state=STATE_NEW

I get this log, when I'm trying to access login page.

Error exception:

com.bea.security.utils.kerberos.KerberosException: Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))
    at com.bea.security.utils.kerberos.KerberosTokenHandler.acceptGssInitContextTokenInDoAs(KerberosTokenHandler.java:334)
    at com.bea.security.utils.kerberos.KerberosTokenHandler.access$000(KerberosTokenHandler.java:41)
    at com.bea.security.utils.kerberos.KerberosTokenHandler$1.run(KerberosTokenHandler.java:226)
...
Caused By: GSSException: Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
...
Caused By: KrbException: Specified version of key is not available (44)
    at sun.security.krb5.EncryptionKey.findKey(EncryptionKey.java:516)
    at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:260)
    at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
...

Thanks!

Answer 1

Can't post comment, posting this as an answer. You need to enable Weblogic's authentication logging:

1. In Weblogic console click the “Lock & Edit” button in the top left corner.
2. Select Environment – Servers in the Domain Structure portlet on the left.
3. Select your server on the Summary of Servers page.
4. Select the “Debug” tab.
5. Drill down to weblogic – security – atn.
6. Select the checkbox to the left of word DebugSecurityAtn.
7. Click the “Enable” button at the top or bottom of the page.
8. Go to your server again, click on Logging tab,
9. Scroll down and click on Advanced
10. In "Message destination(s) - Log file" change the severity level to Debug
11. Click the “Save” button at the top or bottom of the page.
12. Click “Activate changes” in the top-left corner.

After that try logging in again, you will have much more info in your log.