
SSO Configuration with Weblogic 11g OEL

I'm receiving the following error in Weblogic while accessing the application through an AD user for SSO.

> <> <> <1471875042422> <BEA-000000> <com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter.assertChallengeIdentity(Authorization.Negotiate)>
####<22-Aug-2016 15:10:42 o'clock BST> <Debug> <SecurityAtn> <ndl-wln-100.centricait.com> <ND_Manage1> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1471875042422> <BEA-000000> <GSSExceptionInfo:>
####<22-Aug-2016 15:10:42 o'clock BST> <Debug> <SecurityAtn> <ndl-wln-100.centricait.com> <ND_Manage1> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1471875042423> <BEA-000000> <   major: (13) : No valid credentials provided>
####<22-Aug-2016 15:10:42 o'clock BST> <Debug> <SecurityAtn> <ndl-wln-100.centricait.com> <ND_Manage1> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1471875042423> <BEA-000000> <   minor: (-1) : Failed to find any Kerberos credentails>
####<22-Aug-2016 15:10:42 o'clock BST> <Debug> <SecurityAtn> <ndl-wln-100.centricait.com> <ND_Manage1> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1471875042423> <BEA-000000> <acceptGssInitContextToken failed
com.bea.security.utils.kerberos.KerberosException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)
        at com.bea.security.utils.kerberos.KerberosTokenHandler.acceptGssInitContextTokenInDoAs(KerberosTokenHandler.java:334)
        at com.bea.security.utils.kerberos.KerberosTokenHandler.access$000(KerberosTokenHandler.java:41)
        at com.bea.security.utils.kerberos.KerberosTokenHandler$1.run(KerberosTokenHandler.java:226)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
        at com.bea.security.utils.kerberos.KerberosTokenHandler.acceptGssInitContextToken(KerberosTokenHandler.java:224)
        at com.bea.security.utils.kerberos.KerberosTokenHandler.acceptGssInitContextToken(KerberosTokenHandler.java:152)
        at com.bea.common.security.internal.utils.negotiate.SPNEGONegotiateToken.getUsername(SPNEGONegotiateToken.java:57)
        at weblogic.security.providers.authentication.NegotiateIdentityAsserterProviderImpl.assertChallengeIdentity(NegotiateIdentityAsserterProviderImpl.java:210)
        at com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter.assertChallengeIdentity(ChallengeIdentityAssertionProviderImpl.j

I have already verified the keytab using kinit -V -k -t negotestserver.keytab HTTP/WL-HOST@MYDOMAIN.COM; it authenticates successfully. I wonder what the solution to this issue is; any help will be appreciated.

Most probably the ticket that's sent from the browser to Weblogic is not a Kerberos ticket but NTLM. There can be many reasons why IE would use NTLM instead of Kerberos; most of the time it's an incorrect setup or Windows settings. Can you check the ticket in your log? If it looks something like this:

YIGCBgYrBgEFBQKgeDB2oDAwLgYKKwYBBAGCNwICCgYJKoZIgvcSAQICBgkqhkiG9xIBAgIGCisGAQQBgjcCAh6iQgRATlRMTVNTUAABAAAAl7II4g4ADgAyAAAACgAKACgAAAAGAbEdAAAAD0xBUFRPUC0yNDVMSUZFQUNDT1VOVExMQw==

it's NTLM. A Kerberos ticket is at least twice as long.
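As an added example (not code from the question, the answer or WebLogic), the following Python script decodes the base64 value of the Authorization: Negotiate header, walks the SPNEGO NegTokenInit, lists the mechanisms the browser offered in its order of preference and inspects the embedded mechToken, so you can tell an NTLMSSP message from a Kerberos AP-REQ without relying on token length. PAGE_TOKEN is the token quoted in the answer above; KERBEROS_SAMPLE is constructed here with a zero-filled AP-REQ body purely to show the contrasting framing, and the verdict strings are this script's own.

```python
"""Classify an 'Authorization: Negotiate <token>' value as Kerberos or NTLM.

Added example, not code from the question, the answer or WebLogic: a minimal
DER reader for the SPNEGO NegTokenInit (RFC 4178) that lists the mechanisms
the browser offered and inspects the mechToken, where the real Kerberos
AP-REQ or NTLMSSP message lives.
"""
import base64

OID_SPNEGO = "1.3.6.1.5.5.2"
KERBEROS_OIDS = {"1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2"}  # MS KRB5, KRB5
NTLM_SIGNATURE = b"NTLMSSP\x00"
NTLM_MSG_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

# The token quoted in the answer above (copied from the page, not constructed).
PAGE_TOKEN = (
    "YIGCBgYrBgEFBQKgeDB2oDAwLgYKKwYBBAGCNwICCgYJKoZIgvcSAQICBgkqhkiG9xIBAgIG"
    "CisGAQQBgjcCAh6iQgRATlRMTVNTUAABAAAAl7II4g4ADgAyAAAACgAKACgAAAAGAbEdAAAA"
    "D0xBUFRPUC0yNDVMSUZFQUNDT1VOVExMQw=="
)
# Constructed for comparison: SPNEGO around a Kerberos token with a zero-filled AP-REQ body.
KERBEROS_SAMPLE = base64.b64encode(bytes.fromhex(
    "6067" "06062b0601050502"                                  # GSS token, OID 1.3.6.1.5.5.2 (SPNEGO)
    "a05d" "305b"                                              # [0] NegTokenInit SEQUENCE
    "a024" "3022" "06092a864882f712010202" "06092a864886f712010202" "060a2b06010401823702020a"
    "a233" "0431"                                              # [2] mechToken OCTET STRING
    "602f" "06092a864886f712010202" "0100" "6e20" + "00" * 32  # KRB5 OID, TOK_ID 01 00 = AP-REQ, dummy body
)).decode()

def der_read(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(buf):
    """Yield (tag, value) for each TLV packed inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = der_read(buf, pos)
        yield tag, value

def decode_oid(raw):
    """Turn DER OID contents into dotted-decimal form."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def describe_ntlm(blob):
    """Name the NTLMSSP message type (little-endian uint32 right after the signature)."""
    msg_type = int.from_bytes(blob[8:12], "little")
    return "NTLM %s message" % NTLM_MSG_TYPES.get(msg_type, "type %d" % msg_type)

def classify_inner_token(token):
    """Say what a GSS mechToken carries: NTLMSSP blob, Kerberos AP-REQ, or unknown."""
    if token.startswith(NTLM_SIGNATURE):
        return "NTLM", describe_ntlm(token)
    if token[:1] == b"\x60":  # InitialContextToken: 0x60 len OID TOK_ID body (RFC 4121)
        _, inner, _ = der_read(token)
        oid_tag, oid_raw, pos = der_read(inner)
        if oid_tag == 0x06 and decode_oid(oid_raw) in KERBEROS_OIDS:
            tok_id = inner[pos:pos + 2]  # 01 00 = KRB_AP_REQ
            return "KERBEROS", "Kerberos " + ("AP-REQ" if tok_id == b"\x01\x00" else "TOK_ID " + tok_id.hex())
    return "UNKNOWN", "unrecognised mechToken"

def parse_negotiate_token(header_value):
    """Parse 'Negotiate <b64>' (or the bare base64) and report what the client sent."""
    b64 = header_value.split(None, 1)[1] if header_value.startswith("Negotiate ") else header_value
    raw = base64.b64decode(b64)
    result = {"mech_types": [], "preferred": None, "token_kind": "UNKNOWN", "verdict": "no mechToken"}
    if raw.startswith(NTLM_SIGNATURE):  # some clients send a bare NTLMSSP blob under Negotiate
        result["token_kind"], result["verdict"] = "NTLM", describe_ntlm(raw)
        return result
    tag, body, _ = der_read(raw)
    _, oid_raw, pos = der_read(body)
    choice_tag, choice, _ = der_read(body, pos)
    if tag != 0x60 or decode_oid(oid_raw) != OID_SPNEGO or choice_tag != 0xA0:
        raise ValueError("not a SPNEGO NegTokenInit")
    _, seq, _ = der_read(choice)  # SEQUENCE { [0] mechTypes, [1] reqFlags, [2] mechToken, [3] mechListMIC }
    for tag, value in der_children(seq):
        if tag == 0xA0:  # mechTypes, in the client's order of preference
            _, oid_list, _ = der_read(value)
            result["mech_types"] = [decode_oid(v) for t, v in der_children(oid_list) if t == 0x06]
        elif tag == 0xA2:  # mechToken: the optimistic token for the first mechType
            _, mech_token, _ = der_read(value)
            result["token_kind"], result["verdict"] = classify_inner_token(mech_token)
    result["preferred"] = result["mech_types"][0] if result["mech_types"] else None
    return result

if __name__ == "__main__":
    for label, tok in (("token from the answer", PAGE_TOKEN), ("constructed Kerberos sample", KERBEROS_SAMPLE)):
        print(label, parse_negotiate_token(tok))
```

Run against the token quoted in the answer, the script reports that the first mechanism the browser offered is NTLMSSP (1.3.6.1.4.1.311.2.2.10) and that the mechToken is an NTLM NEGOTIATE message, even though both Kerberos OIDs also appear later in the list. Because SPNEGO's optimistic mechToken is always built for the first mechanism in mechTypes, that ordering alone tells you the Windows client did not obtain (or chose not to use) a Kerberos service ticket for the site, so a working keytab on the WebLogic side cannot help until the client sends a Kerberos AP-REQ. Take the value straight from the Authorization header of the failing request (browser developer tools or a proxy), not from the server's truncated debug output.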
