Cross-platform authentication is achieved by emulating the negotiate behavior of native Windows-to-Windows authentication services that use the Kerberos protocol. In order for cross-platform authentication to work, non-Windows servers (WebSphere/WebLogic Servers) need to parse SPNEGO tokens in order to extract Kerberos tokens which are then used for authentication. This post gives a brief overview of the requirements and steps to setup SSO with Windows in Weblogic and provides the resources for further reference:
- Windows 2000 or later installed
- Fully-configured Active Directory authentication service.
- WebLogic Server installed and configured properly to authenticate through Kerberos
- Windows 2000 Professional SP2 or later installed
- One of the following types of clients:
- A properly configured Internet Explorer browser. Internet Explorer 6.01 or later is supported.
- .NET Framework 1.1 and a properly configured Web Service client.
- Clients must be logged on to a Windows 2000 domain and have Kerberos credentials acquired from the Active Directory server in the domain. Local logons will not work.
Configuring SSO with Microsoft clients requires set-up procedures in the Microsoft Active Directory, the client, and the WebLogic Server domain.
- Define a principal in Active Directory to represent the WebLogic Server. The Kerberos protocol uses the Active Directory server in the Microsoft domain to store the necessary security information.
- Any Microsoft client you want to access in the Microsoft domain must be set up to use Windows Integrated authentication, sending a Kerberos ticket when available.
- In the security realm of the WebLogic Server domain, configure a Negotiate Identity Assertion provider. The Web application or Web Service used in SSO needs to have authentication set in a specific manner. A JAAS login file that defines the location of the Kerberos identification for WebLogic Server must be created.
- Configure your network domain to use Kerberos.
- Create a Kerberos identification for WebLogic Server.
- Create a user account in the Active Directory for the host on which WebLogic Server is running.
- Create a Service Principal Name for this account.
- Create a user mapping and keytab file for this account.
- Choose a Microsoft client (either a Web Service or a browser) and configure it to use Windows Integrated authentication.
- Set up the WebLogic Server domain to use Kerberos authentication.
- Create a JAAS login file that points to the Active Directory server in the Microsoft domain and the keytab file created in Step 1.
- Configure a Negotiate Identity Assertion provider in the WebLogic Server security realm.
- Start WebLogic Server using specific start-up arguments.