Weblogic: SSO with Windows

An increasing number of intranet-based applications require single sign-on (SSO) between Windows clients (web browsers, .NET applications, etc.) and Java EE servers. Last time, I blogged about SSO between IBM WebSphere Application Server and Windows. To implement this feature, the Microsoft clients must use Windows authentication based on the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO).

Cross-platform authentication is achieved by emulating the negotiate behaviour of native Windows-to-Windows authentication, which uses the Kerberos protocol. For this to work, the non-Windows server (WebSphere or WebLogic) must parse the SPNEGO token presented by the client, extract the Kerberos token (an AP-REQ) wrapped inside it, and validate that token with the server's own Kerberos key, which it reads from a keytab. If the client holds no Kerberos ticket for the server's service principal, SPNEGO carries an NTLM token instead, and this setup cannot authenticate it; the client requirements below (domain logon, not local logon) exist for exactly that reason. This post gives a brief overview of the requirements and steps to set up SSO with Windows in WebLogic and provides resources for further reference:
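When SSO fails, the first thing to establish is whether the browser actually sent a Kerberos token or fell back to NTLM. The following PowerShell is an added example, not code from the original post or from Oracle: it decodes an "Authorization: Negotiate" header value and reports the GSS-API wrapper and the mechanism OIDs the client offered, recognised by their DER byte patterns (it is a triage heuristic, not a full ASN.1 parser). The sample token at the bottom is constructed by hand for the example and is not a capture.

```powershell
# Added example (not from the original post): triage an "Authorization: Negotiate" header.
function Test-BytesAt([byte[]]$Data, [int]$Offset, [byte[]]$Pattern) {
    # True when $Pattern occurs in $Data starting exactly at $Offset.
    if ($Offset -lt 0 -or $Offset + $Pattern.Length -gt $Data.Length) { return $false }
    for ($i = 0; $i -lt $Pattern.Length; $i++) {
        if ($Data[$Offset + $i] -ne $Pattern[$i]) { return $false }
    }
    return $true
}

# DER encodings (tag 0x06, length, contents) of the OIDs that matter for SPNEGO.
$Oids = [ordered]@{
    'SPNEGO 1.3.6.1.5.5.2'            = [byte[]](0x06,0x06,0x2b,0x06,0x01,0x05,0x05,0x02)
    'MS Kerberos 1.2.840.48018.1.2.2' = [byte[]](0x06,0x09,0x2a,0x86,0x48,0x82,0xf7,0x12,0x01,0x02,0x02)
    'Kerberos 1.2.840.113554.1.2.2'   = [byte[]](0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02)
    'NTLMSSP 1.3.6.1.4.1.311.2.2.10'  = [byte[]](0x06,0x0a,0x2b,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x02,0x0a)
}

function Get-NegotiateMechs([string]$AuthorizationHeader) {
    $b64   = ($AuthorizationHeader -replace '^\s*Negotiate\s+', '').Trim()
    $token = [Convert]::FromBase64String($b64)

    # A raw NTLM token (no SPNEGO wrapper) starts with the ASCII signature "NTLMSSP\0"
    # (base64 "TlRMTVNTUAAB..."); a GSS-API initial context token starts with tag 0x60
    # (base64 "YII..." for real-size tokens) followed by the SPNEGO OID.
    $ntlmSig = [byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00)
    if (Test-BytesAt $token 0 $ntlmSig) {
        return [pscustomobject]@{ Wrapper = 'raw NTLM'; MechTypes = @(); Verdict = 'NTLM, not Kerberos: SSO cannot succeed' }
    }
    if ($token.Length -lt 2 -or $token[0] -ne 0x60) {
        return [pscustomobject]@{ Wrapper = 'unknown'; MechTypes = @(); Verdict = 'not a GSS-API initial context token' }
    }

    # Record every known OID in the order it appears. In a NegTokenInit the mechTypes list
    # precedes the mechToken, so the first OID after SPNEGO is the client's preferred
    # mechanism, i.e. the one its mechToken was produced with.
    $found = New-Object System.Collections.ArrayList
    for ($off = 0; $off -lt $token.Length; $off++) {
        foreach ($entry in $Oids.GetEnumerator()) {
            if (Test-BytesAt $token $off $entry.Value) {
                [void]$found.Add($entry.Key); $off += $entry.Value.Length - 1; break
            }
        }
    }
    if ($found.Count -eq 0 -or $found[0] -notlike 'SPNEGO*') {
        return [pscustomobject]@{ Wrapper = 'unknown'; MechTypes = @($found); Verdict = 'no SPNEGO OID where one is expected' }
    }
    $mechs = @($found | Select-Object -Skip 1)
    $verdict = if ($mechs.Count -gt 0 -and $mechs[0] -like '*Kerberos*') {
        'Kerberos token present: the server can validate it with its keytab'
    } else {
        'client offered NTLM first: no Kerberos ticket for the SPN (local logon, wrong SPN, or host not in the intranet zone)'
    }
    [pscustomobject]@{ Wrapper = 'SPNEGO NegTokenInit'; MechTypes = $mechs; Verdict = $verdict }
}

# Constructed sample (not a capture): a minimal NegTokenInit offering MS Kerberos, Kerberos and
# NTLMSSP in that order, with a 4-byte placeholder where the real AP-REQ mechToken would be.
$hex = '603a06062b0601050502a030302ea0243022' +
       '06092a864882f712010202' + '06092a864886f712010202' + '060a2b06010401823702020a' +
       'a206040401020304'
$sample = New-Object byte[] ($hex.Length / 2)
for ($i = 0; $i -lt $sample.Length; $i++) { $sample[$i] = [Convert]::ToByte($hex.Substring(2 * $i, 2), 16) }
$header = 'Negotiate ' + [Convert]::ToBase64String($sample)
Get-NegotiateMechs $header | Format-List
```

For the constructed sample the output lists MS Kerberos, Kerberos and NTLMSSP with the "Kerberos token present" verdict; on a real header taken from a failing browser session, NTLMSSP appearing first (or a raw "TlRMTVNT..." value) points at the client side, not at the WebLogic configuration.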
Requirements
Server

  • Windows 2000 or later installed
  • Fully-configured Active Directory authentication service.
  • WebLogic Server installed and configured properly to authenticate through Kerberos
Client
  • Windows 2000 Professional SP2 or later installed
  • One of the following types of clients:
    • A properly configured Internet Explorer browser. Internet Explorer 6.01 or later is supported.
    • .NET Framework 1.1 and a properly configured Web Service client.
  • Clients must be logged on to a Windows 2000 domain and have Kerberos credentials acquired from the Active Directory server in the domain. Local logons will not work.
Main Steps for Configuration
Configuring SSO with Microsoft clients requires set-up procedures in the Microsoft Active Directory, the client, and the WebLogic Server domain.
  • Define a principal in Active Directory to represent the WebLogic Server. The Kerberos protocol uses the Active Directory server in the Microsoft domain to store the necessary security information.
  • Any Microsoft client you want to access in the Microsoft domain must be set up to use Windows Integrated authentication, sending a Kerberos ticket when available.
  • In the security realm of the WebLogic Server domain, configure a Negotiate Identity Assertion provider. The Web application or Web Service used in SSO must declare the CLIENT-CERT authentication method (auth-method in web.xml), which is what routes requests to identity assertion rather than to a login form. A JAAS login file that tells WebLogic Server where its Kerberos identity lives (the service principal and the keytab) must also be created.
To configure SSO with Microsoft clients:
  1. Configure your network domain to use Kerberos.
  2. Create a Kerberos identification for WebLogic Server.
    1. Create a user account in the Active Directory for the host on which WebLogic Server is running.
    2. Create a Service Principal Name for this account.
    3. Create a user mapping and keytab file for this account.
  3. Choose a Microsoft client (either a Web Service or a browser) and configure it to use Windows Integrated authentication.
  4. Set up the WebLogic Server domain to use Kerberos authentication.
    1. Create a JAAS login file that points to the Active Directory server in the Microsoft domain and the keytab file created in Step 2.
    2. Configure a Negotiate Identity Assertion provider in the WebLogic Server security realm.
  5. Start WebLogic Server using specific start-up arguments (the Kerberos realm and KDC, the JAAS login file, and javax.security.auth.useSubjectCredsOnly=false).
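The procedure above, worked end to end as PowerShell on a domain-joined Windows administration host, is an added example and not code from the original post or from Oracle. Step 4.2 (creating the provider) is a console action and appears only as a comment. Every name in it is an assumption for illustration: the realm EXAMPLE.COM and NetBIOS domain EXAMPLE, the domain controller dc01.example.com, the WebLogic host wls01.example.com, the service account svc-wls01, and the directory C:\wls (with C:\wls\domains\mydomain as the WebLogic domain).

```powershell
# Added example (not from the original post): steps 2, 3, 4.1 and 5 worked end to end.
# Run the AD steps as a domain administrator on a host with RSAT installed.
$Realm      = 'EXAMPLE.COM'            # assumed Kerberos realm
$Domain     = 'EXAMPLE'                # assumed NetBIOS domain name
$Kdc        = 'dc01.example.com'       # assumed domain controller (Active Directory KDC)
$WlsHost    = 'wls01.example.com'      # assumed host running WebLogic Server
$SvcAccount = 'svc-wls01'              # assumed AD user account representing that host
$WlsDir     = 'C:\wls'                 # assumed location of keytab, JAAS file and domain
$Spn        = "HTTP/$WlsHost"          # service class HTTP, host as the browser will address it
$Principal  = "$Spn@$Realm"

# Step 2.1: a dedicated, non-interactive account for the WebLogic host. It owns one SPN and one
# keytab, so a leaked keytab compromises this service only.
Import-Module ActiveDirectory
New-ADUser -Name $SvcAccount -SamAccountName $SvcAccount -UserPrincipalName "$SvcAccount@$Realm" `
    -AccountPassword (Read-Host -AsSecureString "Password for $SvcAccount") -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true -KerberosEncryptionType AES256

# Step 2.2: register the SPN. setspn -S (unlike -A) refuses a duplicate; a duplicate or missing
# HTTP/<host> SPN is the usual reason browsers silently send NTLM instead of a ticket.
setspn -S $Spn "$Domain\$SvcAccount"
setspn -L "$Domain\$SvcAccount"        # verify: HTTP/wls01.example.com listed exactly once

# Step 2.3: user mapping and keytab. /mapuser rewrites the account's UPN to the principal,
# /pass * prompts for the password (ktpass resets it on the account, so keytab and account
# keys agree), and /crypto must match the account's encryption type and what the WebLogic
# JDK supports (AES256 needs the unlimited-strength JCE policy files on older JDKs).
ktpass /princ $Principal /mapuser "$Domain\$SvcAccount" /pass * `
       /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /out "$WlsDir\krb5.keytab"

# Step 3 (on the Windows client): enable Integrated Windows Authentication in Internet Explorer
# and put the WebLogic host in the Local intranet zone (ZoneMap value name = URL scheme,
# data 1 = Local intranet), otherwise IE will not send the ticket automatically. Then confirm
# the client can obtain a service ticket for the SPN at all.
$ie = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Set-ItemProperty -Path $ie -Name EnableNegotiate -Value 1 -Type DWord
New-Item -Path "$ie\ZoneMap\Domains\example.com\wls01" -Force | Out-Null
Set-ItemProperty -Path "$ie\ZoneMap\Domains\example.com\wls01" -Name http -Value 1 -Type DWord
klist get $Spn                         # must show a ticket for HTTP/wls01.example.com

# Step 4.1: JAAS login file. The accept entry is what the Negotiate Identity Assertion provider
# uses to decrypt the client's AP-REQ with the keytab; keyTab paths use forward slashes.
$keytabPath = "$WlsDir/krb5.keytab" -replace '\\', '/'
@"
com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="$Principal" useKeyTab=true keyTab="$keytabPath" storeKey=true debug=false;
};
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="$Principal" useKeyTab=true keyTab="$keytabPath" storeKey=true debug=false;
};
"@ | Set-Content -Path "$WlsDir\krb5Login.conf" -Encoding Ascii

# Step 4.2 is done in the Administration Console: Security Realms > myrealm > Providers >
# Authentication > New, type NegotiateIdentityAsserter. The protected web application's
# web.xml must use <auth-method>CLIENT-CERT</auth-method>, which is how WebLogic routes the
# request to identity assertion instead of a login form.

# Step 5: start the server with the Kerberos start-up arguments. -Dsun.security.krb5.debug=true
# is worth adding while testing; remove it afterwards, since it logs ticket details.
$env:JAVA_OPTIONS = "-Djava.security.krb5.realm=$Realm -Djava.security.krb5.kdc=$Kdc " +
                    "-Djava.security.auth.login.config=$WlsDir\krb5Login.conf " +
                    "-Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.security.enableNegotiate=true"
& "$WlsDir\domains\mydomain\bin\startWebLogic.cmd"
```

Two checks worth keeping in the runbook: the keytab file must be readable only by the account WebLogic runs as, since anyone holding it can impersonate the service to every domain user; and the SPN registered in step 2.2 must match the host name the browser types into the address bar (an alias or load-balancer name needs its own SPN on the same account).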
References
  • Weblogic Documentation: Configuring Single Sign-On with Microsoft Clients
  • Weblogic Documentation: Weblogic Security Service Architecture
  • SSO with SPNEGO (articles on appliedcrypto)
