SSO Configuration with Weblogic 11g OEL

I am getting the following error in Weblogic when accessing the SSO application with an AD user.

> <> <> <1471875042422> <BEA-000000> <com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter.assertChallengeIdentity(Authorization.Negotiate)>
####<22-Aug-2016 15:10:42 o'clock BST> <Debug> <SecurityAtn> <ndl-wln-100.centricait.com> <ND_Manage1> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1471875042422> <BEA-000000> <GSSExceptionInfo:>
####<22-Aug-2016 15:10:42 o'clock BST> <Debug> <SecurityAtn> <ndl-wln-100.centricait.com> <ND_Manage1> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1471875042423> <BEA-000000> <   major: (13) : No valid credentials provided>
####<22-Aug-2016 15:10:42 o'clock BST> <Debug> <SecurityAtn> <ndl-wln-100.centricait.com> <ND_Manage1> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1471875042423> <BEA-000000> <   minor: (-1) : Failed to find any Kerberos credentails>
####<22-Aug-2016 15:10:42 o'clock BST> <Debug> <SecurityAtn> <ndl-wln-100.centricait.com> <ND_Manage1> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1471875042423> <BEA-000000> <acceptGssInitContextToken failed
com.bea.security.utils.kerberos.KerberosException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)
        at com.bea.security.utils.kerberos.KerberosTokenHandler.acceptGssInitContextTokenInDoAs(KerberosTokenHandler.java:334)
        at com.bea.security.utils.kerberos.KerberosTokenHandler.access$000(KerberosTokenHandler.java:41)
        at com.bea.security.utils.kerberos.KerberosTokenHandler.run(KerberosTokenHandler.java:226)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
        at com.bea.security.utils.kerberos.KerberosTokenHandler.acceptGssInitContextToken(KerberosTokenHandler.java:224)
        at com.bea.security.utils.kerberos.KerberosTokenHandler.acceptGssInitContextToken(KerberosTokenHandler.java:152)
        at com.bea.common.security.internal.utils.negotiate.SPNEGONegotiateToken.getUsername(SPNEGONegotiateToken.java:57)
        at weblogic.security.providers.authentication.NegotiateIdentityAsserterProviderImpl.assertChallengeIdentity(NegotiateIdentityAsserterProviderImpl.java:210)
        at com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter.assertChallengeIdentity(ChallengeIdentityAssertionProviderImpl.j

I have already validated the keytab successfully with kinit -V -k -t negotestserver.keytab HTTP/WL-HOST@MYDOMAIN.COM. Would appreciate knowing what the solution to this problem is.

Most likely the ticket the browser sends to Weblogic is not a Kerberos ticket but NTLM. There can be many reasons why IE uses NTLM instead of Kerberos; in most cases it is an incorrect setup or Windows settings. Can you check the ticket in your log? If it looks like this:

YIGCBgYrBgEFBQKgeDB2oDAwLgYKKwYBBAGCNwICCgYJKoZIgvcSAQICBgkqhkiG9xIBAgIGCisGAQQBgjcCAh6iQgRATlRMTVNTUAABAAAAl7II4g4ADgAyAAAACgAKACgAAAAGAbEdAAAAD0xBUFRPUC0yNDVMSUZFQUNDT1VOVExMQw==

then it is NTLM. A Kerberos ticket is at least twice as long.
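As an added diagnostic example (my code, not part of the answer above), here is a small Python parser that decodes the base64 value of the Negotiate header, walks the SPNEGO NegTokenInit and reports whether the browser sent NTLM or Kerberos, rather than judging by length alone; the token quoted above is used as input, and the names der_tlv, classify_raw and classify_negotiate_token are my own.

```python
import base64
# DER-encoded OID bodies (0x06 tag and length stripped)
SPNEGO  = b"\x2b\x06\x01\x05\x05\x02"                    # 1.3.6.1.5.5.2
NTLMSSP = b"\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"     # 1.3.6.1.4.1.311.2.2.10
KRB5 = {b"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02", b"\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"}  # 1.2.840.113554.1.2.2 and MS variant 1.2.840.48018.1.2.2
# The token quoted in the answer above, copied from the page
PAGE_TOKEN = "YIGCBgYrBgEFBQKgeDB2oDAwLgYKKwYBBAGCNwICCgYJKoZIgvcSAQICBgkqhkiG9xIBAgIGCisGAQQBgjcCAh6iQgRATlRMTVNTUAABAAAAl7II4g4ADgAyAAAACgAKACgAAAAGAbEdAAAAD0xBUFRPUC0yNDVMSUZFQUNDT1VOVExMQw=="

def der_tlv(buf, pos=0):
    # Return (tag, value, next_pos) of the DER element at pos; handles long-form lengths
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7f
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def classify_raw(raw):
    # Classify a decoded token as "NTLM", "Kerberos" or "unknown"
    if raw.startswith(b"NTLMSSP\x00"):
        return "NTLM"                      # bare NTLM message, no GSS-API framing at all
    if not raw or raw[0] != 0x60:
        return "unknown"
    _, body, _ = der_tlv(raw)              # [APPLICATION 0] InitialContextToken
    tag, oid, pos = der_tlv(body)          # thisMech OID
    if oid in KRB5:
        return "Kerberos"                  # bare Kerberos AP-REQ, not wrapped in SPNEGO
    if tag != 0x06 or oid != SPNEGO:
        return "unknown"
    _, neg_init, _ = der_tlv(body, pos)    # [0] NegTokenInit
    _, seq, _ = der_tlv(neg_init)          # SEQUENCE { mechTypes [0], ..., mechToken [2], ... }
    mechs, mech_token, pos = [], b"", 0
    while pos < len(seq):
        tag, val, pos = der_tlv(seq, pos)
        if tag == 0xa0:                    # mechTypes: SEQUENCE OF OID, client's preference first
            _, lst, _ = der_tlv(val)
            p = 0
            while p < len(lst):
                _, mech, p = der_tlv(lst, p)
                mechs.append(mech)
        elif tag == 0xa2:                  # mechToken: OCTET STRING, token for the first mechType
            _, mech_token, _ = der_tlv(val)
    if mech_token.startswith(b"NTLMSSP\x00") or (mechs and mechs[0] == NTLMSSP):
        return "NTLM"
    if mechs and mechs[0] in KRB5:
        return "Kerberos"
    return "unknown"

def classify_negotiate_token(b64):
    # Classify the base64 value of an "Authorization: Negotiate <b64>" request header
    return classify_raw(base64.b64decode(b64))
```

For the quoted token the first mechType is 1.3.6.1.4.1.311.2.2.10 and the mechToken is an NTLM type 1 message, so classify_negotiate_token(PAGE_TOKEN) returns "NTLM"; a Kerberos login puts 1.2.840.113554.1.2.2 (or the MS variant) first with an AP-REQ inside.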