[Freeipa-users] Kerberos - Weblogic SSO in IPA

Troels Hansen th@casalogic.dk
Mon Feb 27 11:20:40 UTC 2017


Hi, I'm trying to help a Weblogic admin trying to enable SSO using IPA as a backend in AD trust, and I'm not anywhere near a Java or Weblogic man. 

The ticket looks OK, and I can kinit it. 

klist shows: 

# klist -ke sso.keytab 
Keytab name: FILE:sso.keytab 
KVNO Principal 
---- -------------------------------------------------------------------------- 
   3 HTTP/ssotst01pack.lx.dr.dk@LX.DR.DK (aes256-cts-hmac-sha1-96) 
   3 HTTP/ssotst01pack.lx.dr.dk@LX.DR.DK (aes128-cts-hmac-sha1-96) 
   3 HTTP/ssotst01pack.lx.dr.dk@LX.DR.DK (des3-cbc-sha1) 
   3 HTTP/ssotst01pack.lx.dr.dk@LX.DR.DK (arcfour-hmac) 


Ticket is exported without the need for pre-auth. 

I have made a pretty basic krb5.conf for use with Weblogic: 

[libdefaults] 
default_realm = LX.DR.DK 
permitted_enctypes = aes256-cts-hmac-sha1-96 aes256-cts 
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes256-cts 
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes256-cts 
dns_lookup_realm = false 
dns_lookup_kdc = false 
noaddresses = true 
[realms] 
LX.DR.DK = { 
kdc = ipa01.lx.dr.dk 
} 
[domain_realm] 
.lx.dr.dk = LX.DR.DK 
lx.dr.dk = LX.DR.DK 


When trying to authenticate on the web UI I see the following. 

krb5kdc.log on the IPA server shows: 

Feb 27 11:06:44 ipa01.lx.dr.dk krb5kdc[3349](info): AS_REQ (2 etypes {18 18}) 10.80.17.50: ISSUE: authtime 1488190004, etypes {rep=18 tkt=18 ses=18}, HTTP/ssotst01pack.lx.dr.dk@LX.DR.DK for krbtgt/LX.DR.DK@LX.DR.DK 
Feb 27 11:06:44 ipa01.lx.dr.dk krb5kdc[3349](info): AS_REQ (2 etypes {18 18}) 10.80.17.50: ISSUE: authtime 1488190004, etypes {rep=18 tkt=18 ses=18}, HTTP/ssotst01pack.lx.dr.dk@LX.DR.DK for krbtgt/LX.DR.DK@LX.DR.DK 
Feb 27 11:06:44 ipa01.lx.dr.dk krb5kdc[3353](info): AS_REQ (2 etypes {18 18}) 10.80.17.50: ISSUE: authtime 1488190004, etypes {rep=18 tkt=18 ses=18}, HTTP/ssotst01pack.lx.dr.dk@LX.DR.DK for krbtgt/LX.DR.DK@LX.DR.DK 
Feb 27 11:06:44 ipa01.lx.dr.dk krb5kdc[3353](info): AS_REQ (2 etypes {18 18}) 10.80.17.50: ISSUE: authtime 1488190004, etypes {rep=18 tkt=18 ses=18}, HTTP/ssotst01pack.lx.dr.dk@LX.DR.DK for krbtgt/LX.DR.DK@LX.DR.DK 
Feb 27 11:06:44 ipa01.lx.dr.dk krb5kdc[3353](info): AS_REQ (2 etypes {18 18}) 10.80.17.50: ISSUE: authtime 1488190004, etypes {rep=18 tkt=18 ses=18}, HTTP/ssotst01pack.lx.dr.dk@LX.DR.DK for krbtgt/LX.DR.DK@LX.DR.DK 

Java shows: 

[2017-02-22T14:17:06.666+01:00] [oam_server1] [ERROR] [] [oracle.oam.engine.authn] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 236b75b1bd93b747:4e356648:15a65f5a492:-8000-00000000000000db,0] [APP: oam_server#11.1.2.0.0] Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))[[ 
GSSException: Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44)) 

(Not same time, I know. Log files from different days). 

From what I can see in the krb5 log it tries to make 5 auth requests, but fails with "Specified version of key is not available"; however, they are.... I have already verified this and tried exporting new ones just to make sure. 

The unlimited encryption package has been added to Java. 

Do these errors mean anything to some expert on this list, as I'm starting to run out of ideas...... 

-- 


Kind regards 

Troels Hansen 

Systems consultant 

Casalogic A/S 


T (+45) 70 20 10 63 

M (+45) 22 43 71 57 

Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and much more. 
