https://blogs.oracle.com/blogbypuneeth/entry/configure_kerberos_with_weblogic_server
Steps to configure Kerberos / SPNEGO / NTLM authentication with Weblogic Server running on Oracle JDK :
By Puneeth-Oracle on Jul 20, 2013
* The AD machine used in this configuration is : SLKRBTRN6-01.slkrbtrn6.bea.com ( Windows 2008 R2 )
* Weblogic Server is on machine : SLKRBTRN6-03. ( Windows XP )
---
Step 1 :
- Create a new user, say "wlsclient", on AD for your Weblogic server instance.
Note :
- The account type should be "User", not "Computer", in the AD.
- Check the "Password never expires" option for the user.
- DES encryption types are disabled by default on Windows 2008 AD, so do not check the DES option for this user.
- If your AD is on Windows 2003, enable the DES encryption type for your user -> after enabling this option make sure you reset the password for this user.
- If you want to use an AES encryption type, make sure you check "This account supports AES 128 bit encryption" / "This account supports AES 256 bit encryption" under username -> Properties -> Account Options.
- If you want to use AES256-SHA1 cipher strength, you need to download and install the bundle that provides the "unlimited strength" policy files, which contain no restrictions on cryptographic strengths (the default JDK policy files cap AES at 128 bits, so aes256-cts-hmac-sha1-96 fails without them):
* For Oracle JDK 6: Download Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6 from
Link : http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html.
* For Oracle JDK 7: Download Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7 from
Link : http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
Overwrite 2 jar files under “<JAVA_HOME>/jre/lib/security” directory with 2 jar files inside downloaded zip file.
Step 2 :
Create a krb5.ini file.
Syntax :
*****
[libdefaults]
default_realm = <Identifies the default realm. Set its value to your Kerberos realm - all caps>
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
ticket_lifetime = 600
kdc_timesync = 1
ccache_type = 4
[realms]
<Your Kerberos realm - remember all caps> = {
kdc = <IP address of the KDC/AD server>
# (For Unix systems, you need to specify port 88, as in <IP-address>:88)
admin_server = <FQDN - host name of the KDC/AD server>
default_domain = <Windows domain name in caps>
}
[domain_realm]
.<DNS domain name suffix, starting with .> = <Your Kerberos realm - remember all caps>
<DNS domain name suffix> = <Your Kerberos realm - remember all caps>
[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true
*****
Note :
* This file has to be created on the machine where Weblogic Server is installed.
* If you have Weblogic Server installed on a Windows machine, create a file named krb5.ini. On Unix machines the file is called krb5.conf instead of krb5.ini.
* See the following default Kerberos configuration files and their locations:
[Windows] The default location is c:\winnt\krb5.ini.
Note: if the krb5.ini file is not located in the c:\winnt directory it might be located in c:\windows.
[Linux] The default location is /etc/krb5.conf.
[AIX] [HP-UX] [Solaris] On other Unix platforms, the default location is /etc/krb5/krb5.conf.
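The following Python helper is an added example, not part of the original post or of Weblogic: it renders the Step 2 template with the rules the post states (realm in caps, :88 on Unix, krb5.ini vs krb5.conf) and then checks a rendered file for the two mistakes the notes warn about, a lowercase realm and DES enctypes that a Windows 2008 AD will reject. It assumes a single DNS domain string serves as both the Windows domain name and the DNS suffix, and it drops the DES types from the default enctype list.

```python
import re

WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5"}   # disabled by default on Windows 2008 R2 AD
DEFAULT_ENCTYPES = ("aes256-cts-hmac-sha1-96", "rc4-hmac")  # assumption: omit DES by default


def render_krb5_conf(realm, kdc, admin_server, dns_domain, unix=False, enctypes=DEFAULT_ENCTYPES):
    """Render the Step 2 template; returns (file name, file text)."""
    realm = realm.upper()                        # the post requires the realm in all caps
    kdc_entry = f"{kdc}:88" if unix else kdc     # Unix hosts need the explicit KDC port
    enc = " ".join(enctypes)
    lines = [
        "[libdefaults]",
        f"default_realm = {realm}",
        f"default_tkt_enctypes = {enc}",
        f"default_tgs_enctypes = {enc}",
        f"permitted_enctypes = {enc}",
        "ticket_lifetime = 600",
        "kdc_timesync = 1",
        "ccache_type = 4",
        "[realms]",
        f"{realm} = {{",
        f"kdc = {kdc_entry}",
        f"admin_server = {admin_server}",
        f"default_domain = {dns_domain.upper()}",   # assumption: Windows domain == DNS domain
        "}",
        "[domain_realm]",
        f".{dns_domain.lower()} = {realm}",
        f"{dns_domain.lower()} = {realm}",
        "[appdefaults]",
        "autologin = true",
        "forward = true",
        "forwardable = true",
        "encrypt = true",
    ]
    return ("krb5.conf" if unix else "krb5.ini"), "\n".join(lines) + "\n"


def check_krb5_conf(text):
    """Flag a lowercase realm and any DES enctype a 2008 AD would reject."""
    problems = []
    m = re.search(r"^default_realm\s*=\s*(\S+)", text, re.M)
    if m and m.group(1) != m.group(1).upper():
        problems.append(f"default_realm not upper case: {m.group(1)}")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        m = re.search(rf"^{key}\s*=\s*(.+)$", text, re.M)
        weak = WEAK_ENCTYPES & set(m.group(1).split()) if m else set()
        if weak:
            problems.append(f"{key} lists DES types disabled on 2008 AD: {sorted(weak)}")
    return problems
```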