How To Configure Browser- based SSO with Kerberos/SPNEGO and Oracle Web. Logic Server. How To Configure Browser- based SSO with Kerberos/SPNEGO and Oracle Web. Logic Serverby Abhijit Patil. Oracle Web. Logic Server offers a complete solution for single sign- on with Microsoft clients using Kerberos. Published May 2. 01.

This article describes how to enable Microsoft clients (browsers in this case), authenticated in a Windows domain, using Kerberos, to be transparently authenticated in a Oracle Web. Logic Server (Oracle Web. Logic Server) domain, based on the same credentials, and without the need to type in a password again. The purpose of this feature is to enable a client browser to access a protected resource on Oracle Web. Logic Server, and to transparently provide Oracle Web. Logic Server with authentication information from the Kerberos database via a SPNEGO ticket. Note that this feature also works for Java SE clients.

Oracle Web. Logic Server will be able to recognize the ticket, and extract the information from it. The server will then use the information for authentication and grant access to the resource if the authenticated user is authorized to access it.

In our example, the principal name will be negotiatetestserver@SECURITYQA. COM. The machine hosting Oracle Web. Logic Server doesn't have to be part of SECURITYQA. In this case it’s part of OTHERDOM. DOM domain. The account type should be .

Popular Alternatives to JIRA for Web, Windows, Mac, Linux, iPhone and more. Explore 192 websites and apps like JIRA, all suggested and ranked by the AlternativeTo. Open Technology. OTRS is one of the most flexible web-based ticketing systems used for Customer Service, Help Desk, IT Service Management. With a fast implementation.

Click Next. Click Finish. Figure 2: Account tab showing properties for “negotiatetestserver” user on KDCConfigure Your User to Comply with the Kerberos Protocol. Locate your newly created user in the Users tree in the left hand pane and double click it. On the . The SPN is used in the process of mutual authentication between the client and the server hosting a particular service.

The client finds a computer account based on the SPN of the service to which it is trying to connect. The ktpass command- line tool enables an administrator to configure a non- Windows Server Kerberos service as a security principal in the Windows Server Active Directory. Ktpass configures the server principal name for the service in Active Directory and generates an MIT- style Kerberos .

The tool allows UNIX- based services that support Kerberos authentication to use the interoperability features provided by the Windows Server Kerberos KDC service. Use the following command to configure SPN (for AES1. C: \Users\bt> ktpass - out negotiatetestserver. We need to specify a JAAS configuration file that specifies the login modules to use. Create a file named krb. Login. conf in the Oracle Web.

Download the current version of Asterisk as well as AsteriskNow Software PBX, Digium\Asterisk Hardware Device Interface (DAHDI) & libpri. Many times we can browse the web and find a 502 bad gateway error at Nginx. There are a few reasons why you will find this message in your webserver log, and here we. OTRS Free is the most flexible and widely used Open Source help desk software around the world and you can download it for free here.

Logic Server domain directory with the following contents: For Oracle Web. Logic Server using Oracle JDK: com. If Oracle Web. Logic Server is using Oracle JDK, specify following options in the Oracle Web. Logic Server java command line: -Dsun. Djava. security. krb. SECURITYQA. COM - Djava. MACHINEC - Djava.

Login. conf - Djavax. Subject. Creds. Only=false. For Oracle Web. Logic Server using IBM JDK, specify following options in the Oracle Web. Logic Server java command line: -Dcom. Djava. security. krb. SECURITYQA. COM - Djava.

MACHINEC - Djava. Login. conf - Djavax. Subject. Creds. Only=false.

Configure Identity Assertion provider. Web. Logic Server includes a security provider, the Negotiate Identity Assertion provider, to support single sign- on (SSO) with Microsoft clients. This identity assertion provider decodes Simple and Protected Negotiate (SPNEGO) tokens to obtain Kerberos tokens, validates the Kerberos tokens, and maps Kerberos tokens to Web. Logic users. You need to configure a Negotiate Identity Assertion provider in your Web.

Logic security realm in order to enable SSO with Microsoft clients. See Configuring a Negotiate Identity Assertion Provider .

Install Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files(This step is applicable only if you plan to use AES2. SHA1 cipher strength. Skip this step for all other cipher strengths). You need to download and install this bundle which provides . Overwrite 2 jar files under “< JAVA? In Internet Explorer, select Tools > Internet Options. Select the Security tab.

Select Local intranet and click Sites. In the Local intranet popup, ensure that the Include all sites that bypass the proxy server and Include all local (intranet) sites not listed in other zones options are checked. Figure 3: Local Intranet Dialog Box for Internet Explorer   5. Click Advanced. 6. In the Local intranet (Advanced) dialog box, add all relative domain names that will be used for Oracle Web.

Logic Server instances participating in the SSO configuration (for example, myhost. OK. Figure 4: Advanced Local Intranet Dialog Box for Internet Explorer. Configure Intranet Authentication   1.

Select Tools > Internet Options. Select the Security tab. Select Local intranet and click Custom Level.. In the Security Settings dialog box, scroll to the User Authentication section. Select Automatic logon only in Intranet zone. This option prevents users from having to re- enter logon credentials, which is a key piece to this solution.

Click OK. Figure 5: Configure Intranet Authentication. Verify Proxy Settings.

If you have a proxy server enabled: 1. Select Tools > Internet Options. Select the Connections tab and click LAN Settings. Verify that the proxy server address and port number are correct. Rel Kmspico 8 3 Windows And Office Activator Download. Click Advanced. 5. In the Proxy Settings dialog box, ensure that all desired domain names are entered in the Exceptions field. Click OK to close the Proxy Settings dialog box.

Configuring Mozilla Firefox Browser. To configure a Firefox browser to use Windows Integrated authentication, complete the following steps: 1.

Start Firefox. 2. Enter about: config in the Location Bar. Enter the filter string network.

Set the preferences as shown in Figure below: Figure 6: Preferences Required in Firefox for Windows Integrated Authentication. Configuring Google Chrome Browser. No special configuration needed for Chrome Browser. Verifying Configuration. Login to Machine. A (Browser Client) as user “SECURITYQA. COM\< YOUR- USER- NAME)”Open command prompt and run 'klist purge'.

This is to purge any existing tickets. Figure 7: Using klist to view and purge tickets. Open browser and access url of the web application. In this case, we are accessing a servlet which provides basic HTTP header information: Figure 8: Servlet displaying HTTP info after SPNEGO authentication. If the SSO was unsuccessful you will be prompted for username/password by the browser. In this case you need to check wls server logs for exception (Check Troubleshooting section below). Figure 9: Browser prompting for username/password after SPNEGO failure.

Confirm if browser is sending SPNEGO tokens. Look for message “. Your computer successfully sent out a request, but the KDC never responded. The principal exists in kerberos but the password is wrong. This is a password problem. Double check the validity of your keytab, or of the password that you have entered. Exception: krb. The keytab file you have provided was not created for that principal, or there is no such file (this will be easy to check) .

If the file does exist, the principal xxx might exist in the AD server, but this keytab is not for it. On the other hand, principal might not exist at all. Login. Exception: Krb. Exception: KDC has no support for encryption type (1.

KDC has no support for encryption type. Your KDC does not support the encryption type requested. Please choose an encryption type that is supported by the KDC you are using.< Debug> < Security. Debug> < 0.

Found NTLM token when expecting SPNEGO>. This is a very common error.

It means that the Oracle Web. Logic Server was ready to extract a SPNEGO token but could not find one in the request sent by the browser. Something is wrong in your SPN definition: Either no SPN was defined for this service, or you have duplicate SPNs, which means that the SPN resolved in more than one principal associated with it. Exception: weblogic.

Negotiate. Token.