I have external users that must authenticate at the firewall before being allowed into the network. At the moment, this forces the users to authenticate twice, once for the firewall and once for the WebLogic application.
I am trying to use Kerberos to eliminate the double-login issue. I have set up a Microsoft TMG server in our DMZ that authenticates the user, creates a Kerb token for the authentication session and then passes the token to the internal IIS servers. I also have WebLogic SSO working, so it signs me in using SSO if I point my browser to the IIS server. It breaks when I attempt to access the app from the external network, even when I configure a hosts file entry to allow the same FQDN that was working inside the network.
Here's the authentication process:
1. A user authenticates against the Microsoft TMG server. A Kerb session token is created for the user that is passed to the IIS servers located inside the corporate network.
2. The IIS servers accept the token as a valid authentication attempt and log the user into IIS.
3. From there, the WL IIS proxy module passes the token to WebLogic.
4. WebLogic rejects the authentication attempt as an invalid authentication attempt.
I have SPNs configured for the URLs and Kerb working for all the Microsoft bits. I'm very new to WebLogic and, quite frankly, struggling to understand the relevant pieces to get WebLogic to accept the Kerb token from the IIS service.
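The chain described in the post (TMG to IIS to WebLogic) is a Kerberos double hop, and each hop only works when the account running that service holds the SPN for the name the client actually uses and is allowed to delegate to the next hop's SPN. The following PowerShell is an added diagnostic for checking those prerequisites; it is not part of the original post and it does not come from Microsoft or Oracle. The account names (svc-tmg, svc-iis, svc-weblogic) and the host names (app.example.com, wls01.internal.example.com) are placeholders to replace with the real ones.

```powershell
# Added diagnostic, not from the original post. Account and host names are placeholders.
# Requires the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

# Hypothetical service accounts for each hop, in the order the ticket travels.
$hops = [ordered]@{
    'TMG (front end)'   = 'svc-tmg'
    'IIS app pool'      = 'svc-iis'
    'WebLogic (keytab)' = 'svc-weblogic'
}

# The name users type from outside, and the name the IIS proxy uses to reach WebLogic.
# Kerberos matches the SPN against the name in the URL, so an external FQDN that
# differs from the internal one needs its own HTTP/ SPN on the right account.
$externalFqdn = 'app.example.com'
$weblogicFqdn = 'wls01.internal.example.com'

function Show-HopAccount {
    param([string]$Label, [string]$SamAccountName)

    $acct = Get-ADUser -Identity $SamAccountName -Properties `
        ServicePrincipalNames, TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

    Write-Host "== $Label : $SamAccountName =="
    Write-Host "  SPNs registered:"
    foreach ($spn in $acct.ServicePrincipalNames) { Write-Host "    $spn" }

    # Unconstrained delegation: account may impersonate the user to any service.
    Write-Host "  TrustedForDelegation (unconstrained): $($acct.TrustedForDelegation)"
    # Protocol transition: needed when the front end does not receive a Kerberos ticket
    # from the client (e.g. the user logged in to TMG with forms or NTLM).
    Write-Host "  TrustedToAuthForDelegation (protocol transition): $($acct.TrustedToAuthForDelegation)"
    # Constrained delegation targets: the exact SPNs this account may obtain tickets for.
    Write-Host "  msDS-AllowedToDelegateTo (constrained targets):"
    $targets = $acct.'msDS-AllowedToDelegateTo'
    if (-not $targets) { Write-Host "    (none)" }
    else { foreach ($t in $targets) { Write-Host "    $t" } }
    Write-Host ""
}

foreach ($hop in $hops.GetEnumerator()) {
    Show-HopAccount -Label $hop.Key -SamAccountName $hop.Value
}

# Which account actually owns the SPN for the name the browser sends?
# A missing result means the KDC will never issue a ticket for that name;
# a result on the wrong account means the token is encrypted for a service
# that the receiving server cannot decrypt.
Write-Host "== SPN ownership for the names in use =="
setspn -Q "HTTP/$externalFqdn"
setspn -Q "HTTP/$weblogicFqdn"

# Duplicate SPNs anywhere in the forest silently break Kerberos for that name
# (the KDC cannot pick an account), so check for them explicitly.
Write-Host "== Duplicate SPN scan (forest-wide) =="
setspn -X
```

Read the output hop by hop: the IIS account must own HTTP/ for the name TMG forwards to, and its constrained-delegation list (or unconstrained flag) must include the WebLogic SPN, which in turn must belong to the account whose keytab WebLogic loads. If the external FQDN resolves to a different name than the internal one, the HTTP/ SPN for the external name has to exist on the same account, otherwise the ticket IIS receives is for a service WebLogic does not recognise.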