Passing Kerberos from IIS Server Fails

posted May 16, 2013 19:23:09 by ErnestCorreale
I have external users that must authenticate at the firewall before being allowed into the network. At the moment, this forces the users to authenticate twice, once for the firewall and once for the WebLogic application.

I am trying to use Kerberos to eliminate the double login issue. I have set up Microsoft TMG server in our DMZ that authenticates the user, creates a Kerb token for the authentication session and then passes the token to the internal IIS servers. I also have WebLogic SSO working so it signs me in using SSO if I point my browser to the IIS server. It breaks when I attempt to access the app from the external network, even when I configure a host file entry to allow the same FQDN that was working inside the network.

Here's the authentication process:
A user authenticates against the Microsoft TMG server. A Kerb session token is created for the user that is passed to the IIS servers located inside the corporate network.

The IIS servers accept the token as a valid authentication attempt and log the user into IIS.

From there, the WL IIS proxy module passes the token to WebLogic.

WebLogic rejects the authentication attempt as an invalid authentication attempt.

I have SPNs configured for the URLs and Kerb working for all the Microsoft bits. I'm very new to WebLogic and, quite frankly, struggling to understand the relevant pieces to get WebLogic to accept the Kerb token from the IIS service.

khan.faysal06 said Sep 19, 2013 09:39:43
I guess you will need an Identity asserter to process the http token.
Can you enable debugHttp and SecurityATN & SecurityATZ and mail us the logs?

