v8 SP4 SPNEGO Identity Asserter problem - Weblogic


  1. v8 SP4 SPNEGO Identity Asserter problem

    I configured my domain to authenticate against AD using the SPNEGO Identity Asserter.

    Two questions.

    1) How do I do authorization? Do I enter the name of an AD group in the webapp's weblogic.xml under Principal-Name? Or use weblogic groups (if so, how do the userids get matched)?

    2) It doesn't work - I get challenged for userid/pwd/domain.

    In debug, I get:

    "Found NTLM token when expecting SPNEGO"

    What can I do about this?

    Some lines from debug...


    ####<11-Feb-2005 18:03:27 o'clock GMT> <> <> <000000>
    ####<11-Feb-2005 18:03:27 o'clock GMT> <> <> <000000>
    ####<11-Feb-2005 18:03:27 o'clock GMT> <> <> <000000> Resource: type=, application=earspnegodemo, contextPath=/earspnegodemo, uri=/index.jsp, httpMethod=GET>
    ####<11-Feb-2005 18:03:27 o'clock GMT> <> <> <000000> Subject: 0

    Thanks,
    Mike
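
The debug message quoted in the post above distinguishes two token types that both arrive under `Authorization: Negotiate`. The following is an added example, not part of the original thread and not WebLogic code, that classifies a captured header value by its leading bytes; the function name, return labels and sample tokens are assumptions constructed for illustration.

```python
import base64

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"                   # start of every NTLM message
SPNEGO_OID = bytes.fromhex("06062b0601050502")       # DER OID 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")   # DER OID 1.2.840.113554.1.2.2


def _skip_der_length(buf, pos):
    """Return the index just past the DER length field that starts at buf[pos]."""
    first = buf[pos]
    return pos + 1 if first < 0x80 else pos + 1 + (first & 0x7F)


def classify_negotiate_header(header_value):
    """Classify the token carried in an 'Authorization: Negotiate <base64>' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:                     # binascii.Error is a ValueError
        return "malformed"
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"                      # raw NTLMSSP message, no SPNEGO wrapper
    if len(token) < 4:
        return "malformed"
    if token[0] == 0x60:                   # GSS-API InitialContextToken
        body = _skip_der_length(token, 1)
        if token[body:body + len(SPNEGO_OID)] == SPNEGO_OID:
            # Heuristic: is Kerberos v5 among the offered mechanisms?
            return "spnego-kerberos" if KRB5_OID in token else "spnego-other"
        if token[body:body + len(KRB5_OID)] == KRB5_OID:
            return "raw-kerberos"
        return "unknown-gss"
    if token[0] == 0xA1:                   # SPNEGO NegTokenResp (later round trip)
        return "spnego-response"
    return "unknown"


def _tlv(tag, body):
    """Minimal DER tag-length-value encoder for short (<128 byte) bodies."""
    return bytes([tag, len(body)]) + body


# Constructed samples (not captured traffic): an NTLM type 1 prefix and a
# SPNEGO NegTokenInit whose mechanism list offers only Kerberos v5.
SAMPLE_NTLM = "Negotiate " + base64.b64encode(
    NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + bytes(8)).decode()
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(_tlv(0x60, SPNEGO_OID + _tlv(
    0xA0, _tlv(0x30, _tlv(0xA0, _tlv(0x30, KRB5_OID)))))).decode()
```

An `ntlm` result means the browser sent an NTLMSSP message under the Negotiate scheme rather than a SPNEGO-wrapped Kerberos ticket, which is the condition the debug message reports.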

  2. Re: v8 SP4 SPNEGO Identity Asserter problem

    Hi Mike,

    I have a similar problem and posted here last week but sadly got no replies. Perhaps if we discuss our problem we may get some momentum going?

    Have you configured the AD Authenticator in the WebLogic console and can you see your users/groups from Active Directory?

    There is a tool called kerbtray which allows you to look at the Kerberos tickets on your client PC.

    From previous single sign-on solutions I have investigated, you need to have at least three PCs: one for WL, one for AD and one acting as client but belonging to the AD domain.

    I have configured my setup as the dev2dev documents suggest. I can see the users/domains in WL and have the Kerberos ticket on my client PC, but I still get the user/password prompt, although I don't get the message you do about the NTLM token.

    I am currently in BEA HQ (in UK) so I may be able to find someone to discuss the problem with.

    cheers

    Stephen
