WebLogic Kerberos (SSO) Authentication Issue : Error 401 Forbidden : No Configuration was registered that can handle the configuration named com. sun. security. jgss. krb5. accept
I recently configured Kerberos (Single Sign-On) in WebLogic using steps mentioned here, While accessing application using Active Directory account received error “Error 401 – Forbidden” . This post covers steps I did to troubleshoot this issue.
To see various different ways to configure Single Sign-On with WebLogic check Chris Johnson’s post here . For step by step Kerberos Configuration for WebLogic on Windows check Chris’s another post here
Moving back to my issue here is what I did to troubleshoot
Debug: Enabled debug for authentication & authorization via WebLogic Console — Servers -> [Server Name] -> Debug -> WebLogic -> Security -> atn (for Authentication) and atz (for Authorization) and click Enable
The Error : Checked in Managed Server (one on which application was deployed) Log file and found error
_______
<21-Mar-2011 10:04:57 o’clock GMT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service. JAASAuthenticationConfigurationServiceImpl. getAppConfigurationEntry(com.sun.security.jgss.krb5.accept)>
<21-Mar-2011 10:04:57 o’clock GMT> <Debug> <SecurityAtn> <BEA-000000> <Exception com.bea.common.security.internal.utils.negotiate. NegotiateTokenException: java.lang.IllegalArgumentException: No Configuration was registered that can handle the configuration named com.sun.security.jgss.krb5.accept
com.bea.common.security.internal.utils.negotiate. NegotiateTokenException: java.lang. IllegalArgumentException: No Configuration was registered that can handle the configuration named com.sun.security.jgss.krb5.accept
at com.bea.common. security.internal.utils.negotiate. SPNEGONegotiateToken.get Username(SPNEGONegotiateToken.java:186)
at weblogic.security. providers.authentication. NegotiateIdentityAsserterProvider Impl.assertChallengeIdentity(NegotiateIdentityAsserterProviderImpl.java:213)
at com.bea.common.security.internal.legacy. service.ChallengeIdentity AssertionProviderImpl$ ChallengeIdentityAsserterV2Adapter. assertChallengeIdentity (ChallengeIdentity AssertionProviderImpl.java:130)
at com.bea.common.security.internal.service. ChallengeIdentityAssertionToke nServiceImpl. assertChallengeIdentity(ChallengeIdentityAssertion TokenServiceImpl.java:120)
____________
Checks :
1. Verified that KRB5.ini is under c:\windows (WebLogic is running on Windows Server)
2. Kerberos Configuration File (KRB5LOGIN.conf) defined at WebLogic Server Startup is available
3. Keytab file defined under KRB5LOGIN.conf is correct
.
Issue: Principal in kerberos configuration file was ” where as it was expecting character in format ” (Check double quotes format)
.
Fix :
Change principal in KRB5LOGIN.conf from
principal=”HTTP/SERVERNAME.MYDOMAIN@MYDOMAIN”;
to
principal=“HTTP/SERVERNAME.MYDOMAIN@MYDOMAIN“;
Note: The double quotes between principal name