I have an AD server which I can connect to programmatically with a test driver.
No biggy, can search through the tree, etc.
However, I can't seem to make the leap between this and declaring security in
the Weblogic console so that AD users are successfully allowed to log into the
server and application.
I set up an Active Directory Authenticator for my domain. The configuration appears
to be correct, with the proper server name, principal, filters, etc. I can verify
this through the driver: I use the same values and things work. However, Weblogic
throws the following exception at startup if I try to use my AD username/password:
The WebLogic Server did not start up properly.
Exception raised:
java.lang.SecurityException: Authentication for user <username> denied
at weblogic.security.service.SecurityServiceManager.doBootAuthorization(SecurityServiceManager.java:1078)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:1216)
at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:723)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:594)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:282)
at weblogic.Server.main(Server.java:32)
Reason: Fatal initialization exception
Throwable: java.lang.SecurityException: Authentication for user <username> denied
java.lang.SecurityException: Authentication for user <username> denied
at weblogic.security.service.SecurityServiceManager.doBootAuthorization(SecurityServiceManager.java:1078)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:1216)
at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:723)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:594)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:282)
at weblogic.Server.main(Server.java:32)
It seems like I'm missing a bridge between the AD authenticator and the users/groups/roles
configured in Weblogic.
If anyone could shed some light, or point me to some really good references for
basic AD authenticating through WLS, I would greatly appreciate it.
<jca...@raytheon.com> wrote in message news:3f26...@newsgroups.bea.com...
>
> Hello y'all, did some searching and unfortunately this appears to be a topic with
> a lot of questions and very few resources to pool from.
>
> I have an AD server which I can connect to programmatically with a test driver.
> No biggy, can search through the tree, etc.
>
> However, I can't seem to make the leap between this and declaring security in
> the Weblogic console so that AD users are successfully allowed to log into the
> server and application.
>
> I set up an Active Directory Authenticator for my domain. The configuration appears
> to be correct, with the proper server name, principal, filters, etc. I can verify
> this through the driver: I use the same values and things work. However, Weblogic
> throws the following exception at startup if I try to use my AD username/password:
>
> The WebLogic Server did not start up properly.
> Exception raised:
> java.lang.SecurityException: Authentication for user <username> denied
This indicates that the boot username and password could not be
authenticated in your AD server.
Turn on debug (DebugSecurityAtn="true" in the ServerDebugMBean) and look at
the ldap_trace.log file for the LDAP bind request. Is it using the correct DN and
credential for your AD server?
Thanks Peter. Once I switched it to use the full <username>@<domain dc string>,
this worked. I was just using the username. So I am now validating users fine
through my application.
I posted another question about getting the console to recognize AD users and
groups, and according to some other posts I've read, this should be fixed in the
latest SP. I'll have to give that a try, if I can get CM around here to agree
with it.
Do I need an AD account to log into the console and start up the server? Right
now I start it up by using a user created in Weblogic, not AD. I'd like to have
everything regarding Weblogic handled with AD users, and not have to worry about
creating them in the console.
Thanks!
Jason
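For the two points above (Peter's advice to read the bind request out of ldap_trace.log, and the fix of binding with the full user@domain form), here is a stdlib-only LDAPv3 simple-bind probe. It is an added example, not code from this thread or from WebLogic: it encodes the same BindRequest the trace would show, classifies the boot identity as bare username, UPN or DN, and decodes the server's result code. Host names and the sample responses in the comments are placeholders/constructed.

```python
import socket, ssl

def _ber_len(n):  # BER length octets: short form below 128, long form otherwise
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n >= 0x80 else b""
    return bytes([0x80 | len(body)]) + body if body else bytes([n])

def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload

def _read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) of the BER TLV starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def classify_bind_name(name):
    """AD simple bind accepts a DN or a UPN (user@domain); a bare username is what the thread saw rejected."""
    if "=" in name:
        return "dn"
    if "@" in name:
        return "upn"
    return "bare"

def bind_request(msg_id, name, password):
    """LDAPMessage{messageID, BindRequest [APPLICATION 0]{version 3, name, simple [0] password}}; msg_id < 128."""
    body = _tlv(0x02, b"\x03") + _tlv(0x04, name.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, body))

def parse_bind_response(data):
    """(resultCode, diagnosticMessage) from a BindResponse [APPLICATION 1]: 0 = success, 49 = invalidCredentials."""
    _, msg, _ = _read_tlv(data)
    _, _msg_id, p = _read_tlv(msg)
    tag, resp, _ = _read_tlv(msg, p)
    if tag != 0x61:
        raise ValueError("not a BindResponse, tag 0x%02x" % tag)
    _, code, p = _read_tlv(resp)
    _, _matched_dn, p = _read_tlv(resp, p)
    _, diag, _ = _read_tlv(resp, p)
    return int.from_bytes(code, "big"), diag.decode(errors="replace")

def probe_bind(host, name, password, port=636):
    """LDAPS only: simple bind carries the password verbatim, so never use plaintext 389. host is a placeholder."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as s:
            s.sendall(bind_request(1, name, password))
            return parse_bind_response(s.recv(4096))
```

Run `probe_bind("dc.corp.example", "jdoe@corp.example", "...")` (placeholder values) with both the bare and the user@domain name to see which form the directory accepts before trusting it as the WebLogic boot identity.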
Yikes, we are using SP 2, which it appears is the latest, yet I'm still not getting
AD information... that's not good.
> Yikes, we are using SP 2, which it appears is the latest, yet I'm still not getting
> AD information... that's not good.
>
I had thought that SP3 was out but I don't see it on the web site. I will
ask a console expert which SP the fix is in.
> I had thought that SP3 was out but I don't see it on the web site. I will
> ask a console expert which SP the fix is in.
>
The fix is in 7.0 SP3.
Aaaah, that would explain it then. Luckily everything is working other than not
seeing the users/groups in the console, so visibly seeing them there is just a
bonus. Given the way we slowly move to SPs, it may be a while before we can switch
to SP3.
Thanks for all the info!