
Integrating Active Directory with Weblogic 7.0


jca...@raytheon.com

Jul 29, 2003, 6:33:14 PM

Hello y'all, did some searching and unfortunately this appears to be a topic with
a lot of questions and very few resources to pool from.

I have an AD server which I can connect to programmatically with a test driver.
No biggy, can search through the tree, etc.

However, I can't seem to make the leap between this and declaring security in
the Weblogic console so that AD users are successfully allowed to log into the
server and application.

I set up an Active Directory Authenticator for my domain. The configuration appears
to be correct, with the proper server name, principal, filters, etc. I can verify
this through the driver, I use the same values and things work. However, Weblogic
throws the following exception at start up if I try to use my AD username/password:
The WebLogic Server did not start up properly.
Exception raised:
java.lang.SecurityException: Authentication for user <username> denied
        at weblogic.security.service.SecurityServiceManager.doBootAuthorization(SecurityServiceManager.java:1078)
        at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:1216)
        at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:723)
        at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:594)
        at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:282)
        at weblogic.Server.main(Server.java:32)
Reason: Fatal initialization exception
Throwable: java.lang.SecurityException: Authentication for user <username> denied
java.lang.SecurityException: Authentication for user <username> denied
        at weblogic.security.service.SecurityServiceManager.doBootAuthorization(SecurityServiceManager.java:1078)
        at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:1216)
        at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:723)
        at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:594)
        at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:282)
        at weblogic.Server.main(Server.java:32)

It seems like I'm missing a bridge between the AD authenticator and the users/groups/roles
configured in Weblogic.

If anyone could shed some light, or point me to some really good references for
basic AD authenticating through WLS, I would greatly appreciate it.

Peter

Aug 7, 2003, 7:29:49 AM
From: "Peter" <PeterB>
Newsgroups: weblogic.developer.interest.security
<jca...@raytheon.com> wrote in message news:3f26...@newsgroups.bea.com...

> Hello y'all, did some searching and unfortunately this appears to be a topic with
> a lot of questions and very few resources to pool from.
>
> I have an AD server which I can connect to programmatically with a test driver.
> No biggy, can search through the tree, etc.
>
> However, I can't seem to make the leap between this and declaring security in
> the Weblogic console so that AD users are successfully allowed to log into the
> server and application.
>
> I set up an Active Directory Authenticator for my domain. The configuration appears
> to be correct, with the proper server name, principal, filters, etc. I can verify
> this through the driver, I use the same values and things work. However, Weblogic
> throws the following exception at start up if I try to use my AD username/password
>
> The WebLogic Server did not start up properly.
> Exception raised:
> java.lang.SecurityException: Authentication for user <username> denied

This indicates that the boot username and password could not be
authenticated in your AD server.
Turn on debug (DebugSecurityAtn="true" in the ServerDebugMBean) and look at
the ldap_trace.log file for the LDAP bind request. Is it using the correct DN
and credential for your AD server?


Jason

Aug 7, 2003, 3:14:36 PM
Thanks Peter, once I switched it to use the full <username>@<domain dc string>,
this worked. I was just using the username. So I am now validating users fine
through my application.

I posted another question about getting the console to recognize AD users and
groups, and according to some other posts I've read, this should be fixed in the
latest SP. I'll have to give that a try, if I can get CM around here to agree
with it.

Do I need an AD account to log into the console and start up the server? Right
now I start it up by using a user created in Weblogic, not AD. I'd like to have
everything regarding Weblogic handled with AD users, and not have to worry about
creating them in the console.

Thanks!
Jason
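
Added example, not part of Jason's or Peter's posts: a small JNDI driver that attempts an LDAP simple bind with the bare username and then with the <username>@<domain> form that resolved the problem in this thread. The URL, user and domain arguments are placeholders, and the local empty-password check is an addition of this example.

```java
import java.util.Arrays;
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;

// Added example: try an LDAP simple bind against AD with two principal forms.
// Usage: java AdBindCheck ldaps://ad.example.com:636 jdoe example.com
// (host, user and domain are placeholders, not values from the thread)
public class AdBindCheck {

    static String tryBind(String url, String principal, char[] password) {
        // An empty password turns a simple bind into an unauthenticated bind,
        // which a server may accept; never treat that as a valid login.
        if (password == null || password.length == 0) {
            return "rejected locally: empty password";
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url); // ldaps:// keeps the password off the wire in clear
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        try {
            new InitialDirContext(env).close();
            return "bind OK";
        } catch (AuthenticationException e) {
            // AD answers with LDAP result 49 and a "data NNN" sub-code in the message
            return "bind denied: " + e.getMessage();
        } catch (NamingException e) {
            return "connection or other error: " + e;
        }
    }

    public static void main(String[] args) {
        if (args.length != 3 || System.console() == null) {
            System.err.println("usage: java AdBindCheck <ldap-url> <user> <dns-domain>");
            return;
        }
        String url = args[0], user = args[1], domain = args[2];
        char[] pw = System.console().readPassword("Password for %s: ", user);
        // Same password, two principal forms: bare name, then user@domain
        for (String principal : new String[] { user, user + "@" + domain }) {
            System.out.printf("%-40s -> %s%n", principal, tryBind(url, principal, pw));
        }
        if (pw != null) Arrays.fill(pw, '\0'); // do not leave the password in memory
    }
}
```

Comparing the two result lines shows whether the directory accepts the principal exactly as it is typed at the WebLogic boot prompt.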

Jason

Aug 7, 2003, 3:39:32 PM

Yikes, we are using SP 2, which it appears is the latest, yet I'm still not getting
AD information... that's not good.

Peter

Aug 12, 2003, 9:37:42 PM

"Jason" <jca...@raytheon.com> wrote in message
news:3f32aaf4$1...@newsgroups.bea.com...

> Yikes, we are using SP 2, which it appears is the latest, yet I'm still not getting
> AD information... that's not good.

I had thought that SP3 was out but I don't see it on the web site. I will
ask a console expert what SP the fix is in.

Peter

Aug 13, 2003, 7:41:00 AM

"Peter" <PeterB> wrote in message news:3f39...@newsgroups.bea.com...

> I had thought that SP3 was out but I don't see it on the web site. I will
> ask a console expert in what
> sp the fix is in.
>
>

The fix is in 7.0 SP3.

Jason

Aug 13, 2003, 5:15:49 PM

Aaaah, that would explain it then. Luckily everything is working other than not
seeing the users/groups in the console, so visibly seeing them there is just a
bonus. Given the way we slowly move to SPs, it may be a while before we can switch
to SP3.

Thanks for all the info!
