Link: Weblogic and Active Directory Authentication

Luke Dewavrin is writing about what it takes to get WebLogic to use Microsoft Active Directory as an Authentication Provider.

He also mentions a couple of issues that people get burned by the first time they use the WLS Security Providers architecture.

Specifically, he talks about the need to set the JAAS control flags to “Sufficient” or “Optional”. Let me reinforce that: the flag needs to be changed before the provider setup is saved. The control flag defaults to “Required”, and with both the Default Authenticator and the new Active Directory provider left at “Required”, every login, including the server's own boot identity (which lives in the embedded LDAP, not in AD), has to succeed against both providers. Otherwise, you most probably will not be able to restart the WLS instance.
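To make the reasoning behind that advice concrete, here is an added example (not code from the original post, from Luke's article, or from WebLogic itself): a small Python model of the standard JAAS control-flag rules, applied to a realm with a Default Authenticator and an Active Directory provider. The provider names, user tables and passwords are constructed for the example; the point is to show which flag combinations still let the boot identity, which exists only in the embedded LDAP, log in.

```python
from enum import Enum


class Flag(Enum):
    """JAAS control flags, as used by WebLogic authentication providers."""
    REQUIRED = "REQUIRED"      # must succeed; evaluation continues down the stack
    REQUISITE = "REQUISITE"    # must succeed; on failure evaluation stops at once
    SUFFICIENT = "SUFFICIENT"  # on success stop (unless a required one already failed)
    OPTIONAL = "OPTIONAL"      # only matters when no required/requisite module exists


class Provider:
    """Stand-in for one WebLogic authentication provider (one JAAS LoginModule).

    The user table is constructed for this example; a real provider would
    consult the embedded LDAP or Active Directory.
    """

    def __init__(self, name, flag, users):
        self.name = name
        self.flag = flag
        self.users = users

    def login(self, user, password):
        return self.users.get(user) == password


def authenticate(stack, user, password):
    """Combine provider results with the standard JAAS control-flag rules.

    Returns (overall_success, trace); trace holds (provider, flag, result)
    for every provider that was actually consulted.
    """
    required_seen = False
    required_failed = False
    other_succeeded = False
    trace = []
    for p in stack:
        ok = p.login(user, password)
        trace.append((p.name, p.flag.value, ok))
        if p.flag in (Flag.REQUIRED, Flag.REQUISITE):
            required_seen = True
            if not ok:
                required_failed = True
                if p.flag is Flag.REQUISITE:
                    break  # REQUISITE failure short-circuits the stack
        elif ok:
            other_succeeded = True
            if p.flag is Flag.SUFFICIENT and not required_failed:
                return True, trace  # SUFFICIENT success ends evaluation early
    if required_seen:
        return not required_failed, trace
    return other_succeeded, trace


# Constructed user tables: the boot identity lives only in the embedded LDAP
# behind the DefaultAuthenticator, while domain users live only in AD.
EMBEDDED_LDAP = {"weblogic": "boot-password"}
ACTIVE_DIRECTORY = {"jsmith": "ad-password"}


def build_realm(default_flag, ad_flag):
    """Realm with the Default Authenticator first and the AD provider second."""
    return [
        Provider("DefaultAuthenticator", default_flag, EMBEDDED_LDAP),
        Provider("ActiveDirectoryAuthenticator", ad_flag, ACTIVE_DIRECTORY),
    ]


def login_ok(default_flag, ad_flag, user, password):
    """True if `user` can log in to a realm configured with the given flags."""
    return authenticate(build_realm(default_flag, ad_flag), user, password)[0]


def boot_would_succeed(default_flag, ad_flag):
    """Can the server's own boot identity still authenticate under these flags?"""
    return login_ok(default_flag, ad_flag, "weblogic", "boot-password")


if __name__ == "__main__":
    combos = [
        (Flag.REQUIRED, Flag.REQUIRED),      # the default, and the trap
        (Flag.REQUIRED, Flag.SUFFICIENT),    # boot works, but AD users are locked out
        (Flag.SUFFICIENT, Flag.SUFFICIENT),  # the setting the article recommends
        (Flag.SUFFICIENT, Flag.OPTIONAL),
    ]
    for d, a in combos:
        print(f"Default={d.value:<10} AD={a.value:<10} "
              f"boot user: {boot_would_succeed(d, a)}  "
              f"AD user: {login_ok(d, a, 'jsmith', 'ad-password')}")
```

Running it shows the trap directly: with both providers at REQUIRED nobody can log in, because no single user exists in both stores, so the server cannot authenticate its boot identity. Leaving only the Default Authenticator at REQUIRED lets the server boot but locks out every AD user, which is the other half of the reason both flags need to be SUFFICIENT (or OPTIONAL) before the realm is saved.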

Fortunately, WLS 8.1 stores this information in config.xml, which can be edited fairly easily. As a history note, WLS 7.0 stored the information in binary form outside of config.xml, and to edit it one would have to follow the recovery export/import procedures.

For myself, I have always found Active Directory hard to troubleshoot, mostly because of the inability to get good logs. As a comparison, iPlanet Directory Server has very detailed and helpful access logs that I have used many times to isolate issues like incorrect configuration, slow authentication and even firewall timeouts. I tried to find an equivalent set of logs for AD, but could not. Maybe they call it something else entirely.

BlogicBlogger Over and Out