
Integrate Oracle GlassFish v3 with Microsoft Active Directory

These instructions need to be performed as the user "webuser" on the DAS server.

WARNING: If you have an existing cluster(s), reboot all the nodes with the full sync option enabled!

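Download the latest spnego-*.jar from http://sourceforge.net/projects/spnego/files/ and place the jar in "/opt/glassfish3/glassfish/domains/domain1/lib". Jars in this directory are available to every application in the domain, so check the downloaded file's checksum against the one shown on the download page before copying it there.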

Add the following lines to "/opt/glassfish3/glassfish/domains/domain1/config/login.conf":
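// JAAS entry referenced by the "spnego.login.client.module" filter parameter.
spnego-client {
    com.sun.security.auth.module.Krb5LoginModule required;
};

// JAAS entry referenced by the "spnego.login.server.module" filter parameter.
// The entry name must be exactly "spnego-server" to match that parameter's value.
// storeKey=true keeps the Kerberos key in the Subject so the server can accept
// security contexts; isInitiator=false makes this entry acceptor-only.
spnego-server {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    isInitiator=false;
};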

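Add the following lines to "/opt/glassfish3/glassfish/domains/domain1/config/default-web.xml", and don't forget to fill in "preauth.username" and "preauth.password" with the credentials of the Active Directory (AD) lookup user. The password is stored in this file in clear text, so use a dedicated, low-privilege AD account for it and keep the file readable only by "webuser".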
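<!-- SPNEGO (Kerberos) single sign-on filter. The spnego.* parameter names are
     those of the net.sourceforge.spnego library placed in the domain's lib directory. -->
<filter>
    <filter-name>SpnegoHttpFilter</filter-name>
    <filter-class>net.sourceforge.spnego.SpnegoHttpFilter</filter-class>

    <!-- Offer HTTP Basic as a fallback for clients that cannot negotiate Kerberos. -->
    <init-param>
        <param-name>spnego.allow.basic</param-name>
        <param-value>true</param-value>
    </init-param>

    <!-- Requests the filter considers local skip the Kerberos exchange.
         NOTE(review): if a reverse proxy runs on the same host, proxied requests
         may also look local; confirm against the library version in use and
         set this to false in that case. -->
    <init-param>
        <param-name>spnego.allow.localhost</param-name>
        <param-value>true</param-value>
    </init-param>

    <!-- false: the Basic fallback is only accepted over HTTPS. With true, the
         AD user name and password of a fallback login would cross the network
         base64-encoded (effectively clear text) on plain HTTP connections.
         Kerberos/SPNEGO negotiation itself is not affected by this setting. -->
    <init-param>
        <param-name>spnego.allow.unsecure.basic</param-name>
        <param-value>false</param-value>
    </init-param>

    <!-- Name of the client entry in login.conf. -->
    <init-param>
        <param-name>spnego.login.client.module</param-name>
        <param-value>spnego-client</param-value>
    </init-param>

    <!-- Kerberos and JAAS configuration files created in the domain's config directory. -->
    <init-param>
        <param-name>spnego.krb5.conf</param-name>
        <param-value>krb5.conf</param-value>
    </init-param>

    <init-param>
        <param-name>spnego.login.conf</param-name>
        <param-value>login.conf</param-value>
    </init-param>

    <!-- Credentials of the AD lookup user; replace both placeholders.
         The password is stored here in clear text: use a dedicated account with
         no privileges beyond what the filter needs, and keep this file readable
         only by the GlassFish OS user. A keytab configured in login.conf
         (Krb5LoginModule useKeyTab/keyTab/principal) avoids storing the password,
         if the library version in use supports it. -->
    <init-param>
        <param-name>spnego.preauth.username</param-name>
        <param-value>${preauth.username}</param-value>
    </init-param>

    <init-param>
        <param-name>spnego.preauth.password</param-name>
        <param-value>${preauth.password}</param-value>
    </init-param>

    <!-- Name of the server entry in login.conf. -->
    <init-param>
        <param-name>spnego.login.server.module</param-name>
        <param-value>spnego-server</param-value>
    </init-param>

    <!-- Clients that answer with an NTLM token are sent to the Basic prompt,
         which the setting above restricts to HTTPS. -->
    <init-param>
        <param-name>spnego.prompt.ntlm</param-name>
        <param-value>true</param-value>
    </init-param>

    <!-- NOTE(review): per the library documentation, 1 is the most verbose level
         and 7 logs severe errors only; verify for the version in use. -->
    <init-param>
        <param-name>spnego.logger.level</param-name>
        <param-value>7</param-value>
    </init-param>
</filter>

<!-- default-web.xml supplies defaults for every web application in the domain,
     so this mapping puts all requests to all of them behind the filter. -->
<filter-mapping>
    <filter-name>SpnegoHttpFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>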

Create a file "/opt/glassfish3/glassfish/domains/domain1/config/krb5.conf" and add the lines below:
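# Kerberos client settings; the SPNEGO filter reads this file through its
# "spnego.krb5.conf" parameter. Replace EXAMPLE.ORG / example.org with the
# Active Directory realm and a domain controller of your environment.
# Comments are kept on their own lines; a trailing comment would become part of the value.
[libdefaults]
# The single-DES types (des-cbc-md5, des-cbc-crc) are left out on purpose:
# single DES is cryptographically broken and should not be negotiated.
# rc4-hmac is a legacy type kept only for AD accounts that have no AES keys;
# remove it from all three lists once every account involved supports AES.
    default_tkt_enctypes = aes128-cts rc4-hmac des3-cbc-sha1
    default_tgs_enctypes = aes128-cts rc4-hmac des3-cbc-sha1
    permitted_enctypes = aes128-cts rc4-hmac des3-cbc-sha1

[realms]
    EXAMPLE.ORG = {
        kdc = example.org
        default_domain = EXAMPLE.ORG
    }

[domain_realm]
    .EXAMPLE.ORG = EXAMPLE.ORG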

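Create a file named "/opt/glassfish3/glassfish/domains/domain1/config/config-files" with the following content. GlassFish uses this list to decide which files in the config directory are synchronized from the DAS to the cluster instances; the last two entries add the login.conf and krb5.conf files created above. Note that default-web.xml, which now holds the pre-authentication password, is on the list as well and is therefore copied to every node: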
admin-keyfile
cacerts.jks
default-web.xml
domain-passwords
domain.xml
keyfile
keystore.jks
server.policy
sun-acc.xml
wss-server-config-1.0.xml
wss-server-config-2.0.xml
login.conf
krb5.conf