Former Member

Windows AD SSO Config, with Weblogic 9, BO XI R3

Hi,

I have done the BO XI R3 Windows AD and SSO configuration with WebLogic 9. I have granted the "Trust this user for Delegation" right to the service accounts. The client is concerned about these rights being given to this (service account) user for security reasons. I know that, as per the documentation, this right should be given to the service accounts. Has anybody tried SSO without giving "Delegation" rights to the service account? Does it work?

I believe that for authenticating with Windows AD (without SSO), the service account does not require the "Delegation" right. (Tim, expecting a response from you.)

Thanks in Advance


2 Answers

  • Best Answer
    Posted on Dec 22, 2008 at 07:33 PM

    Manual logon with AD will work without delegation; SSO will not. We need to delegate credentials from the client browser to the CMS; there is no way around this. Since you are using WebLogic, you must be using Java SSO (Vintela)? Right now there is a bug with Vintela that prevents us from using constrained delegation; this works on our .NET Kerberos but not Vintela. At one point we had planned to address it in SP2, but I'm not sure anymore. Currently there is a note on our support site specifying that this is not supported.

    Now I know Microsoft makes a big deal about constrained delegation, but we have probably over 1000 customers using Vintela and I have never heard of one security violation, and the demand for constrained delegation (a yet even more complicated way of implementing Kerberos) is non-existent right now. This is about the third time I've been asked in two years.

    To exploit this you would need a Java programmer inside your internal network with the user/pw of the service account. Make sure the pw is encrypted via keytab and you should be fine. If that's not OK with your AD admins, then you may need to consider reverting back to manual auth instead and removing delegation.

    Regards,

    Tim


  • Former Member
    Posted on Dec 23, 2008 at 04:37 AM

    Thank you very much for the info, Tim; yes, we are using Vintela.


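As an added example (not code from this thread, from BusinessObjects or from Vintela), the PowerShell inventory below shows the AD admins exactly which delegation mode each service account holds, the unconstrained "Trust this user for delegation" setting discussed above versus constrained delegation or none. It assumes the RSAT ActiveDirectory module and read access to the domain; the function name Get-DelegationMode and the report layout are my own choices.

```powershell
# Added example: inventory Kerberos delegation on AD service accounts (accounts holding an SPN).
# Assumes the RSAT ActiveDirectory module is installed; function and variable names are illustrative.
Import-Module ActiveDirectory

# Documented userAccountControl bit values
$UF_TRUSTED_FOR_DELEGATION         = 0x80000    # "Trust this user for delegation to any service" (unconstrained)
$UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol" (protocol transition)

function Get-DelegationMode {
    # Classify one account's delegation configuration from its attributes.
    param([int]$UserAccountControl, [string[]]$AllowedToDelegateTo)

    if ($UserAccountControl -band $UF_TRUSTED_FOR_DELEGATION) {
        # Any ticket a client presents to this service can be reused toward any other service.
        return 'Unconstrained'
    }
    if ($AllowedToDelegateTo -and $AllowedToDelegateTo.Count -gt 0) {
        # Delegation is limited to the SPNs listed in msDS-AllowedToDelegateTo.
        if ($UserAccountControl -band $UF_TRUSTED_TO_AUTH_FOR_DELEGATION) {
            return 'Constrained (protocol transition)'
        }
        return 'Constrained (Kerberos only)'
    }
    return 'None'
}

# Every account with at least one SPN is a candidate service account.
$serviceAccounts = Get-ADUser -LDAPFilter '(servicePrincipalName=*)' `
    -Properties userAccountControl, 'msDS-AllowedToDelegateTo', servicePrincipalName

$report = foreach ($acct in $serviceAccounts) {
    $mode = Get-DelegationMode -UserAccountControl $acct.userAccountControl `
                               -AllowedToDelegateTo $acct.'msDS-AllowedToDelegateTo'
    [pscustomobject]@{
        SamAccountName = $acct.SamAccountName
        DelegationMode = $mode
        # Unconstrained is the setting the question describes; it is the one to review with the AD team.
        ReviewNeeded   = ($mode -eq 'Unconstrained')
        SPNs           = ($acct.servicePrincipalName -join '; ')
        Targets        = ($acct.'msDS-AllowedToDelegateTo' -join '; ')
    }
}

$report | Sort-Object ReviewNeeded -Descending | Format-Table -AutoSize
```

Accounts reported as Unconstrained are the ones whose keytab protection and host hardening deserve the scrutiny Tim describes; a SSO service account that shows None will fall back to the manual-logon behaviour he mentions.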