OM
Apr 08, 2016

SSO Kerberos WebLogic 10.3 failing with SPNEGO and kerb5

Hello, we are experiencing an SSO issue with Kerberos delegation. We have tested in vCMP version 11.4.1 and version 12.0. The user authenticates on the APM logon page using AD credentials, then APM processes a Kerberos TGT request and SSO mapping.

 

Apr 8 10:08:48 slot1/xxxx debug websso.1[16815]: 014d0001:7: Getting UCC:myuser@LOCALDOMAIN.LOCAL@LOCALDOMAIN.LOCAL, lifetime:600
Apr 8 10:08:48 slot1/xxxx debug websso.1[16815]: 014d0001:7: Found UCC:myuser@LOCALDOMAIN.LOCAL@LOCALDOMAIN.LOCAL, lifetime:600 left:99
Apr 8 10:08:48 slot1/xxxx debug websso.1[16815]: 014d0001:7: UCCmap.size = 1, UCClist.size = 1
Apr 8 10:08:48 slot1/xxxx debug websso.1[16815]: 014d0001:7: S4U ======> - we have cached S4U2Proxy ticket for user: myuser@LOCALDOMAIN.LOCAL server: HTTP/myservername.localdomain.local@@LOCALDOMAIN.LOCAL
Apr 8 10:08:48 slot1/xxxx debug websso.1[16815]: 014d0001:7: S4U ======> OK!
Apr 8 10:08:48 slot1/xxxx debug websso.1[16815]: 014d0001:7: GSSAPI: Server: HTTP/myservername.localdomain.local@LOCALDOMAIN.LOCAL, User: myuser@LOCALDOMAIN.LOCAL

 

In the logs, everything seems OK, but when capturing the traffic, we can see that the 401 mode does not submit the Kerberos ticket after getting the first UNAUTHORIZED Negotiate response from the server.

 

When we set the authorization mode to ALWAYS in Kerberos SSO, the ticket is submitted to the server, but the server always returns the 401 UNAUTHORIZED, then the basic authentication pops up.

 

We are experiencing this issue with WebLogic 10.3 as the backend web server.

 

Any hint?

 

Thank you.
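
A triage helper for the kind of capture described in the post, as an added example that is not part of the original post and not F5 or Oracle code: it reports whether a Negotiate token followed the 401 challenge, what kind of token was sent, and whether the backend also offered Basic. The message dictionaries, the finding names and the sample exchanges are assumptions constructed for illustration.

```python
import base64

SPNEGO_OID = bytes.fromhex("06062b0601050502")        # DER of OID 1.3.6.1.5.5.2

def token_kind(b64):
    """Classify the token from an 'Authorization: Negotiate <b64>' header."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:                      # binascii.Error is a ValueError
        return "invalid"
    if raw.startswith(b"NTLMSSP\x00"):      # NTLM sent under the Negotiate scheme
        return "ntlm"
    if raw[:1] == b"\x60" and SPNEGO_OID in raw[:24]:
        return "spnego"                     # GSS-API token wrapping SPNEGO
    return "unknown"

def header_values(msg, name):
    """Whitespace-split values of every `name` header in one message."""
    return [v.split() for k, v in msg["headers"] if k.lower() == name and v.strip()]

def triage(messages):
    """Findings for one backend connection, messages in capture order."""
    findings, challenged, sent = [], False, False
    for m in messages:
        if m["kind"] == "request":
            tokens = [p[1] for p in header_values(m, "authorization")
                      if len(p) == 2 and p[0].lower() == "negotiate"]
            sent = bool(tokens)
            if challenged and not sent:     # symptom reported for 401 mode
                findings.append("no_token_after_challenge")
            findings += ["token_is_" + token_kind(t) for t in tokens]
        elif m["status"] == 401:
            offered = [p[0].lower() for p in header_values(m, "www-authenticate")]
            challenged = "negotiate" in offered
            if sent:                        # symptom reported for ALWAYS mode
                findings.append("token_rejected")
            if "basic" in offered:
                findings.append("basic_fallback_offered")
    return findings

# Constructed samples (not from the post); STUB is a header stub, not a real ticket.
STUB = base64.b64encode(bytes.fromhex("601e") + SPNEGO_OID + bytes(22)).decode()
CHALLENGE = {"kind": "response", "status": 401, "headers": [("WWW-Authenticate", "Negotiate")]}
PLAIN_GET = {"kind": "request", "headers": [("Host", "myservername.localdomain.local")]}
MODE_401 = [PLAIN_GET, CHALLENGE, PLAIN_GET]
BASIC_TOO = {"kind": "response", "status": 401, "headers":
             CHALLENGE["headers"] + [("WWW-Authenticate", 'Basic realm="example"')]}
MODE_ALWAYS = [{"kind": "request", "headers": [("Authorization", "Negotiate " + STUB)]}, BASIC_TOO]
```

`triage(MODE_401)` and `triage(MODE_ALWAYS)` reproduce the two symptoms from the post as findings; a `token_is_ntlm` or `token_is_unknown` result on a real capture would show that the header carried something other than a SPNEGO token.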

 
