Administering the WebLogic Windows NT security realm
- Setting up and configuring NTRealm
- Testing NTRealm
- Troubleshooting NTRealm
- Change history
This document describes how to set up and configure the WebLogic
Windows NT security realm (NTRealm) for your WebLogic Server. NTRealm
is an alternative authenticating realm for WebLogic Server.
After you install NTRealm, WebLogic Server queries a Windows NT domain
controller for information on users and groups instead of reading the
weblogic.password and weblogic.security.group properties in the
weblogic.properties file. Access control lists (ACLs) are still defined
in the weblogic.properties file.
Using NTRealm, you can manage Windows and WebLogic Server users in one
place. You do not have to edit the weblogic.properties file whenever a
user joins or leaves, and you do not have to restart WebLogic Server
whenever you change a user or a group membership (ACL changes still
require a restart; see below).
NTRealm provides authentication (users and groups) but not
authorization (ACLs). ACLs are defined in the weblogic.properties file
with properties whose names begin with 'weblogic.allow'.
WebLogic Server accesses NTRealm through CachingRealm, a realm that
hosts alternative realms such as NTRealm. CachingRealm also caches
information it looks up to improve performance. The cache is disabled
by default. See Administering the WebLogic
caching realm for information on enabling and tuning the cache.
CachingRealm uses the default realm, WLPropertyRealm, for ACLs and as
a backup for users not found in NTRealm. Users you define in the
weblogic.properties file remain valid unless overridden in the Windows
NT domain. CachingRealm always queries NTRealm first, so a user defined
in NTRealm overrides a user with the same name in the properties file.
The "system" user must be declared in the properties file to
allow WebLogic Server to start. The "system" user may also be
declared in the Windows NT domain. If it is, clients must supply the
Windows NT "system" user password to authenticate successfully. Keep
in mind that this means whoever can create or change a domain account
named "system" controls the password of the WebLogic administrative
user, because the domain account takes precedence over the one in the
properties file.
NTRealm requires that you run the WebLogic Server as a Windows
administrative user who can read security-related data from the
Windows NT Domain Controller.
To use NTRealm, you must run WebLogic Server as a Windows NT service
on a computer in the Windows NT domain. You do not have to run it on
a domain controller. If you run WebLogic Server from the command line,
NTRealm authentication will not succeed. See Using WebLogic Server as an NT 4.0 service for
instructions on running WebLogic Server as a Windows NT service.
Because WebLogic Server reads ACLs from the weblogic.properties file at
startup, you must restart WebLogic Server after you change an ACL. If
you use groups in your ACLs, however, you can avoid restarting as
often: changing Windows NT group membership lets you manage
individual users' access to WebLogic Server resources dynamically.
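The lookup order described above (NTRealm first, WLPropertyRealm as the backup and the only source of ACLs, every user an implicit member of "everyone", and group-based ACLs that follow Windows NT group changes without a restart) is easy to get wrong when reasoning about who can reach what. The following Python model is an added illustration, not WebLogic code: it simulates CachingRealm's decision procedure over a constructed sample domain and a constructed weblogic.properties excerpt. The property-key shapes weblogic.password.<user>, weblogic.security.group.<group> and weblogic.allow.<permission>.<resource>, as well as all user names, passwords and group names, are assumptions made for the example.

```python
"""Model of CachingRealm resolution with NTRealm installed (added example,
not WebLogic code). Property-key layouts and all sample data are assumed."""

# Constructed sample of what NTRealm would read from the NT domain controller.
NT_DOMAIN_USERS = {
    "alice": "nt-pw-alice",
    "bob": "nt-pw-bob",
    "system": "nt-pw-system",  # same name as the WebLogic "system" user
}
NT_DOMAIN_GROUPS = {"developers": {"alice"}, "contractors": {"bob"}}

# Constructed weblogic.properties excerpt; WLPropertyRealm still reads it.
WEBLOGIC_PROPERTIES = """
# users and groups (assumed key layout)
weblogic.password.system=props-pw-system
weblogic.password.alice=props-pw-alice
weblogic.password.carol=props-pw-carol
weblogic.security.group.operators=carol
# ACLs: weblogic.allow.<permission>.<resource>=<users and groups>
weblogic.allow.execute.weblogic.servlet.helloWorld=carol,developers
weblogic.allow.execute.weblogic.servlet.AdminRealm=system
"""


def parse_properties(text):
    """Minimal key=value parser; '#' lines and blanks are ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def split_list(value):
    return {p.strip() for p in value.split(",") if p.strip()}


class CachingRealmModel:
    PW, GROUP, ALLOW = "weblogic.password.", "weblogic.security.group.", "weblogic.allow."

    def __init__(self, props, nt_users, nt_groups):
        self.prop_users = {k[len(self.PW):]: v for k, v in props.items() if k.startswith(self.PW)}
        self.prop_groups = {k[len(self.GROUP):]: split_list(v)
                            for k, v in props.items() if k.startswith(self.GROUP)}
        # ACLs come only from the properties file: (permission, resource) -> principals
        self.acls = {}
        for k, v in props.items():
            if k.startswith(self.ALLOW):
                perm, _, resource = k[len(self.ALLOW):].partition(".")
                self.acls[(perm, resource)] = split_list(v)
        self.nt_users = nt_users
        self.nt_groups = {g: set(m) for g, m in nt_groups.items()}

    def system_user_declared(self):
        """Server start requires 'system' in the properties file."""
        return "system" in self.prop_users

    def authenticate(self, name, password):
        """Return the realm that authenticated the user, or None.
        NTRealm is asked first, so a domain account shadows a same-named
        properties-file user (including 'system')."""
        if name in self.nt_users:
            return "NTRealm" if self.nt_users[name] == password else None
        if name in self.prop_users:
            return "WLPropertyRealm" if self.prop_users[name] == password else None
        return None

    def groups_of(self, name):
        groups = {g for g, m in self.nt_groups.items() if name in m}
        groups |= {g for g, m in self.prop_groups.items() if name in m}
        groups.add("everyone")  # every authenticated user is implicitly a member
        return groups

    def is_authorized(self, name, permission, resource):
        principals = self.acls.get((permission, resource), set())
        return name in principals or bool(self.groups_of(name) & principals)

    def nt_group_add(self, group, user):
        """Simulates an administrator editing NT group membership: takes
        effect on the next lookup, with no server restart."""
        self.nt_groups.setdefault(group, set()).add(user)


def build_model():
    return CachingRealmModel(parse_properties(WEBLOGIC_PROPERTIES), NT_DOMAIN_USERS, NT_DOMAIN_GROUPS)


if __name__ == "__main__":
    m = build_model()
    print("alice/NT password   ->", m.authenticate("alice", "nt-pw-alice"))
    print("alice/props password->", m.authenticate("alice", "props-pw-alice"))
    print("bob may run helloWorld:", m.is_authorized("bob", "execute", "weblogic.servlet.helloWorld"))
    m.nt_group_add("developers", "bob")
    print("after NT group change :", m.is_authorized("bob", "execute", "weblogic.servlet.helloWorld"))
```

The model makes the two practical points concrete: a password that is valid in weblogic.properties stops working as soon as an account of the same name exists in the domain, and a user can be granted or denied a servlet by editing a Windows NT group rather than the ACL, which is why group-based ACLs need fewer restarts.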
Setting up the WebLogic Windows NT realm
- Edit the ntrealm.properties file, which you can find in the classes/weblogic/security/ntrealm directory.
The ntrealm.properties file
contains a single property that specifies the Windows NT Primary
Domain Controller. The Primary Domain Controller is the computer
where users and groups are defined for the domain. Here is an example
that defines computer "hudson" in domain "domainj.com" as the Primary
You can set the property to "." if the local computer (where the
WebLogic Server executes) is the Primary Domain Controller.
You can save the edited file in the WebLogic home directory (the
directory where you start the server). NTRealm first looks for the
file in the WebLogic home directory, and, if it is not found there, in
the classes/weblogic/security/ntrealm directory.
- Add the following property to your weblogic.properties
Set up caching for the NTRealm. See Administering the
WebLogic caching realm for help.
To access user and group information, WebLogic Server must be able to
make system calls on the Windows NT computer where it is running. This
requires the "Act as part of the operating system" user right for the
account that runs the server. That right is a powerful one, so grant
it only to the dedicated account under which the service runs. To
grant it:
- Log into Windows NT with an Administrator account.
- Start User Manager, which is in the Administrative Tools program group.
- Select the user that will run the WebLogic Server.
- Choose User Rights from the Policies menu.
- Check the Show Advanced User Rights checkbox.
- Select Act as part of the
operating system from the Rights list.
- Click the Add button and enter the name of the user under
whose account the WebLogic Server will execute.
- Make sure that your PATH environment variable includes the weblogic\bin directory. The
WebLogic Server loads Wlntrealm.dll from this directory.
- Start WebLogic Server.
Testing NTRealm
After you have started WebLogic Server with NTRealm
installed, you can perform the following checks to test that it
is working properly.
- Load the AdminRealm servlet in a browser. This servlet displays
information about the realm the WebLogic Server is using, and it
lists all known users, groups, and ACLs. Load the servlet using a URL
The default weblogic.properties file has an ACL that restricts the
AdminRealm servlet to the "system" user.
- Display the realm in the WebLogic Console. The Console displays
all the users and ACLs known in the realm.
- Add an ACL to your weblogic.properties file for the helloWorld example
servlet. First find the weblogic.httpd.register property for the helloWorld
servlet and make sure that it is uncommented. Add the following
Replace username with the name of a user in your Windows
NT domain. Replace groupname with the name of a group in your
Windows NT domain -- but select a group that does not include
Restart the WebLogic Server and then load the helloWorld servlet with a URL like this:
Try entering the name and password of a Windows NT user who is not
included in the ACL you added for the servlet. You should get a
message telling you that you are not authorized.
Try entering the name and password of a Windows NT user whom you did
include in the ACL, either as an individual or as a member of the
group. The servlet should load and display the "Hello World" message.
Troubleshooting NTRealm
- Diagnosing an NTRealm startup failure
- The most common configuration problem with NTRealm has to do with
Windows NT policies and the user whose account runs WebLogic Server.
The user account that runs WebLogic Server requires special
permissions to access the Windows NT domain. The steps
for granting this permission are in the configuration instructions.
Add the weblogic.security.realm.debug=true property to the
Then watch the log for messages. The messages may help you
determine the cause of the failure.
Change history
- Release 5.0, Beta 1
WebLogic Server alternative realms, including the Windows NT realm,
have been reorganized for this release.
- The new CachingRealm hosts all alternative realms, including NTRealm. See
Administering the WebLogic Caching Realm for
help using this realm.
- It is no longer necessary to duplicate the "guest" user and "system" user in your
Windows NT domain.
- Also, you no longer have to create the "everyone" group in Windows
NT. All users automatically belong to the "everyone"
group. Note: the WebLogic Console and the AdminRealm servlet
display an "everyone" group containing all users except those
from the Windows NT domain. For greater performance, NTRealm does not
retrieve users from the Windows NT domain to create the "everyone"
- The weblogic.security.ntrealm.NTDelegate class no longer
has a main() that tests
connectivity to your domain controller.
- You must still run WebLogic Server on a Windows NT domain controller. This restriction should be removed in the next beta release.
- Release 4.5
- Initial release.