BEA Logo BEA WebLogic Server Release 5.0

  Corporate Info  |  News  |  Solutions  |  Products  |  Partners  |  Services  |  Events  |  Download  |  How To Buy

Administering the WebLogic Windows NT security realm

Setting up and configuring NTRealm
Testing NTRealm
Troubleshooting NTRealm
Change history

This document describes how to set up and configure the WebLogic Windows NT security realm (NTRealm) for your WebLogic Server. NTRealm is an alternative authenticating realm for WebLogic Server. After installing NTRealm, WebLogic Server queries a Windows NT domain controller for information on users and groups instead of weblogic.password and properties in the file. Access control lists (ACLs) are still defined in the file.


Using NTRealm, you can manage Windows and WebLogic Server users in one place. You do not have to edit the file whenever a user joins or leaves and you do not have to restart WebLogic Server whenever you make a change.

NTRealm realm provides authentication (users and groups), but not authorization (ACLs). ACLs are defined in the file with properties that begin with 'weblogic.allow'.

WebLogic Server accesses NTRealm through CachingRealm, a realm that hosts alternative realms such as NTRealm. CachingRealm also caches information it looks up to improve performance. The cache is disabled by default. See Administering the WebLogic caching realm for information on enabling and tuning the cache.

CachingRealm uses the default realm, WLPropertyRealm, for ACLs and as a backup for users not found in NTRealm. Users you define in the file are valid unless overridden in the Windows NT domain. CachingRealm always queries NTRealm first, so a user defined in NTRealm overrides a user with the same name in the properties file.

The "system" user must be declared in the properties file to allow WebLogic Server to start. The "system" user may also be declared in the Windows NT domain. If it is, clients must supply the Windows NT "system" user password to authenticate successfully.

NTRealm requires that you run the WebLogic Server as a Windows administrative user who can read security-related data from the Windows NT Domain Controller.

To use NTRealm, you must run WebLogic Server as a Windows NT service on a computer in the Windows NT domain. You do not have to run it on a domain controller. If you run WebLogic Server from the command line, NTRealm authentication will not succeed. See Using WebLogic Server as an NT 4.0 service for instructions on running WebLogic Server as a Windows NT service.

Since the WebLogic Server reads ACLs from the file at startup time, you must restart the WebLogic Server after you change an ACL. If you use groups with your ACLs, however, you can avoid having to restart as often. Changing Windows NT group membership allows you to manage individual users' access to WebLogic Server resources dynamically.

Setting up the WebLogic Windows NT realm

  1. Edit the file, which you can find in the classes/weblogic/security/ntrealm directory. The file contains a single property that specifies the Windows NT Primary Domain Controller. The Primary Domain Controller is the computer where users and groups are defined for the domain. Here is an example that defines computer "hudson" in domain "" as the Primary Domain Controller:

    You can set the property to "." if the local computer (where the WebLogic Server executes) is the Primary Domain Controller.

    You can save the edited file in the WebLogic home directory (the directory where you start the server). NTRealm first looks for the file in the WebLogic home directory, and, if it is not found there, in the classes/weblogic/security/ntrealm directory.

  2. Add the following property to your file:\

  3. Set up caching for the NTRealm. See Administring the WebLogic caching realm for help.

  4. To access user and group information, the WebLogic Server must be able to make system calls on the Windows NT computer where the WebLogic Server is running. To verify that this is true:

    1. Log into Windows NT with an Administrator account.
    2. Start User Manager, which is in the Administrative Tools program group.
    3. Select the user that will run the WebLogic Server.
    4. Choose User Rights from the Policies menu.
    5. Check the Show Advanced User Rights checkbox.
    6. Select Act as part of the operating system from the Rights list.
    7. Click the Add button and enter the name of the user under whose account the WebLogic Server will execute.

  5. Make sure that your PATH environment variable includes the weblogic\bin directory. The WebLogic Server loads Wlntrealm.dll from this directory.

  6. Start WebLogic Server.

Testing NTRealm

After you have started WebLogic Server with NTRealm installed, you can perform the following checks to test that it is working properly.

  1. Load the AdminRealm servlet in a browser. This servlet displays information about the realm the WebLogic Server is using, and it lists all known users, groups, and ACLs. Load the servlet using a URL like this:

    The default file has an ACL that restricts the AdminRealm servlet to the "system" user.

  2. Display the realm in the WebLogic Console. The Console displays all the users and ACLs known in the realm.

  3. Add an ACL to your file for the helloWorld example servlet. First find the weblogic.httpd.register property for the helloWorld servlet and make sure that it is uncommented. Add the following property:

    Replace username with the name of a user in your Windows NT domain. Replace groupname with the name of a group in your Windows NT domain -- but select a group that does not include username.

    Restart the WebLogic Server and then load the helloWorld servlet with a URL like this:


    Try entering the name and password for a Windows NT user who is not included in the ACL you added for the servlet. You should get a message telling you that you are not authorized.

    Try entering the name and password of a Windows NT user who you did include in the ACL, either as an individual or a member of the group. The servlet should load and display the "Hello World" message.

Troubleshooting NTRealm

Diagnosing an NTRealm startup failure

  1. The most common configuration problem with NTRealm has to do with Windows NT policies and the user whose account runs WebLogic Server. The user account that runs WebLogic Server requires special permissions to access the Windows NT domain. The steps for granting this permission are in the configuration instructions.

  2. Add the property to the file. Then watch the log for messages. The messages may help you determine the cause of the failure.

Change history

Release 5.0, Beta 1

WebLogic Server alternative realms, including the Windows NT realm, have been reorganized for this release.

  1. The new CachingRealm hosts all alternative realms, including NTRealm. See Administering the WebLogic Caching Realm for help using this realm.

  2. It is no longer necessary to duplicate the "guest" user and "system" user in your Windows NT domain.

  3. Also, you no longer have to create the "everyone" group in Windows NT. All users automatically belong to the "everyone" group. Note: the WebLogic Console and the AdminRealm servlet display an "everyone" group containing all users except those from the Windows NT domain. For greater performance, NTRealm does not retrieve users from the Windows NT domain to create the "everyone" group.

  4. The class no longer has a main() that tests connectivity to your domain controller.

  5. You must still run WebLogic Server on a Windows NT domain controller. This restriction should be removed in the next beta release.

Release 4.5

Initial release.


Copyright © 2000 BEA Systems, Inc. All rights reserved.
Required browser: Netscape 4.0 or higher, or Microsoft Internet Explorer 4.0 or higher.
Last updated 11/29/1999