Using Windows Native Authentication

To log in to the Oracle SES application on the Windows platform, you can implement user authentication either at the Oracle SES application layer, where users log in through the Oracle SES login page, or at the Windows operating system layer.

If you enable authentication at the Windows OS layer, then after you log in to a computer with your Windows user credentials you can access the Oracle SES application as a logged-in user without providing any further credentials. This is a Single Sign-On (SSO) mechanism: the Oracle SES identity plug-in must be integrated with the Active Directory that manages Windows user authentication, and the browser proves the user's identity to Oracle SES with a Kerberos ticket issued by that Active Directory instead of a password. (Kerberos is an authentication protocol rather than an encryption mechanism; the DES setting in the steps below only selects the cipher that protects the tickets issued for the Oracle SES service account.)

Activating Windows Native Authentication

To activate Windows authentication, you must perform the following steps:

Configuring the Active Directory

Active Directory runs on your Windows Server domain controller. As a first step, configure it as follows.

To configure the Active Directory: 

  1. In the Active Directory server, create a user account called seswna for the Oracle SES instance:

    1. Select New, and then User.

    2. Specify a password for the user. Do not select the User must change password at next logon option.

  2. Configure the new user account with the Kerberos settings that Oracle SES expects: the account's encryption type must be DES, and Kerberos pre-authentication must remain required (leave the Do not require Kerberos preauthentication option cleared). Note that single DES is a weak cipher and that Windows 7, Windows Server 2008 R2 and later releases disable the DES encryption types by default; if your domain does not allow DES, the keytab produced below cannot be used until DES is re-enabled for the account or the domain, which lowers the security of the whole domain. Check the Oracle SES documentation for your release for a supported stronger encryption type before relaxing the domain policy. To set the encryption type:

    1. Right-click the user name and select Properties.

    2. Click the Account tab and select Use DES encryption types for this account.

    3. Reset the user password. Right-click the user name, select Reset Password, and reenter the same password that you set earlier. (This step is needed because Active Directory derives the account's Kerberos keys from the password at the time the password is set; changing the encryption type afterwards leaves the account without a DES key until the password is set again.)

  3. Create the Service Principal Name (SPN) for the user account by using the setspn utility. Enter the following command:

    setspn -a HTTP/<ses-host-name> seswna
    

    where <ses-host-name> is the fully qualified host name by which browsers reach Oracle SES, such as sesmachine.us.oracle.com. An SPN must be registered to exactly one account in the forest: a duplicate SPN breaks Kerberos authentication for both accounts. On Windows Server 2008 and later you can use setspn -s instead of -a, which refuses to add an SPN that is already registered elsewhere.

  4. Map the service principal to the user account and generate its keytab by using the ktpass utility. Enter the following command on one line:

    ktpass -princ HTTP/<ses-host-name>@<AD-DOMAIN-NAME> -pass <mapuser_password> -mapuser seswna -out c:\temp\seswna.HTTP.keytab -crypto DES-CBC-CRC
    
    where <AD-DOMAIN-NAME> is the Kerberos realm of the Active Directory domain written in upper case (for example, US.ORACLE.COM), because Kerberos realm names are case-sensitive, and <mapuser_password> is the password set for seswna (the key written to the keytab is derived from it, so the two must match).

  5. Copy the keytab file seswna.HTTP.keytab to the ORACLE_HOME/search/base_domain/servers/AdminServer/ folder on the Oracle SES instance. The keytab holds the service account's long-term Kerberos key: anyone who can read it can impersonate the Oracle SES service to every user, so restrict the file's permissions to the account that runs the Oracle SES middle tier, and delete the copy left in c:\temp once it has been transferred.
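Before restarting anything on the Oracle SES side it is worth confirming what the keytab actually contains. The following Python script is an added check written for this page (it is not part of Oracle SES or of Oracle's documentation): it parses a keytab in the format ktpass writes (file version 0x0502), reports the principal, key version and encryption type of each entry, and flags a missing HTTP/<ses-host-name> principal, a lower-case realm, or single-DES keys. It builds a small sample keytab in memory so that it runs offline; the realm US.ORACLE.COM and the key bytes are invented for the example, and the host name is the one the page uses. To check the real file, pass the bytes of the copied seswna.HTTP.keytab to check_keytab with your SPN and realm.

```python
"""Inspect a Kerberos keytab in the format ktpass writes (version 0x0502).
Example code written for this page, not Oracle SES code."""
import struct

ENCTYPE_NAMES = {                     # RFC 3961 / MIT enctype numbers
    1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
}
DES_ENCTYPES = {1, 3}                 # single DES, what -crypto DES-CBC-CRC yields


def _counted_string(data, pos):
    """Keytab counted octet string: big-endian uint16 length, then the bytes."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n


def parse_keytab(data):
    """Return one dict per live entry: principal, realm, enctype, kvno, key."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab (magic %r)" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                  # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted_string(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted_string(data, pos)
            comps.append(comp)
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, keylen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13
        key, pos = data[pos:pos + keylen], pos + keylen
        kvno = vno8
        if end - pos >= 4:            # optional 32-bit kvno, used when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "realm": realm,
                        "enctype": enctype, "kvno": kvno, "key": key})
    return entries


def check_keytab(data, spn, realm):
    """Return findings for the keytab; an empty list means it looks right."""
    entries, findings = parse_keytab(data), []
    wanted = spn + "@" + realm
    if not any(e["principal"] == wanted for e in entries):
        findings.append("missing principal %s; found %s"
                        % (wanted, sorted({e["principal"] for e in entries})))
    for e in entries:
        name = ENCTYPE_NAMES.get(e["enctype"], "enctype %d" % e["enctype"])
        if e["enctype"] in DES_ENCTYPES:
            findings.append("%s uses single DES (%s); Windows 7 / Server 2008 R2 "
                            "and later disable DES by default" % (e["principal"], name))
        if e["realm"] != e["realm"].upper():
            findings.append("realm %r is not upper-case; Kerberos realm names are "
                            "case-sensitive" % e["realm"])
    return findings


def build_keytab(entries):
    """Encode (realm, components, enctype, kvno, key) tuples as a v2 keytab.
    Only used to construct the sample below; ktpass writes the real file."""
    out = bytearray(b"\x05\x02")
    for realm, comps, enctype, kvno, key in entries:
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + list(comps):
            body += struct.pack(">H", len(s)) + s.encode("utf-8")
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, ts, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample: what ktpass -crypto DES-CBC-CRC would write for the page's
# example host. The realm and the 8-byte key are invented for the example.
SES_SPN = "HTTP/sesmachine.us.oracle.com"
AD_REALM = "US.ORACLE.COM"
SAMPLE_KEYTAB = build_keytab([
    (AD_REALM, ["HTTP", "sesmachine.us.oracle.com"], 1, 3, bytes(range(8))),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e["principal"], "kvno", e["kvno"], ENCTYPE_NAMES.get(e["enctype"]))
    for finding in check_keytab(SAMPLE_KEYTAB, SES_SPN, AD_REALM):
        print("WARNING:", finding)
```

For the constructed sample the script lists HTTP/sesmachine.us.oracle.com@US.ORACLE.COM with kvno 3 and des-cbc-crc, and reports one warning about single DES; against the real file it also tells you when ktpass was run with the wrong host name or a lower-case realm, the two most common reasons the browser never obtains a usable ticket.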

Configuring the Active Directory Plug-In

After creating the seswna user in Active Directory, you must set up an identity plug-in for Active Directory and configure it against the Active Directory domain in which seswna was created. See "Activating the Active Directory Identity Plug-in" for more information about activating the plug-in.

Activating Windows Native Authentication on Oracle SES

As the final step, activate WNA on Oracle SES.

To activate Windows native authentication on Oracle SES: 

  1. On the Home page, click Global Settings to open the Global Settings page.

  2. Under Out-of-Box Query Application, click Configure Single Sign-On to open the Configure Single Sign-On page.

  3. Select WNA from the list of available Single Sign-On types, and click Activate to enable Windows native authentication.

  4. Restart the middle tier to activate WNA.

To deactivate Windows Native Authentication, on the Configure Single Sign-on page, click Deactivate, and then restart the middle tier.

Whenever a user tries to access the Oracle SES application, the following happens:

  • The Oracle SES application checks whether Windows native authentication is enabled.

  • If it is enabled, then the browser authenticates the user with a Kerberos ticket and the user is directed to the Search page as a logged-in user.

  • If it is disabled, then the user is redirected to the Oracle SES Login page.

  • If a user explicitly logs out of the application, then the user must log in again through the Oracle SES Login page.

Note that only the Windows user who is logged in to the computer is automatically logged in to the Oracle SES application. If other users want to use the application as logged-in users, then they must log in through the Oracle SES Login page. Also, if a user logs in from a Windows computer that is in a domain different from the domain of the Oracle SES Active Directory identity plug-in, then the user is not automatically logged in to the Oracle SES application and must log in through the Oracle SES Login page.

Windows Native Authentication is currently supported in the following Web browsers: Microsoft Internet Explorer and Mozilla Firefox.
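When a user lands on the Oracle SES Login page instead of being signed in, the quickest diagnosis is to look at what the browser actually sent. The following Python script is an added diagnostic written for this page (it is not Oracle SES code): it decodes the token in an Authorization: Negotiate header taken from a captured request or a server log and reports whether the browser offered Kerberos or fell back to NTLM, which is what Internet Explorer does when it cannot obtain a ticket for the HTTP/<ses-host-name> service principal (wrong or duplicate SPN, host not in the Local intranet zone, or a computer outside the domain). The three sample headers at the bottom are constructed in the block; the Kerberos one carries a two-byte stand-in for the AP-REQ rather than a real ticket.

```python
"""Classify the token in an HTTP "Authorization: Negotiate <base64>" header:
Kerberos, NTLM wrapped in SPNEGO, or raw NTLM. Example code written for this
page, not Oracle SES code; the sample headers at the bottom are constructed."""
import base64

OID_SPNEGO = "1.3.6.1.5.5.2"
OID_KRB5 = "1.2.840.113554.1.2.2"
OID_MS_KRB5 = "1.2.840.48018.1.2.2"       # Microsoft Kerberos variant
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
KERBEROS_OIDS = {OID_KRB5, OID_MS_KRB5}

def der_read(data, pos=0):
    """Read one DER TLV at pos; return (tag, value bytes, position after it)."""
    tag, n, pos = data[pos], data[pos + 1], pos + 2
    if n & 0x80:                           # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(data[pos:pos + k], "big"), pos + k
    return tag, data[pos:pos + n], pos + n

def der(tag, content):
    """Encode one DER TLV (used only to build the samples)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                   # base-128, high bit marks continuation
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)

def decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def classify_negotiate(header_value):
    """Return {"kind", "mechs", "kerberos"} for an Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header: %r" % scheme)
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):   # raw NTLM; base64 begins with TlRMTVNT
        return {"kind": "ntlm-raw", "mechs": [OID_NTLMSSP], "kerberos": False}
    if token[0] == 0xA1:                   # NegTokenResp, a later round trip
        return {"kind": "spnego-response", "mechs": [], "kerberos": None}
    if token[0] != 0x60:                   # [APPLICATION 0] InitialContextToken
        raise ValueError("unrecognised token (first byte 0x%02x)" % token[0])
    _, app, _ = der_read(token)
    tag, oid_raw, pos = der_read(app)
    if tag != 0x06 or decode_oid(oid_raw) != OID_SPNEGO:
        raise ValueError("GSS-API token is not SPNEGO")
    tag, neg_init, _ = der_read(app, pos)  # [0] NegTokenInit
    if tag != 0xA0:
        raise ValueError("expected NegTokenInit, got tag 0x%02x" % tag)
    _, seq, _ = der_read(neg_init)         # SEQUENCE { [0] mechTypes, ... }
    tag, mech_ctx, _ = der_read(seq)
    if tag != 0xA0:
        raise ValueError("NegTokenInit without mechTypes")
    _, mech_list, _ = der_read(mech_ctx)   # SEQUENCE OF MechType (OIDs)
    mechs, pos = [], 0
    while pos < len(mech_list):
        _, raw, pos = der_read(mech_list, pos)
        mechs.append(decode_oid(raw))
    # The optimistic mechToken the browser sent belongs to the first mechanism.
    return {"kind": "spnego-init", "mechs": mechs, "kerberos": mechs[0] in KERBEROS_OIDS}

def build_neg_token_init(mechs, mech_token):
    """Build a NegTokenInit carrying the given mechTypes and optimistic mechToken."""
    mech_list = der(0x30, b"".join(der(0x06, encode_oid(m)) for m in mechs))
    body = der(0xA0, mech_list) + der(0xA2, der(0x04, mech_token))
    return der(0x60, der(0x06, encode_oid(OID_SPNEGO)) + der(0xA0, der(0x30, body)))

# Constructed samples. The Kerberos mechToken is a two-byte stand-in for an AP-REQ
# and the NTLM bytes are only the Type 1 signature, not a real NTLM message.
_NTLM_TYPE1 = b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(20)
SAMPLE_HEADERS = {
    "kerberos": "Negotiate " + base64.b64encode(build_neg_token_init(
        [OID_MS_KRB5, OID_KRB5, OID_NTLMSSP], b"\x60\x00")).decode(),
    "ntlm_in_spnego": "Negotiate " + base64.b64encode(build_neg_token_init(
        [OID_NTLMSSP], _NTLM_TYPE1)).decode(),
    "ntlm_raw": "Negotiate " + base64.b64encode(_NTLM_TYPE1).decode(),
}
```

A header whose base64 begins with TlRMTVNT, or whose SPNEGO mechTypes list starts with the NTLMSSP OID, means the browser never presented a Kerberos ticket, so the problem is on the client or Active Directory side (SPN, zone settings, domain membership) rather than in the Oracle SES configuration.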

Configuring Microsoft Internet Explorer to support WNA

To use WNA on Microsoft Internet Explorer, you must perform the following steps:

Configure Local Intranet Domains

To configure the local intranet domain, perform the following steps:

  1. In Internet Explorer, select Tools, and then Internet Options.

  2. From the Internet Options dialog box, select the Security tab.

  3. Select Local intranet and then click Sites.

  4. In the Local intranet dialog box, ensure that the options Include all sites that bypass the proxy server and Include all local (intranet) sites not listed in other zones are selected.

  5. Click Advanced.

  6. Add the domain names (for example, myhost.example.com) of all Oracle WebLogic Server instances participating in the Single Sign-On configuration, and click Close. This step matters because Internet Explorer places a host reached by a name containing a dot in the Internet zone unless it is listed here, and it sends the Windows user's credentials automatically only to sites in the Local intranet zone.

  7. On the Local intranet dialog box, Click OK.

Configure Intranet Authentication

To configure Intranet authentication, perform the following steps:

  1. In Internet Explorer, select Tools, and then Internet Options.

  2. From the Internet Options dialog box, select the Security tab.

  3. Select Local intranet, and then click Custom level. This opens the Security Settings-Local Intranet Zone dialog box.

  4. Under User Authentication, select Automatic logon only in Intranet zone. With this setting Internet Explorer sends the logged-in Windows user's credentials without prompting, but only to sites in the Local intranet zone, so users do not have to reenter their credentials for Oracle SES.

  5. Click OK.

Verify the Proxy Settings

If you have a proxy server enabled, then you must verify the proxy settings. To do this:

  1. In Internet Explorer, select Tools, and then Internet Options.

  2. From the Internet Options dialog box, select the Connections tab.

  3. Click LAN Settings to open the Local Area Network (LAN) Settings dialog box.

  4. Verify that the proxy server address and the port number are correct.

  5. Click Advanced to open the Proxy Settings dialog box.

  6. Ensure that the required domain names are entered in the Exceptions field.

Additional Steps for Internet Explorer 6.0

Additionally, for Internet Explorer 6.0, you must perform the following:

  1. In Internet Explorer, select Tools, and then Internet Options.

  2. From the Internet Options dialog box, select the Advanced tab.

  3. Under Security, ensure that the option Enable Integrated Windows Authentication is selected.

  4. If this option was not previously set, then restart the computer after setting the option.

Configuring Mozilla Firefox to Support WNA

In Mozilla Firefox, perform the following steps to use WNA:

  1. In the Location bar, enter the string about:config. This opens the about:config page in Firefox.

  2. In the Filter field, enter the string network.negotiate.

  3. Set the preferences given in Table 11-8. To set the value for a preference, double-click the preference, and enter the value.

    Table 11-8 WNA Configuration Preferences for Firefox

    Preference Name                              Status     Type     Value
    network.negotiate-auth.allow-proxies         Default    boolean  true
    network.negotiate-auth.delegation-uris       User set   string   http://,https://
    network.negotiate-auth.gsslib                Default    string   <blank>
    network.negotiate-auth.trusted-uris          User set   string   http://,https://
    network.negotiate-auth.using-native-gsslib   Default    boolean  true

    network.negotiate-auth.trusted-uris lists the sites to which Firefox answers a Negotiate challenge with the user's Kerberos ticket, and network.negotiate-auth.delegation-uris lists the sites to which it additionally forwards a delegable copy of the user's credentials. The value http://,https:// matches every site, so any web server that returns a Negotiate challenge, including one reached over plain HTTP, can obtain a ticket in the user's name and, where delegation is granted, act on the user's behalf against other services. Where your deployment allows it, list only the Oracle SES host names (for example, https://sesmachine.us.oracle.com) in both preferences rather than every site, and keep delegation-uris as narrow as possible.


Note:

In previous releases, the base path of Oracle SES was referred to as ORACLE_HOME. In Oracle SES release 11g, the base path is referred to as ORACLE_BASE. This represents the Software Location that you specify at the time of installing Oracle SES.

ORACLE_HOME now refers to the path ORACLE_BASE/seshome.

For more information about ORACLE_BASE, see "Conventions".