Skip Headers
Oracle® Fusion Middleware Integration Guide for Oracle Access Manager
11g Release 1 (11.1.1)

Part Number E15740-07
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

9 Configuring Oracle Access Manager For Windows Native Authentication

Oracle Access Manager 11g interoperates with Windows Native Authentication (WNA). This chapter explains how to integrate with WNA.

This chapter contains these sections:

9.1 Before You Begin

A fully-configured Microsoft Active Directory authentication service should be set up with user accounts to map Kerberos services, Service Principal Names (SPNs) for those accounts, and key tab files. For more information, see Oracle Fusion Middleware Securing Oracle WebLogic Server 11g Release 1 (10.3.3) E13707-03.

9.2 About Oracle Access Manager with Windows Native Authentication

Oracle Access Manager enables Microsoft Internet Explorer users to automatically authenticate to their Web applications using their desktop credentials. This is known as Windows Native Authentication (WNA).

Cross-platform authentication is achieved by emulating the negotiate behavior of native Windows-to-Windows authentication services that use the Kerberos protocol. In order for cross-platform authentication to work, non-Windows servers (in this case, Oracle Access Manager) must parse SPNEGO tokens in order to extract Kerberos tokens which are then used for authentication.

With Oracle Access Manager single sign-on combined with WNA, a Kerberos session ticket is generated that contains her login credentials, among other things. This Kerberos session ticket is not visible to the user.

However, with WNA implemented, the user can click on her Web application without another challenge for credentials. Instead, her Kerberos session ticket, which includes her credentials, is passed through the browser to the Oracle Access Manager server. The server validates the credentials by checking them against the Key Distribution Center server (KDC server) on the Windows domain server. (Note: The KDC, which is a trusted third party, uses logically separate servers to grant and process tickets, including the service server to authenticate session tickets and confirm the client's identity.)

If authentication succeeds she is granted access to her Web applications automatically.

For instance, the application must be protected by an Oracle Access Manager application domain that uses the Kerberos authentication scheme (KerbScheme) with WNA as the challenge method. In this case, credentials must be stored in a Windows Active Directory instance that is registered as a user-identify store with Oracle Access Manager.

9.3 Performing Prerequisite Tasks

The integration tasks are as follows:

9.3.1 Edit the krb5.conf File

To edit the krb5.conf file

  1. Open the krb5.conf file, which is located in /etc/krb5.conf.

  2. Update the file with the following entries

    [Libdefaults]
    default_realm = HOLMIUM.NGAM.COM
    ticket_lifetime = 600
     
    [realms]
     
    HOLMIUM.NGAM.COM = {
    kdc = holmium.us.example.com
    admin_server = holmium.us.example.com
    default_domain = HOLMIUM.NGAM.COM
    }
     
    [domain_realm]
    .holmium.ngam.com = HOLMIUM.NGAM.COM
    holmium.ngam.com = HOLMIUM.NGAM.COM
    

9.3.2 Create the Service Principal Name (SPN)

You perform this task to create an SPN and associate it with a user.

The following procedure includes an example user named testuser. The Oracle Access Manager server is deployed on a machine named mynode47.us.example.com.

To create the SPN and associate it with a user

  1. Create the user in Microsoft Active Directory.

  2. Run ktpass to create the service principal name and associate it with this user. For example:

    ktpass -princ HTTP/service@HOLMIUM.NGAM.COM -pass Oblix!@# 
    -mapuser testuser -out D:\etc\ keytab.service
    

    Here:

    • HTTP/service@HOLMIUM.NGAM.COM is a principal name associated with user testuser.

    • Oblix!@# is testuser's password.

    • The service is the name of the machine on which the Oracle Access Manager server is deployed. For example, if the service is mynode47.us.example.com then the principal name is HTTP/mynode47.us.example.com@HOLMIUM.NGAM.COM.

    • The -mapuser parameter specifies a userid (samaccountname) to which this principal name is to be attached. A given principal name can only be attached to one user.

    • D:\etc\ keytab.service is the keytab file to be generated. Once the file is generated, this keytab file will be used on the Oracle Access Manager server.

  3. Copy the newly created keytab.services file to the machine on which the NG server is running.

9.3.3 Obtain the Kerberos Ticket

You use the kinit command to obtains the master Kerberos ticket that you use to get tickets for other services.

The kinit command uses the /etc/krb5.conf file; ensure that this file has the correct attributes. The basic syntax for kinit is: shown here

kinit  [-k] [-t <keytab_filename>] [<principal>] 

To obtain the Kerberos ticket

  1. On the Oracle Access Manager server host machine, run the command from
    JDK_HOME/bin.

    kinit –V HTTP/mynode47.us.example.com@HOLMIUM.NGAM.COM –k –t /scratch/kerberos/keytab.service 
    

    where:

    • -V indicates verbose mode

    • principal name is HTTP/mynode47.us.example.com@HOLMIUM.NGAM.COM

    • -k instructs the command to use keytab

    • -t is the keytab filename to use

  2. Proceed to "Configuring Oracle Access Manager for WNA".

9.4 Configuring Oracle Access Manager for WNA

This section provides the following topics with steps you can follow:

9.4.1 Set Up the Kerberos Authentication Module in Oracle Access Manager

Before you can use WNA, you must define specific values for the Kerberos authentication module in the Oracle Access Manager policy configuration oam-policy.xml file.

Users with valid Oracle Access Manager Administrator credentials can perform the following task to define specific values for the Kerberos authentication module in Oracle Access Manager.

To set up the Kerberos Authentication Module

Note:

These instructions require hand-editing a configuration file. You can also perform this task using the OAM Administration Console.

  1. Locate the oam-config.xml file in the following path:

    Middleware_Home/user_projects/domains/IDMDomain/config/fmwconfig/oam-config.xml

  2. Make a backup copy of the oam-config.xml file and store it in another location in case you need it later.

  3. Edit the oam-config.xml file to define Kerberos module parameters and values. Examples of these parameters include the keytab file containing pairs of Kerberos principals and encrypted keys, and the krb5.conf file which contains Kerberos configuration information including the locations of KDCs. (Note: The files are created at Kerberos installation and appear in the install directory.) Edit the file as follows:

    <authn-module name="Kerberos" type="KERBEROS" id="4" description="Kerberos 
    Module">
    <property value="/u01/app/oracle/install/fmw11g/Middleware/wna/<host_
    name>.keytab" name="keytabfile"/>
    <property value="HTTP/<host_name>.example.com" name="principal"/>
    <property value="/u01/app/oracle/install/fmw11g/Middleware/wna/krb5.conf" 
    name="krbconfigfile"/>
    </authn-module>
    

    Here, "host_name" is the name of the Oracle Access Manager server host.

  4. Save the file.

  5. Proceed with "Set the Oracle Access Manager Authentication Scheme for Windows Native Authentication".

9.4.2 Set the Oracle Access Manager Authentication Scheme for Windows Native Authentication

Users with valid Oracle Access Manager administrator credentials can perform the following task to define specific values for the Kerberos authentication module in Oracle Access Manager.

You can use the Oracle Access Manager Administration Console to ensure that the authentication policy for the protected page is set to use the Kerberos authentication scheme and that the scheme uses the Windows Native Authentication challenge method.

To set the Kerberos authentication scheme

  1. Configure the Kerberos authentication scheme to use WNA as a challenge method:

    1. From the Oracle Access Manager Policy Configuration tab, navigation pane, expand the Authentication Schemes node.

    2. Double-click KerbScheme to display the configuration details.

    3. Change the Challenge Method to WNA, if needed.

    4. Click Apply and close the confirmation window.

    5. Close the page.

  2. Configure the application domain protecting the resource to use the Kerberos authentication scheme as follows:

    1. From the Oracle Access Manager Policy Configuration tab, navigation pane, expand the Application Domains node.

    2. Locate the desired application domain name an expand it.

    3. In the application domain node, expand the Authentication Policies node reveal existing policies.

    4. Double-click your Protected Resource Policy to display the related page.

    5. Authentication Scheme: Choose KerbScheme from the list.

    6. Click Apply, and then close the confirmation window.

    7. Close the page.

  3. Proceed to "Register Microsoft Active Directory as a User-Identity Data Store".

9.4.3 Register Microsoft Active Directory as a User-Identity Data Store

When using Windows Native Authentication, the user credentials must reside in Microsoft Active Directory, which must be registered as the user identity store for Oracle Access Manager.

Users with valid Oracle Access Manager Administrator credentials can perform the following task to register Microsoft Active Directory as the user store for Oracle Access Manager.

Prerequisites

A fully-configured Microsoft Active Directory authentication service should be set up with User accounts for mapping Kerberos services, Service Principal Names (SPNs) for those accounts, and Key tab files. For more information, see Oracle Fusion Middleware Securing Oracle WebLogic Server 11g Release 1 (10.3.3).

To register Microsoft Active Directory with Oracle Access Manager

  1. From the System Configuration tab, navigation pane, expand the Data Sources node.

  2. Click the User Identity Stores node, and then click the Add button in the tool bar.

  3. Enter required values for your Microsoft Active Directory. For example:


    Name: UserIdentityStoreAD
    LDAP Url: ldap://ldap_host.domain.com:389
    Principal: CN=Administrator,CN=Users,DC=dept,DC=domain,DC=com
    Credential: ********
    User Search Base: CN=Users,DC=dept,DC=domain,DC=com
    User Name Attribute: UserPrincipalName
    Subscriber Name: CN=Users,DC=dept,DC=domain,DC=com
    LDAP Provider: AD
  4. Primary: Click the Primary button to make this the primary user identity store for Oracle Access Manager.

  5. Role Mapping: By default, the Oracle Access Manager administrator's role is the same as the WebLogic administrator's role (Administrators). However, you can define a new Oracle Access Manager Administrator's role in the primary user identity store for Oracle Access Manager 11g. For more information, see the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.

  6. Click Apply to submit the changes and dismiss the confirmation window.

  7. Restart the Oracle Access Manager Administration Server and managed servers.

9.4.4 Verify the Oracle Access Manager Configuration File

Verify that the following are specified in the oam-config.xml file:

  • path to the krb5.conf file

  • path to the keytab file

  • a principal to connect with KDC

Continuing the example used in earlier steps, the oam-config.xml file looks as follows:

<Setting Name="KerberosModules" Type="htf:map">
   <Setting Name="6DBSE52C" Type="htf:map">
      <Setting Name="principal"           Type="xsd:string">HTTP/mynode47.us.example.com@HOLMIUM.NGAM.COM
      </Setting>
      <Setting Name="name" Type="xsd:string">XYZKerberosModule</Setting>
      <Setting Name="keytabfile"           Type="xsd:string">/scratch/kerberos/keytab.service
      </Setting>
      <Setting Name="krbconfigfile" Type="xsd:string">/etc/krb5.conf</Setting>
   </Setting>
</Setting>

9.5 Enabling the Browser to Return Kerberos Tokens

You use the following procedures to configure the Internet Explorer or Mozilla Firefox browsers to return Kerberos tokens.

To enable Kerberos tokens in Internet Explorer

  1. On a Windows host in the Active Directory domain, sign in as a domain user.

  2. Open the Internet Explorer browser.

  3. From the Tools menu, click Internet Options, click Security, click Local Intranet, click Advanced.

  4. On the Advanced tab, Security section, check the box beside Enable Integrated Windows Authentication, and click OK.

  5. Add Oracle Access Manager CC host or domain name to Local Intranet zone (use the format http://mynode.myhost:myport).

  6. Restart the Internet Explorer browser so the change takes affect.

To enable Kerberos tokens in Mozilla Firefox

  1. Point the browser to about:config.

  2. Add Oracle Access Manager CC host or domain name under network.negotiate-auth.trusted-uris. Use the format network.negotiate-auth.trusted-uris=http://mynode.myhost:myport

9.6 Validating WNA with Oracle Access Manager-Protected Resources

WNA authentication occurs internally.

To validate WNA with Oracle Access Manager-protected resources

  1. Login to a Windows system in the Active Directory domain as a domain user. Ensure the Internet Explorer is enabled for Integrated Windows Authentication (tools, options, Enable Integrated Windows Authentication, restart the browser).

  2. Sign in to the Windows OS client using the Windows domain credentials stored in a hosted Active Directory that is registered with Oracle Access Manager.

  3. Start an IE browser, and enter the URL for the OMAM-protected resource.

  4. Confirm that access is granted with no additional login.

9.7 Troubleshooting WNA Configuration

Cause

The Identity Store used by Oracle Access Manager might not point to Windows Active Directory. By default, the identity store is Embedded LDAP.

Solution

  1. In the Oracle Access Manager Administration Console, review the identity store configuration: System Configuration, Data Sources, User Identity Store.

  2. Confirm the LDAP store settings point to Active Directory.