Oracle® Internet Directory Administrator's Guide
10g (9.0.4)

Part Number B12118-01

Integration with the Microsoft Windows Environment, 3 of 13


High-Level Configuration Requirements

There are two common ways of deploying integration with a Microsoft Windows environment. In the first, Oracle Internet Directory is the central enterprise directory and source of truth for user and group data for the Microsoft Windows 2000 and Windows NT environments. In the second, Microsoft Active Directory is the central enterprise directory and source of truth for user and group data for Oracle components.

This section contains these topics:

Deployments with Oracle Internet Directory as the Central Directory

Deployments with Microsoft Active Directory as the Central Directory

Deployments with Oracle Internet Directory as the Central Directory

Table 43-5 describes the typical requirements in this deployment.

Table 43-5  Typical Requirements with Oracle Internet Directory as the Central Directory
Each requirement below is followed by how it is met when Oracle Internet Directory is the central directory.

Initial bootstrapping

The Directory Integration and Provisioning Assistant populates Microsoft Active Directory with users and groups stored in Oracle Internet Directory.

If there are multiple Microsoft Active Directory servers, then the Directory Integration and Provisioning Assistant must be run once for each of them. On each run you select the specific data set that the target Microsoft Active Directory server requires.

Synchronization

User and group information is managed in Oracle Internet Directory. Changes to that information are synchronized with Microsoft Active Directory by the Oracle directory integration and provisioning server.

Synchronization in the other direction, from Microsoft Active Directory into Oracle Internet Directory, is less common in this deployment; it is achieved by configuring an import profile.

Passwords and password verifiers

Passwords are managed in Oracle Internet Directory by using Oracle tools such as the Oracle Internet Directory Self-Service Console. Password changes are synchronized with Microsoft Active Directory by the Oracle directory integration and provisioning server, but only after password synchronization has been configured in the mapping rules. If the Oracle environment requires a password verifier, the verifier is generated automatically when a new user entry is created or when a password is modified.

Oracle Application Server Single Sign-On

Once the OracleAS Single Sign-On server is configured, users log into the Oracle environment through it.

When called upon by the OracleAS Single Sign-On server to authenticate a user, the Oracle directory server uses credentials available locally. No external authentication is involved.

Users must log in only once to access various applications in the Oracle environment.

Windows native authentication (autologin)

This can be enabled for Windows-based users by configuring the OracleAS Single Sign-On server in the autologin mode.

When Windows native authentication is configured, Windows users who have logged in to the Windows desktop need not log in to the Oracle environment again.

Active Directory external authentication plug-in

Because user credentials are managed locally in Oracle Internet Directory, the Active Directory external authentication plug-in is not required.

Provisioning

New users or groups created in Oracle Internet Directory are automatically provisioned into the Microsoft Windows environment by the Oracle directory integration and provisioning server. Before this provisioning can take place, a one-way synchronization must be configured from Oracle Internet Directory to Microsoft Active Directory.

If multiple Microsoft Active Directory servers are involved, then the Oracle directory integration and provisioning server provisions users and groups into the respective Microsoft Active Directory servers. In that case, a one-way synchronization must be configured from Oracle Internet Directory to each Microsoft Active Directory server.

Deployments with Microsoft Active Directory as the Central Directory

Table 43-6 describes the typical requirements in this deployment.

Table 43-6  Typical Requirements with Microsoft Active Directory as the Central Directory
Each requirement below is followed by how it is met when Microsoft Active Directory is the central directory.

Initial bootstrapping

The Directory Integration and Provisioning Assistant populates Oracle Internet Directory with users and groups stored in Microsoft Active Directory.

If there are multiple Microsoft Active Directory servers, then the Directory Integration and Provisioning Assistant must be run as many times as there are Microsoft Active Directory servers.

You can choose to manage user information, including password credentials, only in Microsoft Active Directory. In such deployments, to enable single sign-on in the Oracle environment, the Oracle directory integration and provisioning server can synchronize a minimal set of attributes of the user entry into Oracle Internet Directory.

Passwords are not migrated.

Synchronization

The source of truth for user and group information is Microsoft Active Directory, and that information is managed there. Changes to it are synchronized from the Microsoft Active Directory servers into Oracle Internet Directory by the Oracle directory integration and provisioning server.

Synchronization in the other direction, from Oracle Internet Directory to Microsoft Active Directory, is less common in this deployment; it is achieved by configuring an export profile.

Passwords and password verifiers

It is assumed that passwords are managed in Microsoft Active Directory by using Microsoft Windows tools. The Oracle directory integration and provisioning server does not synchronize password changes into Oracle Internet Directory.

Because the passwords never reach Oracle Internet Directory, the password verifiers that some Oracle components require cannot be generated automatically in this deployment. A user can make a verifier available by setting a password in the Oracle environment: the Oracle directory server then generates the verifier whenever that password is set or changed, but it does not store the password itself in the userpassword attribute, which stays empty. The Oracle directory server therefore still finds no local credentials for the user and authenticates the user through the external authentication plug-in, as described below.

Oracle Application Server Single Sign-On

Once the OracleAS Single Sign-On server is configured, users log into the Oracle environment through it. To access various components in the Oracle environment, they must log in only once.

Users with credentials only in Microsoft Active Directory are authenticated by the Oracle directory server invoking the external authentication plug-in.

Users with credentials in Oracle Internet Directory are authenticated locally by the Oracle directory server.

Windows native authentication (autologin)

Same as in Oracle Internet Directory-centered deployment. However, for a user to use autologin, the user must exist in the Microsoft Active Directory.

If Oracle Internet Directory also contains users that exist only locally, single sign-on stops working for them once Windows native authentication is enabled, unless the attributes orclsamaccountname and krbprincipalname are populated in their user entries.

Active Directory external authentication plug-in

Because user credentials are managed in Microsoft Active Directory, this plug-in is required.

When called upon by the OracleAS Single Sign-On server to authenticate a user, the Oracle directory server discovers that the credentials are not available in Oracle Internet Directory. It then invokes the external authentication plug-in.

The plug-in performs the authentication of the user against the user credentials stored in Microsoft Active Directory.

Provisioning

New users or groups created in Microsoft Active Directory are automatically provisioned into Oracle Internet Directory by the Oracle directory integration and provisioning server. Before the provisioning can take place, a one-way synchronization from Microsoft Active Directory to Oracle Internet Directory must be established.

If multiple Microsoft Active Directory servers are involved, then the Oracle directory integration and provisioning server provisions users and groups from the respective Microsoft Active Directory servers into Oracle Internet Directory. In that case, a one-way synchronization from each Microsoft Active Directory server to Oracle Internet Directory must be established.

Passwords are not migrated.
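The following is an added example, not part of the Oracle documentation, that applies the authentication rules stated above for an Active-Directory-centred deployment to an export of Oracle Internet Directory user entries. It decides for each entry whether the Oracle directory server would authenticate the user locally (userpassword populated) or hand the user to the Active Directory external authentication plug-in (userpassword absent or empty), and, with Windows native authentication enabled, flags entries that lack orclsamaccountname or krbprincipalname and so cannot use single sign-on. The LDIF sample is constructed; the entry names, DNs and the password hash are made up, and applying the attribute check to synchronized entries as well as to local ones is an assumption of this example, not a statement from the page.

```python
"""Audit which authentication path each Oracle Internet Directory user takes.

Added example, not from the Oracle documentation. It applies the rules the
text states for a deployment with Microsoft Active Directory as the central
directory:

  * userpassword absent or empty -> the Oracle directory server finds no local
    credentials and invokes the Active Directory external authentication plug-in
  * userpassword set             -> the user is authenticated locally
  * with Windows native authentication enabled, a local user whose entry lacks
    orclsamaccountname or krbprincipalname cannot use single sign-on
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample in the shape ldapsearch prints. Names, DNs and the
# password hash are made up; no real deployment data is used.
SAMPLE_LDIF = """\
dn: cn=alice,cn=users,dc=example,dc=com
cn: alice
objectclass: orcluserv2
orclsamaccountname: alice
krbprincipalname: alice@EXAMPLE.COM

dn: cn=bob,cn=users,dc=example,dc=com
cn: bob
objectclass: orcluserv2
userpassword: {SHA}c29tZSBmYWtlIGhhc2g=
orclsamaccountname: bob
krbprincipalname: bob@EXAMPLE.COM

dn: cn=svc-report,cn=users,dc=example,dc=com
cn: svc-report
objectclass: orcluserv2
userpassword: {SHA}c29tZSBmYWtlIGhhc2g=

dn: cn=carol,cn=users,dc=example,dc=com
cn: carol
objectclass: orcluserv2
userpassword:
orclsamaccountname: carol
"""

WNA_ATTRS = ("orclsamaccountname", "krbprincipalname")


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF reader: entries separated by blank lines, one
    'attribute: value' per line. Base64 values ('::') and folded lines
    are not handled; an export with plain values is enough here."""
    entries: list[dict[str, list[str]]] = []
    current: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                      # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


@dataclass
class AuthReport:
    dn: str
    auth_path: str                  # "oid-local" or "ad-external-plugin"
    sso_ok: bool                    # single sign-on works under the chosen mode
    missing: list[str] = field(default_factory=list)


def classify(entry: dict[str, list[str]], windows_native_auth: bool) -> AuthReport:
    dn = entry.get("dn", [""])[0]
    # An empty userpassword is what the text describes when a verifier was
    # generated but the password itself was never stored in OID.
    has_local_password = any(v for v in entry.get("userpassword", []))
    auth_path = "oid-local" if has_local_password else "ad-external-plugin"
    missing = [a for a in WNA_ATTRS if not any(v for v in entry.get(a, []))]
    # The text states the attribute requirement for OID-local users. Applying
    # the same check to AD-synchronized entries is this example's assumption:
    # a synchronized entry without them cannot be matched to a Windows login.
    sso_ok = (not windows_native_auth) or not missing
    return AuthReport(dn, auth_path, sso_ok, missing)


def audit(ldif_text: str, windows_native_auth: bool = True) -> list[AuthReport]:
    return [classify(e, windows_native_auth)
            for e in parse_ldif(ldif_text) if "dn" in e]


if __name__ == "__main__":
    for r in audit(SAMPLE_LDIF):
        state = "ok" if r.sso_ok else "SSO broken, missing " + ", ".join(r.missing)
        print(f"{r.dn}: {r.auth_path}; {state}")
```

Run against a real export, the report separates the users whose binds go to Microsoft Active Directory from those with locally stored credentials, and lists the local entries that must be given orclsamaccountname and krbprincipalname before Windows native authentication is switched on.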


Oracle
Copyright © 1999, 2003 Oracle Corporation.

All Rights Reserved.