57.7 Configuring Access Manager for Windows Native Authentication

Whether you are using Oracle Virtual Directory or Active Directory with Global Catalogs, this section provides the following topics with steps you can follow:

57.7.1 Creating the Authentication Scheme for Windows Native Authentication

Users with valid Oracle Access Management Administrator credentials can define an authentication scheme to use in policies protecting applications for Windows Native authentication.

Before you begin, be sure to complete one of the following sections: Integrating KerberosPlugin with Oracle Virtual Directory or Integrating the KerberosPlugin with Search Failover.

  1. In the Oracle Access Management Console, click Application Security at the top of the window.
  2. Click Authentication Schemes in the Access Manager section.
  3. Under Search, type KerberosScheme in the Name box and click Search.
  4. Click KerberosScheme in the search results to open it.

    Set (or confirm) the following attributes:

    Challenge Method: WNA

    Authentication Module: KerberosPlugin

  5. Finish configuring KerberosScheme for your deployment.
  6. Click Apply and close the confirmation window.
  7. Proceed to "Configuring Policies for Windows Native Authentication".

57.7.2 Configuring Policies for Windows Native Authentication

You edit (or create) an Application Domain and policies to protect resources for Windows Native Authentication.

Before you begin, complete Creating the Authentication Scheme for Windows Native Authentication.

  1. In the Oracle Access Management Console, click Application Security at the top of the window.

  2. Click Application Domains in the Access Manager section.

  3. Open (or Create) the desired Application Domain, as described in "Managing Application Domains Using the Console".

  4. Resource Definitions: Add Resource Definitions to the domain as described in "Adding and Managing Policy Resource Definitions".

  5. Authentication Policies:

    1. Open the Authentication Policies node, and open (or Create) the desired Authentication Policy with the following attributes:

      Authentication Scheme: KerbScheme as the and ensure that it includes the updated KerberosPlugin.

      Choose KerbScheme as the Authentication Scheme and ensure that it includes the updated KerberosPlugin.

    2. Click Apply, close the Confirmation window.

    3. Resources for Authentication Policy: Add Resources to the Authentication Policy as described in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

    4. Complete the Authentication Policy with any desired Responses.

  6. Authorization Policies: Complete the Authentication Policy with any desired Responses or Conditions as described in "Defining Authorization Policies for Specific Resources".

  7. Proceed to "Verifying the Access Manager Configuration File".

57.7.3 Configuring WNA for NTLM Fallback

You can configure Access Manager to use WNA Fallback Authentication upon receiving an NTLM token.

For more information, see Understanding Access Manager WNA Login and Fall Back Authentication.

To configure:

  1. Stop the OAM managed server.

  2. Back up the following file to a safe location:

    <WLS domain>/config/fmwconfig/oam-config.xml

  3. Modify <WLS domain>/config/fmwconfig/oam-config.xml as follows:

    1. Find the following line:

      <Setting Name="CredentialCollector" Type="htf:map">
    2. After the line, add the following elements (if they are not already present):

             <Setting Name="WNAOptions" Type="htf:map">
             <Setting Name="HandleNTLMResponse" Type="xsd:string">BASIC</Setting>

      If the following parameter already exists:

      <Setting Name="HandleNTLMResponse" Type="xsd:string">DEFAULT</Setting>

      change the HandleNTLMResponse value from DEFAULT to BASIC. For example:

      <Setting Name="HandleNTLMResponse" Type="xsd:string">BASIC</Setting> 
  4. Restart the OAM server processes.


    See Two BASIC Authentication Prompts Are Displayed for troubleshooting information.

57.7.4 Configuring WNA Fallback to FORM-based Authentication Scheme

The OAM_WNA_OPT_OUT is a host-scoped persisting encrypted cookie set by the OAM Server. This cookie indicates the OAM server to challenge the user with FORM-based authentication when the browser presenting the cookie is not supporting WNA authentication. When set to TRUE, the OAM_WNA_OPT_OUT cookie makes the OAM server to change the authentication scheme from DEFAULT or BASIC to FORM-based before displaying the protected resource.
Upon receiving the NTLM tokens, OAM servers fall back to other authentication mechanisms. When HandleNTLMResponse is set to BASIC, the OAM server falls back to BASIC authentication scheme.

The WNA fallback to FORM-based authentication scheme relies on setting the pre-authentication rule. Create a pre-authentication rule that checks for OAM_WNA_OPT_OUT cookie which supports WNA FORM fallback mechanism. If the value of the OAM_WNA_OPT_OUT cookie is set TRUE, the authentication scheme is switched to FORM-based authentication.

  1. Stop the OAM managed server.

  2. Back up the <WLS domain>/config/fmwconfig/oam-config.xml file to a safe location.

  3. Edit <WLS domain>/config/fmwconfig/oam-config.xml as follows:

    <Setting Name="WNAOptions" Type="htf:map">
    <Setting Name="HandleNTLMResponse" Type="xsd:string">FORM</Setting>
  4. When NTLM and Kerberos authentications do not work with a browser (such as a non-domain attached browser), the OAM Server responds with an authorization error (403) and HTML content in the body of the response. By default, OAM displays an authorization error page with a Login button. The user needs to click the Login button in the customized page to invoke WNA fallback to FORM-based authentication. You can optionally configure CustomOptOutPage or IsOptOutPersistent parameters in the oam-config.xml and customize the error page.

    1. Configure the Custom Opt Out Page as follows to emit all the HTML contents from the oam-config.xml file. The JavaScript function optOut() is invoked when a button in the customized page is clicked. Then OAM emits the JavaScript function optOut().

      <Setting Name="CustomOptOutPage" Type="xsd:string">/home/custom.html</Setting>
    2. The OAM_WNA_OPT_OUT cookie is set as persistent cookie, by default. Configure it as a session cookie as follows:
      <Setting Name="IsOptOutPersistent" Type="xsd:boolean">false</Setting>
  5. Verify if the value of the OAM_WNA_OPT_OUT cookie is set to TRUE and the pre-authentication condition is set as follows:
    str(request.requestMap['Cookie']).lower().find('oam_wna_opt_out=true') >= 0
  6. Restart the OAM server processes.

The OAM server falls back on FORM-based authentication scheme.

57.7.5 Verifying the Access Manager Configuration File

You can verify the Access Manager Configuration file, oam-config.xml.

Verify that the following are specified in the oam-config.xml file as in the following example:

  • path to the krb5.conf file

  • path to the keytab file

  • a principal to connect with KDC


<Setting Name="KerberosModules" Type="htf:map">
   <Setting Name="6DBSE52C" Type="htf:map">
      <Setting Name="principal"           Type="xsd:string">HTTP/oam11g.example.com@LM.EXAMPLE.COM
      <Setting Name="name" Type="xsd:string">XYZKerberosModule</Setting>
      <Setting Name="keytabfile"           Type="xsd:string">/refresh/home/oam.keytab
      <Setting Name="krbconfigfile" Type="xsd:string">/etc/krb5.conf</Setting>