Whether you are using Oracle Virtual Directory or Active Directory with Global Catalogs, this section provides the following topics with steps you can follow:
Users with valid Oracle Access Management Administrator credentials can define an authentication scheme to use in policies protecting applications for Windows Native authentication.
Before you begin, be sure to complete one of the following sections: Integrating KerberosPlugin with Oracle Virtual Directory or Integrating the KerberosPlugin with Search Failover.
You edit (or create) an Application Domain and policies to protect resources for Windows Native Authentication.
Before you begin, complete Creating the Authentication Scheme for Windows Native Authentication.
In the Oracle Access Management Console, click Application Security at the top of the window.
Click Application Domains in the Access Manager section.
Open (or Create) the desired Application Domain, as described in "Managing Application Domains Using the Console".
Resource Definitions: Add Resource Definitions to the domain as described in "Adding and Managing Policy Resource Definitions".
Authentication Policies:
Open the Authentication Policies node, and open (or Create) the desired Authentication Policy with the following attributes:
Authentication Scheme: Choose KerbScheme as the Authentication Scheme and ensure that it includes the updated KerberosPlugin.
Click Apply, then close the Confirmation window.
Resources for Authentication Policy: Add Resources to the Authentication Policy as described in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.
Complete the Authentication Policy with any desired Responses.
Authorization Policies: Complete the Authorization Policy with any desired Responses or Conditions as described in "Defining Authorization Policies for Specific Resources".
Proceed to "Verifying the Access Manager Configuration File".
You can configure Access Manager to use WNA Fallback Authentication upon receiving an NTLM token.
For more information, see Understanding Access Manager WNA Login and Fall Back Authentication.
To configure:
Stop the OAM managed server.
Back up the following file to a safe location:
<WLS domain>/config/fmwconfig/oam-config.xml
Modify <WLS domain>/config/fmwconfig/oam-config.xml as follows:
Find the following line:
<Setting Name="CredentialCollector" Type="htf:map">
After the line, add the following elements (if they are not already present):
<Setting Name="WNAOptions" Type="htf:map">
  <Setting Name="HandleNTLMResponse" Type="xsd:string">BASIC</Setting>
</Setting>
If the following parameter already exists:
<Setting Name="HandleNTLMResponse" Type="xsd:string">DEFAULT</Setting>
change the HandleNTLMResponse value from DEFAULT to BASIC. For example:
<Setting Name="HandleNTLMResponse" Type="xsd:string">BASIC</Setting>
Restart the OAM server processes.
Note:
See Two BASIC Authentication Prompts Are Displayed for troubleshooting information.
The WNA fallback to the FORM-based authentication scheme relies on setting a pre-authentication rule. Create a pre-authentication rule that checks for the OAM_WNA_OPT_OUT cookie, which supports the WNA FORM fallback mechanism. If the value of the OAM_WNA_OPT_OUT cookie is set to TRUE, the authentication scheme is switched to FORM-based authentication.
Stop the OAM managed server.
Back up the <WLS domain>/config/fmwconfig/oam-config.xml file to a safe location.
Edit <WLS domain>/config/fmwconfig/oam-config.xml as follows:
<Setting Name="WNAOptions" Type="htf:map">
  <Setting Name="HandleNTLMResponse" Type="xsd:string">FORM</Setting>
</Setting>
When NTLM and Kerberos authentications do not work with a browser (such as a non-domain attached browser), the OAM Server responds with an authorization error (403) and HTML content in the body of the response. By default, OAM displays an authorization error page with a Login button. The user needs to click the Login button in the customized page to invoke WNA fallback to FORM-based authentication. You can optionally configure the CustomOptOutPage or IsOptOutPersistent parameters in the oam-config.xml file and customize the error page.
Configure the Custom Opt Out Page as follows so that OAM emits all the HTML contents of the page referenced in the oam-config.xml file. OAM emits the JavaScript function optOut() together with the page contents, and the customized page invokes optOut() when its button is clicked.
<Setting Name="CustomOptOutPage" Type="xsd:string">/home/custom.html</Setting>
<Setting Name="IsOptOutPersistent" Type="xsd:boolean">false</Setting>
Pre-authentication rule condition that checks the OAM_WNA_OPT_OUT cookie:
str(request.requestMap['Cookie']).lower().find('oam_wna_opt_out=true') >= 0
Restart the OAM server processes.
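The fallback decision that the two procedures above configure (HandleNTLMResponse set to BASIC, and the FORM fallback driven by the OAM_WNA_OPT_OUT pre-authentication rule), modelled in Python as an added example that is not Oracle's code: it tells an NTLM token apart from a Kerberos SPNEGO token by the NTLMSSP signature or mechanism OID it carries, applies the page's cookie rule, and returns the scheme that follows. Treating the first mechanism OID as the client's choice, evaluating the rule before the token, and DEFAULT meaning no fallback are simplifying assumptions of this model; the sample tokens are constructed, not captured.

```python
import base64
import binascii
import re

# DER-encoded OIDs found in GSS-API/SPNEGO tokens (RFC 2743, RFC 4178).
SPNEGO_OID = bytes.fromhex("06062b0601050502")          # 1.3.6.1.5.5.2
KRB5_OIDS = (bytes.fromhex("06092a864886f712010202"),   # 1.2.840.113554.1.2.2
             bytes.fromhex("06092a864882f712010202"))   # 1.2.840.48018.1.2.2 (MS)
NTLM_OID = bytes.fromhex("060a2b06010401823702020a")    # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIG = b"NTLMSSP\x00"

def classify_negotiate_token(authz_header):
    """'kerberos', 'ntlm', or None for the token of an Authorization: Negotiate header."""
    m = re.match(r"Negotiate\s+([A-Za-z0-9+/=]+)\s*$", authz_header or "")
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except binascii.Error:
        return None
    if raw.startswith(NTLMSSP_SIG):
        return "ntlm"                       # bare NTLMSSP message, no GSS framing
    if raw[:1] != b"\x60" or SPNEGO_OID not in raw[:16]:
        return None                         # not a SPNEGO InitialContextToken
    # Simplification: the first mechanism OID present is taken as the client's choice.
    hits = [(raw.find(oid), oid) for oid in KRB5_OIDS + (NTLM_OID,) if oid in raw]
    if not hits:
        return None
    return "ntlm" if min(hits)[1] == NTLM_OID else "kerberos"

def opt_out_rule(cookie_header):
    """The page's pre-authentication rule condition on the OAM_WNA_OPT_OUT cookie."""
    return str(cookie_header).lower().find("oam_wna_opt_out=true") >= 0

def choose_scheme(authz_header, cookie_header, handle_ntlm_response="DEFAULT"):
    """Model of the fallback decision: the scheme OAM applies to this request next."""
    if opt_out_rule(cookie_header):
        return "FORM"                       # pre-authentication rule switches the scheme
    kind = classify_negotiate_token(authz_header)
    if kind == "kerberos":
        return "KERBEROS"
    if kind == "ntlm":                      # BASIC -> Basic prompt; FORM -> 403 + opt-out page
        return {"BASIC": "BASIC", "FORM": "OPT_OUT_PAGE"}.get(
            handle_ntlm_response, "NOT_ACCEPTED")   # assumption: DEFAULT performs no fallback
    return "NEGOTIATE_CHALLENGE"            # no token yet: 401 with WWW-Authenticate: Negotiate

# Constructed sample tokens: a minimal NTLM type-1 message and a minimal SPNEGO NegTokenInit
# whose only mechType is Kerberos (not captured traffic).
NTLM_TYPE1_B64 = base64.b64encode(NTLMSSP_SIG + b"\x01\x00\x00\x00\x07\x82\x08\xa2" + b"\x00" * 16).decode()
SPNEGO_KRB_B64 = base64.b64encode(b"\x60\x1b" + SPNEGO_OID + b"\xa0\x11\x30\x0f\xa0\x0d\x30\x0b" + KRB5_OIDS[0]).decode()
```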
You can verify the Access Manager Configuration file, oam-config.xml.
Verify that the following are specified in the oam-config.xml file, as in the following example:
path to the krb5.conf file
path to the keytab file
a principal to connect with the KDC
oam-config.xml
<Setting Name="KerberosModules" Type="htf:map">
  <Setting Name="6DBSE52C" Type="htf:map">
    <Setting Name="principal" Type="xsd:string">HTTP/oam11g.example.com@LM.EXAMPLE.COM</Setting>
    <Setting Name="name" Type="xsd:string">XYZKerberosModule</Setting>
    <Setting Name="keytabfile" Type="xsd:string">/refresh/home/oam.keytab</Setting>
    <Setting Name="krbconfigfile" Type="xsd:string">/etc/krb5.conf</Setting>
  </Setting>
</Setting>
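A check of the KerberosModules settings just listed, as an added example that is not Oracle's tooling: it parses the fragment, confirms the principal has the HTTP/host@REALM form, flags whitespace copied into values, and verifies that the krb5.conf and keytab paths exist and that the keytab is not readable by group or other. The sample XML is constructed from the fragment above with its placeholder paths; the mode_of parameter is an assumption of this example that lets the file checks run against an injected map instead of the local filesystem.

```python
import os
import re
import stat
import xml.etree.ElementTree as ET

# Constructed sample mirroring the fragment above (placeholder paths, not a real deployment).
SAMPLE_KERBEROS_MODULES = """<Setting Name="KerberosModules" Type="htf:map">
  <Setting Name="6DBSE52C" Type="htf:map">
    <Setting Name="principal" Type="xsd:string">HTTP/oam11g.example.com@LM.EXAMPLE.COM</Setting>
    <Setting Name="name" Type="xsd:string">XYZKerberosModule</Setting>
    <Setting Name="keytabfile" Type="xsd:string">/refresh/home/oam.keytab</Setting>
    <Setting Name="krbconfigfile" Type="xsd:string">/etc/krb5.conf</Setting>
  </Setting>
</Setting>"""

REQUIRED = ("principal", "name", "keytabfile", "krbconfigfile")
# WNA service principal: HTTP/<host>@<REALM>, with the realm in upper case.
PRINCIPAL_RE = re.compile(r"^HTTP/[A-Za-z0-9.-]+@[A-Z0-9.-]+$")

def kerberos_modules(xml_text):
    """Each module under a KerberosModules map, as a dict of raw setting values."""
    root = ET.fromstring(xml_text)
    return [{s.get("Name"): (s.text or "") for s in module.findall("Setting")}
            for kerb in root.iter("Setting") if kerb.get("Name") == "KerberosModules"
            for module in kerb.findall("Setting")]

def file_mode(path):
    try:                                    # permission bits, or None if the file is missing
        return stat.S_IMODE(os.stat(path).st_mode)
    except FileNotFoundError:
        return None

def check_module(module, mode_of=file_mode):
    """Findings for one module; mode_of is injectable so the check can run offline."""
    findings = [f"missing setting: {k}" for k in REQUIRED if k not in module]
    findings += [f"{k}: whitespace in value {v!r}" for k, v in module.items() if v != v.strip()]
    principal = module.get("principal", "").strip()
    if principal and not PRINCIPAL_RE.match(principal):
        findings.append(f"principal not of the form HTTP/host@REALM: {principal!r}")
    for key in ("keytabfile", "krbconfigfile"):
        path = module.get(key, "").strip()
        mode = mode_of(path) if path else None
        if mode is None:
            findings.append(f"{key}: file not found: {path!r}")
        elif key == "keytabfile" and mode & 0o077:
            findings.append(f"keytabfile: {path} readable by group/other (mode {mode:04o})")
    return findings
```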