Oracle Access Manager Integration with Microsoft Active Directory for Zero Sign-on.

Oracle Access Manager integration with WNA/AD 1 22 nd November 2015 Hyderabad, India #AIOUG # SANGAM15 SANGAM 15 Sumit Gupta . . . . meeting of minds

Introduction Presenter – Sumit Gupta 10+ Years experience in Oracle Fusion Middleware OPN Certified IAM Expert Oracle Identity Manager 11g Certified Implementation Specialist Oracle Access Management Suite Plus 11g Implementation Specialist Oracle Certified Associate, Oracle Weblogic Server 12c administrator Presenter UKOUG Tech 14 – Liverpool, UK Middleware SIG – Reading, UK Sangam 2015 – Hyderabad, India UKOUG Tech 15 – Birmingham, UK Blogger ( www.OraWorld.co.uk ) More than 150 articles 1200 + subscribers www.OraWorld.co.uk www.OraWorld.co.uk 2 Copyright © 2015 , OraWorld Ltd. All rights reseved

Agenda Windows Native Authentication Overview Kerberos Basics WNA Configurations WNA Testing (Demo Viewlet ) WNA Sequence Flow Lessons Learnt References QnA Session www.OraWorld.co.uk Copyright © 2015 , OraWorld Ltd. All rights reserved 3

Kerberos Basics www.OraWorld.co.uk Copyright © 2015 , OraWorld Ltd. All rights reserved 5 Native authentication protocol in Active Directory Kerberos Domain Principal (Machines, Services & Users) Service Principal Name (SPN) PROTOCOL/hostname for services username@DOMAIN for users Key Distribution Center (KDC ) Ticket Granting Ticket (TGT) Service Ticket (ST)

WNA High Level Steps Tasks on the Windows domain controller: Configuring the domain controller to support Kerberos Authentication Generating a keytab file for a service user Tasks on the Oracle Access Manager server: Configuring an Active Directory identity store Configuring a Kerberos authentication module Defining a policy that uses the Kerberos authentication module to protect resources Configuring end-user browsers 23 www.OraWorld.co.uk Copyright © 2015 , OraWorld Ltd. All rights reserved

WNA Configuration KeyTab generation – contains shared secret key of the service ktpass.exe - princ HTTP/<OHS hostname>@<AD Server Domain> -pass < Password of the user created to be mapped> – mapuser <AD DOMAIN\ sAMAccountName of the user created > – out < Location_of_keytab_file > www.OraWorld.co.uk Copyright © 2015 , OraWorld Ltd. All rights reserved 25 AD Server

WNA Configuration Copy generated keytab (binary file) to OAM Server Set up krb5. conf Unix : / etc /krb5.conf on unix Windows: C:\windows\krb5.conf KRB5_CONFIG env variable www.OraWorld.co.uk Copyright © 2015 , OraWorld Ltd. All rights reserved 27 OAM Server [logging] default = FILE:/u01/app/oracle/middleware/Oracle_IAM1/ wna /krb5libs.log kdc = FILE:/u01/app/oracle/middleware/Oracle_IAM1/ wna /krb5kdc.log admin_server = FILE:/ var /log/ kadmind.log [ libdefaults ] default_realm = OWAD.LOCAL dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 600 clock_skew = 600 udp_preference_limit = 1 default_tkt_enctypes = RC4-HMAC default_tgs_enctypes = RC4-HMAC [realms] OWAD.LOCAL = { kdc = owwin-ad.owad.local admin_server = owwin-ad.owad.local default_domain = OWAD.LOCAL } [ domain_realm ] . owad.local = OWAD.LOCAL owad.local = OWAD.LOCAL

WNA Configuration www.OraWorld.co.uk Copyright © 2015 , OraWorld Ltd. All rights reserved 28 OAM Server Klist commands [ orafmw@iam ~]$ klist -e klist : No credentials cache found (ticket cache FILE:/ tmp /krb5cc_500) Kerberos 4 ticket cache: / tmp /tkt500 klist : You have no tickets cached [ orafmw@iam ~]$ klist -k /u01/app/oracle/middleware/Oracle_IAM1/ wna / oraworld.keytab -t -K -e Keytab name: FILE:/u01/app/oracle/middleware/Oracle_IAM1/ wna / oraworld.keytab KVNO Timestamp Principal ---- ----------------- -------------------------------------------------------- 3 01/01/70 01:00:00 HTTP/ oraworld. [email protected] ( ArcFour with HMAC/md5) (0x1d1b117a1db40dc241f7838b083a6b9d)

WNA Configuration www.OraWorld.co.uk Copyright © 2015 , OraWorld Ltd. All rights reserved 29 OAM Server Kinit command [ orafmw@iam ~]$ kinit -V HTTP/ oraworld. [email protected] -k -t /u01/app/oracle/middleware/Oracle_IAM1/ wna / oraworld.keytab Authenticated to Kerberos v5 [ orafmw@iam ~]$ klist -e Ticket cache: FILE:/ tmp /krb5cc_500 Default principal: HTTP/ oraworld. [email protected] Valid starting Expires Service principal 06/22/15 11:47:22 06/22/15 21:47:27 krbtgt /OWAD. [email protected] renew until 06/23/15 11:47:22, Etype ( skey , tkt ): ArcFour with HMAC/md5, ArcFour with HMAC/md5 Kerberos 4 ticket cache: / tmp /tkt500 klist : You have no tickets cached

Browser Configuration www.OraWorld.co.uk 39 Copyright © 2015 , OraWorld Ltd. All rights reserved 39 Open Internet Explorer Go to Tools > Internet Options > Security > Local Intranet > Advanced Add OAM Server host name Internet Explorer

Browser Configuration www.OraWorld.co.uk 42 Copyright © 2015 , OraWorld Ltd. All rights reserved 42 Go to Advanced tab > Security Check the box besides – Enable Integrated Windows Authentication Internet Explorer

Browser Configuration www.OraWorld.co.uk 44 Copyright © 2015 , OraWorld Ltd. All rights reserved 44 Go to Security > Local Intranet > Custom Level Select Automatic logon only in Intranet zone Restart Internet Explorer Internet Explorer

WNA Sequence Diagram www.OraWorld.co.uk Copyright © 2015 , OraWorld Ltd. All rights reserved 51 OAM Server Log. <11-Jun-2015 13:03:12 o'clock BST> <Notice> < LoggingService > <BEA-320401> <The log file has been rotated to /u01/app/oracle/middleware/ user_projects /domains/ iam_domain /servers/oam_server1/logs/oam_server1.log00059. Log messages will continue to be logged in /u01/app/oracle/middleware/ user_projects /domains/ iam_domain /servers/oam_server1/logs/oam_server1.log.> >>> KeyTabInputStream , readName (): OWAD.LOCAL >>> KeyTabInputStream , readName (): HTTP >>> KeyTabInputStream , readName (): oraworld.com >>> KeyTab : load() entry length: 63; type: 23 Added key: 23version: 3 Ordering keys wrt default_tkt_enctypes list default etypes for default_tkt_enctypes : 23. 0: EncryptionKey : keyType =23 kvno =3 keyValue (hex dump)= 0000: 1D 1B 11 7A 1D B4 0D C2 41 F7 83 8B 08 3A 6B 9D ...z....A....:k.

WNA Sequence Diagram www.OraWorld.co.uk Copyright © 2015 , OraWorld Ltd. All rights reserved 52 http://oraworld.com:7777/secured/ index.html GET /secured/ index.html HTTP/1.1 Host: oraworld.com:7777 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0 Accept: text/ html,application / xhtml+xml,application / xml;q =0.9,*/*;q=0.8 Accept-Language: en-US,en;q =0.5 Accept-Encoding: gzip , deflate Connection: keep-alive HTTP/1.1 302 Found Date: Mon, 29 Jun 2015 11:48:49 GMT Server: Oracle-Application-Server-11g Set-Cookie: OAMAuthnHintCookie =0@1435578529; httponly ; path=/; domain=.com Set-Cookie: OAMRequestContext_oraworld.com:7777_505353=PSSttVqN64gXBgIbzgp8jA==;max-age=300; httponly ; path=/ Location: http://oraworld.com:14100/oam/server/obrareq.cgi?encquery%3DxjRnrPN5vUi8FDE0h2Os3fXf <Trimmed> Content-Length: 652 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1

WNA Sequence Diagram www.OraWorld.co.uk Copyright © 2015 , OraWorld Ltd. All rights reserved 53 http://oraworld.com:14100/ oam /server/ obrareq.cgi?encquery %<Trimmed > GET / oam /server/obrareq.cgi?encquery%3DxjRn<Trimmed>HTTP/1.1 Host: oraworld.com:14100 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0 Accept: text/ html,application / xhtml+xml,application / xml;q =0.9,*/*;q=0.8 Accept-Language: en-US,en;q =0.5 Accept-Encoding: gzip , deflate Cookie: OAMRequestContext_oraworld.com:7777_505353=PSSttVqN64gXBgIbzgp8jA== Connection: keep-alive HTTP/1.1 302 Moved Temporarily Connection: close Date: Mon, 29 Jun 2015 11:48:49 GMT Transfer-Encoding: chunked Location: http://oraworld.com:14100/ oam / CredCollectServlet / WNA ?authn_try_count =0& spnegotoken = string&challenge_url =%2Foam%2FCredCollectServlet%2FWNA&request_id=-276341910699531784&locale= en_US&resource_url =http%253A%252F%252Foraworld.com%253A7777%252Fsecured%252Findex.html Set-Cookie: OAM_REQ_0=VERSION_4~ugKPHSCILJo%<Trimmed>; path=/; HttpOnly Set-Cookie: OAM_REQ_COUNT=VERSION_4~1; path=/; HttpOnly X-ORACLE-DMS-ECID: 74645cb114abea27:-3751213f:14dfcde14b8:-8000-0000000000029fd1

WNA Sequence Diagram www.OraWorld.co.uk Copyright © 2015 , OraWorld Ltd. All rights reserved 54 http://oraworld.com:14100/ oam / CredCollectServlet / WNA?authn_try_count =0&spnegotoken= string&challenge_url =%2Foam%2FCredCollectServlet%2FWNA&request_id=-276341910699531784&locale= en_US&resource_url =http%253A%252F%252Foraworld.com%253A7777%252Fsecured%252Findex.html GET / oam / CredCollectServlet / WNA ?authn_try_count =0& spnegotoken = string&challenge_url =%2Foam%2FCredCollectServlet%2FWNA&request_id=-276341910699531784&locale= en_US&resource_url =http%253A%252F%252Foraworld.com%253A7777%252Fsecured%252Findex.html HTTP/1.1 Host: oraworld.com:14100 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0 Accept: text/ html,application / xhtml+xml,application / xml;q =0.9,*/*;q=0.8 Accept-Language: en-US,en;q =0.5 Accept-Encoding: gzip , deflate Cookie: OAMRequestContext_oraworld.com:7777_505353=<Trimmed>OAM_REQ_COUNT=VERSION_4~1 Connection: keep-alive HTTP/1.1 401 Unauthorized Cache-Control: no-cache, no-store Date: Mon, 29 Jun 2015 11:48:50 GMT Pragma: no-cache Content-Length: 0 Content-Type: text/html; charset=UTF-8 Expires: 0 WWW-Authenticate: Negotiate WWW-Authenticate: Basic realm="OAM 11g"

WNA Sequence Diagram www.OraWorld.co.uk Copyright © 2015 , OraWorld Ltd. All rights reserved 55 http://oraworld.com:14100/oam/CredCollectServlet/WNA?authn_try_count=0&spnegotoken=string&challenge_url=%2Foam%2FCredCollectServlet%2FWNA&request_id=-23&locale=en_US&resource_url=http%253A%252F%252Foraworld.com%253A7777%252Fsecured%252Findex.html GET / oam / CredCollectServlet / WNA?authn_try_count =0&spnegotoken= string&challenge_url =%2Foam%2FCredCollectServlet%2FWNA&request_id=-27784&locale= en_US&resource_url =http%253A%252F%252Foraworld.com777%252Fsecured?Findex.html HTTP/1.1 Host: oraworld.com:14100 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0 Accept: text/ html,application / xhtml+xml,application / xml;q =0.9,*/*;q=0.8 Accept-Language: en-US,en;q =0.5 Cookie: OAMRequestContext_oraworld.com:7777_50<Trimmed> LJeWMsd ; OAM_REQ_COUNT=VERSION_4~1 Connection: keep-alive Authorization: Negotiate YIIGlgYGKwYBBQUCoIIGijCCBoagMDA <Trimmed>== HTTP/1.1 302 Moved Temporarily Connection: close Date: Mon, 29 Jun 2015 11:48:50 GMT Transfer-Encoding: chunked Location: http://oraworld.com:7777/ obrar.cgi?encreply =<Trimmed> Set-Cookie: OAM_ID=VERSION_4~SrAPo4Sh9v3M<Trimmed>; path=/; HttpOnly Set-Cookie: OAM_GITO=v1~uid:Wnauser1r&<Trimmed>c-oraworld.c&; path=/; HttpOnly ; expires=Thu, 01-Jan-1970 01:00:00 GMT Set-Cookie: OAM_REQ_0=invalid; path=/; HttpOnly X-ORACLE-DMS-ECID: 74645cb114abea27:-3751213f:14dfcde14b8:-8000-0000000000029fd6

WNA Sequence Diagram www.OraWorld.co.uk Copyright © 2015 , OraWorld Ltd. All rights reserved 57 http://oraworld.com:7777/ obrar.cgi?encreply =<Trimmed > GET / obrar.cgi?encreply =<Trimmed>k%3D HTTP/1.1 Host: oraworld.com:7777 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0 Accept: text/ html,application / xhtml+xml,application / xml;q =0.9,*/*;q=0.8 Accept-Language: en-US,en;q =0.5 Accept-Encoding: gzip , deflate Cookie: OAMRequestContext_oraworld.com:7777_505353= PSSt <Trimmed>rr2SMpNMOF2B/DbQk3/N1Ua1onzJ Connection: keep-alive HTTP/1.1 302 Found Date: Mon, 29 Jun 2015 11:48:52 GMT Server: Oracle-Application-Server-11g Set-Cookie: OAMRequestContext_oraworld.com:7777_505353=;expires= thursday , 01-jan-1970 01:00:00 gmt ; httponly ; path=/ Set-Cookie: OAMAuthnCookie_oraworld.com:7777 =<Trimmed>%3D;httponly; path=/ Set-Cookie: OAMAuthnHintCookie =X; httponly ; path=/ Location: /secured/ index.html Content-Length: 230 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1

WNA Sequence Diagram www.OraWorld.co.uk Copyright © 2015 , OraWorld Ltd. All rights reserved 58 http://oraworld.com:7777/secured/ index.html GET /secured/ index.html HTTP/1.1 Host: oraworld.com:7777 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0 Accept: text/ html,application / xhtml+xml,application / xml;q =0.9,*/*;q=0.8 Accept-Language: en-US,en;q =0.5 Accept-Encoding: gzip , deflate Cookie: OAM_REQ_0=invalid; OAM_REQ_COUNT=VERSION_4~1; OAM_ID= VERSION_4~SrAPo4Sh9v3Mz9YtR0IUJQ==~<Trimmed<; OAMAuthnHintCookie =X Connection: keep-alive HTTP/1.1 200 OK Date: Mon, 29 Jun 2015 11:48:52 GMT Server: Oracle-Application-Server-11g Set-Cookie: OAMAuthnHintCookie =;expires= thursday , 01-jan-1970 01:00:00 gmt ; httponly ; path=/ Set-Cookie: OAMAuthnHintCookie =1; httponly ; path=/; domain=.com Cache-Control: no-cache Pragma: no-cache Last-Modified: Tue, 23 Jun 2015 19:07:39 GMT Etag : "bc06de-3cd-519341a9c54c0” Accept-Ranges: bytes Content-Length: 973 Connection: Keep-Alive Content-Type: text/html Content-Language: en

NTLM versus Kerberos SPNEGO token can contain either NTLM or Kerberos token depending on the Windows client capabilities. All pre–Windows 2000 clients use NTLM. AD domains by default support “mixed” mode. If Kerberos fails, the client falls back to NTLM. HTTP header logger or Fiddler are best to diagnose this. Browser logging can also help. Clock Skew Errors Synchronize clocks on both your OAM Server and the AD server . 59 59 www.OraWorld.co.uk Copyright © 2015 , OraWorld Ltd. All rights reserved Lessons Learnt

Error: kinit (v5): Key table entry not found while getting initial credentials kinit (v5): Preauthentication failed while getting initial credentials kinit (v5): KDC reply did not match expectations while getting initial credentials PROTOCOL and DOMAIN NAME are always in CAPITAL LETTERS. hostname and username are always in lower case . 60 60 www.OraWorld.co.uk Copyright © 2015 , OraWorld Ltd. All rights reserved Lessons Learnt

Configuring Access Manager for Windows Native Authentication OAM 11g WNA Step by Step Setup Guide (Doc ID 1416860.1 ) WNA Basics WNA for multiple AD forest . Oracle Access Manager 11g WNA Quick Start Guide (Doc ID 1416903.1 ) http://tools.ietf.org/html/ rfc4559 Trouble Shooting OAM 11g WNA Issues Quick Start Guide (Doc ID 1433554.1 ) Blogs: Enable Logging & Lessons Learnt Kerberos Basics www.OraWorld.co.uk Copyright © 2015 , OraWorld Ltd. All rights reserved 61 References

Oracle Access Manager Integration with Microsoft Active Directory for Zero Sign-on.

About This Presentation

Slide Content

Tags

Categories

Download

Quick Actions

Statistics

Related Slideshows

Oracle Access Manager Integration with Microsoft Active Directory for Zero Sign-on.

About This Presentation

Slide Content

Slide 1

Slide 2

Slide 3

Slide 4

Slide 5

Slide 6

Slide 7

Slide 8

Slide 9

Slide 10

Slide 11

Slide 12

Slide 13

Slide 14

Slide 15

Slide 16

Slide 17

Slide 18

Slide 19

Slide 20

Slide 21

Slide 22

Slide 23

Slide 24

Slide 25

Slide 26

Slide 27

Slide 28

Slide 29

Slide 30

Slide 31

Slide 32

Slide 33

Slide 34

Slide 35

Slide 36

Slide 37

Slide 38

Slide 39

Slide 40

Slide 41

Slide 42

Slide 43

Slide 44

Slide 45

Slide 46

Slide 47

Slide 48

Slide 49

Slide 50

Slide 51

Slide 52

Slide 53

Slide 54

Slide 55

Slide 56

Slide 57

Slide 58

Slide 59

Slide 60

Slide 61

Slide 62

Tags

Categories

Download

Quick Actions

Statistics

Related Slideshows

8-top-ai-courses-for-customer-support-representatives-in-2025.pptx

7-essential-ai-courses-for-call-center-supervisors-in-2025.pptx

25-essential-ai-courses-for-user-support-specialists-in-2025.pptx

8-essential-ai-courses-for-insurance-customer-service-representatives-in-2025.pptx

Know for Certain

PPT OPD LES 3ertt4t4tqqqe23e3e3rq2qq232.pptx