Oracle Access Manager Integration with Microsoft Active Directory for Zero Sign-on.
Download as PPTX, PDF2 likes4,169 views
The document is a presentation on integrating Oracle Access Manager with Windows Native Authentication and Active Directory. It includes an agenda that covers WNA and Kerberos basics, WNA configurations on the domain controller and OAM server, testing WNA using a demo, and lessons learned. The main sections describe Kerberos authentication protocols, generating a keytab file on the domain controller, configuring an Active Directory identity store and Kerberos authentication module on OAM, and browser settings for SSO using WNA.
![WNA Configuration
• Copy generated keytab
(binary file) to OAM Server
• Set up krb5.conf
- Unix : /etc/krb5.conf on unix
- Windows: C:windowskrb5.conf
• KRB5_CONFIG env variable
www.OraWorld.co.uk
Copyright © 2015, OraWorld Ltd. All rights reserved 27
OAM Server
[logging]
default = FILE:/u01/app/oracle/middleware/Oracle_IAM1/wna/krb5libs.log
kdc = FILE:/u01/app/oracle/middleware/Oracle_IAM1/wna/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = OWAD.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 600
clock_skew= 600
udp_preference_limit= 1
default_tkt_enctypes = RC4-HMAC
default_tgs_enctypes = RC4-HMAC
[realms]
OWAD.LOCAL = {
kdc = owwin-ad.owad.local
admin_server = owwin-ad.owad.local
default_domain = OWAD.LOCAL
}
[domain_realm]
.owad.local = OWAD.LOCAL
owad.local = OWAD.LOCAL](https://image.slidesharecdn.com/oamwnasangam15-151123195308-lva1-app6892/85/Oracle-Access-Manager-Integration-with-Microsoft-Active-Directory-for-Zero-Sign-on-27-320.jpg)
![WNA Configuration
www.OraWorld.co.uk
Copyright © 2015, OraWorld Ltd. All rights reserved 28
OAM Server
• Klist commands
[orafmw@iam ~]$ klist -e
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_500)
Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
[orafmw@iam ~]$ klist -k /u01/app/oracle/middleware/Oracle_IAM1/wna/oraworld.keytab -t -K -e
Keytab name: FILE:/u01/app/oracle/middleware/Oracle_IAM1/wna/oraworld.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
3 01/01/70 01:00:00 HTTP/oraworld.com@OWAD.LOCAL (ArcFour with
HMAC/md5) (0x1d1b117a1db40dc241f7838b083a6b9d)](https://image.slidesharecdn.com/oamwnasangam15-151123195308-lva1-app6892/85/Oracle-Access-Manager-Integration-with-Microsoft-Active-Directory-for-Zero-Sign-on-28-320.jpg)
![WNA Configuration
www.OraWorld.co.uk
Copyright © 2015, OraWorld Ltd. All rights reserved 29
OAM Server
• Kinit command
[orafmw@iam ~]$ kinit -V HTTP/oraworld.com@OWAD.LOCAL -k -t
/u01/app/oracle/middleware/Oracle_IAM1/wna/oraworld.keytab
Authenticated to Kerberos v5
[orafmw@iam ~]$ klist -e
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: HTTP/oraworld.com@OWAD.LOCAL
Valid starting Expires Service principal
06/22/15 11:47:22 06/22/15 21:47:27 krbtgt/OWAD.LOCAL@OWAD.LOCAL
renew until 06/23/15 11:47:22, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached](https://image.slidesharecdn.com/oamwnasangam15-151123195308-lva1-app6892/85/Oracle-Access-Manager-Integration-with-Microsoft-Active-Directory-for-Zero-Sign-on-29-320.jpg)
Oracle Access Manager Integration with Microsoft Active Directory for Zero Sign-on.
- 1. Oracle Access Manager integration with WNA/AD 122nd November 2015 Hyderabad, India #AIOUG SANGAM 15 Sumit Gupta . . . . meeting of minds
- 2. Introduction • Presenter – Sumit Gupta • 10+ Years experience in Oracle Fusion Middleware • OPN Certified IAM Expert – Oracle Identity Manager 11g Certified Implementation Specialist – Oracle Access Management Suite Plus 11g Implementation Specialist – Oracle Certified Associate, Oracle Weblogic Server 12c administrator • Presenter – UKOUG Tech 14 – Liverpool, UK – Middleware SIG – Reading, UK – Sangam 2015 – Hyderabad, India – UKOUG Tech 15 – Birmingham, UK • Blogger (www.OraWorld.co.uk) – More than 150 articles – 1200 + subscribers www.OraWorld.co.ukwww.OraWorld.co.uk 2Copyright © 2015, OraWorld Ltd. All rights reseved
- 3. Agenda • Windows Native Authentication Overview • Kerberos Basics • WNA Configurations • WNA Testing (Demo Viewlet) • WNA Sequence Flow • Lessons Learnt • References • QnA Session www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved 3
- 4. Windows Native Authentication www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved 4
- 5. Kerberos Basics www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved 5 • Native authentication protocol in Active Directory • Kerberos Domain • Principal (Machines, Services & Users) – Service Principal Name (SPN) • PROTOCOL/hostname for services • username@DOMAIN for users • Key Distribution Center (KDC) • Ticket Granting Ticket (TGT) • Service Ticket (ST)
- 6. Kerberos Basics www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved 6
- 7. Kerberos Basics www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved 7
- 8. Kerberos Basics www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved 8
- 9. Kerberos Basics www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved 9
- 10. Kerberos Basics www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved 10
- 11. Kerberos Basics www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved 11
- 12. Kerberos Basics www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved 12
- 13. Kerberos Basics www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved 13
- 14. Kerberos Basics www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved 14
- 15. Kerberos Basics www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved 15
- 16. Kerberos Basics www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved 16
- 17. Kerberos Basics www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved 17
- 18. Kerberos Basics www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved 18
- 19. Kerberos Basics www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved 19
- 20. Kerberos Basics www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved 20
- 21. Kerberos Basics www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved 21
- 22. Kerberos Basics www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved 22
- 23. WNA High Level Steps • Tasks on the Windows domain controller: - Configuring the domain controller to support Kerberos Authentication - Generating a keytab file for a service user • Tasks on the Oracle Access Manager server: - Configuring an Active Directory identity store - Configuring a Kerberos authentication module - Defining a policy that uses the Kerberos authentication module to protect resources • Configuring end-user browsers 23 www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved
- 24. WNA Configuration • Create a service user in Windows AD Server. www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved 24 AD Server
- 25. WNA Configuration • KeyTab generation – contains shared secret key of the service ktpass.exe -princ HTTP/<OHS hostname>@<AD Server Domain> -pass <Password of the user created to be mapped> – mapuser <AD DOMAINsAMAccountName of the user created > – out <Location_of_keytab_file> www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved 25 AD Server
- 26. WNA Configuration www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved 26 AD Server
- 27. WNA Configuration • Copy generated keytab (binary file) to OAM Server • Set up krb5.conf - Unix : /etc/krb5.conf on unix - Windows: C:windowskrb5.conf • KRB5_CONFIG env variable www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved 27 OAM Server [logging] default = FILE:/u01/app/oracle/middleware/Oracle_IAM1/wna/krb5libs.log kdc = FILE:/u01/app/oracle/middleware/Oracle_IAM1/wna/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = OWAD.LOCAL dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 600 clock_skew= 600 udp_preference_limit= 1 default_tkt_enctypes = RC4-HMAC default_tgs_enctypes = RC4-HMAC [realms] OWAD.LOCAL = { kdc = owwin-ad.owad.local admin_server = owwin-ad.owad.local default_domain = OWAD.LOCAL } [domain_realm] .owad.local = OWAD.LOCAL owad.local = OWAD.LOCAL
- 28. WNA Configuration www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved 28 OAM Server • Klist commands [orafmw@iam ~]$ klist -e klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_500) Kerberos 4 ticket cache: /tmp/tkt500 klist: You have no tickets cached [orafmw@iam ~]$ klist -k /u01/app/oracle/middleware/Oracle_IAM1/wna/oraworld.keytab -t -K -e Keytab name: FILE:/u01/app/oracle/middleware/Oracle_IAM1/wna/oraworld.keytab KVNO Timestamp Principal ---- ----------------- -------------------------------------------------------- 3 01/01/70 01:00:00 HTTP/oraworld.com@OWAD.LOCAL (ArcFour with HMAC/md5) (0x1d1b117a1db40dc241f7838b083a6b9d)
- 29. WNA Configuration www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved 29 OAM Server • Kinit command [orafmw@iam ~]$ kinit -V HTTP/oraworld.com@OWAD.LOCAL -k -t /u01/app/oracle/middleware/Oracle_IAM1/wna/oraworld.keytab Authenticated to Kerberos v5 [orafmw@iam ~]$ klist -e Ticket cache: FILE:/tmp/krb5cc_500 Default principal: HTTP/oraworld.com@OWAD.LOCAL Valid starting Expires Service principal 06/22/15 11:47:22 06/22/15 21:47:27 krbtgt/OWAD.LOCAL@OWAD.LOCAL renew until 06/23/15 11:47:22, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5 Kerberos 4 ticket cache: /tmp/tkt500 klist: You have no tickets cached
- 30. WNA Configuration www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved 30 OAM Server
- 31. WNA Configuration www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved 31 OAM Server
- 32. WNA Configuration www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved 32 OAM Server
- 33. WNA Configuration www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved 33 OAM Server
- 34. WNA Configuration www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved 34 OAM Server
- 35. WNA Configuration www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved 35 OAM Server
- 36. WNA Configuration www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved 36 OAM Server
- 37. WNA Configuration www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved 37 OAM Server
- 38. WNA Configuration www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved 38 OAM Server
- 39. Browser Configuration www.OraWorld.co.uk 39 Copyright © 2015, OraWorld Ltd. All rights reserved 39 • Open Internet Explorer • Go to Tools > Internet Options > Security > Local Intranet > Advanced • Add OAM Server host name Internet Explorer
- 40. Browser Configuration www.OraWorld.co.uk 40 Copyright © 2015, OraWorld Ltd. All rights reserved 40 Internet Explorer
- 41. Browser Configuration www.OraWorld.co.uk 41 Copyright © 2015, OraWorld Ltd. All rights reserved 41 Internet Explorer
- 42. Browser Configuration www.OraWorld.co.uk 42 Copyright © 2015, OraWorld Ltd. All rights reserved 42 • Go to Advanced tab > Security • Check the box besides – Enable Integrated Windows Authentication Internet Explorer
- 43. Browser Configuration www.OraWorld.co.uk 43 Copyright © 2015, OraWorld Ltd. All rights reserved 43 Internet Explorer
- 44. Browser Configuration www.OraWorld.co.uk 44 Copyright © 2015, OraWorld Ltd. All rights reserved 44 • Go to Security > Local Intranet > Custom Level • Select Automatic logon only in Intranet zone • Restart Internet Explorer Internet Explorer
- 45. Browser Configuration www.OraWorld.co.uk 45 Copyright © 2015, OraWorld Ltd. All rights reserved 45 Internet Explorer
- 46. Browser Configuration www.OraWorld.co.uk 46 Copyright © 2015, OraWorld Ltd. All rights reserved 46 • Google Chrome uses the Internet Explorer settings. Chrome
- 47. Browser Configuration www.OraWorld.co.uk 47 Copyright © 2015, OraWorld Ltd. All rights reserved 47 • about:config • Set network.negotiate-auth.trusted-uris to OAMHOST.DOMAIN. Firefox
- 48. Browser Configuration www.OraWorld.co.uk 48 Copyright © 2015, OraWorld Ltd. All rights reserved 48 Firefox
- 49. WNA Testing www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved 49 • Demo Viewlet Link • https://www.youtube.com/watch?v=C-HKAN2InyY
- 50. WNA Sequence Diagram www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved 50
- 51. WNA Sequence Diagram www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved 51 OAM Server Log. <11-Jun-2015 13:03:12 o'clock BST> <Notice> <LoggingService> <BEA-320401> <The log file has been rotated to /u01/app/oracle/middleware/user_projects/domains/iam_domain/servers/oam_server1/logs/oam_server1.log00059. Log messages will continue to be logged in /u01/app/oracle/middleware/user_projects/domains/iam_domain/servers/oam_server1/logs/oam_server1.log.> >>> KeyTabInputStream, readName(): OWAD.LOCAL >>> KeyTabInputStream, readName(): HTTP >>> KeyTabInputStream, readName(): oraworld.com >>> KeyTab: load() entry length: 63; type: 23 Added key: 23version: 3 Ordering keys wrt default_tkt_enctypes list default etypes for default_tkt_enctypes: 23. 0: EncryptionKey: keyType=23 kvno=3 keyValue (hex dump)= 0000: 1D 1B 11 7A 1D B4 0D C2 41 F7 83 8B 08 3A 6B 9D ...z....A....:k.
- 52. WNA Sequence Diagram www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved 52 http://oraworld.com:7777/secured/index.html GET /secured/index.html HTTP/1.1 Host: oraworld.com:7777 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive HTTP/1.1 302 Found Date: Mon, 29 Jun 2015 11:48:49 GMT Server: Oracle-Application-Server-11g Set-Cookie: OAMAuthnHintCookie=0@1435578529; httponly; path=/; domain=.com Set-Cookie: OAMRequestContext_oraworld.com:7777_505353=PSSttVqN64gXBgIbzgp8jA==;max-age=300; httponly; path=/ Location: http://oraworld.com:14100/oam/server/obrareq.cgi?encquery%3DxjRnrPN5vUi8FDE0h2Os3fXf <Trimmed> Content-Length: 652 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1
- 53. WNA Sequence Diagram www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved 53 http://oraworld.com:14100/oam/server/obrareq.cgi?encquery%<Trimmed> GET /oam/server/obrareq.cgi?encquery%3DxjRn<Trimmed>HTTP/1.1 Host: oraworld.com:14100 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: OAMRequestContext_oraworld.com:7777_505353=PSSttVqN64gXBgIbzgp8jA== Connection: keep-alive HTTP/1.1 302 Moved Temporarily Connection: close Date: Mon, 29 Jun 2015 11:48:49 GMT Transfer-Encoding: chunked Location: http://oraworld.com:14100/oam/CredCollectServlet/WNA?authn_try_count=0&spnegotoken=string&challenge_url=%2Foa m%2FCredCollectServlet%2FWNA&request_id=- 276341910699531784&locale=en_US&resource_url=http%253A%252F%252Foraworld.com%253A7777%252Fsecured%252Finde x.html Set-Cookie: OAM_REQ_0=VERSION_4~ugKPHSCILJo%<Trimmed>; path=/; HttpOnly Set-Cookie: OAM_REQ_COUNT=VERSION_4~1; path=/; HttpOnly X-ORACLE-DMS-ECID: 74645cb114abea27:-3751213f:14dfcde14b8:-8000-0000000000029fd1
- 54. WNA Sequence Diagram www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved 54 http://oraworld.com:14100/oam/CredCollectServlet/WNA?authn_try_count=0&spnegotoken=string&challenge_url=%2Foam%2F CredCollectServlet%2FWNA&request_id=- 276341910699531784&locale=en_US&resource_url=http%253A%252F%252Foraworld.com%253A7777%252Fsecured%252Finde x.html GET /oam/CredCollectServlet/WNA?authn_try_count=0&spnegotoken=string&challenge_url=%2Foam%2FCredCollectServlet%2 FWNA&request_id=- 276341910699531784&locale=en_US&resource_url=http%253A%252F%252Foraworld.com%253A7777%252Fsecured%252Finde x.html HTTP/1.1 Host: oraworld.com:14100 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: OAMRequestContext_oraworld.com:7777_505353=<Trimmed>OAM_REQ_COUNT=VERSION_4~1 Connection: keep-alive HTTP/1.1 401 Unauthorized Cache-Control: no-cache, no-store Date: Mon, 29 Jun 2015 11:48:50 GMT Pragma: no-cache Content-Length: 0 Content-Type: text/html; charset=UTF-8 Expires: 0 WWW-Authenticate: Negotiate WWW-Authenticate: Basic realm="OAM 11g"
- 55. WNA Sequence Diagram www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved 55 http://oraworld.com:14100/oam/CredCollectServlet/WNA?authn_try_count=0&spnegotoken=string&challenge_url=%2Foam%2F CredCollectServlet%2FWNA&request_id=- 23&locale=en_US&resource_url=http%253A%252F%252Foraworld.com%253A7777%252Fsecured%252Findex.html GET /oam/CredCollectServlet/WNA?authn_try_count=0&spnegotoken=string&challenge_url=%2Foam%2FCredCollectServlet%2FWNA &request_id=-27784&locale=en_US&resource_url=http%253A%252F%252Foraworld.com777%252Fsecured?Findex.html HTTP/1.1 Host: oraworld.com:14100 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: OAMRequestContext_oraworld.com:7777_50<Trimmed>LJeWMsd; OAM_REQ_COUNT=VERSION_4~1 Connection: keep-alive Authorization: Negotiate YIIGlgYGKwYBBQUCoIIGijCCBoagMDA<Trimmed>== HTTP/1.1 302 Moved Temporarily Connection: close Date: Mon, 29 Jun 2015 11:48:50 GMT Transfer-Encoding: chunked Location: http://oraworld.com:7777/obrar.cgi?encreply=<Trimmed> Set-Cookie: OAM_ID=VERSION_4~SrAPo4Sh9v3M<Trimmed>; path=/; HttpOnly Set-Cookie: OAM_GITO=v1~uid:Wnauser1r&<Trimmed>c-oraworld.c&; path=/; HttpOnly; expires=Thu, 01-Jan-1970 01:00:00 GMT Set-Cookie: OAM_REQ_0=invalid; path=/; HttpOnly X-ORACLE-DMS-ECID: 74645cb114abea27:-3751213f:14dfcde14b8:-8000-0000000000029fd6
- 56. WNA Sequence Diagram www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved 56
- 57. WNA Sequence Diagram www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved 57 http://oraworld.com:7777/obrar.cgi?encreply=<Trimmed> GET /obrar.cgi?encreply=<Trimmed>k%3D HTTP/1.1 Host: oraworld.com:7777 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: OAMRequestContext_oraworld.com:7777_505353=PSSt<Trimmed>rr2SMpNMOF2B/DbQk3/N1Ua1onzJ Connection: keep-alive HTTP/1.1 302 Found Date: Mon, 29 Jun 2015 11:48:52 GMT Server: Oracle-Application-Server-11g Set-Cookie: OAMRequestContext_oraworld.com:7777_505353=;expires=thursday, 01-jan-1970 01:00:00 gmt; httponly; path=/ Set-Cookie: OAMAuthnCookie_oraworld.com:7777=<Trimmed>%3D;httponly; path=/ Set-Cookie: OAMAuthnHintCookie=X; httponly; path=/ Location: /secured/index.html Content-Length: 230 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1
- 58. WNA Sequence Diagram www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved 58 http://oraworld.com:7777/secured/index.html GET /secured/index.html HTTP/1.1 Host: oraworld.com:7777 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: OAM_REQ_0=invalid; OAM_REQ_COUNT=VERSION_4~1; OAM_ID=VERSION_4~SrAPo4Sh9v3Mz9YtR0IUJQ==~<Trimmed<; OAMAuthnHintCookie=X Connection: keep-alive HTTP/1.1 200 OK Date: Mon, 29 Jun 2015 11:48:52 GMT Server: Oracle-Application-Server-11g Set-Cookie: OAMAuthnHintCookie=;expires=thursday, 01-jan-1970 01:00:00 gmt; httponly; path=/ Set-Cookie: OAMAuthnHintCookie=1; httponly; path=/; domain=.com Cache-Control: no-cache Pragma: no-cache Last-Modified: Tue, 23 Jun 2015 19:07:39 GMT Etag: "bc06de-3cd-519341a9c54c0” Accept-Ranges: bytes Content-Length: 973 Connection: Keep-Alive Content-Type: text/html Content-Language: en
- 59. • NTLM versus Kerberos - SPNEGO token can contain either NTLM or Kerberos token depending on the Windows client capabilities. All pre–Windows 2000 clients use NTLM. AD domains by default support “mixed” mode. - If Kerberos fails, the client falls back to NTLM. - HTTP header logger or Fiddler are best to diagnose this. Browser logging can also help. • Clock Skew Errors - Synchronize clocks on both your OAM Server and the AD server . 59 59 www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved Lessons Learnt
- 60. • Error: - kinit(v5): Key table entry not found while getting initial credentials - kinit(v5): Preauthentication failed while getting initial credentials - kinit(v5): KDC reply did not match expectations while getting initial credentials • PROTOCOL and DOMAIN NAME are always in CAPITAL LETTERS. • hostname and username are always in lower case. 60 60 www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved Lessons Learnt
- 61. • Configuring Access Manager for Windows Native Authentication OAM 11g WNA Step by Step Setup Guide (Doc ID 1416860.1) • WNA Basics • WNA for multiple AD forest. • Oracle Access Manager 11g WNA Quick Start Guide (Doc ID 1416903.1) • http://tools.ietf.org/html/rfc4559 • Trouble Shooting OAM 11g WNA Issues Quick Start Guide (Doc ID 1433554.1) • Blogs: Enable Logging & Lessons Learnt • Kerberos Basics www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved 61 References
- 62. QnA www.OraWorld.co.uk Copyright © 2015, OraWorld Ltd. All rights reserved 62