This post covers the key points and documents required to integrate Oracle Access Manager (OAM) 11g with Windows Native Authentication (WNA), so that a user already logged into a Windows Active Directory (MS-AD) domain who tries to access a resource protected by OAM (using the Kerberos Authentication Scheme) is granted access without a second logon (zero sign-on).


If you are new to Oracle Access Manager 11g, check my book on OAM/OIM 11g, available from Amazon.

Terminology

  • WNA : Windows Native Authentication
  • IWA : Integrated Windows Authentication
  • Kerberos : a network authentication protocol that defines how clients interact with the network authentication service
  • KDC : Kerberos Key Distribution Center, the server that issues Kerberos tickets
  • SPN : Service Principal Name
  • TGS : Ticket Granting Service
  • NTLM : NT LAN Manager
  • SPNEGO : Simple and Protected GSSAPI Negotiation Mechanism

Integration of OAM (10g/11g) with Windows Domain Authentication (WNA/IWA) achieves the requirement that a user already logged in to the Windows domain is not prompted again when accessing a resource protected by OAM with the Kerberos authentication scheme.


OAM 10g vs 11g for Zero Sign-On with Windows Domain

A. OAM 10g integration with Windows Domain Authentication (this integration is also referred to as IWA) uses the IE browser and the IIS Web Server. On the IIS Web Server, a WebGate is installed with the authentication module UseIISBuiltinAuthentication. If the client is authenticated in Windows (NTLM or Kerberos) and tries to access a resource protected by the IIS WebGate, the IIS Server requests that the browser send an authentication token to verify. If the token (user logged in to the Windows domain) is verified, the WebGate's UseIISBuiltinAuthentication module sets an HTTP Header variable with the name of the Windows domain user (already authenticated in the Windows domain). The OAM server then uses this HTTP Header variable (the user logged into the domain) to authenticate and authorise the user in OAM.

B. OAM 11g integration with Windows Domain Authentication (this integration is also referred to as WNA) is based on SPNEGO and Kerberos. OAM 11g integration with Windows Domain Authentication (WNA) requires:
i) the user's IE browser to have the Integrated Windows Authentication feature enabled
ii) the OAM cookie domain to be added under the Local Intranet Zone in the browser
iii) the OAM Server to be configured as a Service Provider in the Microsoft KDC

If a user authenticated via Kerberos to the Windows AD domain tries to access an OAM resource (protected by the Kerberos authentication scheme), OAM returns Not Authorised (HTTP 401) to start SPNEGO. The browser (configured with IWA) contacts the Kerberos KDC to obtain a Kerberos ticket for the OAM Server and sends that ticket to the OAM Server. The OAM Server (configured with the Kerberos authentication scheme) reads the Kerberos ticket and authenticates/authorizes the user.

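The SPNEGO exchange above is where zero sign-on silently degrades: a browser that cannot get a Kerberos ticket for the OAM SPN still answers the 401, but with NTLM in its Negotiate token, and a browser that does not treat the OAM host as Intranet zone sends a raw NTLM message. The following Python is an added example (not OAM code and not from the original post) that decodes the Authorization: Negotiate header a browser sends and reports which mechanism it offers first, so you can confirm from a captured request whether the Kerberos path is actually in use. The sample headers, hostnames and the mechToken payloads are constructed for the example; the OIDs are the standard SPNEGO, Kerberos, MS-Kerberos and NTLMSSP identifiers.

```python
import base64

# DER-encoded OIDs (tag 0x06, length, value); all are well-known constants.
OID_SPNEGO = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")       # 1.2.840.113554.1.2.2
OID_MSKRB5 = bytes.fromhex("06092a864882f712010202")     # 1.2.840.48018.1.2.2 (MS Kerberos)
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
OID_NAMES = {OID_KRB5[2:]: "KRB5", OID_MSKRB5[2:]: "MS-KRB5", OID_NTLMSSP[2:]: "NTLMSSP"}
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"  # raw NTLM message, no SPNEGO wrapper


def der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def read_tlv(buf, pos):
    """Read one tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def build_negotiate_header(mech_oids, mech_token):
    """Constructed sample: an SPNEGO NegTokenInit shaped as a browser sends it (RFC 4178)."""
    mech_types = tlv(0xA0, tlv(0x30, b"".join(mech_oids)))  # [0] mechTypes
    token = tlv(0xA2, tlv(0x04, mech_token))                 # [2] mechToken
    neg_init = tlv(0xA0, tlv(0x30, mech_types + token))      # [0] NegTokenInit
    gss = tlv(0x60, OID_SPNEGO + neg_init)                   # GSS-API InitialContextToken
    return "Negotiate " + base64.b64encode(gss).decode()


def classify_negotiate(header_value):
    """Report which mechanism an Authorization header offers first."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"mechanism": "none", "mech_types": [], "note": "not a Negotiate header"}
    try:
        token = base64.b64decode(b64)
        if token.startswith(NTLMSSP_SIGNATURE):
            return {"mechanism": "NTLM", "mech_types": [],
                    "note": "raw NTLMSSP without SPNEGO: browser is not treating the site as Intranet zone"}
        tag, body, _ = read_tlv(token, 0)
        if tag != 0x60 or not body.startswith(OID_SPNEGO):
            raise ValueError("no SPNEGO OID")
        _, neg_init, _ = read_tlv(body, len(OID_SPNEGO))  # [0] NegTokenInit
        _, seq, _ = read_tlv(neg_init, 0)                  # SEQUENCE
        _, mech_types, _ = read_tlv(seq, 0)                # [0] mechTypes
        _, oid_list, _ = read_tlv(mech_types, 0)           # SEQUENCE OF OID
    except (ValueError, IndexError):
        return {"mechanism": "unknown", "mech_types": [], "note": "not a parseable NegTokenInit"}
    names, pos = [], 0
    while pos < len(oid_list):
        _, oid, pos = read_tlv(oid_list, pos)
        names.append(OID_NAMES.get(oid, oid.hex()))
    first = names[0] if names else "none"
    if first in ("KRB5", "MS-KRB5"):
        return {"mechanism": "Kerberos", "mech_types": names, "note": "Kerberos ticket offered: zero sign-on path"}
    if first == "NTLMSSP":
        return {"mechanism": "NTLM", "mech_types": names,
                "note": "NTLM offered first: browser got no ticket for the OAM SPN (check SPN, KDC reachability, clock skew)"}
    return {"mechanism": "unknown", "mech_types": names, "note": "unrecognised mechanism"}


# Constructed sample headers; the mechToken payloads are placeholders, not real tickets.
KERBEROS_HEADER = build_negotiate_header([OID_MSKRB5, OID_KRB5, OID_NTLMSSP], b"<AP-REQ placeholder>")
NTLM_FALLBACK_HEADER = build_negotiate_header([OID_NTLMSSP], NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00")
RAW_NTLM_HEADER = "Negotiate " + base64.b64encode(NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00").decode()

if __name__ == "__main__":
    for header in (KERBEROS_HEADER, NTLM_FALLBACK_HEADER, RAW_NTLM_HEADER):
        print(classify_negotiate(header))
```

Feed `classify_negotiate` the Authorization header value from a browser trace or the OAM server's request log; the `mech_types` order is what the client prefers, so a Kerberos-capable browser lists MS-KRB5/KRB5 before NTLMSSP, and an NTLMSSP-only list means the browser never obtained a service ticket even though SPNEGO itself is working.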

High Level Integration Steps to configure OAM 11g with Windows Domain

1. Create a user in Active Directory which OAM will use during WNA.

2. Create the SPN using the ktpass tool of Windows (this command creates the keytab file and maps the service account to the AD user created in the previous step).

3. Copy the keytab file (generated in the previous step) to the OAM Server.

4. Create a Kerberos configuration file (krb5.conf or any other name) with details such as the AD Domain and KDC Server.

5. At this stage you should have the keytab, the Kerberos conf file, and the user used as the SPN earlier.

6. Go to the OAM Console and define the Kerberos Plug-In (this plug-in uses the Identity Store defined as default; make sure AD is defined as the default Identity Store in OAM 11g).

7. Verify that the Kerberos authentication scheme uses challenge method WNA and Authentication Module Kerberos.

8. To enable Kerberos-related debug output for OAM, use the Java flags
-Dsun.security.krb5.debug=true -Dsun.security.spnego.debug=true

9. Configure the resource in OAM to use the Kerberos Authentication Scheme.
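Most WNA failures trace back to steps 2 to 4 disagreeing with each other: the keytab holds a different principal than the SPN you registered, the realm in krb5.conf is spelt in lower case, or ktpass produced an RC4 key. The Python below is an added example (not Oracle code and not from the original post) that checks those three artifacts against each other before you touch the OAM Console in step 6: it parses an MIT-format keytab (the format ktpass writes) the way `klist -k -e` would, reads the [libdefaults] and [realms] sections of the krb5.conf, and lists any mismatch. The SPN, realm, hostnames, key bytes and sample krb5.conf are constructed for the example.

```python
import struct

# MIT keytab (version 0x0502, integers big-endian): int32 entry_size | uint16 num_components |
# cos realm | cos component... | uint32 name_type | uint32 timestamp | uint8 vno8 |
# uint16 enctype | cos key | [uint32 vno], where cos = uint16 length + bytes.
WEAK_ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "arcfour-hmac (RC4)"}


def _cos(data):
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Constructed sample keytab (ktpass writes the real one); entries = [(principal, enctype, key, kvno)]."""
    out = b"\x05\x02"
    for principal, enctype, key, kvno in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cos(realm.encode()) + b"".join(_cos(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type NT-PRINCIPAL, timestamp 0, vno8
        body += struct.pack(">H", enctype) + _cos(key) + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(data):
    """List principal, enctype and kvno of each key, like `klist -k -e` on the OAM host."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-0x0502 keytab")

    def cos(p):
        (n,) = struct.unpack(">H", data[p:p + 2])
        return data[p + 2:p + 2 + n], p + 2 + n

    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:  # a negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        realm, pos = cos(pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = cos(pos)
            comps.append(comp.decode())
        vno8, enctype = struct.unpack(">xxxxxxxxBH", data[pos:pos + 11])  # skip name_type, timestamp
        key, pos = cos(pos + 11)
        kvno = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "enctype": enctype, "kvno": kvno, "key_len": len(key)})
        pos = end
    return entries


def parse_krb5_conf(text):
    """Minimal reader for the [libdefaults] and [realms] sections written in step 4."""
    conf, section, realm = {"libdefaults": {}, "realms": {}}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            section, realm = line.strip("[]").lower(), None
        elif section == "realms" and line.endswith("{"):
            realm = line.split("=")[0].strip()
            conf["realms"][realm] = {}
        elif line == "}":
            realm = None
        elif "=" in line and section in conf:
            key, value = (s.strip() for s in line.split("=", 1))
            if section == "libdefaults":
                conf["libdefaults"][key] = value
            elif realm:
                conf["realms"][realm][key] = value
    return conf


def check_wna_setup(spn, keytab_bytes, krb5_conf_text):
    """Cross-check the SPN, keytab and krb5.conf from steps 2-4; an empty list means they agree."""
    findings = []
    name, realm = spn.rsplit("@", 1)
    if realm != realm.upper():
        findings.append("Kerberos realm in the SPN must be upper-case")
    entries = parse_keytab(keytab_bytes)
    principals = [e["principal"] for e in entries]
    if spn not in principals:
        findings.append(f"keytab has no key for {spn} (found {principals})")
    for e in entries:
        if e["enctype"] in WEAK_ENCTYPES:
            findings.append(f"{e['principal']} keyed with weak {WEAK_ENCTYPES[e['enctype']]}; regenerate with AES")
    conf = parse_krb5_conf(krb5_conf_text)
    if conf["libdefaults"].get("default_realm") != realm:
        findings.append(f"krb5.conf default_realm {conf['libdefaults'].get('default_realm')!r} != SPN realm {realm!r}")
    if "kdc" not in conf["realms"].get(realm, {}):
        findings.append(f"krb5.conf has no kdc entry for realm {realm}")
    return findings


# Constructed sample artifacts: the SPN, realm, hostnames and key bytes are made up for the example.
SPN = "HTTP/oam.example.com@EXAMPLE.COM"
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = dc01.example.com
    }
"""
AES_KEYTAB = build_keytab([(SPN, 18, b"\x11" * 32, 2)])  # aes256-cts-hmac-sha1-96
RC4_KEYTAB = build_keytab([(SPN, 23, b"\x22" * 16, 2)])  # arcfour-hmac
```

Run `check_wna_setup(spn, open("oam.keytab", "rb").read(), open("krb5.conf").read())` on the files you copied to the OAM Server in step 3; the SPN string is the one you passed to ktpass. An empty result means the three artifacts name the same principal and realm and the key is AES, which is what step 5 should mean before you proceed to the Kerberos plug-in.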


References/Related

  • 1379388.1 OAM 11g : How to use OAM 11.1.1.5 and NTLM/Kerberos negotiation with Windows 7
  • 1299411.1 OAM 11g : What is the Difference between IWA and WNA ?
  • 1416860.1 OAM 11g WNA Step by Step Setup Guide
  • 1416903.1 Oracle Access Manager 11g WNA Quick Start Guide
  • OAM 11g integration for WNA
