OAM 11g integration with Microsoft Windows Active Directory (WNA, IWA, Kerberos) for Zero Sign-On

This post covers key points and documents required to integrate Oracle Access Manager (OAM) 11g using Windows Native Authentication (WNA) so that user logged into Windows Active Directory (MS-AD), try to access recourse protected by OAM (using Kerberos Authentication Scheme) should grant access without logon (zero sign-on).

.

.

If you are new to Oracle Access Manager 11g then check my book on OAM/OIM 11g available from Amazon

.

Terminology

  • WNA : Windows Native Authentication
  • IWA : Integrated Windows Authentication
  • Kerberos : is a Protocol that defines how clients interact with network authentication service.
  • KDC : Kerberos Key Distribution Center server issues kerberos ticket
  • SPN : Service Principal Name
  • TGS : Ticket Granting System
  • NTLM : NTLAN Manager
  • SPNEGO  : Simple and Protected GSSAPI Negotiation
    .

Integration of OAM (10g/11g) with Windows Domain Authentication (WNA/IWA) is to achieve requirement where user logged in to windows domain should not be prompted again when trying to access resource protected by OAM using Kerberos authentication scheme.

 

OAM 10G VS 11G for zero Sign-On with Windows Domain

A. OAM 10g integration with Windows Domain Authentication (this integration is also referred as IWA) uses IE Browser and IIS Web Server. On IIS Web Server, WebGate is installed with authentication module UseIISBuiltinAuthentication. If client is authenticated at windows (NTLM or Kerberos) and tries to access resource protected by IIS WebGate, IIS Server requests browser to send an authentication token to verify. If token (user logged in to windows domain) is verified , the webgate’s UseIISBuiltinAuthentication module sets HTTP Header variable with name of windows domain user (already authenticated in windows domain). OAM server then uses this HTTP Header variable (user logged into domain) to authenticate and authorise user in OAM.

B. OAM 11g integration with Windows Domain Authentication (this integration is also referred as WNA) is based on SPNEGO and Kerberos. OAM 11g integration with Windows Domain Authentication (WNA) requires:
i) User’s IE Browser setting to have Integrated Windows Authentication feature enabled


ii) Add OAM cookie domain under Local Intranet Zone in browser
iii) OAM Server to be configured as Service Provider in Microsoft KDC

If an user authenticated via Kerberos to Windows AD domain, tries to access OAM resource (protected by Kerberos authentication scheme), OAM returns Not Authorised (HTTP 401) to start SPNEGO. The browser (configured with IWA) contacts kerberos KDC to obtain kerberos ticket for OAM Server. The browser sends the Kerberos ticket to the OAM Server. OAM Server (configured with kerberos authentication scheme) reads the kerberos ticket and authenticates/authorizes user.

 

High Level Integration Steps to configure OAM 11g with Windows Domain

1. Create user in Active Directory which OAM will use during WNA

2.
Create SPN using ktpass tool of Windows (This command will create keytab file and map user service account with AD user created in previous step)

3.
Copy keytab file (generated in previous step) to OAM Server

4.
Create kerberos configuration file (krb5.conf or any other name) with details like AD Domain, KDC Server

5. At this stage you should have keytab, kerberos conf file, and user used as SPN used earlier

6. Go to OAM and from OAM Console and define Keberos Plug-In (This plug-in uses Identity store defined as default. Make sure AD is defined as default Identity Store in OAM 11g )


7. Verify Kerberos authentication scheme uses challenge method WNA and Authentication Module kerberos

8. To enable debug related to kerberos for OAM use java flag
-Dsun.security.krb5.debug=true  -Dsun.security.spnego.debug=true

9. Configure resource in OAM to use Kerberos Authentication Scheme

.

References/Related

  • 1379388.1 OAM 11g : How to use OAM 11.1.1.5 and NTLM/Kerberos negotiation with Windows 7
  • 1299411.1 OAM 11g : What is the Difference between IWA and WNA ?
  • 1416860.1 OAM 11g WNA Step by Step Setup Guide
  • 1416903.1 Oracle Access Manager 11g WNA Quick Start Guide
  • OAM 11g integration for WNA

 

About the Author Atul Kumar

Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy : Specialising in Design, Implement, and Trainings.

follow me on:

Leave a Comment:

14 comments
rtylka says May 1, 2012

One problem I’m having with WNA configuration with OAM11g and EBIS is the encryption type. DES encryption is turned off by default in Windows 7 and Windows Server 2008 R2 and it is DES encryption that seems to be required for this type of setup on linux. We tried making all Win7 domain users use DES encryption but it caused them to be unable to change their passwords. So DES is definitely out for us. Not sure what else we can do…

Reply
venkat28 says October 12, 2012

Hello Atul:

Can we configure webgate for IIS 5.O running in Windows 2000 machine. If so, can you please explain me how can it be done? Are there any webgate versions available?

Thanks,
Venkat

Reply
User1 says March 23, 2014

Hi Atul,

I have configured OID as default user store in OAM. With this I have to implement WNA. and I have mentioned OID as user store in the LDAP Authentication Module , Created the Kerberos Authentication Module named WNA_OID, and pointed WNA_OID module in KerberosSchemeOID with challenege Method as WNA. Now in an Application domain I have created a WNA policy which protectes the wnatest.html page and has KerberosSchemeOID.
OID, OAM and the wnatest.html pages are on same linux server whereas AD is on different Windows machine.
I have already verified the knit and klist command on the linux server (where OAM and OID are installed)and found authenticated.
There is a user present in both AD and OID with same password.
I have enabled WNA in IE of AD machine and while testing WNA , I found “An incorrect Username or Password was specified” error and when I have disbled WNA from IE and then it pops up for credentials . When I entered manually like username: abc.kjl, and password maually, it authenticates and allow to see the home page.
So it looks the credentails taken from desktop login are not working , while when maually passed the credential it works and get authenticated from OID.
Please suggest what should I do to make WNA happen automatically with WNA enabled in IE.

Reply
User1 says March 23, 2014

when checked the OAM log I found below error :

Please advice.

Thanks

Reply
User1 says March 23, 2014

I have checked the OAM log and found below error. Please suggest.

Thanks

Reply
User1 says March 24, 2014

Reply
User1 says March 24, 2014

below is the error:

Thanks

Reply
User1 says March 24, 2014

I am unable to copy the error, trying to post once again..

Reply
User1 says March 26, 2014

[2014-03-26T09:23:21.447-05:00] [oam_server1] [ERROR] [] [oracle.oam.proxy.oam] [tid: [ACTIVE].ExecuteThread: ‘1’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid:

9f3fcf5e6669ac10:452849f0:144feb12069:-8000-0000000000000012,1:21415] [APP: oam_server#11.1.2.0.0] Session invalid as returned by PBL_check_valid_session_response responseEvent fail for user

DnU=CN%3Dweblogic,cn%3Dusers,dc%3Daccenture,dc%3Dcom
[2014-03-26T09:27:05.014-05:00] [oam_server1] [ERROR] [] [oracle.oam.proxy.oam] [tid: [ACTIVE].ExecuteThread: ‘0’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid:

9f3fcf5e6669ac10:452849f0:144feb12069:-8000-0000000000000012,1:21746] [APP: oam_server#11.1.2.0.0] Session invalid as returned by PBL_check_valid_session_response responseEvent fail for user

DnU=CN%3Dweblogic,cn%3Dusers,dc%3Daccenture,dc%3Dcom
[2014-03-26T09:30:37.329-05:00] [oam_server1] [ERROR] [OAMSSA-20027] [oracle.oam.user.identity.provider] [tid: [ACTIVE].ExecuteThread: ‘0’ for queue: ‘weblogic.kernel.Default (self-tuning)’]

[userId: ] [ecid: 9f3fcf5e6669ac10:452849f0:144feb12069:-8000-000000000000004c,0] [APP: oam_server#11.1.2.0.0] Could not get user : Acc1234$$, idstore: OID, with exception:

oracle.security.idm.ObjectNotFoundException: No User found matching the criteria.
[2014-03-26T09:49:30.818-05:00] [oam_server1] [ERROR] [OAM-02010] [oracle.oam.controller] [tid: [ACTIVE].ExecuteThread: ‘1’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ]

[ecid: 9f3fcf5e6669ac10:452849f0:144feb12069:-8000-0000000000000063,0] [APP: oam_server#11.1.2.0.0] User account is locked. Authentication failed.
[2014-03-26T10:42:00.802-05:00] [oam_server1] [ERROR] [] [oracle.oam.proxy.oam] [tid: [ACTIVE].ExecuteThread: ‘1’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid:

9f3fcf5e6669ac10:452849f0:144feb12069:-8000-0000000000000012,1:21912] [APP: oam_server#11.1.2.0.0] Session invalid as returned by PBL_check_valid_session_response responseEvent fail for user

DnU=CN%3Dweblogic,cn%3Dusers,dc%3Daccenture,dc%3Dcom
[2014-03-26T10:42:00.802-05:00] [oam_server1] [ERROR] [] [oracle.oam.proxy.oam] [tid: [ACTIVE].ExecuteThread: ‘0’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid:

9f3fcf5e6669ac10:452849f0:144feb12069:-8000-0000000000000012,1:21913] [APP: oam_server#11.1.2.0.0] Session invalid as returned by PBL_check_valid_session_response responseEvent fail for user

DnU=CN%3Dweblogic,cn%3Dusers,dc%3Daccenture,dc%3Dcom
[2014-03-26T11:14:19.339-05:00] [oam_server1] [ERROR] [] [oracle.oam.proxy.oam] [tid: [ACTIVE].ExecuteThread: ‘1’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid:

9f3fcf5e6669ac10:452849f0:144feb12069:-8000-0000000000000012,1:23913] [APP: oam_server#11.1.2.0.0] Session invalid as returned by PBL_check_valid_session_response responseEvent fail for user

DnU=cn%3Dweblogic,cn%3Dusers,dc%3Daccenture,dc%3Dcom
[2014-03-26T11:14:43.694-05:00] [oam_server1] [ERROR] [OAMSSA-20023] [oracle.oam.user.identity.provider] [tid: [ACTIVE].ExecuteThread: ‘1’ for queue: ‘weblogic.kernel.Default (self-tuning)’]

[userId: ] [ecid: 9f3fcf5e6669ac10:452849f0:144feb12069:-8000-00000000000000b6,0] [APP: oam_server#11.1.2.0.0] Authentication Failure for user : weblogic, for idstore OID with exception

invalid username/password with primary error message [LDAP: error code 49 – Invalid Credentials]
[2014-03-26T11:45:36.412-05:00] [oam_server1] [ERROR] [OAM-02010] [oracle.oam.controller] [tid: [ACTIVE].ExecuteThread: ‘0’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ]

[ecid: 9f3fcf5e6669ac10:452849f0:144feb12069:-8000-00000000000000f3,0] [APP: oam_server#11.1.2.0.0] User account is locked. Authentication failed.
[2014-03-26T11:48:26.928-05:00] [oam_server1] [ERROR] [OAM-02010] [oracle.oam.controller] [tid: [ACTIVE].ExecuteThread: ‘0’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ]

[ecid: 9f3fcf5e6669ac10:452849f0:144feb12069:-8000-000000000000010e,0] [APP: oam_server#11.1.2.0.0] User account is locked. Authentication failed.

Reply
User1 says March 26, 2014

Hi Atul,

Any help on the above error which I am facing while doing WNA with OAM 11g R2 where OID is the Primary and System Store… please suggest.

I am struggling with this error.

Thanks,

Reply
Atul Kumar says March 26, 2014

@USer1

Check if user is available in both OID & AD and account is not locked.

—–

Regards
Atul Kumar
Contact Us for Consulting Services

Reply
User1 says March 27, 2014

Thanks Atul for the reply.

Yes user is present in both OID & AD and is part of Administrator Group in both places.

Now I am getting only one error as mentioned below

[2014-03-27T10:45:01.395-05:00] [oam_server1] [ERROR] [OAM-02010] [oracle.oam.controller] [tid: [ACTIVE].ExecuteThread: ‘0’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid: 9f3fcf5e6669ac10:-2fdcd47:145035f6363:-8000-0000000000000108,0] [APP: oam_server#11.1.2.0.0] User account is locked. Authentication failed.

I was able to solve the below two errors by adding the OID authentication Provider in weblogic

9f3fcf5e6669ac10:452849f0:144feb12069:-8000-0000000000000012,1:23913] [APP: oam_server#11.1.2.0.0] Session invalid as returned by PBL_check_valid_session_response responseEvent fail for user DnU=cn%3Dweblogic,cn%3Dusers,dc%3Daccenture,dc%3Dcom

[2014-03-26T11:14:43.694-05:00] [oam_server1] [ERROR] [OAMSSA-20023][oracle.oam.user.identity.provider] [tid: [ACTIVE].ExecuteThread: ’1′ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid:9f3fcf5e6669ac10:452849f0:144feb12069:-8000-00000000000000b6,0] [APP: oam_server#11.1.2.0.0] Authentication Failure for user : weblogic, for idstore OID with exception invalid username/password with primary error message [LDAP: error code 49 – Invalid Credentials]

Please guide

Thanks

Reply
mickey says November 5, 2014

Hi. I wonder if you had any experience to reset EBS passwords after implementing SSO with WNA. Some of our users have “Both” as SSO Login type profile option and will be forced to change their EBS passwords time to time. Because user record is linked with SSO – Password is unchangeable. Could you please advise. Thanks

Reply
Add Your Reply

Not found