This post covers the key points and documents required to integrate Oracle Access Manager (OAM) 11g with Windows Native Authentication (WNA), so that a user who is logged in to Windows Active Directory (MS-AD) and tries to access a resource protected by OAM (using the Kerberos Authentication Scheme) is granted access without a further logon (zero sign-on).
If you are new to Oracle Access Manager 11g, check my book on OAM/OIM 11g, available from Amazon.
- WNA : Windows Native Authentication
- IWA : Integrated Windows Authentication
- Kerberos : a protocol that defines how clients interact with a network authentication service
- KDC : Kerberos Key Distribution Center, the server that issues Kerberos tickets
- SPN : Service Principal Name
- TGS : Ticket Granting System
- NTLM : NT LAN Manager
- SPNEGO : Simple and Protected GSSAPI Negotiation
The goal of integrating OAM (10g/11g) with Windows Domain Authentication (WNA/IWA) is that a user who is logged in to the Windows domain is not prompted again when accessing a resource protected by OAM using the Kerberos authentication scheme.
OAM 10g vs 11g for Zero Sign-On with Windows Domain
A. OAM 10g integration with Windows Domain Authentication (also referred to as IWA) uses the IE browser and the IIS web server. A WebGate is installed on the IIS web server with the authentication module UseIISBuiltinAuthentication. If a client is authenticated to Windows (NTLM or Kerberos) and tries to access a resource protected by the IIS WebGate, the IIS server asks the browser to send an authentication token for verification. If the token (user logged in to the Windows domain) is verified, the WebGate's UseIISBuiltinAuthentication module sets an HTTP header variable to the name of the Windows domain user (already authenticated in the Windows domain). The OAM server then uses this HTTP header variable (user logged in to the domain) to authenticate and authorise the user in OAM.
B. OAM 11g integration with Windows Domain Authentication (also referred to as WNA) is based on SPNEGO and Kerberos. OAM 11g integration with Windows Domain Authentication (WNA) requires:
i) The user's IE browser to have the Integrated Windows Authentication feature enabled
If a user who authenticated via Kerberos to the Windows AD domain tries to access an OAM resource (protected by the Kerberos authentication scheme), OAM returns Not Authorised (HTTP 401) to start SPNEGO. The browser (configured with IWA) contacts the Kerberos KDC to obtain a Kerberos ticket for the OAM Server. The browser sends the Kerberos ticket to the OAM Server. The OAM Server (configured with the Kerberos authentication scheme) reads the Kerberos ticket and authenticates/authorizes the user.
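The check below is an added example, not code from the original post or from Oracle. It classifies the Authorization header a browser returns after the 401, which tells you whether the client actually obtained a Kerberos ticket or fell back to NTLM. The function name, the result labels and the sample token are assumptions constructed for illustration.

```python
import base64

# DER-encoded OID bodies for the mechanisms a browser can offer.
SPNEGO_OID = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")   # 1.2.840.48018.1.2.2
NTLMSSP = b"NTLMSSP\x00"                            # NTLM message signature

def _der_len(buf, pos):
    """Decode the DER length at buf[pos]; return (length, next position)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_authorization(value):
    """Classify the Authorization header sent in reply to the 401."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
        if token.startswith(NTLMSSP):
            return "ntlm"                 # raw NTLM, no Kerberos ticket
        if token[0] != 0x60:              # GSS-API InitialContextToken tag
            return "malformed"
        _, pos = _der_len(token, 1)
        if token[pos] != 0x06:            # mechanism OID must follow
            return "malformed"
        oid_len, pos = _der_len(token, pos + 1)
    except (ValueError, IndexError):      # bad base64 or truncated token
        return "malformed"
    oid, rest = token[pos:pos + oid_len], token[pos + oid_len:]
    if oid in (KRB5_OID, MS_KRB5_OID):
        return "kerberos"
    if oid != SPNEGO_OID:
        return "unknown-mechanism"
    if NTLMSSP in rest:                   # heuristic: the mechToken is NTLM
        return "spnego-ntlm"
    if KRB5_OID in rest or MS_KRB5_OID in rest:
        return "spnego-kerberos"
    return "spnego-other"

if __name__ == "__main__":
    # Constructed sample: a bare NTLM type-1 message, base64-encoded.
    sample = "Negotiate " + base64.b64encode(NTLMSSP + b"\x01\x00\x00\x00").decode()
    print(classify_authorization(sample))
```

A result of ntlm or spnego-ntlm means the browser did not present a Kerberos ticket, so the Kerberos authentication scheme has nothing to validate; the SPN, keytab and browser settings are the places to look.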
High Level Integration Steps to configure OAM 11g with Windows Domain
1. Create a user in Active Directory that OAM will use during WNA
2. Create an SPN using the Windows ktpass tool (this command creates the keytab file and maps the service account to the AD user created in the previous step)
3. Copy the keytab file (generated in the previous step) to the OAM Server
4. Create a Kerberos configuration file (krb5.conf or any other name) with details such as the AD domain and KDC server
5. At this stage you should have the keytab file, the Kerberos configuration file, and the user used for the SPN earlier
6. In the OAM Console, define the Kerberos Plug-In (this plug-in uses the identity store defined as default, so make sure AD is defined as the default Identity Store in OAM 11g)
8. To enable debug related to kerberos for OAM use java flag
9. Configure resource in OAM to use Kerberos Authentication Scheme
- 1379388.1 OAM 11g : How to use OAM 220.127.116.11 and NTLM/Kerberos negotiation with Windows 7
- 1299411.1 OAM 11g : What is the Difference between IWA and WNA ?
- 1416860.1 OAM 11g WNA Step by Step Setup Guide
- 1416903.1 Oracle Access Manager 11g WNA Quick Start Guide
- OAM 11g integration for WNA