TroubleShooting OAM-Sharepoint Integration

This post will describe some of the trouble shooting tips of OAM and Sharepoint Integration.
Error: Images not appearing:-
Simulation:
1. Access the sharepoint portal page.
2. Enter the OAM credentials to login to portal.
3. Sharepoint portal page will be shown but images are not displayed.
Probable Solution: Check the Anonymous Access checkbox is enabled in Sharepoint Administration website. If not enable it and restart IIS web server.
Create a new web site and create 2 sites, first for default as / and second for testing purpose as sample.
Add the same hostname:port in the host identifiers section.
Restart Access Server.
Goto IIS console and to the new website created, enable the anonymous authentication in the Directory Security. Add the IIS impersonation dll in the Home Directory –> Configurations. Move the IIS dll upwards.
Restart IIS server and test the new sharepoint portal for OAM integration.

Error: Authentication prompting twice:-
Simulation:
1. Access the sharepoint portal page.
2. A windows pops up, user enters OAM credentials and submits.
3. Again a window appears (for Windows Native Authentication) for credentials.
4. Enter the credentials again with DOMAIN (eg., domain_name\orcladmin) and submit.
5. Sharepoint portal page will be shown.
Probable Solution : Check the Integrated Windows Authentication checkbox is enabled in the Sharepoint website. If so, uncheck it and restart IIS webserver.
Error : Access is Denied:
Description:
1. Access the sharepoint portal page.
2. A windows pops up, user enters OAM credentials and submits.
Probable Solutions:
1.Check if there is time difference between OAM machine and webgate Sharepoint machine.
2. Check the web based policies in Sharepoint Portal Administration Page to see if the authorized to see the resource.

Error : 401 UnAuthorized
Solution: Check if the anonymous access is diasabled in the sharepoint website. If so, enable the checkbox and restart IIS server.
Error:The following file(s) have been blocked by the administrator: /access/oblix/apps/webgate/bin/webgate.dll
Probable Solution: Goto Policy Manager console, access the sharepoint policy domain. Goto Authorization rules and check the access is allowed to all users. If not select Any One and try accessing the SPPS resource.

Keypoints to remember for this integration:
1. SPPSImpersonator should be added in DomainController Security Policy and Domain Security Policy. Goto LocalPolicies –> User Rights Assignments and double click act as part of operating system and add the SPPSImpersonator user.
2. Sharepoint machine and OAM installed machine should not have time difference.
3. Sharepoint Administrator website should not have IISImpersonation dll.
4. Sharepoint Administrator website should have both anonymous access and Integrated Windows Authentication checkboxes enabled.
5. The Sharepoint portal website should have anonymous access checkbox enabled, but IWA checkbox disabled.
6. Make the IISImpersonationExtension.dll as the first option in the Wildcard application maps in the sharepoint portal website properties.
7. Ensure that Allow option for Oracle Webgate in Web Service Extensions is greyed.
8. While installing .Net Framework 3.0 (before installing sharepoint) ensure that you are online (internet connection).
9. The Sharepoint policy domain should have Headervar as IMPERSONATE with attribute as uid in the Authentication Actions.
10. Ensure that port is specfied in IIS access gate in the Access System Console before IIS webgate installation.

KeyPoints for Multi Domain SSO:
The above integration has E-business Suite, OAM and Sharepoint were existing on different machines in different domains. OAM will provide multi domain SSO for E-biz and Sharepoint applications.
The OHS webgate installed on OAM machine should act as primary authentication server and IIS webgate installed on Sharepoint machine will act as secondary server.

However, both the webgates will have primary HTTP cookie domain and preferred hostnames specified with their respective domain and machine names.

The Authentication scheme for IIS webgate should have challenge redirect field specified as OHS server (eg., http://ohs_installed_hostname:port).

The Authentication scheme for E-business suite application should have authentication level (say 0) less than that of Auth level for IIS webgate(say 1).

About the Author Mahendra

I am engulfed in Oracle Identity & Access Management domain. I have expertise on providing the optimized solutions for user provisioning, web access management, Single Sign-On and federation capabilities etc., I am also well versed with complex integrations within Identity Management and other product domains. I have expertise on building demos and implementation experience on products Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory etc., Look @ my blog: http://talkidentity.blogspot.com

Leave a Comment:

14 comments
Add Your Reply