OAM 10g IWA implementation with IIS 7.5

This post explains the implementation details for achieving IWA (Integrated Windows Authentication) for IIS 7.5 using OAM 10.1.4.3.

Refer to the list of supported / available webgates for respective IIS version and OS version here.

We’ve used Windows 2008 R2 64-bit with IIS 7.5 in our environment. It is assumed that the WebGate instances, Host Identifiers, Authentication Schemes and Policies have already been created. This post covers only the configuration changes required on the IIS server for the IWA mechanism.

The first step is installing the WebGate on the IIS Windows box.

Some important notes on the installation:

  1. Select the Server Type as IIS in the installation wizard.
  2. You might see pop-ups asking to replace DLL files shipped with the WebGate, such as msvcirt.dll, mfc70.dll and obnss3.dll. Click Yes to replace all of those DLL files.
  3. Click Yes to automatically update the IIS configuration.

Here are the actual SSO configuration changes required:

  • Go to C:\Windows\System32\inetsrv\config on the WebGate box. Take a backup of the applicationHost.config file. Edit applicationHost.config, search for the word "segment", remove the line <add segment="bin" /> and save the file.
  • Open the IIS Manager.
  • Go to Sites.
  • Click on the site to be protected with IWA.
  • Click ISAPI Filters in the center pane.
  • Verify that an OracleWebGate filter is present and points to webgate.dll. If it is not already there, create one.
  • Go back to Sites. Right-click the site and click Add Virtual Directory.
  • Specify the Alias as access. Specify the Physical path as the WebGate access folder. Click OK.
  • Select access and double-click Handler Mappings in the center pane.
  • Click Edit Feature Permissions in the Actions pane.
  • Enable the Execute check-box and click OK.
  • Go to the WebGate access folder D:\Oracle\webgate\access, right-click it and select Security. Verify the following:
    1. Verify that user “IUSR” has “Allow” for “Modify”.
    2. Verify that user “IIS_IUSRS” has “Allow” for “Modify”.
    3. Verify that user “NETWORK” has “Allow” for “Modify”.
    4. Verify that user “NETWORK SERVICE” has “Allow” for “Modify”.
    5. Verify that group “Administrators” has “Allow” for “Modify”.
  • Go to the site. Double-click Authentication.
  • Right-click Anonymous Authentication and disable it. Right-click Windows Authentication and enable it.
  • Restart IIS using iisreset.
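The IIS-side steps above, scripted for an elevated PowerShell session using the WebAdministration module on Windows 2008 R2. This is an added example, not part of the original post or Oracle's tooling; the site name, the location of webgate.dll and the backup file name are assumptions.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session.
Import-Module WebAdministration
$SiteName   = 'Default Web Site'                                              # assumption
$AccessDir  = 'D:\Oracle\webgate\access'                                      # path from the post
$WebGateDll = 'D:\Oracle\webgate\access\oblix\apps\webgate\bin\webgate.dll'   # assumption
$AppHost    = "$env:windir\System32\inetsrv\config\applicationHost.config"
$Root       = 'MACHINE/WEBROOT/APPHOST'

# 1. Back up applicationHost.config, then remove the hidden "bin" segment so request
#    filtering no longer blocks the WebGate bin folder (the <add segment="bin" /> line).
Copy-Item $AppHost "$AppHost.$(Get-Date -Format yyyyMMddHHmmss).bak"
Remove-WebConfigurationProperty -PSPath $Root `
    -Filter 'system.webServer/security/requestFiltering/hiddenSegments' `
    -Name '.' -AtElement @{ segment = 'bin' }

# 2. Register the OracleWebGate ISAPI filter on the site if it is missing.
$filters = Get-WebConfigurationProperty -PSPath $Root -Location $SiteName `
    -Filter 'system.webServer/isapiFilters' -Name 'Collection'
if (-not ($filters | Where-Object { $_.name -eq 'OracleWebGate' })) {
    Add-WebConfigurationProperty -PSPath $Root -Location $SiteName -Filter 'system.webServer/isapiFilters' `
        -Name '.' -Value @{ name = 'OracleWebGate'; path = $WebGateDll }
}

# 3. Create the "access" virtual directory and allow Execute in its handler mappings.
if (-not (Get-WebVirtualDirectory -Site $SiteName -Name 'access')) {
    New-WebVirtualDirectory -Site $SiteName -Name 'access' -PhysicalPath $AccessDir | Out-Null
}
Set-WebConfigurationProperty -PSPath $Root -Location "$SiteName/access" `
    -Filter 'system.webServer/handlers' -Name 'accessPolicy' -Value 'Read,Script,Execute'

# 4. Report any required identity that lacks an Allow/Modify entry on the access folder.
$modify = [System.Security.AccessControl.FileSystemRights]::Modify
$acl    = Get-Acl $AccessDir
foreach ($id in 'IUSR', 'IIS_IUSRS', 'NETWORK', 'NETWORK SERVICE', 'Administrators') {
    $ok = $acl.Access | Where-Object {
        $_.IdentityReference.Value -match "(^|\\)$([regex]::Escape($id))$" -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $modify) -eq $modify)
    }
    if (-not $ok) { Write-Warning "$id does not have Allow/Modify on $AccessDir" }
}

# 5. Disable Anonymous, enable Windows Authentication for the site, then restart IIS.
$auth = 'system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath $Root -Location $SiteName `
    -Filter "$auth/anonymousAuthentication" -Name 'enabled' -Value $false
Set-WebConfigurationProperty -PSPath $Root -Location $SiteName `
    -Filter "$auth/windowsAuthentication" -Name 'enabled' -Value $true
iisreset
```

Step 4 only reports; it grants nothing, so ACL entries that carry generic rights rather than the Modify bits show up as warnings and should be checked by hand in the Security tab.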


About the Author: Mahendra

I am engulfed in the Oracle Identity & Access Management domain. I have expertise in providing optimized solutions for user provisioning, web access management, Single Sign-On and federation capabilities etc. I am also well versed with complex integrations within Identity Management and other product domains. I have expertise in building demos and implementation experience on the products Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory etc. Look @ my blog: http://talkidentity.blogspot.com