I used this piece of software in an earlier setup, and much to my surprise, there's even a Metalink note that references the product.
Anyway, download it here; documentation can be found here.
Friday, December 07, 2007
Thursday, December 06, 2007
How to setup WNA with Oracle
Just a short note on how to set up Windows Native Authentication (WNA) with Oracle Internet Directory (OID), V10.1.2.2 (patched 10G Rel 2).
Of course, it requires that your setup is done, that is, OID is in place, it synchronises with Active Directory (from AD to OID at minimum, or two-way), and the external authentication plugin works. Maybe I will publish on those steps and update this entry with the links. (I did, I did! See this entry on OID AD sync in 10.1.4)
- Create an account in Active Directory for your Single Sign On server. The account is the short name, i.e. login.home.local should be created in AD as login.
- Generate a keytab file for this account on the AD machine; take care, the process is highly case-sensitive!
ktpass -princ HTTP/login.home.local@BORTEL.AD.LOCAL -pass <ad_passwd> -ptype KRB5_NT_PRINCIPAL +desonly -crypto des-cbc-md5 -mapuser login -out login.keytab
The entry following the "-princ" flag is uppercase "HTTP/", followed by the fully qualified domain name (FQDN) of your Single Sign On server in lower case, followed by "@YOUR_AD_DOMAIN", where your Active Directory realm is in uppercase. Note that -pass sets the password of the mapped AD account at the same time, so the keytab and the account stay in step. The command requests single-DES keys (+desonly -crypto des-cbc-md5), which was the norm for this product generation; DES has since been disabled by default in both Active Directory and MIT Kerberos, so on anything newer than the versions covered here use -crypto AES256-SHA1 and drop +desonly.
- Transfer the generated keytab file (in this example, login.keytab) in binary(!) mode to your Single Sign On server. The location is $ORACLE_HOME/j2ee/OC4J_SECURITY/config.
- Create the Kerberos configuration file, krb5.conf. Many Unixes locate the file in /etc. The contents of the file:
[libdefaults]
default_realm = BORTEL.AD.LOCAL
[realms]
BORTEL.AD.LOCAL = {
kdc = pdc01.bortel.ad.local:88
}
[domain_realm]
.home.local = BORTEL.AD.LOCAL
Don't be fooled by the "LOCAL" stuff; default_realm is the Active Directory realm (domain, in Windows terminology), the realms entry tells how your AD server is called and on what port it listens - port 88 is the default for Kerberos.
The last line is very important: it maps your default OID context to the AD realm - mind the leading dot, which makes the entry match every host under home.local. The login account created in step 1 is login@BORTEL.AD.LOCAL, so users can be found 'under' BORTEL.AD.LOCAL. Similarly for OID: the corresponding entries for other users can be found in OID under dc=home,dc=local.
Your setup will differ, and your AD domain probably has an internal name, whereas your OID probably has "company_name.com".
- Check the time on the AD and SSO servers; it should be (almost) the same. Kerberos rejects requests when the clocks differ by more than the allowed skew, five minutes by default.
- Test your Kerberos config:
kinit -k -t $ORACLE_HOME/j2ee/OC4J_SECURITY/config/login.keytab HTTP/login.home.local
It should not respond with anything, just give back the cursor. Run klist afterwards to see the ticket it obtained.
I did get the following error, though:
kinit: KRB5 error code 52 while getting initial credentials
The solution is listed in Microsoft KB832572, and is simply setting the 'Do not require Kerberos preauthentication' option in AD for the 'login' account. It's located under Account options on the Account tab - last entry (you will need to scroll down in the list). Two caveats before you flip that option: error code 52 is KRB_ERR_RESPONSE_TOO_BIG (RFC 4120), i.e. the KDC's reply did not fit in a UDP datagram, and the less intrusive fix is to make the client talk to the KDC over TCP by adding udp_preference_limit = 1 to [libdefaults] in krb5.conf. And an account without preauthentication lets anyone who can reach the KDC obtain an AS-REP encrypted with that account's key and crack the password offline, so if you do disable it, give the 'login' account a long, random password.
- Make a copy of the configuration files for safekeeping:
cp $ORACLE_HOME/sso/conf/policy.properties $ORACLE_HOME/sso/conf/policy.properties.org
cp $ORACLE_HOME/j2ee/OC4J_SECURITY/config/jazn.xml $ORACLE_HOME/j2ee/OC4J_SECURITY/config/jazn.xml.org
cp $ORACLE_HOME/opmn/conf/opmn.xml $ORACLE_HOME/opmn/conf/opmn.xml.org
cp $ORACLE_HOME/j2ee/OC4J_SECURITY/config/jazn-data.xml $ORACLE_HOME/j2ee/OC4J_SECURITY/config/jazn-data.xml.org
cp $ORACLE_HOME/j2ee/OC4J_SECURITY/applications/sso/web/WEB-INF/web.xml $ORACLE_HOME/j2ee/OC4J_SECURITY/applications/sso/web/WEB-INF/web.xml.org
cp $ORACLE_HOME/j2ee/OC4J_SECURITY/application-deployments/sso/orion-application.xml $ORACLE_HOME/j2ee/OC4J_SECURITY/application-deployments/sso/orion-application.xml.org
- Run the ssoca shell:
cd $ORACLE_HOME/sso/bin
./ssoca
[snip]
Usage5: To configure the Single Sign-On server to enable Windows Native Authentication, do:
java -jar ossoca.jar wna -mode sso -oh <oh> -ad_realm <AD_realm> -kdc_host_port <kdc> -keytab <keytab> -ssohost <sso_host> -oid <oid_server> -verbose
where:
oh = Oracle Home Path
AD_realm = Active Directory Realm Name
kdc = Kerberos KDC in the format "hostname:port"
keytab = path of the keytab file that you created for the SSO server
sso_host = SSO server hostname with domain
oid_server = OID server in the format "ldap://oid.acme.com:389"
The actual command will become:
./ssoca wna -mode sso -oh $ORACLE_HOME \
-ad_realm BORTEL.AD.LOCAL -kdc_host_port pdc01.bortel.ad.local:88 \
-keytab $ORACLE_HOME/j2ee/OC4J_SECURITY/config/login.keytab \
-verbose
Mind that the options take plain ASCII hyphens; a typographic dash pasted from a document is not recognised. The usage text also lists -ssohost and -oid; supply them with your SSO server's FQDN and your OID URL if ssoca complains that they are missing.
- Test your WNA - you should now be able to go to the OIDDAS pages without being asked to login.
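The case rules, the clock check and the kinit test above are easy to get wrong by hand, so here is a small preflight script that encodes them. It is an added example written for this page, not code from the original post or from Oracle's ssoca tooling; the host, realm and domain names (login.home.local, BORTEL.AD.LOCAL, pdc01.bortel.ad.local, home.local) are the post's examples and are assumptions for any other environment. The rendered krb5.conf is the one from the post plus udp_preference_limit, the TCP alternative to switching off preauthentication.

```shell
#!/bin/sh
# Added preflight checks for the WNA setup described above (example code for
# this page, not part of the original post or of Oracle's tooling). The names
# used in the comments and usage lines are the post's examples: assumptions.

# Letters spelled out so the checks do not depend on the locale's idea of [A-Z].
UPPER='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
LOWER='abcdefghijklmnopqrstuvwxyz'

# check_spn PRINCIPAL
# Enforces the case rules ktpass is sensitive to: uppercase "HTTP/", a
# lowercase FQDN, and an uppercase "@REALM". Returns 0 when well formed.
check_spn() {
    spn=$1
    case $spn in
        */*@*) ;;
        *) echo "check_spn: expected service/host@REALM, got '$spn'" >&2; return 1 ;;
    esac
    svc=${spn%%/*}          # text before the first '/'
    rest=${spn#*/}          # text after the first '/'
    host=${rest%@*}         # text before the last '@'
    realm=${rest##*@}       # text after the last '@'
    if [ "$svc" != "HTTP" ]; then
        echo "check_spn: service part must be uppercase HTTP, got '$svc'" >&2
        return 1
    fi
    case $host in
        *[$UPPER]*) echo "check_spn: host part must be lowercase: '$host'" >&2; return 1 ;;
        *.*) ;;
        *) echo "check_spn: host part must be a FQDN: '$host'" >&2; return 1 ;;
    esac
    case $realm in
        *[$LOWER]*) echo "check_spn: realm must be uppercase: '$realm'" >&2; return 1 ;;
    esac
    return 0
}

# render_krb5_conf REALM KDC_HOST:PORT DNS_SUFFIX
# Prints a krb5.conf equivalent to the post's, plus udp_preference_limit = 1,
# which makes MIT kinit (and the JDK's Kerberos client) talk to the KDC over
# TCP, so a large reply does not fail with KRB5 error code 52
# (KRB_ERR_RESPONSE_TOO_BIG) and preauthentication can stay switched on.
render_krb5_conf() {
    realm=$1
    kdc=$2
    suffix=$3
    cat <<EOF
[libdefaults]
    default_realm = $realm
    udp_preference_limit = 1

[realms]
    $realm = {
        kdc = $kdc
    }

[domain_realm]
    .$suffix = $realm
    $suffix = $realm
EOF
}

# clock_skew_ok LOCAL_EPOCH REMOTE_EPOCH [MAX_SECONDS]
# Kerberos tolerates 300 s of clock skew by default; beyond that the KDC
# rejects the request, so compare the SSO server's clock with the DC's first.
clock_skew_ok() {
    local_t=$1
    remote_t=$2
    max=${3:-300}
    skew=$((local_t - remote_t))
    if [ "$skew" -lt 0 ]; then skew=$((0 - skew)); fi
    if [ "$skew" -gt "$max" ]; then
        echo "clock skew of ${skew}s exceeds ${max}s" >&2
        return 1
    fi
    return 0
}

# preflight PRINCIPAL KEYTAB
# Runs the checks above, then the same kinit the post uses. kinit prints
# nothing on success; klist then shows the ticket that was obtained.
preflight() {
    spn=$1
    keytab=$2
    check_spn "$spn" || return 1
    if [ ! -r "$keytab" ]; then
        echo "preflight: keytab not readable: $keytab" >&2
        return 1
    fi
    kinit -k -t "$keytab" "$spn" || return 1
    klist
}

# Example session with the post's (assumed) names; nothing runs until called:
#   render_krb5_conf BORTEL.AD.LOCAL pdc01.bortel.ad.local:88 home.local > /etc/krb5.conf
#   clock_skew_ok "$(date +%s)" "$DC_EPOCH"   # DC_EPOCH: the DC's clock in epoch seconds
#   preflight HTTP/login.home.local@BORTEL.AD.LOCAL "$ORACLE_HOME/j2ee/OC4J_SECURITY/config/login.keytab"
```

Source the file and call the functions in that order; check_spn fails on exactly the mistakes the post warns about (lowercase "http/", an uppercase letter in the host, a lowercase realm, a short name instead of an FQDN), and clock_skew_ok takes an explicit tolerance so you can tighten it below the Kerberos default.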
Labels: Active Directory, enterprise, howto, OID, WNA
Wednesday, December 05, 2007
How to log on as orcladmin with WNA?
I finally have WNA working, but now there is another "problem": how can I log in as orcladmin (or any other user, for that matter)? Every time I switch to anything administrative on my OIDDAS page, Windows Native Authentication kicks in and presents me with the less privileged pages.
The only workaround I have found so far, is to disable WNA for the time being.
In IE, it is located in the Advanced Options (Enable Integrated Windows Authentication, under Security); under Firefox, you would have to remove the Single Sign On server from network.negotiate-auth.trusted-uris in about:config.
If anyone has another solution, please comment!