Oracle Access Manager 11g interoperates with Windows Native Authentication (WNA). This chapter explains how to integrate Oracle Access Manager with WNA and covers the following topics:
About Oracle Access Manager with Windows Native Authentication
Validating WNA with Oracle Access Manager-Protected Resources
A fully configured Microsoft Active Directory authentication service must already be set up, with user accounts to which the Kerberos services are mapped, Service Principal Names (SPNs) registered for those accounts, and keytab files generated for them. For more information, see Oracle Fusion Middleware Securing Oracle WebLogic Server 11g Release 1 (10.3.3) E13707-03.
Oracle Access Manager enables users of Microsoft Internet Explorer (and of Mozilla Firefox, configured as described later in this chapter) to authenticate to their Web applications automatically using their desktop credentials. This is known as Windows Native Authentication (WNA).
Cross-platform authentication is achieved by emulating the Negotiate (SPNEGO) behavior of native Windows-to-Windows authentication services, which use the Kerberos protocol. For cross-platform authentication to work, non-Windows servers (in this case, Oracle Access Manager) must parse the SPNEGO token sent by the browser in order to extract the Kerberos token inside it; that Kerberos token is what is actually used for authentication.
With Oracle Access Manager single sign-on combined with WNA, the user's desktop logon has already obtained a Kerberos ticket-granting ticket from the domain's Key Distribution Center (KDC). When she opens a protected Web application, her browser uses that ticket to obtain a Kerberos service ticket for the Oracle Access Manager server. The service ticket asserts her identity; it does not contain her password, and it is not visible to her.
With WNA implemented, the user can therefore click on her Web application without another challenge for credentials. Instead, the browser sends the service ticket, wrapped in a SPNEGO token, to the Oracle Access Manager server. The server decrypts and validates the ticket with the service key stored in its keytab, which is the same key the KDC used when it issued the ticket; a ticket encrypted under any other key cannot be decrypted, and an expired ticket is rejected. (Note: The KDC is a trusted third party made up of logically separate services: the authentication service, which issues ticket-granting tickets, and the ticket-granting service, which issues service tickets. The application server, here Oracle Access Manager, is the "service server" that verifies the service ticket and thereby confirms the client's identity; it does not need to contact the KDC to do so.)
If authentication succeeds she is granted access to her Web applications automatically.
For this to work, the application must be protected by an Oracle Access Manager application domain that uses the Kerberos authentication scheme (KerbScheme) with WNA as the challenge method, and the user's credentials must be stored in a Windows Active Directory instance that is registered as a user identity store with Oracle Access Manager.
The integration tasks are as follows: configure the Kerberos client file krb5.conf on the Oracle Access Manager host; create the SPN and keytab in Active Directory with ktpass; verify the keytab with kinit; configure Oracle Access Manager for WNA (Kerberos authentication module, authentication scheme and user identity store); configure the browsers; and validate access to a protected resource.
Open the krb5.conf file, which is located at /etc/krb5.conf, and update it with the following entries (section names are spelled in lower case; realm names are upper case):
[libdefaults]
    default_realm = HOLMIUM.NGAM.COM
    ticket_lifetime = 600
[realms]
    HOLMIUM.NGAM.COM = {
        kdc = holmium.us.oracle.com
        admin_server = holmium.us.oracle.com
        default_domain = HOLMIUM.NGAM.COM
    }
[domain_realm]
    .holmium.ngam.com = HOLMIUM.NGAM.COM
    holmium.ngam.com = HOLMIUM.NGAM.COM
Here, default_realm is the Active Directory Kerberos realm, kdc and admin_server name a domain controller for that realm, and the [domain_realm] entries map host names to the realm. A bare number in ticket_lifetime is read as seconds, so 600 is only ten minutes; use a suffix such as 10h if a longer lifetime is intended.
You perform this task to create an SPN and associate it with a user.
The following procedure includes an example user named testuser. The Oracle Access Manager server is deployed on a machine named mynode47.us.mycorp.com.
To create the SPN and associate it with a user
Create the user in Microsoft Active Directory. Use a dedicated service account rather than a person's account: ktpass resets the account's password and rewrites its userPrincipalName to the SPN.
Run ktpass to create the service principal name, map it to this user, and write the keytab. For example:
ktpass -princ HTTP/mynode47.us.mycorp.com@<REALM> -mapuser testuser -pass Oblix!@# -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1 -out D:\etc\keytab.service
Here:
HTTP/mynode47.us.mycorp.com@<REALM> is the principal name associated with user testuser. The service class is HTTP, the instance is the fully qualified name of the machine on which the Oracle Access Manager server is deployed (here mynode47.us.mycorp.com, spelled exactly as the browser will resolve it), and <REALM> is the Active Directory Kerberos realm in upper case (the default_realm from krb5.conf).
Oblix!@# is testuser's password; ktpass sets the account to this password and derives the keytab key from it. Because a password typed on the command line is kept in the shell history, prefer -pass * so that ktpass prompts for it instead.
-mapuser specifies the user ID (sAMAccountName) to which this principal name is attached. A given principal name can be attached to only one user; a duplicate SPN in the domain causes Kerberos authentication to that service to fail.
-ptype KRB5_NT_PRINCIPAL and -crypto AES256-SHA1 fix the principal type and key type; without -crypto, older ktpass versions write an RC4-HMAC key, which should be avoided.
D:\etc\keytab.service is the keytab file to be generated. Once the file is generated, it is used on the Oracle Access Manager server. It is equivalent to the service account's password and must be protected accordingly.
Copy the newly created keytab.service file to the machine on which the Oracle Access Manager server is running (for example, to /scratch/kerberos/keytab.service, the path used in the following kinit step), and restrict its permissions so that only the account that runs the Oracle Access Manager server can read it.
You use the kinit command to obtain the ticket-granting ticket (TGT) that is used to get tickets for other services. Running it with the keytab proves that the keytab, the principal name and krb5.conf agree with the KDC before Oracle Access Manager is configured to use them.
The kinit command uses the /etc/krb5.conf file; ensure that this file has the correct attributes. The basic syntax for kinit is:
kinit [-k] [-t <keytab_filename>] [<principal>]
On the Oracle Access Manager server host machine, run the command from JDK_HOME/bin (the operating system's Kerberos client provides an equivalent kinit):
kinit -V -k -t /scratch/kerberos/keytab.service HTTP/mynode47.us.mycorp.com@<REALM>
where:
-V indicates verbose mode
-k instructs the command to use a keytab instead of prompting for a password
-t is the keytab filename to use
HTTP/mynode47.us.mycorp.com@<REALM> is the principal name, exactly as given to ktpass
Any error here (unknown principal, wrong key version, clock skew, KDC unreachable) means the keytab or krb5.conf is wrong, and Oracle Access Manager would fail in the same way. After a successful kinit, run klist to confirm that a TGT for the principal is in the credential cache; klist -k -t /scratch/kerberos/keytab.service lists the principals and key versions the keytab contains.
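Before trusting kinit's result, a practitioner usually wants to see what the keytab actually contains and whether krb5.conf agrees with it: the realm in the principal must equal default_realm, that realm needs a kdc entry, and the keytab must hold the exact principal (ideally with AES keys only) that oam-config.xml will later reference. The following Python script is an added example written for this page, not Oracle's code or a tool the product ships. It implements the MIT keytab file format and a minimal krb5.conf reader itself so that it runs offline on constructed input. The principal HTTP/mynode47.us.mycorp.com@HOLMIUM.NGAM.COM combines the host from the ktpass example with the realm from the krb5.conf example and is an assumption, as is the all-zero key material.

```python
"""Preflight check of a WNA keytab against krb5.conf (added example, not Oracle's code).
make_keytab() constructs the keytab in memory so this runs offline; on the OAM host read
/scratch/kerberos/keytab.service instead. Combining host mynode47 (ktpass example) with
realm HOLMIUM.NGAM.COM (krb5.conf example) into one principal is an assumption."""
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK_ENCTYPES = {1, 3, 23}  # DES and RC4; ktpass -crypto AES256-SHA1 avoids them

def _cstr(b):  # keytab counted octet string: uint16 big-endian length, then bytes
    return struct.pack(">H", len(b)) + b

def _take(data, pos):  # inverse of _cstr -> (bytes, next_pos)
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def make_keytab(entries):
    """MIT keytab (format 0x0502) from (principal, kvno, enctype, key) tuples; sample input only."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode()) + b"".join(_cstr(c.encode()) for c in comps)
        body += struct.pack(">IIBH", 1, 1700000000, kvno & 0xFF, enctype) + _cstr(key)  # name_type, timestamp, vno8, keyblock
        body += struct.pack(">I", kvno)  # optional 32-bit kvno that modern writers append
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    """[{principal, kvno, enctype, enctype_name}] for every live entry, like klist -k."""
    assert data[:2] == b"\x05\x02", "not a version-2 MIT keytab"
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]
        pos, end = pos + 4, pos + 4 + abs(size)
        if size > 0:  # a negative size marks a deleted slot, which is skipped
            (ncomp,) = struct.unpack_from(">H", data, pos)
            realm, pos = _take(data, pos + 2)
            comps = []
            for _ in range(ncomp):
                comp, pos = _take(data, pos)
                comps.append(comp.decode())
            vno8, enctype = struct.unpack_from(">BH", data, pos + 8)  # after uint32 name_type and timestamp
            _key, pos = _take(data, pos + 11)  # the key bytes themselves are not needed here
            kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
            entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": kvno,
                            "enctype": enctype, "enctype_name": ENCTYPES.get(enctype, str(enctype))})
        pos = end
    return entries

def parse_krb5_conf(text):
    """Minimal krb5.conf reader -> {section: {key: [values]}}; 'NAME = {' blocks nest as dicts."""
    conf, stack = {}, [{}]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
        elif line == "}":
            stack.pop()
        else:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1].setdefault(key, []).append(value)
    return conf

def preflight(conf_text, keytab_bytes, principal):
    """Cross-check the principal OAM will use against krb5.conf and the keytab -> (ok, findings)."""
    findings, conf = [], parse_krb5_conf(conf_text)
    realm = principal.rpartition("@")[2]
    default_realm = conf.get("libdefaults", {}).get("default_realm", [None])[0]
    if default_realm != realm:  # also fires when the section is misspelled, e.g. [Libdefaults]
        findings.append("default_realm %r does not match principal realm %r" % (default_realm, realm))
    if "kdc" not in conf.get("realms", {}).get(realm, {}):
        findings.append("no kdc entry for realm %r in [realms]" % realm)
    mine = [e for e in parse_keytab(keytab_bytes) if e["principal"] == principal]
    if not mine:
        findings.append("%r is not in the keytab" % principal)
    for e in mine:
        if e["enctype"] in WEAK_ENCTYPES:
            findings.append("weak enctype %s at kvno %d; regenerate with AES" % (e["enctype_name"], e["kvno"]))
    return not findings, findings

SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = HOLMIUM.NGAM.COM
[realms]
    HOLMIUM.NGAM.COM = {
        kdc = holmium.us.oracle.com
    }
"""
PRINCIPAL = "HTTP/mynode47.us.mycorp.com@HOLMIUM.NGAM.COM"  # assumed principal (see docstring)
GOOD_KEYTAB = make_keytab([(PRINCIPAL, 3, 18, bytes(32))])  # constructed, all-zero AES key
STALE_KEYTAB = make_keytab([(PRINCIPAL, 3, 18, bytes(32)), (PRINCIPAL, 2, 23, bytes(16))])  # plus an old RC4 key
```

Call preflight(SAMPLE_KRB5_CONF, STALE_KEYTAB, PRINCIPAL) to see the finding for the leftover RC4 key; for a real check, pass the bytes of /scratch/kerberos/keytab.service and the text of /etc/krb5.conf instead. parse_keytab gives the same listing as klist -k -t, which is the quickest way to confirm that the principal string you put in oam-config.xml matches the keytab byte for byte.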
Proceed to "Configuring Oracle Access Manager for WNA".
This section provides the following topics with steps you can follow:
Set Up the Kerberos Authentication Module in Oracle Access Manager
Set the Oracle Access Manager Authentication Scheme for Windows Native Authentication
Register Microsoft Active Directory as a User-Identity Data Store
Before you can use WNA, you must define specific values for the Kerberos authentication module in the Oracle Access Manager configuration file oam-config.xml.
Users with valid Oracle Access Manager Administrator credentials can perform the following task to define specific values for the Kerberos authentication module in Oracle Access Manager.
To set up the Kerberos Authentication Module
Note: These instructions require hand-editing a configuration file. You can also perform this task using the OAM Administration Console.
Locate the oam-config.xml file in the following path:
Middleware_Home/user_projects/domains/IDMDomain/config/fmwconfig/oam-config.xml
Make a backup copy of the oam-config.xml file and store it in another location in case you need it later.
Edit the oam-config.xml file to define Kerberos module parameters and values. These are the keytab file containing the service principal and its encrypted key, the principal name itself, and the krb5.conf file containing Kerberos configuration information including the locations of KDCs. (Note: These are the keytab produced by ktpass and the krb5.conf edited earlier, copied to the paths given here.) Edit the file as follows:
<authn-module name="Kerberos" type="KERBEROS" id="4" description="Kerberos Module">
  <property value="/u01/app/oracle/install/fmw11g/Middleware/wna/<host_name>.keytab" name="keytabfile"/>
  <property value="HTTP/<host_name>.oracle.com" name="principal"/>
  <property value="/u01/app/oracle/install/fmw11g/Middleware/wna/krb5.conf" name="krbconfigfile"/>
</authn-module>
Here, "host_name" is the name of the Oracle Access Manager server host. The principal value must match an entry in the keytab exactly (compare with klist -k -t), and the keytab file must be readable only by the account that runs the Oracle Access Manager server.
Save the file.
Proceed with "Set the Oracle Access Manager Authentication Scheme for Windows Native Authentication".
Users with valid Oracle Access Manager administrator credentials can perform the following task to set the Kerberos authentication scheme and assign it to the policy that protects the resource.
You can use the Oracle Access Manager Administration Console to ensure that the authentication policy for the protected page is set to use the Kerberos authentication scheme and that the scheme uses the Windows Native Authentication challenge method.
To set the Kerberos authentication scheme
Configure the Kerberos authentication scheme to use WNA as a challenge method:
From the Oracle Access Manager Policy Configuration tab, navigation pane, expand the Authentication Schemes node.
Double-click KerbScheme to display the configuration details.
Change the Challenge Method to WNA, if needed.
Click Apply and close the confirmation window.
Close the page.
Configure the application domain protecting the resource to use the Kerberos authentication scheme as follows:
From the Oracle Access Manager Policy Configuration tab, navigation pane, expand the Application Domains node.
Locate the desired application domain name and expand it.
In the application domain node, expand the Authentication Policies node to reveal existing policies.
Double-click your Protected Resource Policy to display the related page.
Authentication Scheme: Choose KerbScheme from the list.
Click Apply, and then close the confirmation window.
Close the page.
Proceed to "Register Microsoft Active Directory as a User-Identity Data Store".
When using Windows Native Authentication, the user credentials must reside in Microsoft Active Directory, which must be registered as the user identity store for Oracle Access Manager.
Users with valid Oracle Access Manager Administrator credentials can perform the following task to register Microsoft Active Directory as the user store for Oracle Access Manager.
A fully configured Microsoft Active Directory authentication service must be set up with user accounts to which the Kerberos services are mapped, Service Principal Names (SPNs) for those accounts, and keytab files. For more information, see Oracle Fusion Middleware Securing Oracle WebLogic Server 11g Release 1 (10.3.3).
To register Microsoft Active Directory with Oracle Access Manager
From the System Configuration tab, navigation pane, expand the Data Sources node.
Click the User Identity Stores node, and then click the Add button in the tool bar.
Enter the required values for your Microsoft Active Directory. For example:
Store Name: UserIdentityStoreAD
LDAP URL: ldap://ldap_host.domain.com:389
User Search Base: CN=Users,DC=dept,DC=domain,DC=com
User Name Attribute: UserPrincipalName
Group Search Base: CN=Users,DC=dept,DC=domain,DC=com
The User Name Attribute must be the attribute that holds the name presented by the Kerberos ticket (the user's userPrincipalName, typically user@REALM); otherwise the authenticated principal cannot be matched to a directory entry. A plain ldap:// URL on port 389 sends the bind credential and directory data in clear text; use ldaps:// (port 636) in production.
Primary: Click the Primary button to make this the primary user identity store for Oracle Access Manager.
Role Mapping: By default, the Oracle Access Manager administrator's role is the same as the WebLogic administrator's role (Administrators). However, you can define a new Oracle Access Manager Administrator's role in the primary user identity store for Oracle Access Manager 11g. For more information, see the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.
Click Apply to submit the changes and dismiss the confirmation window.
Restart the Oracle Access Manager Administration Server and managed servers.
Verify that the following are specified in the oam-config.xml file:
path to the krb5.conf file
path to the keytab file
a principal to connect with the KDC
Continuing the example used in earlier steps, the oam-config.xml file looks as follows:
<Setting Name="KerberosModules" Type="htf:map">
  <Setting Name="6DBSE52C" Type="htf:map">
    <Setting Name="principal" Type="xsd:string">HTTP/mynode47.us.mycorp.com@<REALM></Setting>
    <Setting Name="name" Type="xsd:string">XYZKerberosModule</Setting>
    <Setting Name="keytabfile" Type="xsd:string">/scratch/kerberos/keytab.service</Setting>
    <Setting Name="krbconfigfile" Type="xsd:string">/etc/krb5.conf</Setting>
  </Setting>
</Setting>
You use the following procedures to configure the Internet Explorer or Mozilla Firefox browsers to return Kerberos tokens. A browser sends a Kerberos token only to a site it has been told to trust; for any other site it does not attempt WNA.
To enable Kerberos tokens in Internet Explorer
On a Windows host in the Active Directory domain, sign in as a domain user.
Open the Internet Explorer browser.
From the Tools menu, click Internet Options, and then click the Advanced tab. In the Security section, check the box beside Enable Integrated Windows Authentication, and click OK.
Click the Security tab, click Local Intranet, click Sites, and then click Advanced. Add the Oracle Access Manager server host or domain name to the Local Intranet zone (use the format http://mynode.myhost:myport) and close the dialogs.
Restart the Internet Explorer browser so the change takes effect.
To enable Kerberos tokens in Mozilla Firefox
Point the browser to about:config.
Add the Oracle Access Manager server host or domain name to network.negotiate-auth.trusted-uris, for example network.negotiate-auth.trusted-uris=http://mynode.myhost:myport. The value is a comma-separated list, so several hosts or a whole domain suffix can be listed.
WNA authentication occurs internally, in the following sequence:
The user requests a protected resource and is redirected to the Oracle Access Manager Server for authentication.
The Oracle Access Manager Server answers with HTTP 401 and a WWW-Authenticate: Negotiate header.
The browser obtains a Kerberos service ticket for HTTP/<server host> from the KDC and sends it, wrapped in a SPNEGO token, in an Authorization: Negotiate header to the Oracle Access Manager Server.
The Oracle Access Manager Server validates the SPNEGO token with its keytab, maps the Kerberos principal to the user in the registered Active Directory identity store, and redirects the user back to the OSSO Agent or Oracle Access Manager Agent with the session cookie; the user is then granted access to the resource.
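The step in which the Oracle Access Manager Server authenticates the user's SPNEGO token, and the earlier remark that a non-Windows server must parse SPNEGO to extract the Kerberos token inside it, come down to the same parsing job. The following Python script is an added example, not Oracle's code: it decodes the value of the Authorization: Negotiate header, checks that the outer GSS-API token carries the SPNEGO OID, reads the client's mechType list and optimistic mechToken, and distinguishes the healthy case (Kerberos offered first) from the NTLM fallback that appears when the browser could not obtain a ticket for HTTP/<host>. The sample tokens are constructed, with a placeholder in place of the real AP-REQ; a production server hands that mechToken to its Kerberos library together with the keytab.

```python
"""Classify the token in 'Authorization: Negotiate ...' (added example, not Oracle's code).
All input is constructed: build_neg_token_init() fabricates a SPNEGO NegTokenInit whose
Kerberos mechToken is placeholder bytes standing in for the AP-REQ a real ticket yields."""
import base64

SPNEGO = "1.3.6.1.5.5.2"
KRB5 = "1.2.840.113554.1.2.2"
MS_KRB5 = "1.2.840.48018.1.2.2"  # legacy Microsoft Kerberos OID, still offered first by Windows
NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
KERBEROS_OIDS = {KRB5, MS_KRB5}

# Minimal DER: enough for GSS-API/SPNEGO framing, which uses only single-byte tags.
def der_tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:  # base-128 with the high bit set on all but the last byte
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += chunk
    return der_tlv(0x06, bytes(out))

def decode_oid(body):
    arcs, cur = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def der_read(buf, pos=0):
    """(tag, body, next_pos) for the TLV that starts at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def der_children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = der_read(body, pos)
        out.append((tag, inner))
    return out

def build_neg_token_init(mech_types, mech_token):
    """GSS-API InitialContextToken (RFC 2743 3.1) carrying a NegTokenInit (RFC 4178 4.2)."""
    mech_list = der_tlv(0x30, b"".join(der_oid(o) for o in mech_types))
    fields = der_tlv(0xA0, mech_list) + der_tlv(0xA2, der_tlv(0x04, mech_token))
    return der_tlv(0x60, der_oid(SPNEGO) + der_tlv(0xA0, der_tlv(0x30, fields)))

def negotiate_header(token):
    return "Negotiate " + base64.b64encode(token).decode()

def parse_negotiate(authorization):
    """{'kind': 'spnego'|'raw-kerberos'|'ntlm'|'invalid', ...}; 'kerberos' says whether the
    optimistic mechToken is an AP-REQ the server can decrypt with its keytab."""
    scheme, _, b64 = authorization.partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return {"kind": "invalid", "reason": "not a Negotiate header"}
    try:
        token = base64.b64decode(b64, validate=True)
    except ValueError:
        return {"kind": "invalid", "reason": "bad base64"}
    if token.startswith(b"NTLMSSP\x00"):  # bare NTLM: the browser never tried Kerberos
        return {"kind": "ntlm", "kerberos": False}
    tag, body, _ = der_read(token) if len(token) >= 4 and token[0] == 0x60 else (0, b"", 0)
    if not body or body[0] != 0x06:
        return {"kind": "invalid", "reason": "not a GSS-API InitialContextToken"}
    _, oid_body, pos = der_read(body)
    mech = decode_oid(oid_body)
    if mech in KERBEROS_OIDS:  # some clients send the AP-REQ without SPNEGO wrapping
        return {"kind": "raw-kerberos", "mech": mech, "kerberos": True, "mech_token": token}
    if mech != SPNEGO:
        return {"kind": "invalid", "reason": "unexpected mechanism " + mech}
    neg_tag, neg_body, _ = der_read(body, pos)
    if neg_tag != 0xA0:  # [0] NegTokenInit; [1] NegTokenResp only flows server -> client
        return {"kind": "invalid", "reason": "expected NegTokenInit"}
    fields = dict(der_children(der_read(neg_body)[1]))  # SEQUENCE -> {context tag: body}
    mech_types = [decode_oid(b) for t, b in der_children(der_read(fields[0xA0])[1]) if t == 0x06] if 0xA0 in fields else []
    mech_token = der_read(fields[0xA2])[1] if 0xA2 in fields else b""
    preferred = mech_types[0] if mech_types else None
    return {"kind": "spnego", "mech_types": mech_types, "preferred": preferred,
            "kerberos": preferred in KERBEROS_OIDS, "mech_token": mech_token}

# Constructed samples: a domain-joined browser (Kerberos offered first) and the NTLM-only
# fallback seen when the OAM host is outside the trusted zone or the SPN does not exist.
GOOD_HEADER = negotiate_header(build_neg_token_init([MS_KRB5, KRB5, NTLMSSP], b"<AP-REQ placeholder>"))
NTLM_HEADER = negotiate_header(build_neg_token_init([NTLMSSP], b"NTLMSSP\x00\x01\x00\x00\x00"))
```

parse_negotiate(GOOD_HEADER) reports kind spnego with kerberos True, while parse_negotiate(NTLM_HEADER) reports kerberos False even though the wrapper is SPNEGO. In the NTLM case the right response is not to accept the token but to fix the cause: the Oracle Access Manager host is missing from the browser's Local Intranet zone or trusted-uris list, the SPN HTTP/<host> is missing or duplicated in Active Directory, or the workstation cannot reach a KDC.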
To validate WNA with Oracle Access Manager-protected resources
Sign in to a Windows system in the Active Directory domain as a domain user, using the domain credentials stored in the Active Directory that is registered with Oracle Access Manager.
Ensure that Internet Explorer is enabled for Integrated Windows Authentication (Tools, Internet Options, Advanced, Enable Integrated Windows Authentication, then restart the browser).
Start an Internet Explorer browser, and enter the URL for the Oracle Access Manager-protected resource.
Confirm that access is granted with no additional login.
If a login page or credential prompt appears instead, first check the identity store. The identity store used by Oracle Access Manager might not point to Windows Active Directory; by default, the identity store is the Embedded LDAP.
In the Oracle Access Manager Administration Console, review the identity store configuration: System Configuration, Data Sources, User Identity Store.
Confirm that the LDAP store settings point to Active Directory.