Agenda: Process to configure WNA (Windows Native Authentication) in Oracle Access Manager 11GR2 PS2.
Process:
- Create a new service account on the Active Directory domain controller. Set the account's password to never expire, because a password change invalidates the keytab generated from it.
- Open a command prompt on the AD machine and run the command below to generate the keytab file.
"ktpass -princ HTTP/<oamHostName>@<adDomainName> -mapuser <adDomain>\<username> -pass <userPassword> -out <path>"
- Check for the success message, as shown in the screenshot below.
- Open the user account in AD and click the Account tab. Verify that the principal name is shown as in the screen below.
- Copy the keytab file from the AD machine to the OAM machine.
- Log in as root and edit the /etc/krb5.conf file.
- Refer to the screen below for the expected contents.
- Run the klist command on the OAM machine to list the keys held in the keytab, as shown in the screen below. Syntax:
"klist -k -t -K -e FILE:/<keytab file path>"
- Run the kinit command on the OAM machine to obtain a ticket with the keytab, as shown in the screen below. Syntax:
"kinit -V <Principal Name> -k -t <keytab file path>"
- Run the klist command again on the OAM machine to confirm that kinit obtained a ticket, as shown in the screen below.
- Log in to the Access Manager admin console.
- Navigate to Authentication Modules > Kerberos.
- Provide the required parameters as shown below.
- Create a new data store for AD in OAM.
- Create an authentication policy that uses the Kerberos authentication scheme.
- For reference, the Kerberos authentication scheme is shown in the screen below.
- NTLM changes:
- Log in to the server and navigate to the directory /<weblogic_domain>/config/fmwconfig/
- Modify the NTLM Response setting from DEFAULT to BASIC.
- Restart the WebLogic Admin Server and the OAM managed server.
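The keytab and klist steps above are where most WNA setups go wrong (wrong SPN, lower-case realm, or a key type the OAM side will not accept), and the screenshots that showed the expected klist output are not reproduced here. The script below is an added example written for this write-up, not Oracle or Microsoft code: it parses the MIT v2 keytab format that ktpass writes and reports the same fields klist -k -t -K -e shows (principal, KVNO, encryption type, timestamp), then checks that the expected HTTP/<host>@<REALM> principal is present, that the realm is upper-case (Kerberos compares realms case-sensitively and AD realms are upper-case, so type the realm in upper case in the ktpass -princ value), and that no key uses DES or RC4. The host oam.example.com, realm EXAMPLE.COM and key bytes are constructed sample values; inspect_keytab() reads a real file copied from the domain controller.

```python
"""Inspect a Kerberos keytab (MIT v2 file format) before copying it to the OAM host.

Added example for this write-up, not Oracle or Microsoft code. The sample keytab at
the bottom is constructed in-line with a made-up host, realm and key bytes so the
script runs offline; point inspect_keytab() at the real file from the DC.
"""
import struct
from datetime import datetime, timezone

# Kerberos encryption type numbers (RFC 3961 / RFC 4757).
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK_ENCTYPES = {1, 3, 23}          # DES and RC4 keys are flagged


def _counted(buf, pos):
    """Read a counted_octet_string (uint16 length + bytes); return (data, new_pos)."""
    (length,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + length], pos + length


def parse_keytab(data):
    """Return [(principal, kvno, enctype, timestamp)] for every live entry in a v2 keytab."""
    (version,) = struct.unpack_from(">H", data, 0)
    if version != 0x0502:
        raise ValueError("unsupported keytab version 0x%04x" % version)
    entries, pos = [], 2
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)   # int32, big-endian
        pos += 4
        if size == 0:
            break
        if size < 0:                       # negative size marks a deleted slot; skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        _key, pos = _counted(data, pos)    # the raw key (what -K prints); not needed here
        kvno = vno8
        if end - pos >= 4:                 # optional 32-bit KVNO trailer wins when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype, timestamp))
    return entries


def check_service_principal(entries, expected):
    """The checks an admin makes on the klist output before trusting the keytab."""
    findings = []
    if not any(e[0] == expected for e in entries):
        findings.append("expected principal %s not found" % expected)
    for principal, _kvno, enctype, _ts in entries:
        realm = principal.rsplit("@", 1)[1]
        if realm != realm.upper():
            findings.append("realm %s is not upper-case; AD realms are upper-case and "
                            "Kerberos compares realms case-sensitively" % realm)
        if enctype in WEAK_ENCTYPES:
            findings.append("%s has a %s key" % (principal, ENCTYPES.get(enctype, enctype)))
    return findings


def format_entries(entries):
    """Render entries roughly the way klist -k -t -e prints them (KVNO, time, principal, enctype)."""
    lines = []
    for principal, kvno, enctype, ts in entries:
        when = datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        lines.append("%4d %s %s (%s)" % (kvno, when, principal, ENCTYPES.get(enctype, enctype)))
    return lines


def inspect_keytab(path, expected):
    """Read a keytab file and return (listing lines, findings)."""
    with open(path, "rb") as fh:
        entries = parse_keytab(fh.read())
    return format_entries(entries), check_service_principal(entries, expected)


# --- constructed sample input (made-up host, realm and key bytes) ---------------
def _counted_bytes(b):
    return struct.pack(">H", len(b)) + b


def build_entry(principal, kvno, enctype, key, timestamp):
    """Serialise one keytab entry (size-prefixed, without the 2-byte file header)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted_bytes(realm.encode())
    body += b"".join(_counted_bytes(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)   # name_type 1 = KRB5_NT_PRINCIPAL
    body += struct.pack(">H", enctype) + _counted_bytes(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


SAMPLE_PRINCIPAL = "HTTP/oam.example.com@EXAMPLE.COM"
SAMPLE_KEYTAB = (b"\x05\x02"
                 + build_entry(SAMPLE_PRINCIPAL, 3, 18, b"\x11" * 32, 1700000000)
                 + build_entry(SAMPLE_PRINCIPAL, 3, 23, b"\x22" * 16, 1700000000))

if __name__ == "__main__":
    sample = parse_keytab(SAMPLE_KEYTAB)
    print("\n".join(format_entries(sample)))
    for finding in check_service_principal(sample, SAMPLE_PRINCIPAL):
        print("WARNING:", finding)
```

Run on the sample, the listing shows two keys for the same principal and KVNO and the RC4 key is flagged; on a real file, a missing principal or a lower-case realm is the usual reason the later kinit step fails, and the KVNO shown must match what the domain controller has after the last password change.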
Testing:
- Log in to a machine that is joined to the AD domain.
- Open a command prompt and run "klist" to check whether Kerberos tickets have been issued.
- Open the IE browser, open Internet Options and go to the Advanced tab. Scroll down and verify that "Enable Integrated Windows Authentication" is selected.
- Access an application that is protected by the OAM Kerberos authentication scheme.
-- Kiran Pokuri