Wednesday, April 2, 2014

Windows Native Authentication (WNA) configuration in Oracle Access Manager 11g R2 PS2


Agenda: Process to configure WNA authentication in Oracle Access Manager 11gR2 PS2.

Process:

  • Create a new service account in the Active Directory domain controller. The account should have no password expiry.


  • Open the command prompt on the AD machine and execute the command below to generate the keytab file.
"ktpass -princ HTTP/<oamHostName>@<adDomainName> -mapuser <adDomain>\<username> -pass <userPassword> -out <path>"


  • Check the success message as shown in the screenshot below.


  • Open the user account in AD and click the Account tab. Verify the principal name as shown in the screen below.

  • Copy the keytab file from the AD machine to the OAM machine.

  • Log in as the root user and edit the /etc/krb5.conf file.


  • Please verify the screen below for your reference.
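The krb5.conf shown in that screenshot is not reproduced on this page; the following is an added sample (not the author's file) using placeholder values: EXAMPLE.COM for the AD domain, ad01.example.com for the domain controller, and /home/oracle/oam.keytab for the copied keytab.

```ini
[libdefaults]
    default_realm = EXAMPLE.COM
    default_keytab_name = FILE:/home/oracle/oam.keytab
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = true
    # Must include the enctype of the key stored in the keytab
    # (check with klist -k -e); list AES first, keep RC4 only if the keytab needs it.
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac
    permitted_enctypes   = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac

[realms]
    # Realm name is the AD domain in UPPER CASE; kdc is a domain controller
    EXAMPLE.COM = {
        kdc = ad01.example.com
        admin_server = ad01.example.com
        default_domain = example.com
    }

[domain_realm]
    # Map the OAM host's DNS domain to the realm
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```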


  • Execute the klist command on the OAM machine as shown in the screen below. The syntax is:
"klist -k -t -K -e FILE:/<keytab file path>"


  • Execute the kinit command on the OAM machine as shown in the screen below. The syntax is:
"kinit -V <principal name> -k -t <keytab file path>"

  • Execute the klist command again on the OAM machine, as shown in the screen below, to verify that the ticket obtained by kinit is cached.
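The klist/kinit steps above only succeed when the keytab holds exactly the principal a browser will request (HTTP/<lowercase OAM FQDN>@<UPPERCASE REALM>). The following is an added example, not part of the original post: a Python check that parses `klist -k -t -K -e` output and reports the mismatches that most often break WNA. The host, realm, path and key bytes in the sample listing are constructed placeholders.

```python
import re

# Constructed sample of `klist -k -t -K -e FILE:/home/oracle/oam.keytab` output.
# Host, realm, path and key bytes are placeholders, not from a real environment.
SAMPLE_KLIST = """\
Keytab name: FILE:/home/oracle/oam.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 04/02/2014 10:15:02 HTTP/oam.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)  (0x0011223344556677001122334455667700112233445566770011223344556677)
   3 04/02/2014 10:15:02 HTTP/oam.example.com@EXAMPLE.COM (arcfour-hmac)  (0x00112233445566770011223344556677)
"""

# One keytab entry per line: KVNO, date, time, principal, (enctype), (0xkey)
ENTRY = re.compile(r"^\s*(?P<kvno>\d+)\s+(?P<date>\S+)\s+(?P<time>\S+)\s+"
                   r"(?P<princ>\S+)\s+\((?P<etype>[^)]+)\)")

WEAK_ENCTYPES = ("des-", "arcfour-hmac")   # single DES and RC4-HMAC

def parse_keytab_listing(text):
    """Turn klist -k output into a list of {kvno, principal, enctype} dicts."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append({"kvno": int(m["kvno"]), "principal": m["princ"],
                            "enctype": m["etype"]})
    return entries

def check_oam_keytab(listing, oam_host, realm):
    """Return a list of problems; an empty list means the keytab carries the service
    principal a browser asks the KDC for when it opens http://<oam_host>/."""
    expected = f"HTTP/{oam_host.lower()}@{realm.upper()}"
    entries = parse_keytab_listing(listing)
    if not entries:
        return ["no keytab entries found in listing"]
    problems = []
    matching = [e for e in entries if e["principal"] == expected]
    if not matching:
        found = sorted({e["principal"] for e in entries})
        problems.append(f"missing {expected}; keytab has {found}")
    for p in sorted({e["principal"] for e in entries}):
        service, _, rest = p.partition("/")
        host, _, rlm = rest.partition("@")
        if service != "HTTP":
            problems.append(f"{p}: service class must be HTTP (ktpass -princ HTTP/...)")
        if host != host.lower():
            problems.append(f"{p}: host part must be the lowercase FQDN used in the URL")
        if rlm != rlm.upper():
            problems.append(f"{p}: realm must be the uppercase AD domain name")
    weak = sorted({e["enctype"] for e in matching if e["enctype"].startswith(WEAK_ENCTYPES)})
    if weak:
        problems.append(f"weak enctypes present: {weak}; prefer AES keys")
    return problems
```

Run it against the real listing by replacing SAMPLE_KLIST with the captured klist output and passing the OAM host and AD domain name.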


  • Log in to the Access Manager admin console.
  • Navigate to Authentication Modules > Kerberos.
  • Provide the required parameters as shown below.


  • Create a new data store for AD in OAM.


  • Create an authentication policy that uses the Kerberos authentication scheme.


  • For reference, verify the Kerberos authentication scheme as shown in the screen below.


  • NTLM changes:
  • Log in to the server and navigate to the directory /<weblogic_domain>/config/fmwconfig/
  • Change the NTLM Response value from DEFAULT to BASIC.


  • Restart the WebLogic Admin Server and the OAM Managed Server.

Testing:


  • Log in to the AD domain machine.
  • Open a command prompt and run "klist" to check whether Kerberos tickets have been issued.


  • Open the IE browser, open Internet Options and navigate to the Advanced tab. Scroll down and verify that "Enable Integrated Windows Authentication" is selected.

  • Try to access an application that is protected by OAM Kerberos authentication.
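If this test fails with "Cannot parse the request token" or "Defective token detected" in the OAM diagnostic log, the browser has usually sent an NTLM message instead of a Kerberos/SPNEGO token (for example because the site is not in IE's Local intranet zone or the SPN does not match the URL host). As an added example, not part of the original post, this Python helper decodes an Authorization: Negotiate header copied from the browser's developer tools and says which mechanism it carries; the sample headers are constructed.

```python
import base64
import struct

# DER-encoded mechanism OIDs that may follow the GSS-API InitialContextToken tag (0x60).
MECH_OIDS = {
    bytes.fromhex("06062b0601050502"):       "SPNEGO",       # 1.3.6.1.5.5.2
    bytes.fromhex("06092a864886f712010202"): "Kerberos v5",  # 1.2.840.113554.1.2.2
}
NTLM_TYPES = {1: "Negotiate", 2: "Challenge", 3: "Authenticate"}

def _der_length(buf, pos):
    """Decode the DER length at buf[pos]; return (length, index of first content byte)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_negotiate_token(header_value):
    """Say what an 'Authorization: Negotiate <base64>' header really carries: a SPNEGO or
    Kerberos token the OAM Kerberos module can consume, or an NTLM message (which it cannot)."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "not a Negotiate header"
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return "invalid base64"
    if raw.startswith(b"NTLMSSP\x00") and len(raw) >= 12:
        msg_type = struct.unpack_from("<I", raw, 8)[0]    # NTLM message type, little-endian
        return f"NTLM type {msg_type} ({NTLM_TYPES.get(msg_type, 'unknown')}): client fell back to NTLM"
    if len(raw) >= 4 and raw[0] == 0x60:
        _, pos = _der_length(raw, 1)                      # skip the outer token length
        if pos + 1 < len(raw) and raw[pos] == 0x06:       # OBJECT IDENTIFIER follows
            oid_len, oid_start = _der_length(raw, pos + 1)
            oid = raw[pos:oid_start + oid_len]
            return MECH_OIDS.get(oid, f"GSS-API token with unknown mechanism {oid.hex()}")
    return "unrecognised token"

def _gss_token(mech_oid, body):
    """Wrap mech_oid + body in an InitialContextToken (helper for the constructed samples)."""
    inner = mech_oid + body
    return b"\x60" + bytes([len(inner)]) + inner          # short-form length suffices here

# Constructed sample headers (not captured from a real session): an NTLM Type 1 message,
# a SPNEGO token with an empty NegTokenInit, and a Kerberos token with the AP-REQ TOK_ID.
NTLM_TYPE1 = b"NTLMSSP\x00" + struct.pack("<I", 1) + b"\x07\x82\x08\xa2" + bytes(16)
SAMPLE_HEADERS = {
    "ntlm":   "Negotiate " + base64.b64encode(NTLM_TYPE1).decode(),
    "spnego": "Negotiate " + base64.b64encode(_gss_token(bytes.fromhex("06062b0601050502"), b"\xa0\x02\x30\x00")).decode(),
    "krb5":   "Negotiate " + base64.b64encode(_gss_token(bytes.fromhex("06092a864886f712010202"), b"\x01\x00")).decode(),
}
```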

-- Kiran Pokuri 

7 comments:

  1. Thanks for sharing!
    I have configured WNA using the same steps (R2 PS2); however, I am getting a system error when I tried to access the protected resource.

    The logs show :

    [2014-04-21T14:15:21.288+04:00] [oam_server1] [WARNING] [OAM-000011] [oracle.oam.binding] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: d788e5b17cf1303b:-52d238b1:14583be2b22:-8000-000000000000009a,0] [APP: oam_server#11.1.2.0.0] [DSID: 0000KM3m1161zWJLmm_AiZ1JLEoP000004] Cannot parse the request token sent from client with User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) and IP Address 10.115.103.134.
    [2014-04-21T14:15:21.289+04:00] [oam_server1] [WARNING] [OAM-02074] [oracle.oam.controller] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: d788e5b17cf1303b:-52d238b1:14583be2b22:-8000-000000000000009a,0] [APP: oam_server#11.1.2.0.0] [DSID: 0000KM3m1161zWJLmm_AiZ1JLEoP000004] Error while checking if the resource null is protected or not.
    [2014-04-21T14:15:21.289+04:00] [oam_server1] [WARNING] [] [oracle.oam.binding] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: d788e5b17cf1303b:-52d238b1:14583be2b22:-8000-000000000000009a,0] [APP: oam_server#11.1.2.0.0] [DSID: 0000KM3m1161zWJLmm_AiZ1JLEoP000004] OAM-02073

    1. Hi Purva,

      Looks like you are accessing the application login page directly instead of the protected resource...

      Usually you will get the error message "Error while checking if the resource null is protected or not" when you access the SSO login page directly.

      What was the error message you see in the screen?

      -- Siva Pokuri.

  2. Hi Siva,
    I am getting the same issue after following this page step by step, i.e., 'Error while checking if the resource null is protected or not.'

    The following message is on the error page:
    Error
    System error. Please re-try your action. If you continue to get this error, please contact the Administrator

  3. Any error message you see in the OAM diagnostic logs?

    If you have not already enabled OAM TRACE, can you please reproduce the issue with OAM TRACE enabled and post the error here?

    -- Siva Pokuri.

  4. Error while checking if the resource null is protected or not.

    This is the message in the oam_server1-diagnostics.log file.

    When we access the EBS application URL http://ebsserver1:8000 it prompts for the username/password screen, but it should not, since the WNA configuration steps are done.

    Please advise.

  5. Hi Siva,

    We have a situation where we want to migrate from OpenSSO over to OAM. We try to use the opensso-proxy; however, when trying to access http://oam:14100/opensso/UI/Login?goto=www.mycompany.com/protectedresource we also get the same error message as above (Error while checking if the resource null is protected or not).
    You wrote that the error is due to directly accessing the login page instead of the protected resource. However, this was possible back in OpenSSO (and by specifying a goto parameter you could tell it where to go after successful authentication), and in our situation the "enforcing agent" is not WebGate or an old OpenSSO agent, but some custom piece of software. Is there a way to go directly to the login page at all?

    Thanks for your help

  6. Hi,

    I am continuously getting this error in the OAM diagnostic logs: "GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)", and the page cannot be displayed for the protected application. Please help.
    Thanks
