Monday, January 17, 2011

The (Windows) Natives Are Restless

From Brian:  I'm adding this excellent post by Matt to our OAM 11g Academy series. To view the first post in the series which will be updated throughout to contain links to the entire series, click here: 
 OAM 11g has the ability to do Windows Native Authentication to give a Windows client desktop SSO to the OAM-protected application. This was possible in OAM 10g as well, but it required an IIS server to do the heavy lifting of getting the Kerberos ticket and authenticating the user. In 11g, Oracle does not require IIS to accomplish desktop SSO. WebLogic also had this capability by using its SPNEGO Identity Asserter, but this approach gives one SSO to any other OAM-protected application as well. The documentation is in chapter 7 of the Integration Guide.
For the krb5.conf file my example is (showing all the edited parts; there were other pieces that came with my Amazon images that I left alone):
kdc = ip-10-116-199-182.ec2.internal
admin_server = ip-10-116-199-182.ec2.internal
default_domain = IAM.COM
[domain_realm] = IAM.COM = IAM.COM
On the KDC (Active Directory), I created a user named “idam11g”. This is the WebGate host, what you’re going to use in the browser. I ran the following to create the keytab:
C:\>ktpass -princ HTTP/idam11g@IAM.COM -pass P@ssw0rd -mapuser idam11g -out c:\logs\keytab.service
Make sure that your User Login name in the Active Directory looks like “HTTP/idam11g”
Copy the keytab.service file to your OAM server.
Test on your OAM Server box that you can generate the Kerberos token by using the kinit command:
$ kinit HTTP/idam11g@IAM.COM -k -t /oracle/stage/wna/keytab.service
Now make the changes to OAM to tell it how to contact the KDC. Here is the oam.config.xml entry:
<Setting Name="KerberosModules" Type="htf:map">
<Setting Name="6DBSE52C" Type="htf:map">
<Setting Name="principal" Type="xsd:string">HTTP/idam11g@IAM.COM</Setting>
<Setting Name="name" Type="xsd:string">Kerberos</Setting>
<Setting Name="keytabfile" Type="xsd:string">/oracle/stage/wna/keytab.service</Setting>
<Setting Name="krbconfigfile" Type="xsd:string">/etc/krb5.conf</Setting>
NOTE: The docs are off on the contents of oam-config.xml. Also, if you make changes to the oam-config.xml, these changes may get reset if you make other changes in OAM through the console. I’ve heard of similar problems when doing the OAM-OAAM integration. I think you are better off making this edit through the console. You can configure this through the console by going to System Configuration (tab)->Authentication Modules->Kerberos Authentication Modules->Kerberos:

While in the oamconsole, you want to configure AD to be the Primary Identity Store. This is located at System Configuration (tab)->Data Sources->User Identity Stores.

A word about Role Mapping: The “OAM Administrator’s Role” field is looking for an existing group in AD. Users in that group will be able to login to oamconsole once AD becomes the primary identity store. Don’t forget to press the “Set as Primary” button. Once you do this, you should be able to authenticate to your default web page with AD users’ credentials.
I recommend creating a separate Authentication Policy for WNA with a OnAuthFailure redirect so you can see when you are getting an OAM Auth failure vs. other reasons. I used the existing “KerbScheme” for the Authentication Scheme as is, without editing.

I configured an 11g WebGate on 11g OHS via standard means.
For IE7, here is the process for setting Integrated Windows Authentication for the client:
  • Select Tools, Internet Options.
  • Select the Security tab.
  • Ensure that your WebGate-protected OHS site is in the list of trusted “Sites”
  • Select Local intranet and click Custom Level....
  • In the Security Settings dialog box, scroll to the User Authentication section.
  • Select “Automatic logon only in Intranet zone”.
  • Click OK.
  • Select the Advanced tab.
  • Scroll to the Security section.
  • Make sure that Enable Integrated Windows Authentication option is checked and click OK.
  • If this option was not checked, restart the client.

Tools like isHTTPHeaders can help you determine whether the Negotiate token is being issued. It should look something like:
GET /oam/CredCollectServlet/WNA?request_id=-3931587206375492112&error_code=OAM-1001&redirect_url=http%3A%2F%2Fip-10-124-122-41%3A7777%2Fwna%2Findex.html HTTP/1.1
Authorization: Negotiate
<Long encrypted string of about 1600 chars>
For OAM troubleshooting, you want to be able to turn on some tracing via WLST:
cd <MW_HOME>/Oracle_IDM1/common bin
setLogLevel(logger=”oracle.oam”,level=”TRACE:32”, persist=”0”, target=”oam_server1”)
You can then check your diagnostics log at <IDM_DOMAIN>/servers/oam_server1/logs/oam_server1-diagnostic.log.
A successful transaction should look something like:
[2011-01-13T12:34:40.730-05:00] [oam_server1] [TRACE:16] [] [oracle.oam.controller] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: 0000Iq0SORD1rYspkgg8yZ1DBnSC00000R,0] [SRC_CLASS:] [APP: oam_server] [dcid: d03843071ed98d9b:6369d65b:12d806f7606:-8000-0000000000000015] [SRC_METHOD: createSubject] RETURN, Subject: [{ Subject: Subject:[[
Principal: username@IAM.COM
Principal: CN=User Name,cn=users,dc=iam,dc=com
Principal: \4f\81\08\d9\90\14\29\43\81\fd\2b\a2\59\c3\21\ab
, GroupsLoaded: false, UpdateSession: false, isAnonymous: false }], Subject Attrs: [String Map: {}], User Id: will.laase@IAM.COM, User DN: CN=Will Laase,cn=users,dc=iam,dc=com, GUID: \4f\81\08\d9\90\14\29\43\81\fd\2b\a2\59\c3\21\ab, Auth Level: 2, Auth Scheme: KerbScheme
The documentation talks about doing the same with Firefox, by browsing to about:config and setting:
network.negotiate-auth.trusted-uris =http://idam11g:7777
I was not able to get firefox to work. If anyone can comment on a success path here, that would be appreciated.


  1. You mention that " want to configure AD to be the Primary Identity Store". is this a requirement or a suggestion? The reason I ask is because there seems to be no way of associating an Identity Store with Kerberos Authentication. Identity Stores are tied only to LDAP authentication types. Therefore it appears that you can have a protected resource authenticate with Kerberos, but all management of OAM/WLS can still be in OID, OVD or even the Embedded LDAP.

  2. Configure Firefox for Kerberos authentication though about:config.

    Set the WCF host in "network.negotiate-auth.trusted-uris". This should allow Firefox to pass along the Kerberos tickets to the web-server like IE native Windows Authentication.

  3. Pls let me know whether WNA can be configured with OAM I am not able to configure WNA with OAM11g. When I try to access the protected resource it is asking for authentication which should not happen.


  4. Karthik,

    I'm not aware of any limitations with OAM with regards to WNA. There are a number of blog entries here by Chris Johnson to review. If you're to the point where kinit is working, I recommend putting OAM auth engine in TRACE:32 and you should get some visibility into what's going on. Check Trace checkbox in enterprise manager and find the ECID that corresponds with the request.


Note: Only a member of this blog may post a comment.