tag:blogger.com,1999:blog-1816408742331555186.post1342761100309924759..comments2023-05-22T03:03:54.478-07:00Comments on Oracle Fusion Middleware Security: Integrating Oracle Access Manager with Kerberos authentication with fallback to an HTML formChris Johnson (Oracle)http://www.blogger.com/profile/13331466366556759355noreply@blogger.comBlogger4125tag:blogger.com,1999:blog-1816408742331555186.post-29373728782541960092010-11-09T12:23:56.922-08:002010-11-09T12:23:56.922-08:00Have you done this on 11g OAM? I am trying on wind...Have you done this on 11g OAM? I am trying on windows 2003 server with AD but it prompts for basic authentication. Any doucumnet to do this.<br />Ofcourse the document in the oracle documents is not good enough. I tried the steps in that and ended up with username password basic auth prompt.venkathttps://www.blogger.com/profile/11297057208793867866noreply@blogger.comtag:blogger.com,1999:blog-1816408742331555186.post-12981948727086692902010-06-02T16:44:37.291-07:002010-06-02T16:44:37.291-07:00Bernie,
I recently had cause to set this up and t...Bernie,<br /><br />I recently had cause to set this up and the instructions above are incomplete. There's a new post up at http://fusionsecurity.blogspot.com/2010/06/oracle-access-manager-and-kerberos.html that goes into more detail and covers the problems I had.Chris Johnson (Oracle)https://www.blogger.com/profile/13331466366556759355noreply@blogger.comtag:blogger.com,1999:blog-1816408742331555186.post-52401494610960265472010-05-24T10:51:38.032-07:002010-05-24T10:51:38.032-07:00Bernie:
Your use case is a little harder to do au...Bernie:<br /><br />Your use case is a little harder to do automatically. The problem you're facing is one of the limitations of the HTTP specification.<br /><br />Basically what happens when you access a URL that is protected by Kerberos is that your browser says "please give me this file" and in response the server says "No (401). Try again with a Kerberos ticket". If your browser knows how to 'do' Kerberos it automatically resubmits the request with the Kerberos ticket and everything proceeds as normal.<br /><br />Which suggests that it can't be done.<br /><br />But it CAN.<br /><br />What you do is tweak the 401 error page that goes back to the browser when the server says "gimme a Keberos token". IIS normally sends a really simple page back that just says something like "authentication required". If you customize that page you can use JavaScript to kick off an OAM HTML forms login or even turn it into an OAM HTML forms login page itself. I'd lean towards the former since you probably already have the HTML login pages setup somewhere else.<br /><br />Hope this helps!Chris Johnson (Oracle)https://www.blogger.com/profile/13331466366556759355noreply@blogger.comtag:blogger.com,1999:blog-1816408742331555186.post-68851516099602837942010-05-21T04:49:15.013-07:002010-05-21T04:49:15.013-07:00Chris,
Thanks for this - just what I was looking f...Chris,<br />Thanks for this - just what I was looking for however....<br />I have an existing authentication scheme that uses forms auth and would like to add Kerberos in front of this. If I follow your steps above then I still get the Form login page even when I have a valid ticket and have added the login URL to my trusted sites.<br /><br />Any further help would be greatly appreciated.<br /><br />Thanks,<br /><br />BernieBerniehttps://www.blogger.com/profile/03607285932800258451noreply@blogger.com