Windows Native Authentication
Tuesday, 27 August 2013
Saturday, 23 June 2012
What is this Windows Native Authentication?
It is a simple but very effective feature which provides authentication (in other words, the passwords :) to the application on your behalf.
When this feature is enabled in OracleAS Single Sign-On, users log in to single sign-on partner applications automatically using the Kerberos credentials obtained when the user logs in to Windows.
So how does it work, what mechanism does it follow?
The diagram looks confusing, can you please elaborate?
- The user logs in to a Kerberos realm, or domain, on a Windows computer.
- The user attempts to access a single sign-on partner application using Internet Explorer.
- The application redirects the user to the single sign-on server for authentication. As part of this redirection, the following occurs:
  - The browser obtains a Kerberos session ticket from the Key Distribution Center (KDC).
  - The single sign-on server verifies the Kerberos session ticket and returns the user to the requested URL.
- The application provides content to the user.
Really, where can we use this?
We can use this feature with Internet Explorer on Windows.
Oh yes, most importantly, WNA is used for authenticating Single Sign-On partner applications through Kerberos credentials.
Wow, this is interesting, how can I use this?
For IE, you have to go to Tools --> Options --> Advanced --> Enable Windows Native Authentication.
For the SSO partner side you have to be more patient; I am going to tell you how to configure it.
Let me tell you, I faced so many issues configuring this, but you don't have to worry because I already faced them; I will not let Windows Native Authentication trouble you.
So are you ready?
Let's make ourselves safe and back up the necessary files below:
$ORACLE_HOME/opmn/conf/opmn.xml
$ORACLE_HOME/j2ee/OC4J_SECURITY/config/jazn.xml
$ORACLE_HOME/j2ee/OC4J_SECURITY/config/jazn-data.xml
$ORACLE_HOME/j2ee/OC4J_SECURITY/applications/sso/web/WEB-INF/web.xml
$ORACLE_HOME/j2ee/OC4J_SECURITY/application-deployments/sso/orion-application.xml
$ORACLE_HOME/sso/conf/policy.properties
We are safe to go, but we need to gather some information; let's do it quickly.
Some terminology we will use frequently. If you don't have these details, please contact the Active Directory team; you will get most of the information from there, and if anything is left, please post me.
- Active Directory server & port
- Kerberos server
- Kerberos server port for TCP & UDP: generally port 88
- Active Directory realm
- Active Directory user account for the SSO service principal (this user account is used by AD to map to the Oracle SSO service principal name; ensure that the account is set to never expire its password and uses DES encryption only)
I hope you have gathered the information easily. After generating the keytab file (Step 3 below) it is important to test whether the file is working correctly or not. It is quite easy, but it troubled me a lot; what finally worked for me was the command given there plus listing all the domains in "krb5.conf" (I had missed some domains while configuring it).
SSO Mid-Tier Setup
On each mid-tier host the following system files need to be edited identically.
Step 1:
The Kerberos service listen port of the AD server needs to be known on the SSO mid-tier. Add the following lines to /etc/services:
kerberos 88/tcp kerberos5 krb5 kdc # Kerberos v5 (added kdc, gnp)
kerberos 88/udp kerberos5 krb5 kdc # Kerberos v5 (added kdc, gnp)
Step 2:
Edit the /etc/krb5.conf file to configure the Kerberos service on the SSO mid-tier.
I am putting a sample file here for you; please make sure to mention all the domains to avoid errors.
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = <Active Directory realm, as discussed in the AD prerequisites>
 dns_lookup_realm = false
 dns_lookup_kdc = false
 clockskew = 600

[realms]
 <AD realm name> = {
  kdc = <Active Directory server you are mapped to>:88
 }
Please note: one of the realms was missing in my file and I struggled a lot because of it.

[domain_realm]
 <SSO domain name> = <AD realm name>
 (add every SSO domain name together with the AD realm you are pointing it to)

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
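The mistake described above (a realm that is named as default_realm or as a [domain_realm] target but never defined under [realms]) can be caught before the SSO server ever reads the file. The shell function below is an added example written for this page; it is not part of the original post or of Oracle's tooling. It parses a krb5.conf with awk and prints every referenced realm that has no [realms] entry. The file contents in the demo are constructed sample data (CORP.EXAMPLE.COM, HR.EXAMPLE.COM and the host names are placeholders).

```shell
#!/bin/sh
# krb5_check_realms FILE
# Lists every realm that krb5.conf refers to (as default_realm, or as the target
# of a [domain_realm] mapping) but never defines under [realms].
# Prints one "missing realm: ..." line per problem; returns 1 if any, else 0.
krb5_check_realms() {
    awk '
        # remember which [section] we are in
        /^[[:space:]]*\[[A-Za-z_]+][[:space:]]*$/ {
            sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/].*$/, "", sec); next
        }
        # drop comments and blank lines
        { sub(/[#;].*/, ""); if ($0 ~ /^[[:space:]]*$/) next }
        # "REALM = {" inside [realms] defines a realm
        sec == "realms" && /=[[:space:]]*[{]/ {
            name = $0; sub(/[[:space:]]*=.*/, "", name); sub(/^[[:space:]]+/, "", name)
            defined[name] = 1; next
        }
        # default_realm must be one of the defined realms
        sec == "libdefaults" && /^[[:space:]]*default_realm[[:space:]]*=/ {
            v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
            if (!(v in want)) want[v] = "default_realm"; next
        }
        # every "domain = REALM" mapping must point at a defined realm
        sec == "domain_realm" && /=/ {
            v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
            dom = $0; sub(/[[:space:]]*=.*/, "", dom); sub(/^[[:space:]]+/, "", dom)
            if (!(v in want)) want[v] = "domain_realm " dom; next
        }
        END {
            bad = 0
            for (r in want)
                if (!(r in defined)) {
                    print "missing realm: " r " (referenced by " want[r] ")"; bad = 1
                }
            exit bad
        }
    ' "$1"
}

# Demo on a constructed file: HR.EXAMPLE.COM is mapped but never defined.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp)
    cat > "$demo" <<'EOF'
[libdefaults]
 default_realm = CORP.EXAMPLE.COM
[realms]
 CORP.EXAMPLE.COM = {
  kdc = dc1.corp.example.com:88
 }
[domain_realm]
 .sso.example.com = CORP.EXAMPLE.COM
 .hr.example.com = HR.EXAMPLE.COM
EOF
    krb5_check_realms "$demo"
    rm -f "$demo"
fi
```

Run it as `sh check_realms.sh --demo` to see the report, or call `krb5_check_realms /etc/krb5.conf` on the mid-tier; a non-zero exit means a realm is referenced that the Kerberos library cannot resolve, which is the state that produced the "No valid credentials" errors later in this post.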
Step 3:
Generate the KEYTAB file
The keytab file contains the shared secret and is used by the KDC and the Oracle SSO server during the Kerberos protocol exchange at authentication. (This needs to be run on the Active Directory side.)
The best syntax I have seen is:
ktpass /princ HTTP/<sso_host.domain>@<ad_default_realm> /mapuser <ad_user_account> /crypto all /ptype KRB5_NT_PRINCIPAL /mapop set +desonly /pass ****** /out Keytabfilename.keytab
So let's move the file to its destination on the SSO mid-tier: <SSO mid-tier ORACLE_HOME>/j2ee/OC4J_SECURITY/config
Let's test whether we are OK to go or not. Use the three commands below; if any command fails you have to recheck the configuration details (most importantly, the AD prerequisites should be correct and complete). Please follow the same order of commands.
Let me tell you what the 1st command is for:
it registers the SSO service principal with the Key Distribution Centre so that we can share the "shared secret" key; that is the first step for WNA to work.
After running the command there should not be any error; it should simply return to the command prompt.
Command 1)
kinit -k -t $ORACLE_HOME/j2ee/OC4J_SECURITY/config/keytabfilename.keytab HTTP/<sso_host.domain>@<ad_default_realm>
Now that command 1) is working fine, let's look at the Kerberos ticket with command 2). The ticket should look something like the output below.
Command 2) (run from the location of the keytab file)
klist -5 -f -c
Output:
[atiwari@dm2c8x] /home/edward$ klist -5 -f -c
Ticket cache: FILE:/tmp/krb5cc_2004
Default principal: HTTP/<sso_host.domain>@<ad_default_realm>
Valid starting       Expires              Service principal
01/08/12 12:52:52    01/08/12 22:52:52    krbtgt/<sso_host.domain>@<ad_default_realm>
        renew until 01/09/12 12:52:52, Flags: RIA
If command 2) is not working, try the 3rd one; both do the same thing in a different way.
Command 3)
$ORACLE_HOME/jdk/bin/klist -k -t -K -e $ORACLE_HOME/j2ee/OC4J_SECURITY/config/Keytabfilename.keytab
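Because the post insists on running the three commands in order and stopping at the first one that fails, it is handy to wrap them so the message names the step that broke. The function below is an added example for this page, not code from the original post or from Oracle. It runs kinit -k -t, then klist -5 -f (without the -c shown above), then the JDK klist, and returns the number of the failing step. The default JDK klist path assumes the $ORACLE_HOME layout used in the post; JDK_KLIST can be overridden, and the principal and host names in the usage comment are placeholders.

```shell
#!/bin/sh
# wna_check_keytab KEYTAB PRINCIPAL
# Runs the three checks from the post in the same order and stops at the first
# failure, so the message points at the layer that is broken:
#   1. kinit -k -t KEYTAB PRINCIPAL  -> krb5.conf and the keytab key are accepted by the KDC
#   2. klist -5 -f                   -> the new credential cache lists PRINCIPAL as default
#   3. JDK klist -k -t -K -e KEYTAB  -> the Java klist (the SSO server is Java) can read
#                                       the keytab and finds PRINCIPAL inside it
# Returns 0 when everything passes, otherwise the number of the failed step.
# Assumption: the JDK lives under $ORACLE_HOME/jdk as in the post; override if not.
JDK_KLIST="${JDK_KLIST:-${ORACLE_HOME:-/opt/oracle}/jdk/bin/klist}"

wna_check_keytab() {
    keytab=$1
    princ=$2
    if [ ! -r "$keytab" ]; then
        echo "keytab $keytab is missing or unreadable"
        return 1
    fi
    # Step 1: obtain a TGT using only the key stored in the keytab.
    if ! kinit -k -t "$keytab" "$princ"; then
        echo "step 1 failed: kinit rejected $princ (check /etc/krb5.conf realms/domains and the keytab)"
        return 1
    fi
    # Step 2: the credential cache must now show our principal as the default.
    cache=$(klist -5 -f 2>&1) || { echo "step 2 failed: no credential cache"; return 2; }
    if ! printf '%s\n' "$cache" | grep -q -x -F "Default principal: $princ"; then
        echo "step 2 failed: cache default principal is not $princ"
        printf '%s\n' "$cache"
        return 2
    fi
    # Step 3: the JDK's klist must list the principal inside the keytab file.
    keys=$("$JDK_KLIST" -k -t -K -e "$keytab" 2>&1) || { echo "step 3 failed: JDK klist cannot read $keytab"; return 3; }
    if ! printf '%s\n' "$keys" | grep -q -F "$princ"; then
        echo "step 3 failed: $princ not found in $keytab"
        return 3
    fi
    echo "all three checks passed for $princ"
    return 0
}

# Usage (placeholder host and realm; substitute your own):
#   wna_check_keytab "$ORACLE_HOME/j2ee/OC4J_SECURITY/config/sso.keytab" \
#       HTTP/sso.example.com@CORP.EXAMPLE.COM
```

A return of 1 points at krb5.conf or the keytab itself, 2 at the credential cache (wrong principal cached or an old cache in the way), and 3 at the keytab as seen by the Java runtime, which is the view the SSO server actually uses.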
Let me tell you something: if the keytab file doesn't work, you can get the following error in the log "$ORACLE_HOME/opmn/logs/OC4J~OC4J_SECURITY~default_island~1". To overcome it you need to check two things: 1) /etc/krb5.conf and 2) the keytab file (whatever the log says, the fix is in these two files).
12/01/03 09:59:32 GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
12/01/03 09:59:32 at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)
12/01/03 09:59:32 at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
12/01/03 09:59:32 at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
Oops, I forgot to mention the most important thing, "CLOCK SYNC". It can be done in two ways: either set the same time on both the AD server and your server, or configure NTP (Network Time Protocol), which will keep both servers' clocks synchronized.
Please note: if the clocks are not synced you will get the "Clock skew too great" error.
Finally, all the pre-configuration is done and we are good to go and conquer the battle. The journey was not easy for me, but it will be easy for you.
Let's go to the directory $ORACLE_HOME/sso/bin and run the command below.
./ssoca wna -mode sso -oh $ORACLE_HOME -ad_realm example.com -kdc_host_port xyz.example.com:88 -keytab $ORACLE_HOME/j2ee/OC4J_SECURITY/config/keytabfile.keytab -ssohost "use your ssohost name " -oid ldap://"use your OID server":389 -verbose
Error 1)
Setting up DCM context...
Exception occured.
oracle.ias.sysmgmt.exception.MissingAttributeException: Base Exception:
An expected attribute is missing from an entity.
Resolution:
Please check metadata or code base.
at oracle.ias.sysmgmt.entity.Entity.getAttribute(Unknown Source)
at oracle.ias.sysmgmt.entity.Entity.getValue(Unknown Source)
at oracle.ias.sysmgmt.smi.SMIEntityWrapper.getValue(Unknown Source)
at oracle.ias.sysmgmt.smi.SMIEntityWrapper.getValueAsString(Unknown Source)
at oracle.security.sso.IMWNAConfig.init(IMWNAConfig.java:246)
at oracle.security.sso.IMWNAConfig.work(IMWNAConfig.java:60)
at oracle.security.sso.SSOConfigAssistant.wnaConfig(SSOConfigAssistant.java:250)
at oracle.security.sso.SSOConfigAssistant.main(SSOConfigAssistant.java:225)
Cannot get default-realm value for jazn home instance.
Please correct the exception reported above and try again.
WNA Config Tool failed.
Resolution 1)
It is trying to find the default realm in $ORACLE_HOME/j2ee/home/config/jazn.xml, which currently looks like this:
<?xml version = '1.0' encoding = 'UTF-8' standalone = 'yes'?>
<!DOCTYPE jazn PUBLIC "JAZN Config" "http://xmlns.oracle.com/ias/dtds/jazn-9_04.dtd">
<jazn provider="XML" location="./jazn-data.xml"/>
<!--
<jazn provider="LDAP" location="ldap://myoid.us.oracle.com:389" />
-->
To overcome this problem, first back up the original file, then FTP a copy of $MTIER_ORACLE_HOME/j2ee/home/config/jazn.xml from another server running the same version of AS10g as the infrastructure.
Now the content should be as follows:
<?xml version = '1.0' encoding = 'UTF-8' standalone = 'yes'?>
<!DOCTYPE jazn PUBLIC "JAZN Config" "http://xmlns.oracle.com/ias/dtds/jazn-9_04.dtd">
<jazn provider="LDAP" default-realm="us">
<property name="ldap.user" value="orclApplicationCommonName=jaznadmin2,cn=JAZNContext,cn=products,cn=OracleContext"/>
<property name="ldap.password" value="{903}DyTUKmSB2AstdN8mqMYRag0M8cFEWHIz5bcRKWlrC1A="/>
</jazn>
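The difference between the two jazn.xml files above is exactly the attribute ssoca complains about, so it is worth checking it before running the tool. The function below is an added example for this page, not code from the original post or from Oracle. It strips XML comments (so the commented-out LDAP line in the broken file is not mistaken for the live one), reads the first <jazn ...> start tag, and fails unless the provider is LDAP and default-realm is set. The demo files in the test are constructed from the two versions shown above, with the password value replaced by a placeholder.

```shell
#!/bin/sh
# jazn_check_default_realm FILE
# Reads the live <jazn ...> start tag from a jazn.xml (commented-out copies are
# ignored), prints "provider=<P> default-realm=<R>" and returns 0 only when the
# provider is LDAP and default-realm is present. The XML-provider form without
# default-realm is what makes "ssoca wna" report "Cannot get default-realm value".
jazn_check_default_realm() {
    awk '
        # value of attribute NAME inside start tag T, or "" when absent
        function attr(t, name,    re) {
            re = name "=\"[^\"]*\""
            if (match(t, re))
                return substr(t, RSTART + length(name) + 2, RLENGTH - length(name) - 3)
            return ""
        }
        { buf = buf $0 "\n" }
        END {
            gsub(/<!--([^-]|-[^-])*-->/, "", buf)       # strip XML comments first
            if (!match(buf, /<jazn[^>]*>/)) { print "no <jazn> element found"; exit 1 }
            tag = substr(buf, RSTART, RLENGTH)
            prov = attr(tag, "provider")
            realm = attr(tag, "default-realm")
            print "provider=" prov " default-realm=" realm
            exit ((prov == "LDAP" && realm != "") ? 0 : 1)
        }
    ' "$1"
}

# Usage on the mid-tier (path as in the post):
#   jazn_check_default_realm "$ORACLE_HOME/j2ee/home/config/jazn.xml" || echo "fix jazn.xml before running ssoca"
```

On the first file above this prints `provider=XML default-realm=` and exits 1; on the corrected file it prints `provider=LDAP default-realm=us` and exits 0.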
Error 2)
Setting up DCM context...
Updating OPMN config file opmn.xml...
Successfully updated OPMN config file opmn.xml.
Updating jazn.xml for OC4J_SECURITY component...
Successfully updated jazn.xml for OC4J_SECURITY component.
Updating jazn-data.xml for OC4J_SECURITY component...
Successfully updated jazn-data.xml for OC4J_SECURITY component.
Updating web.xml for sso web application...
Backing up original web.xml file to: /app/oracle/im1012/j2ee/OC4J_SECURITY/applications/sso/web/WEB-INF/web.xml.bak
Successfully updated web.xml for sso web application.
Updating orion-application.xml for SSO web application...
Cannot get entry for web application sso. Please check the config data.
WNA Config Tool failed.
Resolution 2)
SSO information is missing from the following two files; please update them and restart the OPMN instances.
$ORACLE_HOME/j2ee/OC4J_SECURITY/config/jazn.xml
$ORACLE_HOME/j2ee/OC4J_SECURITY/application-deployments/sso/orion-application.xml
Finally, running the ssoca command again, the WNA tool is configured successfully :)
Now, how will you confirm everything is working?
1) Open your application; it should not prompt for the SSO password.
2) Adjust the two URLs below for your SSO server and try to log in with SSO passwords; if you are able to log in, WNA is working fine.
http://SSOHOSTNAME:7777/pls/orasso
http://SSOHOSTNAME:7777/oiddas
Hope this will help you. For any queries or suggestions, please comment or send your feedback to "anshul.ansul@gmail.com".
References (these helped me a lot):
Oracle documents:
Doc ID 557527.1 - How to Disable SSO/WNA
Doc ID 283268.1 - Troubleshooting SSO Windows Native Authentication (WNA)
Doc ID 264666.1 - Configuring Windows Native Authentication for Oracle Application Server 10g (9.0.4) on Unix/Linux