Saturday, 23 June 2012

What is this Windows Native Authentication??
It is a simple but very effective feature which provides authentication (in other words, the password :) to the application on your behalf.
This feature is enabled in OracleAS Single Sign-On: users log in to single sign-on partner applications automatically using the Kerberos credentials obtained when the user logs in to Windows.

So how does it work, what mechanism does it follow??

The diagram looks confusing, can you please elaborate?
  1. The user logs in to a Kerberos realm, or domain, on a Windows computer.
  2. The user attempts to access a single-sign-on partner application using Internet Explorer.
  3. The application redirects the user to the single sign-on server for authentication. As part of this redirection, the following occurs:
    1. The browser obtains a Kerberos session ticket from the Key Distribution Center (KDC).
    2. The single sign-on server verifies the Kerberos session ticket and returns the user to the requested URL.
  4. The application provides content to the user.
Really, where can we use this?
We can use this feature in Internet Explorer on Windows.
Oh yes, most importantly, WNA is used for authenticating Single Sign-On partner applications through Kerberos credentials.

Wow.. This is interesting, how can I use this??
For IE, you have to go to Tools --> Options --> Advanced --> Enable Windows Native Authentication.

For SSO partner applications, you have to be more patient; I am going to tell you how to configure it.

Please note: there is only one way to roll back the changes, and that is to back up the files that are going to change, so that when a rollback is required you can just put them back.

Let me tell you, I faced so many issues in configuring this, but you don't have to worry because I already faced them; I will not let Windows Native Authentication trouble you.

So are you ready?
Let's make ourselves safe and back up the necessary files below.
$ORACLE_HOME/opmn/conf/opmn.xml
$ORACLE_HOME/j2ee/OC4J_SECURITY/config/jazn.xml
$ORACLE_HOME/j2ee/OC4J_SECURITY/config/jazn-data.xml
$ORACLE_HOME/j2ee/OC4J_SECURITY/applications/sso/web/WEB-INF/web.xml
$ORACLE_HOME/j2ee/OC4J_SECURITY/application-deployments/sso/orion-application.xml
$ORACLE_HOME/sso/conf/policy.properties

We are safe to go, but we need to gather some information, so let's do it quickly.
Here is some terminology we will use frequently. If you don't have these details, please contact the Active Directory team; you will get most of the information from there, and if anything is left out, please post me a comment.

  Active Directory server & port
  Kerberos server
  Kerberos server port for TCP & UDP: generally uses port 88
  Active Directory realm
  Active Directory user account for the SSO service principal
  (This user account is used by AD to map to the Oracle SSO service principal name. Ensure that the account is set so its password never expires and that it uses DES encryption only.)

SSO Mid-Tier Setup
On each mid-tier host the following system files need to be edited identically.
Step 1:
The Kerberos service listen port of the AD server needs to be set up on the SSO mid-tier. Modify /etc/services and add:
kerberos        88/tcp          kerberos5 krb5 kdc      # Kerberos v5 (added kdc, gnp)
kerberos        88/udp         kerberos5 krb5 kdc      # Kerberos v5 (added kdc, gnp)
Step 2:
Edit the /etc/krb5.conf file to configure the Kerberos service on the SSO mid-tier.
I am putting a sample file here for you; please make sure to mention all the domains to avoid errors.

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = <ad_default_realm>
dns_lookup_realm = false
dns_lookup_kdc = false
clockskew = 600

[realms]
<ad_default_realm> = {
kdc = <active_directory_server_you_are_mapped_to>:88
}

Please note: one of the realms was missing and I struggled a lot.

[domain_realm]
<sso_domain_name> = <ad_realm_name>
(Add every SSO domain name and the AD realm it points to.)

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
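As an added illustration (not part of the original post), here is a small Python checker for the two mistakes described above: a default realm with no [realms] stanza or KDC port, and an SSO domain with no [domain_realm] mapping. The sample configuration and all host, realm and domain names in it are constructed placeholders.

```python
import re
from collections import defaultdict
# Constructed sample in the layout of the post's krb5.conf template (placeholder names only).
SAMPLE_KRB5_CONF = """[libdefaults]
default_realm = CORP.EXAMPLE.COM
[realms]
CORP.EXAMPLE.COM = {
kdc = dc1.corp.example.com:88
}
[domain_realm]
.corp.example.com = CORP.EXAMPLE.COM
"""

def parse_krb5_conf(text):
    """Minimal parser: {section: [(key, value)]}; a [realms] stanza is kept as (name, {key: value})."""
    sections, current, stanza = defaultdict(list), None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if re.fullmatch(r"\[\w+\]", line):
            current = line[1:-1]
        elif line.endswith("{"):
            stanza = (line[:-1].strip(" ="), {})
            sections[current].append(stanza)
        elif line == "}":
            stanza = None
        else:
            key, _, value = line.partition("=")
            if stanza:
                stanza[1][key.strip()] = value.strip()
            else:
                sections[current].append((key.strip(), value.strip()))
    return sections

def check_wna_prereqs(conf, sso_host):
    """Problems that would make 'kinit -k -t <keytab> HTTP/<sso_host>@<REALM>' fail on the mid-tier."""
    problems = []
    realm = dict(conf["libdefaults"]).get("default_realm", "")
    realms = dict(conf["realms"])
    if realm not in realms:
        problems.append(f"no [realms] stanza for default_realm {realm!r}")
    elif not re.search(r":\d+$", realms[realm].get("kdc", "")):
        problems.append(f"kdc for {realm} missing or has no port (expected :88)")
    domain = sso_host.partition(".")[2].lower()
    mapped = {k.lower() for k, _ in conf["domain_realm"]}
    if not ({domain, "." + domain} & mapped):   # either form maps the host's domain
        problems.append(f"no [domain_realm] mapping for {domain}")
    return problems
```

Run check_wna_prereqs(parse_krb5_conf(open("/etc/krb5.conf").read()), "your.sso.host") on the mid-tier; an empty list means the three settings the post calls out are present.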

Step 3:
Generate the keytab file

The keytab file contains the shared secret and is used by the KDC and the Oracle SSO server during the Kerberos protocol exchange at authentication. (This needs to be run on the Active Directory side.)
The best syntax I have seen is:

ktpass /princ HTTP/<sso_host.domain>@<ad_default_realm>  /mapuser <ad_user_account> /crypto all /ptype KRB5_NT_PRINCIPAL /mapop set +desonly /pass ****** /out Keytabfilename.keytab
            
I hope you have gathered the information easily. After generating this keytab file, it is important to test whether the file is working correctly or not. It is quite easy, but it troubled me a lot, although using the above command and including all the domains in "krb5.conf" (I missed some domains while configuring it) completed successfully for me.

So let's move the file to its destination, $ORACLE_HOME/j2ee/OC4J_SECURITY/config on the SSO mid-tier.

Let's test whether we are OK to go or not. Use the three commands below; if any command fails, you have to recheck the configuration details (most importantly, the AD prerequisites should be correct and complete). Please follow the same order of commands.

Let me tell you what the first command is for: it registers the SSO service principal with the Key Distribution Centre so that we can share the "shared secret" key, which is the first step for WNA to work.
After running the command there should not be any error; it should simply return to the command prompt.

Command 1)
kinit -k -t $ORACLE_HOME/j2ee/OC4J_SECURITY/config/keytabfilename.keytab HTTP/<sso_host.domain>@<ad_default_realm>

Now that command 1) is working fine, let's get the Kerberos ticket with command 2).
The Kerberos ticket should look something like the output below.

Command 2) klist -5 -f -c (run from the location of the keytab file)
Output:
[atiwari@dm2c8x] /home/edward$ klist -5 -f -c
Ticket cache: FILE:/tmp/krb5cc_2004
Default principal: HTTP/<sso_host.domain>@<ad_default_realm>

Valid starting     Expires            Service principal
01/08/12 12:52:52  01/08/12 22:52:52  krbtgt/<sso_host.domain>@<ad_default_realm>
        renew until 01/09/12 12:52:52, Flags: RIA

If command 2) is not working, try the third one; actually both do the same thing in a different way.

Command 3)
$ORACLE_HOME/jdk/bin/klist -k -t -K -e $ORACLE_HOME/j2ee/OC4J_SECURITY/config/Keytabfilename.keytab
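Added example, not from the original post: a Python reader for the MIT keytab file format that reports what command 3 prints (principal, kvno and enctype per entry), so you can confirm the keytab holds exactly the HTTP/<sso_host.domain>@<ad_default_realm> principal with a DES key before running kinit. The sample keytab is built inline with dummy keys and placeholder names; build_entry is a constructed helper used only for that.

```python
import struct
# Reader for the MIT keytab file format (version 0x0502): the fields "klist -k -t -K -e" shows.
DES_ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5"}   # single-DES, per the AD prerequisite above

def _octets(buf, pos):                  # counted octet string: uint16 length + bytes
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def read_keytab(data):
    """Return [(principal, kvno, enctype), ...] from keytab bytes."""
    assert data[:2] == b"\x05\x02", "not a version 2 keytab"
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                    # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _octets(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _octets(data, pos)
            comps.append(comp)
        # uint32 name_type and uint32 timestamp precede the 8-bit kvno; enctype opens the keyblock
        vno8, enctype = data[pos + 8], struct.unpack_from(">H", data, pos + 9)[0]
        entries.append(("/".join(comps) + "@" + realm, vno8, enctype))
        pos = end                       # also skips the key bytes and optional 32-bit kvno
    return entries

def build_entry(principal, kvno, enctype, key):
    """Constructed helper: serialise one entry (used only to build the sample below)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for comp in comps:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIB", 1, 0, kvno)           # KRB5_NT_PRINCIPAL, timestamp 0, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample: the SSO principal with a DES key plus an unrelated RC4-HMAC (23) entry; dummy keys.
SAMPLE_KEYTAB = (b"\x05\x02"
                 + build_entry("HTTP/sso.corp.example.com@CORP.EXAMPLE.COM", 3, 3, b"\x01" * 8)
                 + build_entry("host/other.corp.example.com@CORP.EXAMPLE.COM", 2, 23, b"\x02" * 16))

def keytab_ok_for(entries, principal):
    """True when the keytab holds exactly the principal kinit will be given, with a DES key."""
    return any(p == principal and e in DES_ENCTYPES for p, _, e in entries)
```

Principal comparison is case-sensitive on purpose: a keytab generated for a differently cased host name will not match the principal passed to kinit.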

Let me tell you something: if the keytab file doesn't work, you can get the following error in the log "$ORACLE_HOME/opmn/logs/OC4J~OC4J_SECURITY~default_island~1". To overcome these errors you need to check two things: 1) /etc/krb5.conf and 2) the keytab file (the fix will be in one of these two files, irrespective of what the logs say).

12/01/03 09:59:32 GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
12/01/03 09:59:32 at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)
12/01/03 09:59:32 at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
12/01/03 09:59:32 at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)

Oops, I forgot to mention the most important thing, which is clock sync. This can be done in two ways: either set the same time on both the AD server and your server, or configure NTP (Network Time Protocol), which will keep both servers' clocks synchronized.

Please note: if the clocks are not synced you will get a "Clock skew too great" error.

Finally, all the pre-configuration is done and we are good to go to conquer the battle. The journey was not easy for me, but it will be easy for you.

Let's go to the directory $ORACLE_HOME/sso/bin and run the command below.

./ssoca wna -mode sso -oh $ORACLE_HOME -ad_realm example.com -kdc_host_port xyz.example.com:88 -keytab $ORACLE_HOME/j2ee/OC4J_SECURITY/config/keytabfile.keytab -ssohost "use your ssohost name " -oid ldap://"use your OID server":389 -verbose

Error 1) 

Setting up DCM context...
Exception occured.
oracle.ias.sysmgmt.exception.MissingAttributeException: Base Exception:
An expected attribute is missing from an entity.
Resolution:
Please check metadata or code base.
at oracle.ias.sysmgmt.entity.Entity.getAttribute(Unknown Source)
at oracle.ias.sysmgmt.entity.Entity.getValue(Unknown Source)
at oracle.ias.sysmgmt.smi.SMIEntityWrapper.getValue(Unknown Source)
at oracle.ias.sysmgmt.smi.SMIEntityWrapper.getValueAsString(Unknown Source)
at oracle.security.sso.IMWNAConfig.init(IMWNAConfig.java:246)
at oracle.security.sso.IMWNAConfig.work(IMWNAConfig.java:60)
at oracle.security.sso.SSOConfigAssistant.wnaConfig(SSOConfigAssistant.java:250)
at oracle.security.sso.SSOConfigAssistant.main(SSOConfigAssistant.java:225)
Cannot get default-realm value for jazn home instance.
Please correct the exception reported above and try again.
WNA Config Tool failed.
 

Resolution 1)
It is trying to find the default realm in $ORACLE_HOME/j2ee/home/config/jazn.xml.

If you look at the file at the above location, you will find something like the below, which doesn't contain the correct realm.
 
<?xml version = '1.0' encoding = 'UTF-8' standalone = 'yes'?>
<!DOCTYPE jazn PUBLIC "JAZN Config" "http://xmlns.oracle.com/ias/dtds/jazn-9_04.dtd">
<jazn provider="XML" location="./jazn-data.xml"/>
<!--
<jazn provider="LDAP" location="ldap://myoid.us.oracle.com:389" />
-->
 

To overcome this problem, first back up the original file, then FTP a copy of $MTIER_ORACLE_HOME/j2ee/home/config/jazn.xml from another server running the same version of AS10g as the Infrastructure.

Now the content should be as follows:

<?xml version = '1.0' encoding = 'UTF-8' standalone = 'yes'?>
<!DOCTYPE jazn PUBLIC "JAZN Config" "http://xmlns.oracle.com/ias/dtds/jazn-9_04.dtd">
<jazn provider="LDAP" default-realm="us">
   <property name="ldap.user" value="orclApplicationCommonName=jaznadmin2,cn=JAZNContext,cn=products,cn=OracleContext"/>
   <property name="ldap.password" value="{903}DyTUKmSB2AstdN8mqMYRag0M8cFEWHIz5bcRKWlrC1A="/>
</jazn>

Error 2:
Setting up DCM context...
Updating OPMN config file opmn.xml...
Successfully updated OPMN config file opmn.xml.
Updating jazn.xml for OC4J_SECURITY component...
Successfully updated jazn.xml for OC4J_SECURITY component.
Updating jazn-data.xml for OC4J_SECURITY component...
Successfully updated jazn-data.xml for OC4J_SECURITY component.
Updating web.xml for sso web application...
Backing up original web.xml file to: /app/oracle/im1012/j2ee/OC4J_SECURITY/applications/sso/web/WEB-INF/web.xml.bak
Successfully updated web.xml for sso web application.
Updating orion-application.xml for SSO web application...
Cannot get entry for web application sso. Please check the config data.
WNA Config Tool failed.

Resolution 2)
SSO information is missing from the following two files. Please update them and restart the OPMN instances.


$ORACLE_HOME/j2ee/OC4J_SECURITY/config/jazn.xml
$ORACLE_HOME/j2ee/OC4J_SECURITY/application-deployments/sso/orion-application.xml


Finally, running the ssoca command again, the WNA tool is configured successfully :)

Now the question is, how will you confirm that everything is working??

1) Open your application; it should not prompt for the SSO password.
2) Adjust the two URLs below for your SSO server and try to log in with your SSO password. If you are able to log in, that means WNA is working fine.
http://SSOHOSTNAME:7777/pls/orasso
http://SSOHOSTNAME:7777/oiddas

Hope this will help you. For any queries or suggestions, please comment or send your feedback to "anshul.ansul@gmail.com".


References: these helped me a lot.
Oracle documents:
Doc ID 557527.1 - How to Disable SSO/WNA
Doc ID 283268.1 - Troubleshooting SSO Windows Native Authentication (WNA)
Doc ID 264666.1 - Configuring Windows Native Authentication for Oracle Application Server 10g (9.0.4) on Unix/Linux