Oracle Access Manager integration with WNA/AD
22nd November 2015, Hyderabad, India #AIOUG #SANGAM15
SANGAM 15
Sumit Gupta
. . . . meeting of minds
Introduction
• Presenter – Sumit Gupta
• 10+ years of experience in Oracle Fusion Middleware
• OPN Certified IAM Expert
  – Oracle Identity Manager 11g Certified Implementation Specialist
  – Oracle Access Management Suite Plus 11g Implementation Specialist
  – Oracle Certified Associate, Oracle WebLogic Server 12c Administrator
• Presenter
  – UKOUG Tech 14 – Liverpool, UK
  – Middleware SIG – Reading, UK
  – Sangam 2015 – Hyderabad, India
  – UKOUG Tech 15 – Birmingham, UK
• Blogger (www.OraWorld.co.uk)
  – More than 150 articles
  – 1200+ subscribers
www.OraWorld.co.uk
Copyright © 2015, OraWorld Ltd. All rights reserved
Agenda
• Windows Native Authentication Overview
• Kerberos Basics
• WNA Configurations
• WNA Testing (Demo Viewlet)
• WNA Sequence Flow
• Lessons Learnt
• References
• QnA Session
Windows Native Authentication
[Overview slide: diagram only, not captured in this extraction]
Kerberos Basics
• Native authentication protocol of Active Directory
• Kerberos realm (in AD, the domain, written in upper case: OWAD.LOCAL)
• Principals (machines, services and users)
  – Service Principal Name (SPN): PROTOCOL/hostname@REALM for services
  – username@REALM for users
• Key Distribution Center (KDC) – in AD, every domain controller
• Ticket Granting Ticket (TGT) – obtained once at logon
• Service Ticket (ST) – obtained from the KDC per SPN and presented to the service
Kerberos Basics
[The remaining Kerberos Basics slides are diagrams only; images not captured in this extraction]
WNA High Level Steps
• Tasks on the Windows domain controller:
- Configuring the domain controller to support Kerberos Authentication
- Generating a keytab file for a service user
• Tasks on the Oracle Access Manager server:
- Configuring an Active Directory identity store
- Configuring a Kerberos authentication module
- Defining a policy that uses the Kerberos authentication module to protect resources
• Configuring end-user browsers
WNA Configuration (AD Server)
• Create a service user in the Windows AD server.
WNA Configuration (AD Server)
• Keytab generation – the keytab contains the service's long-term (shared secret) key; anyone who can read it can impersonate the OHS service and decrypt its tickets, so protect it like a password.

  ktpass.exe -princ HTTP/<OHS hostname>@<AD REALM> -pass <password of the user created to be mapped> -mapuser <AD DOMAIN\sAMAccountName of the user created> -out <location of keytab file>

• ktpass maps the principal to the account (setting its SPN/UPN), resets the account password to the value given and increments the key version number (KVNO). Regenerate and redistribute the keytab after any password change, otherwise the KVNO in the keytab no longer matches the KDC.
• Prefer -pass * (prompt) or -pass +rndpass (random password) to putting the password on the command line, where it lands in shell history.
WNA Configuration (OAM Server)
• Copy the generated keytab (a binary file) to the OAM server, readable only by the OAM/WebLogic OS user.
• Set up krb5.conf
  - Unix: /etc/krb5.conf
  - Windows: C:\windows\krb5.conf
• Or point the KRB5_CONFIG environment variable at a non-default location.
OAM Server – krb5.conf used in the demo

[logging]
 default = FILE:/u01/app/oracle/middleware/Oracle_IAM1/wna/krb5libs.log
 kdc = FILE:/u01/app/oracle/middleware/Oracle_IAM1/wna/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = OWAD.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 600
 clock_skew = 600
 udp_preference_limit = 1
 default_tkt_enctypes = RC4-HMAC
 default_tgs_enctypes = RC4-HMAC

[realms]
 OWAD.LOCAL = {
  kdc = owwin-ad.owad.local
  admin_server = owwin-ad.owad.local
  default_domain = OWAD.LOCAL
 }

[domain_realm]
 .owad.local = OWAD.LOCAL
 owad.local = OWAD.LOCAL

Note: ticket_lifetime and clock_skew are in seconds. default_tkt_enctypes / default_tgs_enctypes pin RC4-HMAC (enctype 23) because the keytab was generated with it. The RC4-HMAC key is simply the account's NT hash and the cipher is deprecated; for a new deployment enable AES on the service account, regenerate the keytab with an AES enctype (ktpass -crypto AES256-SHA1) and list the AES enctypes here instead.
WNA Configuration (OAM Server)
• klist commands

[orafmw@iam ~]$ klist -e
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_500)
Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached

[orafmw@iam ~]$ klist -k /u01/app/oracle/middleware/Oracle_IAM1/wna/oraworld.keytab -t -K -e
Keytab name: FILE:/u01/app/oracle/middleware/Oracle_IAM1/wna/oraworld.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 01/01/70 01:00:00 HTTP/oraworld.com@OWAD.LOCAL (ArcFour with HMAC/md5) (0x1d1b117a1db40dc241f7838b083a6b9d)

Note: -K prints the key itself (the hex value above is the service's secret), so do not paste this output into tickets, wikis or mails; -t -e alone is enough to confirm the principal, KVNO and enctype.
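The klist -k output above is just a rendering of the keytab's binary entries. As an added example (not from the deck or from Oracle), the following Python builds and parses a version 2 MIT keytab for the deck's principal with a constructed dummy key, renders it klist-style, and runs the checks a practitioner wants before copying the file to the OAM server: upper-case service class and realm, lower-case host, and no RC4/DES key. The principal, KVNO and enctype match the deck; the key bytes and timestamp are made up. The 63-byte entry it produces is the "entry length: 63" the OAM server log reports later when the JDK loads the real keytab.

```python
import struct
from datetime import datetime, timezone

# MIT keytab, format version 2 (bytes 05 02): what ktpass writes and what
# klist -k and the JDK KeyTabInputStream (seen in the OAM server log) read.
# Each entry: int32 size | uint16 num_components | counted_string realm
#   | counted_string component... | uint32 name_type | uint32 timestamp
#   | uint8 vno8 | uint16 enctype | uint16 keylen | key
#   | uint32 vno32 (only if size leaves room for it)
# A counted_string is a uint16 length followed by the bytes.

ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96",
                 23: "ArcFour with HMAC/md5"}
WEAK_ENCTYPES = {1, 2, 3, 23, 24}   # DES variants, RC4-HMAC, RC4-HMAC-EXP

def _cs(b):
    """counted_octet_string: 2-byte big-endian length prefix."""
    return struct.pack(">H", len(b)) + b

def build_keytab(entries):
    """entries: iterable of (principal, enctype, kvno, key_bytes, timestamp)."""
    out = bytearray(b"\x05\x02")
    for principal, enctype, kvno, key, ts in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cs(realm.encode())
        body += b"".join(_cs(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, ts, kvno & 0xFF)   # name_type 1 = KRB5_NT_PRINCIPAL
        body += struct.pack(">HH", enctype, len(key)) + key
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def _read_cs(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n].decode(), pos + n

def parse_keytab(data):
    """Return one dict per live entry; a negative size marks a deleted slot."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break                      # malformed trailer; stop rather than loop forever
        if size < 0:
            pos += -size               # skip deleted slot
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_cs(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_cs(data, pos)
            comps.append(comp)
        _name_type, ts, vno = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        if end - pos >= 4:             # 32-bit kvno extension overrides vno8 when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            vno = vno32 or vno
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "enctype": enctype,
                        "kvno": vno, "key": key, "timestamp": ts, "size": size})
    return entries

def lint_entry(entry):
    """Case of service class / host / realm as in the deck's Lessons Learnt, plus weak cipher."""
    findings = []
    name, realm = entry["principal"].rsplit("@", 1)
    svc, _, host = name.partition("/")
    if realm != realm.upper():
        findings.append("realm must be upper-case")
    if svc != svc.upper():
        findings.append("service class must be upper-case (HTTP)")
    if host != host.lower():
        findings.append("hostname should be lower-case")
    if entry["enctype"] in WEAK_ENCTYPES:
        findings.append("weak enctype %d; regenerate the keytab with AES" % entry["enctype"])
    return findings

def klist_k(data):
    """Render entries the way `klist -k -t -K -e` does (UTC timestamps)."""
    lines = ["KVNO Timestamp         Principal"]
    for e in parse_keytab(data):
        ts = datetime.fromtimestamp(e["timestamp"], timezone.utc).strftime("%m/%d/%y %H:%M:%S")
        lines.append("%4d %s %s (%s) (0x%s)" % (
            e["kvno"], ts, e["principal"],
            ENCTYPE_NAMES.get(e["enctype"], str(e["enctype"])), e["key"].hex()))
    return "\n".join(lines)

# Constructed sample: the deck's principal, enctype 23 (RC4-HMAC) and KVNO 3 with a
# dummy 16-byte key; ktpass writes timestamp 0, which is why klist shows 01/01/70.
SAMPLE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_KEYTAB = build_keytab([("HTTP/oraworld.com@OWAD.LOCAL", 23, 3, SAMPLE_KEY, 0)])

if __name__ == "__main__":
    print(klist_k(SAMPLE_KEYTAB))
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e["principal"], "->", lint_entry(e) or ["ok"])
```

Run against a real file with `parse_keytab(open(path, "rb").read())`; a keytab holding both the old and the new KVNO after a password reset shows up as two entries for the same principal, which is the first thing to check when kinit -k starts failing with "Preauthentication failed".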
WNA Configuration (OAM Server)
• kinit command – proves the keytab against the KDC before involving OAM

[orafmw@iam ~]$ kinit -V HTTP/oraworld.com@OWAD.LOCAL -k -t /u01/app/oracle/middleware/Oracle_IAM1/wna/oraworld.keytab
Authenticated to Kerberos v5

[orafmw@iam ~]$ klist -e
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: HTTP/oraworld.com@OWAD.LOCAL

Valid starting     Expires            Service principal
06/22/15 11:47:22  06/22/15 21:47:27  krbtgt/OWAD.LOCAL@OWAD.LOCAL
        renew until 06/23/15 11:47:22, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5

Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
WNA Configuration (OAM Server)
[The remaining OAM Server configuration slides are OAM console screenshots for the steps listed under WNA High Level Steps (identity store, Kerberos authentication module, authentication policy); images not captured in this extraction]
Browser Configuration

Internet Explorer
• Open Internet Explorer
• Go to Tools > Internet Options > Security > Local Intranet > Advanced
• Add the OAM server host name
• Go to the Advanced tab > Security and check Enable Integrated Windows Authentication
• Go to Security > Local Intranet > Custom Level and select Automatic logon only in Intranet zone
• Restart Internet Explorer

Chrome
• Google Chrome uses the Internet Explorer settings.

Firefox
• Open about:config
• Set network.negotiate-auth.trusted-uris to OAMHOST.DOMAIN

Keep these lists to the specific SSO host. The browser will send a Negotiate token (and, after fallback, an NTLM response) to any site that matches the Intranet zone or trusted-uris entry, so a wildcard or whole-domain entry lets every host in that domain collect the user's credentials.
WNA Testing
• Demo viewlet: https://www.youtube.com/watch?v=C-HKAN2InyY
WNA Sequence Diagram
[Sequence diagram slide; image not captured in this extraction. The following slides walk through the same flow as server log and HTTP captures.]
OAM Server Log – keytab loaded by the Kerberos authentication module

<11-Jun-2015 13:03:12 o'clock BST> <Notice> <LoggingService> <BEA-320401> <The log file has been rotated to /u01/app/oracle/middleware/user_projects/domains/iam_domain/servers/oam_server1/logs/oam_server1.log00059. Log messages will continue to be logged in /u01/app/oracle/middleware/user_projects/domains/iam_domain/servers/oam_server1/logs/oam_server1.log.>
>>> KeyTabInputStream, readName(): OWAD.LOCAL
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): oraworld.com
>>> KeyTab: load() entry length: 63; type: 23
Added key: 23version: 3
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23.
0: EncryptionKey: keyType=23 kvno=3 keyValue (hex dump)=
0000: 1D 1B 11 7A 1D B4 0D C2 41 F7 83 8B 08 3A 6B 9D   ...z....A....:k.

Note: this is the JDK's Kerberos debug output, and it writes the service key in clear (the same value klist -K showed). Treat the server log as a secret while this tracing is on, and turn it off once WNA works.
WNA Sequence Diagram – 1. Browser requests the protected resource; the WebGate on OHS redirects to the OAM server
http://oraworld.com:7777/secured/index.html

GET /secured/index.html HTTP/1.1
Host: oraworld.com:7777
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

HTTP/1.1 302 Found
Date: Mon, 29 Jun 2015 11:48:49 GMT
Server: Oracle-Application-Server-11g
Set-Cookie: OAMAuthnHintCookie=0@1435578529; httponly; path=/; domain=.com
Set-Cookie: OAMRequestContext_oraworld.com:7777_505353=PSSttVqN64gXBgIbzgp8jA==; max-age=300; httponly; path=/
Location: http://oraworld.com:14100/oam/server/obrareq.cgi?encquery%3DxjRnrPN5vUi8FDE0h2Os3fXf <Trimmed>
Content-Length: 652
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

(The lab host is the bare name oraworld.com, so the hint cookie is scoped to domain=.com, a public suffix that browsers refuse to store; with a fully qualified host name it would be scoped to the organisation's domain.)
WNA Sequence Diagram – 2. OAM server processes obrareq.cgi and redirects to the WNA credential collector
http://oraworld.com:14100/oam/server/obrareq.cgi?encquery%<Trimmed>

GET /oam/server/obrareq.cgi?encquery%3DxjRn<Trimmed> HTTP/1.1
Host: oraworld.com:14100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: OAMRequestContext_oraworld.com:7777_505353=PSSttVqN64gXBgIbzgp8jA==
Connection: keep-alive

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Mon, 29 Jun 2015 11:48:49 GMT
Transfer-Encoding: chunked
Location: http://oraworld.com:14100/oam/CredCollectServlet/WNA?authn_try_count=0&spnegotoken=string&challenge_url=%2Foam%2FCredCollectServlet%2FWNA&request_id=-276341910699531784&locale=en_US&resource_url=http%253A%252F%252Foraworld.com%253A7777%252Fsecured%252Findex.html
Set-Cookie: OAM_REQ_0=VERSION_4~ugKPHSCILJo%<Trimmed>; path=/; HttpOnly
Set-Cookie: OAM_REQ_COUNT=VERSION_4~1; path=/; HttpOnly
X-ORACLE-DMS-ECID: 74645cb114abea27:-3751213f:14dfcde14b8:-8000-0000000000029fd1
WNA Sequence Diagram – 3. The WNA credential collector challenges the browser with 401 Negotiate
http://oraworld.com:14100/oam/CredCollectServlet/WNA?authn_try_count=0&spnegotoken=string&challenge_url=%2Foam%2FCredCollectServlet%2FWNA&request_id=-276341910699531784&locale=en_US&resource_url=http%253A%252F%252Foraworld.com%253A7777%252Fsecured%252Findex.html

GET /oam/CredCollectServlet/WNA?authn_try_count=0&spnegotoken=string&challenge_url=%2Foam%2FCredCollectServlet%2FWNA&request_id=-276341910699531784&locale=en_US&resource_url=http%253A%252F%252Foraworld.com%253A7777%252Fsecured%252Findex.html HTTP/1.1
Host: oraworld.com:14100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: OAMRequestContext_oraworld.com:7777_505353=<Trimmed>; OAM_REQ_COUNT=VERSION_4~1
Connection: keep-alive

HTTP/1.1 401 Unauthorized
Cache-Control: no-cache, no-store
Date: Mon, 29 Jun 2015 11:48:50 GMT
Pragma: no-cache
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Expires: 0
WWW-Authenticate: Negotiate
WWW-Authenticate: Basic realm="OAM 11g"

(The server offers Basic as a fallback for clients that cannot Negotiate. In this lab everything runs over plain http://; in production put OHS and the OAM server behind TLS, otherwise a Basic fallback sends the password, and the OAM_ID session cookie set in the next step travels in clear.)
WNA Sequence Diagram – 4. The browser resends the request with a SPNEGO token; OAM validates it against the keytab and creates the session
http://oraworld.com:14100/oam/CredCollectServlet/WNA?authn_try_count=0&spnegotoken=string&challenge_url=%2Foam%2FCredCollectServlet%2FWNA&request_id=<Trimmed>&locale=en_US&resource_url=http%253A%252F%252Foraworld.com%253A7777%252Fsecured%252Findex.html

GET /oam/CredCollectServlet/WNA?authn_try_count=0&spnegotoken=string&challenge_url=%2Foam%2FCredCollectServlet%2FWNA&request_id=<Trimmed>&locale=en_US&resource_url=<Trimmed> HTTP/1.1
Host: oraworld.com:14100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: OAMRequestContext_oraworld.com:7777_505353=<Trimmed>; OAM_REQ_COUNT=VERSION_4~1
Connection: keep-alive
Authorization: Negotiate YIIGlgYGKwYBBQUCoIIGijCCBoagMDA<Trimmed>==

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Mon, 29 Jun 2015 11:48:50 GMT
Transfer-Encoding: chunked
Location: http://oraworld.com:7777/obrar.cgi?encreply=<Trimmed>
Set-Cookie: OAM_ID=VERSION_4~SrAPo4Sh9v3M<Trimmed>; path=/; HttpOnly
Set-Cookie: OAM_GITO=v1~uid:Wnauser1r&<Trimmed>c-oraworld.c&; path=/; HttpOnly; expires=Thu, 01-Jan-1970 01:00:00 GMT
Set-Cookie: OAM_REQ_0=invalid; path=/; HttpOnly
X-ORACLE-DMS-ECID: 74645cb114abea27:-3751213f:14dfcde14b8:-8000-0000000000029fd6

(The token prefix YIIGlgYGKwYBBQUC decodes to 60 82 06 96 06 06 2b 06 01 05 05 02: a GSS-API InitialContextToken carrying the SPNEGO OID 1.3.6.1.5.5.2, i.e. a 1686-byte SPNEGO token. A raw NTLM token would instead start with TlRMTVNTUAA. OAM_ID is the SSO session cookie; OAM_REQ_0 is invalidated because the request context has been consumed.)
WNA Sequence Diagram – 5. obrar.cgi on OHS turns the OAM reply into the WebGate's own session cookie
http://oraworld.com:7777/obrar.cgi?encreply=<Trimmed>

GET /obrar.cgi?encreply=<Trimmed>k%3D HTTP/1.1
Host: oraworld.com:7777
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: OAMRequestContext_oraworld.com:7777_505353=PSSt<Trimmed>rr2SMpNMOF2B/DbQk3/N1Ua1onzJ
Connection: keep-alive

HTTP/1.1 302 Found
Date: Mon, 29 Jun 2015 11:48:52 GMT
Server: Oracle-Application-Server-11g
Set-Cookie: OAMRequestContext_oraworld.com:7777_505353=; expires=thursday, 01-jan-1970 01:00:00 gmt; httponly; path=/
Set-Cookie: OAMAuthnCookie_oraworld.com:7777=<Trimmed>%3D; httponly; path=/
Set-Cookie: OAMAuthnHintCookie=X; httponly; path=/
Location: /secured/index.html
Content-Length: 230
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
WNA Sequence Diagram – 6. The original resource is served
http://oraworld.com:7777/secured/index.html

GET /secured/index.html HTTP/1.1
Host: oraworld.com:7777
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: OAM_REQ_0=invalid; OAM_REQ_COUNT=VERSION_4~1; OAM_ID=VERSION_4~SrAPo4Sh9v3Mz9YtR0IUJQ==~<Trimmed>; OAMAuthnHintCookie=X
Connection: keep-alive

HTTP/1.1 200 OK
Date: Mon, 29 Jun 2015 11:48:52 GMT
Server: Oracle-Application-Server-11g
Set-Cookie: OAMAuthnHintCookie=; expires=thursday, 01-jan-1970 01:00:00 gmt; httponly; path=/
Set-Cookie: OAMAuthnHintCookie=1; httponly; path=/; domain=.com
Cache-Control: no-cache
Pragma: no-cache
Last-Modified: Tue, 23 Jun 2015 19:07:39 GMT
Etag: "bc06de-3cd-519341a9c54c0"
Accept-Ranges: bytes
Content-Length: 973
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Lessons Learnt
• NTLM versus Kerberos
  - The SPNEGO token can carry either a Kerberos or an NTLM token, depending on the Windows client's capabilities. Pre-Windows 2000 clients only speak NTLM, and AD domains support "mixed" mode by default.
  - If Kerberos fails (no ticket for the SPN because the SPN is unknown or duplicated, a host that is not domain-joined, or clock skew), the client falls back to NTLM, which OAM's Kerberos authentication module cannot validate.
  - An HTTP header logger or Fiddler is the quickest way to see which one was sent: a Negotiate token starting with YII or YH is SPNEGO, and its mechTypes list shows whether Kerberos or NTLM was chosen; a token starting with TlRMTVNTUAA is raw NTLM. Browser logging can also help.
• Clock skew errors
  - Synchronize the clocks of the OAM server and the AD domain controller; Kerberos tolerates only the skew allowed by clock_skew in krb5.conf (five minutes by default, 600 seconds in the demo configuration).
www.OraWorld.co.uk
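The NTLM-versus-Kerberos diagnosis above comes down to reading the first bytes of the Authorization: Negotiate header. The following Python is an added example (not from the deck or from Oracle) that classifies such a header by decoding the GSS-API framing and the SPNEGO NegTokenInit mechTypes list, which is the same check a header logger or Fiddler lets you do by eye. The three sample headers are constructed with placeholder mech tokens, not captured traffic; only the OIDs and the DER structure are real.

```python
import base64

# Mechanism OIDs that appear in SPNEGO (RFC 4178 / RFC 4559) Negotiate tokens.
SPNEGO = "1.3.6.1.5.5.2"
KRB5 = "1.2.840.113554.1.2.2"
MS_KRB5 = "1.2.840.48018.1.2.2"
NTLMSSP = "1.3.6.1.4.1.311.2.2.10"

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, content):
    """One DER TLV."""
    return bytes([tag]) + _der_len(len(content)) + content

def oid_encode(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

def oid_decode(content):
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def der_read(buf, pos=0):
    """Return (tag, content, position after the TLV)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln

def classify_negotiate(header_value):
    """Classify an Authorization header: (kind, mechTypes in the client's preference order)."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme != "Negotiate":
        return "not-negotiate", []
    tok = base64.b64decode(b64 or "")
    if tok.startswith(b"NTLMSSP\x00"):
        return "ntlm-raw", []               # NTLM without SPNEGO wrapping ("TlRMTVNTUAA...")
    if not tok or tok[0] != 0x60:
        return "unknown", []
    _, inner, _ = der_read(tok)             # [APPLICATION 0] InitialContextToken
    _, oid, p = der_read(inner)
    mech = oid_decode(oid)
    if mech in (KRB5, MS_KRB5):
        return "kerberos-raw", [mech]       # bare AP-REQ, no SPNEGO negotiation
    if mech != SPNEGO:
        return "unknown", [mech]
    tag, neg, _ = der_read(inner, p)
    if tag != 0xA0:
        return "spnego-resp", []            # NegTokenResp ([1]) carries no mechTypes
    _, seq, _ = der_read(neg)               # NegTokenInit ::= SEQUENCE
    _, mt, _ = der_read(seq)                # [0] mechTypes
    _, lst, _ = der_read(mt)                # SEQUENCE OF MechType
    mechs, q = [], 0
    while q < len(lst):
        _, o, q = der_read(lst, q)
        mechs.append(oid_decode(o))
    if mechs and mechs[0] in (KRB5, MS_KRB5):
        return "spnego-kerberos", mechs     # optimistic mechToken is a Kerberos AP-REQ
    if mechs and mechs[0] == NTLMSSP:
        return "spnego-ntlm", mechs         # client had no ticket and fell back to NTLM
    return "spnego-other", mechs

def build_neg_token_init(mechs, mech_token):
    """Build a client NegTokenInit as a browser does; mech_token belongs to the first mech."""
    mech_types = der(0xA0, der(0x30, b"".join(oid_encode(m) for m in mechs)))
    mech_tok = der(0xA2, der(0x04, mech_token))
    neg = der(0xA0, der(0x30, mech_types + mech_tok))
    return "Negotiate " + base64.b64encode(der(0x60, oid_encode(SPNEGO) + neg)).decode()

# Constructed headers, not captured traffic: the mech token bodies are placeholders.
FAKE_AP_REQ = bytes(300)                                        # stands in for a Kerberos AP-REQ
NTLM_NEGOTIATE = b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(28)     # NTLM NEGOTIATE_MESSAGE shape
KERB_HEADER = build_neg_token_init([MS_KRB5, KRB5, NTLMSSP], FAKE_AP_REQ)
NTLM_HEADER = build_neg_token_init([NTLMSSP], NTLM_NEGOTIATE)
RAW_NTLM_HEADER = "Negotiate " + base64.b64encode(NTLM_NEGOTIATE).decode()

if __name__ == "__main__":
    for h in (KERB_HEADER, NTLM_HEADER, RAW_NTLM_HEADER):
        print(h[:24], "->", classify_negotiate(h))
```

Feed it the Authorization header values from a Fiddler or OHS access-log capture: "spnego-kerberos" means the browser obtained a service ticket for the SPN, "spnego-ntlm" or "ntlm-raw" means it did not (unknown or duplicate SPN, host not in the Intranet zone, clock skew) and OAM will reject the token.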
Lessons Learnt
• Common kinit errors and their usual causes:
  - kinit(v5): Key table entry not found while getting initial credentials – no keytab entry matches the requested principal (or enctype); check the spelling and case of the SPN and realm.
  - kinit(v5): Preauthentication failed while getting initial credentials – the key in the keytab no longer matches the account's current key (password reset or keytab regenerated; compare the KVNO in the keytab with the account's).
  - kinit(v5): KDC reply did not match expectations while getting initial credentials – realm name mismatch between krb5.conf and the KDC, typically a lower-case or wrong realm.
• Principal names are compared case-sensitively: the PROTOCOL (service class) and the REALM/DOMAIN NAME are always in CAPITAL LETTERS.
• The hostname and username are always in lower case, exactly as the client will request them.
www.OraWorld.co.uk
References
• Configuring Access Manager for Windows Native Authentication
• OAM 11g WNA Step by Step Setup Guide (Doc ID 1416860.1)
• WNA Basics
• WNA for multiple AD forests
• Oracle Access Manager 11g WNA Quick Start Guide (Doc ID 1416903.1)
• RFC 4559, SPNEGO-based Kerberos and NTLM HTTP Authentication: http://tools.ietf.org/html/rfc4559
• Trouble Shooting OAM 11g WNA Issues Quick Start Guide (Doc ID 1433554.1)
• Blogs: Enable Logging & Lessons Learnt
• Kerberos Basics
www.OraWorld.co.uk
QnA