Oracle Access Manager Integration with Microsoft Active Directory for Zero Sign-on

Page 1: Oracle Access Manager Integration with Microsoft Active Directory for Zero Sign-on

Oracle Access Manager integration with WNA/AD

22nd November 2015, Hyderabad, India #AIOUG #SANGAM15

SANGAM 15

Sumit Gupta

. . . . meeting of minds

Page 2: Introduction

• Presenter – Sumit Gupta
• 10+ Years experience in Oracle Fusion Middleware
• OPN Certified IAM Expert
  – Oracle Identity Manager 11g Certified Implementation Specialist
  – Oracle Access Management Suite Plus 11g Implementation Specialist
  – Oracle Certified Associate, Oracle WebLogic Server 12c Administrator
• Presenter
  – UKOUG Tech 14 – Liverpool, UK
  – Middleware SIG – Reading, UK
  – Sangam 2015 – Hyderabad, India
  – UKOUG Tech 15 – Birmingham, UK
• Blogger (www.OraWorld.co.uk)
  – More than 150 articles
  – 1200+ subscribers

www.OraWorld.co.uk

Copyright © 2015, OraWorld Ltd. All rights reserved

Page 3: Agenda

• Windows Native Authentication Overview
• Kerberos Basics
• WNA Configurations
• WNA Testing (Demo Viewlet)
• WNA Sequence Flow
• Lessons Learnt
• References
• QnA Session

Page 4: Windows Native Authentication (section title slide, no text content)

Page 5: Kerberos Basics

• Native authentication protocol in Active Directory
• Kerberos Domain: the realm; in AD it is the domain name written in upper case (OWAD.LOCAL in this demo)
• Principal (Machines, Services & Users)
  – Service Principal Name (SPN): PROTOCOL/hostname for services (HTTP/oraworld.com in this demo)
  – username@DOMAIN for users
• Key Distribution Center (KDC): in AD, every domain controller runs one
• Ticket Granting Ticket (TGT): obtained at Windows logon; proves the user's identity to the KDC
• Service Ticket (ST): requested from the KDC with the TGT for a specific SPN and presented to that service; this is what the browser sends to OAM inside the SPNEGO token

Pages 6 to 22: Kerberos Basics (diagram-only slides, no text content)

Page 23: WNA High Level Steps

• Tasks on the Windows domain controller:
  - Configuring the domain controller to support Kerberos Authentication
  - Generating a keytab file for a service user
• Tasks on the Oracle Access Manager server:
  - Configuring an Active Directory identity store
  - Configuring a Kerberos authentication module
  - Defining a policy that uses the Kerberos authentication module to protect resources
• Configuring end-user browsers

Page 24: WNA Configuration (AD Server)

• Create a service user in Windows AD Server.

This is an ordinary domain account whose only job is to carry the HTTP SPN. Any later password change on it (including an expiry policy) changes the account's key version, which silently invalidates the keytab generated in the next step, so decide up front how the password and keytab will be rotated together.

Page 25: WNA Configuration (AD Server)

• KeyTab generation – contains shared secret key of the service

ktpass.exe -princ HTTP/<OHS hostname>@<AD Server Domain> -pass <Password of the user created to be mapped> -mapuser <AD DOMAIN\sAMAccountName of the user created> -out <Location_of_keytab_file>

-princ is the SPN (protocol and realm in upper case, host name in lower case) and -mapuser writes it onto the service account. The host in the SPN must be the name the browser uses to reach whatever issues the 401 Negotiate; in this demo oraworld.com fronts both the OHS WebGate (port 7777) and the OAM server (port 14100), so one SPN covers both, but with separate hosts the SPN belongs to the credential collector's host (the OAM server in the trace on page 54).

Three practitioner notes on this command:
- The keytab is the service's long-term key. Whoever holds it can decrypt every service ticket for that SPN and impersonate the service, so restrict its file permissions on the OAM host and move it out of band, never through email or a ticketing system.
- -pass on the command line lands in the shell history; ktpass accepts -pass * to prompt instead.
- The keytab produced in this demo holds an RC4-HMAC key (etype 23, shown as "ArcFour with HMAC/md5" by klist on page 28). For a new deployment prefer AES: add -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL, enable "This account supports Kerberos AES 256 bit encryption" on the service account, and use aes256-cts-hmac-sha1-96 for the enctypes in krb5.conf (page 27).

Page 26: WNA Configuration (AD Server) (screenshot slide, no text content)

Page 27: WNA Configuration (OAM Server)

• Copy generated keytab (binary file) to OAM Server
• Set up krb5.conf
  - Unix: /etc/krb5.conf
  - Windows: C:\windows\krb5.conf
• KRB5_CONFIG env variable: set it in the environment of the OAM managed server when the file lives anywhere other than the default path above

krb5.conf used in the demo:

[logging]
 default = FILE:/u01/app/oracle/middleware/Oracle_IAM1/wna/krb5libs.log
 kdc = FILE:/u01/app/oracle/middleware/Oracle_IAM1/wna/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = OWAD.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 600
 clock_skew = 600
 udp_preference_limit = 1
 default_tkt_enctypes = RC4-HMAC
 default_tgs_enctypes = RC4-HMAC

[realms]
 OWAD.LOCAL = {
  kdc = owwin-ad.owad.local
  admin_server = owwin-ad.owad.local
  default_domain = OWAD.LOCAL
 }

[domain_realm]
 .owad.local = OWAD.LOCAL
 owad.local = OWAD.LOCAL

Two of these values deserve a second look before the file goes to production. RC4-HMAC is the legacy enctype; replace it with aes256-cts-hmac-sha1-96 once the keytab and the AD account are AES-enabled. clock_skew = 600 doubles the 300 s default rather than fixing the time drift that made it necessary; the Lessons Learnt slide says to synchronize clocks, which is the real fix. udp_preference_limit = 1, on the other hand, is deliberate: it forces TCP to the KDC, which avoids truncated replies for the large tickets AD issues (they carry the PAC).
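A check for the settings above, as an added example that is not part of the original deck: the parser and the audit rules are mine, and the configuration it reads is the slide's, embedded inline so the script runs offline.

```python
"""Parse a krb5.conf and flag the settings a reviewer would question.

Added example, not from the original deck. The sample below is the slide's
configuration, reproduced inline so the script runs offline.
"""
import re

# Enctype prefixes that should not be negotiated by a new WNA deployment.
WEAK_ENCTYPES = ("rc4", "arcfour", "des")

SAMPLE_KRB5_CONF = """
[logging]
 default = FILE:/u01/app/oracle/middleware/Oracle_IAM1/wna/krb5libs.log
 kdc = FILE:/u01/app/oracle/middleware/Oracle_IAM1/wna/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = OWAD.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 600
 clock_skew = 600
 udp_preference_limit = 1
 default_tkt_enctypes = RC4-HMAC
 default_tgs_enctypes = RC4-HMAC

[realms]
 OWAD.LOCAL = {
  kdc = owwin-ad.owad.local
  admin_server = owwin-ad.owad.local
  default_domain = OWAD.LOCAL
 }

[domain_realm]
 .owad.local = OWAD.LOCAL
 owad.local = OWAD.LOCAL
"""


def parse_krb5_conf(text):
    """Return {section: {key: value}}; a 'name = {' block becomes a nested dict.

    Covers the syntax the slide uses: [section] headers, key = value lines,
    one level of { } grouping (used by [realms]) and # or ; comments.
    """
    conf, section, group = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = conf.setdefault(header.group(1), {})
            group = None
            continue
        if section is None:
            raise ValueError("key before any [section]: %r" % raw)
        if line == "}":                       # end of a { } block
            group = None
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("unparseable line: %r" % raw)
        key, value = key.strip(), value.strip()
        if value == "{":                      # start of a { } block
            section[key] = {}
            group = key
        elif group:
            section[group][key] = value
        else:
            section[key] = value
    return conf


def audit_krb5_conf(conf):
    """Return human-readable findings; an empty list means nothing to flag."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        for enctype in libdefaults.get(key, "").replace(",", " ").split():
            if enctype.lower().startswith(WEAK_ENCTYPES):
                findings.append("%s lists weak enctype %s; prefer aes256-cts-hmac-sha1-96" % (key, enctype))
    skew = int(libdefaults.get("clock_skew", "300"))
    if skew > 300:
        findings.append("clock_skew %d s exceeds the 300 s default; fix time sync instead" % skew)
    if "default_realm" not in libdefaults:
        findings.append("no default_realm in [libdefaults]")
    for realm, settings in conf.get("realms", {}).items():
        if realm != realm.upper():
            findings.append("realm %s is not upper case; AD expects the realm in capitals" % realm)
        if "kdc" not in settings:
            findings.append("realm %s has no kdc entry" % realm)
    return findings
```

Run against the slide's file it reports the two RC4-HMAC enctype lines and the 600 s clock skew; the same file with aes256-cts-hmac-sha1-96 and clock_skew = 300 comes back clean. Point it at the OAM host's real /etc/krb5.conf (or the file KRB5_CONFIG names) rather than the sample when reviewing a deployment.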

Page 28: WNA Configuration (OAM Server)

• klist commands

[orafmw@iam ~]$ klist -e
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_500)

Kerberos 4 ticket cache: /tmp/tkt500
kl ist: You have no tickets cached

[orafmw@iam ~]$ klist -k /u01/app/oracle/middleware/Oracle_IAM1/wna/oraworld.keytab -t -K -e
Keytab name: FILE:/u01/app/oracle/middleware/Oracle_IAM1/wna/oraworld.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 01/01/70 01:00:00 HTTP/oraworld.com@OWAD.LOCAL (ArcFour with HMAC/md5) (0x1d1b117a1db40dc241f7838b083a6b9d)

klist -k shows the exact principal string, KVNO and enctype OAM will use, which is what to compare against the AD account after any password change (a changed password moves the account's key version on and the keytab stops matching). The -K switch prints the key itself: the hex value above is the service's secret in this lab, and for a real deployment it must never be pasted into a document, ticket or chat. The 1970 timestamp only means ktpass recorded no creation time for the entry.

Page 29: WNA Configuration (OAM Server)

• kinit command

[orafmw@iam ~]$ kinit -V HTTP/oraworld.com@OWAD.LOCAL -k -t /u01/app/oracle/middleware/Oracle_IAM1/wna/oraworld.keytab
Authenticated to Kerberos v5

[orafmw@iam ~]$ klist -e
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: HTTP/oraworld.com@OWAD.LOCAL

Valid starting     Expires            Service principal
06/22/15 11:47:22  06/22/15 21:47:27  krbtgt/OWAD.LOCAL@OWAD.LOCAL
        renew until 06/23/15 11:47:22, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5

Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached

A successful kinit -k -t proves three things at once: the key in the keytab matches the account's current key, the realm and KDC in krb5.conf are correct and reachable, and the principal is spelled exactly as AD knows it. Run it as the OS user that starts the OAM managed server so the same krb5.conf and the same file permissions on the keytab are exercised; the errors it can produce are decoded on page 60.

Pages 30 to 38: WNA Configuration (OAM Server) (screenshot slides, no text content)

Page 39: Browser Configuration (Internet Explorer)

• Open Internet Explorer
• Go to Tools > Internet Options > Security > Local Intranet > Advanced
• Add OAM Server host name

Pages 40 to 41: Browser Configuration (Internet Explorer) (screenshot slides, no text content)

Page 42: Browser Configuration (Internet Explorer)

• Go to Advanced tab > Security
• Check the box beside "Enable Integrated Windows Authentication"

Page 43: Browser Configuration (Internet Explorer) (screenshot slide, no text content)

Page 44: Browser Configuration (Internet Explorer)

• Go to Security > Local Intranet > Custom Level
• Select "Automatic logon only in Intranet zone"
• Restart Internet Explorer

These three settings together are what makes the 401 Negotiate challenge invisible to the user: IE answers it with the logged-on user's ticket only for hosts in the Local Intranet zone, and only when Integrated Windows Authentication is enabled. Add the exact host name that issues the challenge (the OAM server host in the trace on page 54), not a wildcard: every host in that zone receives a Kerberos service ticket, or on fallback an NTLM response, for the current user without any prompt. In a domain these settings are normally pushed by Group Policy rather than set by hand on each workstation.

Page 45: Browser Configuration (Internet Explorer) (screenshot slide, no text content)

Page 46: Browser Configuration (Chrome)

• Google Chrome uses the Internet Explorer settings (the Windows Internet Options zones above). Where the zones are not managed, the AuthServerAllowlist policy can name the OAM host instead.

Page 47: Browser Configuration (Firefox)

• about:config
• Set network.negotiate-auth.trusted-uris to OAMHOST.DOMAIN.

Firefox keeps its own list and does not read the Windows zones. The value is a comma-separated list of host names or URL prefixes; as with IE it should name the OAM host exactly rather than a bare top-level domain.

Page 48: Browser Configuration (Firefox) (screenshot slide, no text content)

Page 49: WNA Testing

• Demo Viewlet Link: https://www.youtube.com/watch?v=C-HKAN2InyY

Page 50: WNA Sequence Diagram (diagram slide, no text content)

Page 51: WNA Sequence Diagram

OAM Server Log (oam_server1.log with Kerberos debugging enabled):

<11-Jun-2015 13:03:12 o'clock BST> <Notice> <LoggingService> <BEA-320401> <The log file has been rotated to /u01/app/oracle/middleware/user_projects/domains/iam_domain/servers/oam_server1/logs/oam_server1.log00059. Log messages will continue to be logged in /u01/app/oracle/middleware/user_projects/domains/iam_domain/servers/oam_server1/logs/oam_server1.log.>

>>> KeyTabInputStream, readName(): OWAD.LOCAL
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): oraworld.com
>>> KeyTab: load() entry length: 63; type: 23
Added key: 23version: 3
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23.
0: EncryptionKey: keyType=23 kvno=3 keyValue (hex dump)=
0000: 1D 1B 11 7A 1D B4 0D C2 41 F7 83 8B 08 3A 6B 9D  ...z....A....:k.

The ">>> KeyTab" lines are the JDK's Kerberos debug output (sun.security.krb5.debug). They show the OAM server loading the keytab entry for HTTP/oraworld.com@OWAD.LOCAL with enctype 23 (RC4-HMAC) and KVNO 3, matching the klist -k output on page 28; "default etypes ... 23" confirms the krb5.conf enctype settings were read. The same debug output dumps the key bytes into the server log, so switch it off once WNA works and treat the log files written while it was on as sensitive.

Page 52: WNA Sequence Diagram

Step 1: the browser requests the protected resource and the WebGate on OHS redirects it to the OAM server.

http://oraworld.com:7777/secured/index.html

GET /secured/index.html HTTP/1.1
Host: oraworld.com:7777
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

HTTP/1.1 302 Found
Date: Mon, 29 Jun 2015 11:48:49 GMT
Server: Oracle-Application-Server-11g
Set-Cookie: OAMAuthnHintCookie=0@1435578529; httponly; path=/; domain=.com
Set-Cookie: OAMRequestContext_oraworld.com:7777_505353=PSSttVqN64gXBgIbzgp8jA==; max-age=300; httponly; path=/
Location: http://oraworld.com:14100/oam/server/obrareq.cgi?encquery%3DxjRnrPN5vUi8FDE0h2Os3fXf <Trimmed>
Content-Length: 652
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

The request carries no OAMAuthnCookie, so the WebGate records the pending request in OAMRequestContext (five-minute max-age) and sends the browser to obrareq.cgi on the OAM server with the encrypted request details. Note the hint cookie's domain=.com: browsers drop cookies scoped to a public suffix, so check the WebGate's cookie-domain setting against the real host names before going live.

Page 53: WNA Sequence Diagram

Step 2: the OAM server receives the redirected request and, because the resource is protected by the Kerberos (WNA) scheme, redirects to its WNA credential collector.

http://oraworld.com:14100/oam/server/obrareq.cgi?encquery%<Trimmed>

GET /oam/server/obrareq.cgi?encquery%3DxjRn<Trimmed> HTTP/1.1
Host: oraworld.com:14100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: OAMRequestContext_oraworld.com:7777_505353=PSSttVqN64gXBgIbzgp8jA==
Connection: keep-alive

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Mon, 29 Jun 2015 11:48:49 GMT
Transfer-Encoding: chunked
Location: http://oraworld.com:14100/oam/CredCollectServlet/WNA?authn_try_count=0&spnegotoken=string&challenge_url=%2Foam%2FCredCollectServlet%2FWNA&request_id=-276341910699531784&locale=en_US&resource_url=http%253A%252F%252Foraworld.com%253A7777%252Fsecured%252Findex.html
Set-Cookie: OAM_REQ_0=VERSION_4~ugKPHSCILJo%<Trimmed>; path=/; HttpOnly
Set-Cookie: OAM_REQ_COUNT=VERSION_4~1; path=/; HttpOnly
X-ORACLE-DMS-ECID: 74645cb114abea27:-3751213f:14dfcde14b8:-8000-0000000000029fd1

OAM_REQ_0 holds the pending authentication request on the server side of the flow; request_id and the double-encoded resource_url in the Location tie the credential collection back to the original resource.

Page 54: WNA Sequence Diagram

Step 3: the credential collector answers the first request with a 401 that offers the Negotiate scheme (RFC 4559).

http://oraworld.com:14100/oam/CredCollectServlet/WNA?authn_try_count=0&spnegotoken=string&challenge_url=%2Foam%2FCredCollectServlet%2FWNA&request_id=-276341910699531784&locale=en_US&resource_url=http%253A%252F%252Foraworld.com%253A7777%252Fsecured%252Findex.html

GET /oam/CredCollectServlet/WNA?authn_try_count=0&spnegotoken=string&challenge_url=%2Foam%2FCredCollectServlet%2FWNA&request_id=-276341910699531784&locale=en_US&resource_url=http%253A%252F%252Foraworld.com%253A7777%252Fsecured%252Findex.html HTTP/1.1
Host: oraworld.com:14100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: OAMRequestContext_oraworld.com:7777_505353=<Trimmed>OAM_REQ_COUNT=VERSION_4~1
Connection: keep-alive

HTTP/1.1 401 Unauthorized
Cache-Control: no-cache, no-store
Date: Mon, 29 Jun 2015 11:48:50 GMT
Pragma: no-cache
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Expires: 0
WWW-Authenticate: Negotiate
WWW-Authenticate: Basic realm="OAM 11g"

A browser that trusts oraworld.com for integrated authentication (the zone and trusted-uris settings on pages 39 to 47) now asks the KDC for a service ticket for HTTP/oraworld.com and repeats the GET with an Authorization: Negotiate header; nothing is shown to the user. The second WWW-Authenticate: Basic line is a fallback for clients that cannot do Negotiate. It would carry the user's AD password base64-encoded, so if it stays enabled the credential collector must be reachable over TLS only (this lab capture is plain HTTP).

Page 55: WNA Sequence Diagram

Step 4: the browser repeats the request with the SPNEGO token; OAM validates the Kerberos ticket inside it with the keytab, creates the session and sends the browser back to the WebGate.

http://oraworld.com:14100/oam/CredCollectServlet/WNA?authn_try_count=0&spnegotoken=string&challenge_url=%2Foam%2FCredCollectServlet%2FWNA&request_id=-276341910699531784&locale=en_US&resource_url=http%253A%252F%252Foraworld.com%253A7777%252Fsecured%252Findex.html (the same URL as the previous request)

GET /oam/CredCollectServlet/WNA?authn_try_count=0&spnegotoken=string&challenge_url=%2Foam%2FCredCollectServlet%2FWNA&request_id=-276341910699531784&locale=en_US&resource_url=http%253A%252F%252Foraworld.com%253A7777%252Fsecured%252Findex.html HTTP/1.1
Host: oraworld.com:14100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: OAMRequestContext_oraworld.com:7777_50<Trimmed>LJeWMsd; OAM_REQ_COUNT=VERSION_4~1
Connection: keep-alive
Authorization: Negotiate YIIGlgYGKwYBBQUCoIIGijCCBoagMDA<Trimmed>==

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Mon, 29 Jun 2015 11:48:50 GMT
Transfer-Encoding: chunked
Location: http://oraworld.com:7777/obrar.cgi?encreply=<Trimmed>
Set-Cookie: OAM_ID=VERSION_4~SrAPo4Sh9v3M<Trimmed>; path=/; HttpOnly
Set-Cookie: OAM_GITO=v1~uid:Wnauser1r&<Trimmed>c-oraworld.c&; path=/; HttpOnly; expires=Thu, 01-Jan-1970 01:00:00 GMT
Set-Cookie: OAM_REQ_0=invalid; path=/; HttpOnly
X-ORACLE-DMS-ECID: 74645cb114abea27:-3751213f:14dfcde14b8:-8000-0000000000029fd6

The token's first bytes, YIIGlgYGKwYBBQUC, decode to the GSS-API InitialContextToken tag 0x60 followed by the SPNEGO OID 1.3.6.1.5.5.2, so this client sent SPNEGO, with a Kerberos ticket inside given that the login succeeded; a client that has fallen back to NTLM sends a token beginning TlRMTVNTUAA (base64 of "NTLMSSP\0") instead. In the response, OAM_ID is the server-side session cookie, the pending-request cookie OAM_REQ_0 is invalidated, and the 302 carries the encrypted reply for the WebGate.

Page 56: WNA Sequence Diagram (diagram slide, no text content)

Page 57: WNA Sequence Diagram

Step 5: the WebGate consumes the encrypted reply and issues its own authentication cookie for the protected host.

http://oraworld.com:7777/obrar.cgi?encreply=<Trimmed>

GET /obrar.cgi?encreply=<Trimmed>k%3D HTTP/1.1
Host: oraworld.com:7777
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: OAMRequestContext_oraworld.com:7777_505353=PSSt<Trimmed>rr2SMpNMOF2B/DbQk3/N1Ua1onzJ
Connection: keep-alive

HTTP/1.1 302 Found
Date: Mon, 29 Jun 2015 11:48:52 GMT
Server: Oracle-Application-Server-11g
Set-Cookie: OAMRequestContext_oraworld.com:7777_505353=; expires=thursday, 01-jan-1970 01:00:00 gmt; httponly; path=/
Set-Cookie: OAMAuthnCookie_oraworld.com:7777=<Trimmed>%3D; httponly; path=/
Set-Cookie: OAMAuthnHintCookie=X; httponly; path=/
Location: /secured/index.html
Content-Length: 230
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

The WebGate deletes the pending-request cookie, sets OAMAuthnCookie_oraworld.com:7777 (the per-host session cookie it will check on every later request to this host) and redirects to the resource the user originally asked for.

Page 58: WNA Sequence Diagram

Step 6: the original request is repeated with the session cookies and the WebGate lets the page through. No password was typed at any point: the Kerberos ticket obtained at Windows logon was the only credential, which is what "zero sign-on" means here.

http://oraworld.com:7777/secured/index.html

GET /secured/index.html HTTP/1.1
Host: oraworld.com:7777
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: OAM_REQ_0=invalid; OAM_REQ_COUNT=VERSION_4~1; OAM_ID=VERSION_4~SrAPo4Sh9v3Mz9YtR0IUJQ==~<Trimmed>; OAMAuthnHintCookie=X
Connection: keep-alive

HTTP/1.1 200 OK
Date: Mon, 29 Jun 2015 11:48:52 GMT
Server: Oracle-Application-Server-11g
Set-Cookie: OAMAuthnHintCookie=; expires=thursday, 01-jan-1970 01:00:00 gmt; httponly; path=/
Set-Cookie: OAMAuthnHintCookie=1; httponly; path=/; domain=.com
Cache-Control: no-cache
Pragma: no-cache
Last-Modified: Tue, 23 Jun 2015 19:07:39 GMT
Etag: "bc06de-3cd-519341a9c54c0"
Accept-Ranges: bytes
Content-Length: 973
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en

Cookies are scoped by host, not by port, so the OAM_ID cookie set by the OAM server on :14100 is also sent to the WebGate on :7777 here. That is an artefact of running both on oraworld.com in the lab; with the OAM server on its own host name only the WebGate's OAMAuthnCookie travels to the application host.

Page 59: Lessons Learnt

• NTLM versus Kerberos
  - SPNEGO token can contain either NTLM or Kerberos token depending on the Windows client capabilities. All pre-Windows 2000 clients use NTLM. AD domains by default support "mixed" mode.
  - If Kerberos fails, the client falls back to NTLM. Typical triggers: the host name in the URL has no matching HTTP/ SPN (or the same SPN is registered on two accounts), the site is reached by IP address or by a name the SPN does not cover, or the client holds no TGT for the realm. A Kerberos-only authentication module cannot consume an NTLM token, so the fallback shows up as a failed WNA login rather than as a slower success.
  - HTTP header logger or Fiddler are best to diagnose this. Browser logging can also help. In the capture, look at the Authorization: Negotiate value: a SPNEGO/Kerberos token is DER and starts with byte 0x60 (base64 "YI..." for any token longer than 128 bytes), an NTLM token starts with "TlRMTVNTUAA".
• Clock Skew Errors
  - Synchronize clocks on both your OAM Server and the AD server. Kerberos rejects tickets whose timestamps fall outside the permitted skew (300 s by default); the krb5.conf on page 27 widens it to 600 s, which hides the symptom without curing it, so put both hosts on the same NTP source instead.
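The header check that the "NTLM versus Kerberos" lesson recommends, applied to the Authorization: Negotiate value captured on page 55. This is an added example, not code from the deck: the DER walker, the OID table (the registered values for SPNEGO, the two Kerberos mechanism OIDs and NTLMSSP) and the constructed sample tokens are mine; the one real input is the visible prefix of the slide's trimmed token.

```python
"""Classify the token in an HTTP 'Authorization: Negotiate <base64>' header.

Added example, not from the original deck: enough DER to tell a SPNEGO
wrapper (and the mechanisms it offers) from a raw NTLMSSP or raw Kerberos
token. Sample tokens are constructed; only SLIDE_TOKEN_PREFIX is from the page.
"""
import base64

OID_SPNEGO = "1.3.6.1.5.5.2"
OID_KRB5 = "1.2.840.113554.1.2.2"
OID_MS_KRB5 = "1.2.840.48018.1.2.2"       # Microsoft's legacy Kerberos OID, offered first by Windows
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
OID_NAMES = {OID_KRB5: "Kerberos", OID_MS_KRB5: "Kerberos (MS)", OID_NTLMSSP: "NTLM"}


def _read_tlv(buf, pos):
    """Decode one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode DER OID content bytes to dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def der(tag, content):
    """Wrap content in a DER tag and length (short or long form as needed)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content


def encode_oid(dotted):
    """DER-encode a dotted OID: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append((a & 0x7F) | 0x80)
            a >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def build_spnego_init(mech_oids):
    """Construct a minimal SPNEGO NegTokenInit that only lists mechTypes (no mechToken)."""
    mech_list = der(0x30, b"".join(encode_oid(o) for o in mech_oids))
    return der(0x60, encode_oid(OID_SPNEGO) + der(0xA0, der(0x30, der(0xA0, mech_list))))


def negotiate_header(token):
    """Render raw token bytes as an Authorization header value."""
    return "Negotiate " + base64.b64encode(token).decode()


def classify_negotiate_token(header_value):
    """Return (kind, mechs): 'NTLM', 'Kerberos', 'SPNEGO' (+ offered mechs) or 'unknown'."""
    value = header_value.split(None, 1)[1] if header_value.lower().startswith("negotiate ") else header_value
    token = base64.b64decode(value + "=" * (-len(value) % 4))   # tolerate a trimmed, unpadded token
    if token.startswith(b"NTLMSSP\x00"):
        return "NTLM", []                              # raw NTLM sent under the Negotiate scheme
    try:
        tag, pos, _ = _read_tlv(token, 0)              # [APPLICATION 0] InitialContextToken, RFC 2743
        otag, s, e = _read_tlv(token, pos)             # thisMech OID
        if tag != 0x60 or otag != 0x06:
            return "unknown", []
        mech = _decode_oid(token[s:e])
    except IndexError:
        return "unknown", []
    if mech in (OID_KRB5, OID_MS_KRB5):
        return "Kerberos", []                          # raw Kerberos AP-REQ, no SPNEGO wrapper
    if mech != OID_SPNEGO:
        return "unknown", []
    mechs = []
    try:
        _, pos, _ = _read_tlv(token, e)                # [0] negTokenInit
        _, pos, _ = _read_tlv(token, pos)              # SEQUENCE
        _, pos, _ = _read_tlv(token, pos)              # [0] mechTypes
        _, pos, end = _read_tlv(token, pos)            # SEQUENCE OF MechType
        while pos < end:
            _, s, e = _read_tlv(token, pos)
            oid = _decode_oid(token[s:e])
            mechs.append(OID_NAMES.get(oid, oid))
            pos = e
    except IndexError:
        mechs.append("(truncated)")                    # token cut short, as in a trimmed log line
    return "SPNEGO", mechs


# Constructed samples: a healthy WNA client offering Kerberos first, a client that has
# fallen back to NTLM, a raw NTLM Type 1 stub, and the visible prefix of the slide's header.
SAMPLE_KERBEROS_FIRST = negotiate_header(build_spnego_init([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP]))
SAMPLE_NTLM_ONLY = negotiate_header(build_spnego_init([OID_NTLMSSP]))
SAMPLE_RAW_NTLM = negotiate_header(b"NTLMSSP\x00" + (1).to_bytes(4, "little") + b"\x00" * 20)
SLIDE_TOKEN_PREFIX = "Negotiate YIIGlgYGKwYBBQUCoIIGijCCBoagMDA"
```

Feed it the Authorization header from a Fiddler or browser capture: a working client returns ("SPNEGO", ["Kerberos (MS)", "Kerberos", "NTLM"]), a client that has already fallen back returns ("SPNEGO", ["NTLM"]) or ("NTLM", []), and the slide's trimmed prefix is recognised as SPNEGO up to the point where the capture was cut. The mechTypes list is the browser's offer; which mechanism was actually used is in the mechToken that follows it, which this walker deliberately does not parse.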

Page 60: Lessons Learnt

• Errors seen from kinit, and what they usually mean:
  - kinit(v5): Key table entry not found while getting initial credentials: the principal requested is not in the keytab as spelled (case or realm differs, or the keytab was generated for a different SPN); compare with klist -k.
  - kinit(v5): Preauthentication failed while getting initial credentials: the key in the keytab no longer matches the account, typically because the account's password was changed after ktpass ran (the KVNO moved on) or a wrong password was given to ktpass.
  - kinit(v5): KDC reply did not match expectations while getting initial credentials: the realm sent differs from the one the KDC answers with, almost always a lower-case realm in the principal or in krb5.conf.
• PROTOCOL and DOMAIN NAME are always in CAPITAL LETTERS.
• hostname and username are always in lower case.
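A small validator for the naming rules on this slide and the SPN format from the Kerberos Basics slide (page 5), as an added example rather than code from the deck. Its one assumption is that keytab entries are matched as exact strings, which is how kinit -k -t behaves and why the "Key table entry not found" error above is so often a case problem.

```python
"""Check Kerberos principal names against the case rules WNA depends on.

Added example, not from the original deck. MIT kinit and the JDK's Kerberos
code compare principal names as exact strings, so a keytab entry and the
name OAM is configured with must agree character for character.
"""
import re

PRINCIPAL_RE = re.compile(r"^(?P<service>[^/@]+)(?:/(?P<host>[^/@]+))?@(?P<realm>[^@/]+)$")


def parse_principal(principal):
    """Split 'SERVICE/host@REALM' (service) or 'user@REALM' (user) into parts."""
    match = PRINCIPAL_RE.match(principal)
    if not match:
        raise ValueError("not a principal name: %r" % principal)
    return match.groupdict()          # host is None for a user principal


def check_principal(principal):
    """Return the convention violations in a principal name (empty list = clean).

    Rules from the deck: PROTOCOL and REALM upper case, hostname and
    username lower case.
    """
    parts, issues = parse_principal(principal), []
    if parts["host"] is not None:
        if parts["service"] != parts["service"].upper():
            issues.append("service %r should be upper case" % parts["service"])
        if parts["host"] != parts["host"].lower():
            issues.append("host %r should be lower case" % parts["host"])
    elif parts["service"] != parts["service"].lower():
        issues.append("user %r should be lower case" % parts["service"])
    if parts["realm"] != parts["realm"].upper():
        issues.append("realm %r should be upper case" % parts["realm"])
    return issues


def normalize_principal(principal):
    """Rewrite a principal name into the conventional case."""
    parts = parse_principal(principal)
    realm = parts["realm"].upper()
    if parts["host"] is None:
        return "%s@%s" % (parts["service"].lower(), realm)
    return "%s/%s@%s" % (parts["service"].upper(), parts["host"].lower(), realm)


def explain_keytab_lookup(keytab_principals, requested):
    """Explain what `kinit -k -t keytab requested` would find in the keytab.

    keytab_principals: the principal strings printed by `klist -k`.
    Returns 'exact match', 'case mismatch: ...' or 'missing'; the second
    case is what produces "Key table entry not found".
    """
    if requested in keytab_principals:
        return "exact match"
    wanted = normalize_principal(requested)
    for entry in keytab_principals:
        if normalize_principal(entry) == wanted:
            return "case mismatch: keytab has %s, request used %s" % (entry, requested)
    return "missing"
```

Paste the Principal column of klist -k into the first argument and the name from the OAM Kerberos authentication module (or the kinit command line) into the second; "case mismatch" pinpoints the entry to fix, "missing" means the keytab was generated for a different SPN altogether.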

Page 61: References

• Configuring Access Manager for Windows Native Authentication
• OAM 11g WNA Step by Step Setup Guide (Doc ID 1416860.1)
• WNA Basics
• WNA for multiple AD forest
• Oracle Access Manager 11g WNA Quick Start Guide (Doc ID 1416903.1)
• http://tools.ietf.org/html/rfc4559
• Trouble Shooting OAM 11g WNA Issues Quick Start Guide (Doc ID 1433554.1)
• Blogs: Enable Logging & Lessons Learnt
• Kerberos Basics

Page 62: QnA