
Third-Party Directory Integration Concepts and Considerations 16-21

Table 16–3 (Cont.) Comparing the DirSync Approach to the USN-Changed Approach

Required user privileges
  DirSync Approach: Requires the user to have the Replicate Changes privilege on the naming context of interest. This enables reading all objects and attributes in Microsoft Active Directory regardless of the access protections on them.
  See Also: Microsoft Knowledge Base Article 303972, available at http://support.microsoft.com, for instructions on how to assign privileges to Microsoft Active Directory users when using the DirSync approach. Apply to this context the instructions given there for the Microsoft Active Directory management agent.
  USN-Changed Approach: Requires the Microsoft Active Directory user to have the privilege to read all the attributes that are to be synchronized to Oracle Internet Directory.
  See Also: Microsoft networking and directory documentation in the Microsoft library at http://msdn.microsoft.com for instructions on how to assign privileges to Microsoft Active Directory users when using the USN-Changed approach.

Support of multiple domains
  DirSync Approach: Requires separate connections to different domain controllers to read changes made to entries in different domains.
  USN-Changed Approach: Can obtain changes made in multiple domains by connecting to the Global Catalog server.
  See Also: Synchronizing with a Multiple-Domain Microsoft Active Directory Environment on page 16-25

Synchronization from a replicated directory when switching to a different Microsoft Active Directory domain controller
  DirSync Approach: Synchronization can continue. The synchronization key is the same when connecting to a replicated environment.
  USN-Changed Approach: Requires:
    ■ Full synchronization to a known point
    ■ Updating the USNChanged value
    ■ Starting synchronization with the failover directory
  See Also: Switching to a Different Microsoft Active Directory Domain Controller in the Same Domain on page 18-19

Synchronization scope
  DirSync Approach: Reads all changes in the directory, filters out the changes to the required entries, and propagates them to Oracle Internet Directory.
  USN-Changed Approach: Enables synchronization of changes in any specific subtree.

Usability in an environment with multiple Microsoft Active Directory servers behind a load balancer
  DirSync Approach: -
  USN-Changed Approach: Either connect to a specific Microsoft Active Directory domain controller, or connect to a Global Catalog. Connect to the Global Catalog if:
    ■ You are interested in import operations only
    ■ The Global Catalog contains all entries and attributes to be synchronized
    ■ Performance of the Global Catalog is acceptable
  See Also: Synchronizing from Oracle Internet Directory to a Connected Directory on page 5-3

16-22 Oracle Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform

16.3.2 Requirement for Using WebDAV Protocol

If you are using the WebDAV protocol, you must configure your applications for SSL. Basic authentication is required, because the only way for Oracle Internet Directory to authenticate the end user is to pass the end user's plain text password to Microsoft Active Directory for verification. When basic authentication is not present, digest authentication is used; but with digest authentication, Oracle Internet Directory never receives the plain text password, has nothing to pass to Active Directory for verification, and therefore cannot authenticate the end user. Basic authentication is not supported over HTTP without Secure Sockets Layer (SSL), because the communications channel between the end user and the server would not be encrypted and the end user's password would be transmitted in the clear.
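The requirement in 16.3.2 rests on a general property of HTTP authentication: Basic hands the server the password itself (which is what a front end needs to verify it against Active Directory), Digest hands it only MD5 digests that can be checked but not reversed, and Basic without TLS puts the password on the wire base64-encoded, not encrypted. The following Python is an added example written for this page, not Oracle Directory Integration Platform code; the user name, realm, nonces and the WebDAV PROPFIND request are constructed, and `credential_for_backend_bind` is a hypothetical decision function that models the constraint the text describes.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample credentials for this example (not from the page).
SAMPLE_USER, SAMPLE_PASSWORD, SAMPLE_REALM = "jdoe", "S3cret!", "oid.example.com"


def basic_header(user, password):
    """Build an RFC 7617 Basic credential as a browser would."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic(header):
    """Recover user-id and password from a Basic credential. Base64 is an
    encoding, not encryption: whoever sees the header on plain HTTP does this."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, sep, password = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
    if not sep:
        raise ValueError("malformed Basic credential: missing ':'")
    return user, password


def _md5(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client-side Digest response (MD5, qop=auth) per RFC 7616."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_header(user, realm, password, method, uri, nonce, cnonce, nc="00000001"):
    """Build a Digest credential as a browser would; only hashes leave the client."""
    resp = digest_response(user, realm, password, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def parse_digest(header):
    """Split a Digest credential into its parameters (quoted or bare values)."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]*))', params)
    return {key: quoted if quoted else bare for key, quoted, bare in pairs}


def verify_digest(header, method, stored_password):
    """Server-side Digest check. The server needs the user's password (or HA1)
    already in hand to recompute the response; it cannot recover the password
    from the header, so it has nothing to forward to another directory."""
    p = parse_digest(header)
    expected = digest_response(p["username"], p["realm"], stored_password, method,
                               p["uri"], p["nonce"], p["nc"], p["cnonce"], p.get("qop", "auth"))
    return hmac.compare_digest(expected, p["response"])


def credential_for_backend_bind(header, over_tls):
    """Hypothetical front-end decision: what can be done with an Authorization
    header when the user's own password must be passed to a backend directory.
    Returns ("ok", (user, password)) only for Basic over TLS; Basic over plain
    HTTP is refused because the password would cross the wire in the clear,
    and Digest yields no password at all."""
    scheme = header.strip().split(" ", 1)[0].lower()
    if scheme == "basic":
        return ("ok", decode_basic(header)) if over_tls else ("refused-cleartext", None)
    if scheme == "digest":
        return ("no-password-available", None)
    return ("unsupported-scheme", None)


# Constructed sample headers used by the checks.
SAMPLE_BASIC = basic_header(SAMPLE_USER, SAMPLE_PASSWORD)
SAMPLE_DIGEST = digest_header(SAMPLE_USER, SAMPLE_REALM, SAMPLE_PASSWORD, "PROPFIND",
                              "/dav/docs/", nonce="dcd98b7102dd2f0e", cnonce="0a4f113b")
```

Run `credential_for_backend_bind(SAMPLE_DIGEST, over_tls=True)` and the result is `("no-password-available", None)` even though `verify_digest(SAMPLE_DIGEST, "PROPFIND", SAMPLE_PASSWORD)` succeeds: Digest is verifiable by a server that already knows the password, which is exactly the position Oracle Internet Directory is not in when the password lives only in Active Directory.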
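The failover row of Table 16–3 is the one that bites in practice: a USN is a per-domain-controller counter, so a watermark saved while polling one domain controller says nothing about another, and reusing it after a switch silently skips changes (a disabled account that never disables downstream, for instance). The following Python is an added example, not Oracle Directory Integration Platform code; it models the watermark logic of the USN-Changed approach and detects a domain-controller switch through the DC's invocationID, which the caller is assumed to have read from the object named by the rootDSE attribute dsServiceName. The entries and USN values are constructed, and `select_changed` stands in for the real LDAP search.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class UsnWatermark:
    """State persisted between polls. A USN is meaningful only on the domain
    controller that issued it, so that DC's invocationID travels with it."""
    invocation_id: Optional[str]   # None until the first poll has completed
    last_usn: int                  # highestCommittedUSN of that DC before the last search


def plan_usn_poll(dc_invocation_id, highest_committed_usn, watermark, subtree):
    """Build the next USN-Changed search and the watermark to store after it.

    dc_invocation_id: invocationID of the DC's NTDS Settings object (the object
        named by the rootDSE attribute dsServiceName); assumed read by the caller.
    highest_committed_usn: rootDSE attribute highestCommittedUSN of this DC,
        read before the search.
    """
    if watermark.invocation_id is None:
        mode, start = "full", 0        # first run: synchronize to a known point
    elif watermark.invocation_id != dc_invocation_id:
        mode, start = "full", 0        # other DC: the saved USN means nothing here
    else:
        mode, start = "incremental", watermark.last_usn + 1
    return {
        "mode": mode,
        "base": subtree,               # USN-Changed can be scoped to any subtree
        "scope": "subtree",
        "filter": f"(uSNChanged>={start})",   # AND an objectClass term as needed
        # Store the value read *before* the search. Objects changed while the
        # search ran are then re-read next time (harmless) instead of skipped.
        "next_watermark": UsnWatermark(dc_invocation_id, highest_committed_usn),
    }


def select_changed(entries, ldap_filter):
    """Stand-in for the LDAP search over constructed entries: applies the
    (uSNChanged>=N) filter that plan_usn_poll produced."""
    start = int(ldap_filter[len("(uSNChanged>="):-1])
    return sorted(e["dn"] for e in entries if e["uSNChanged"] >= start)


# Constructed sample data. The same two objects exist on both DCs, but each DC
# stamps them with its own uSNChanged values; DC2's counter is lower than DC1's.
SUBTREE = "ou=People,dc=example,dc=com"
DC1_ID, DC2_ID = "dc1-invocation-id", "dc2-invocation-id"
DC1_ENTRIES = [{"dn": "cn=alice," + SUBTREE, "uSNChanged": 5003},
               {"dn": "cn=bob," + SUBTREE, "uSNChanged": 5042}]
DC2_ENTRIES = [{"dn": "cn=alice," + SUBTREE, "uSNChanged": 3110},
               {"dn": "cn=bob," + SUBTREE, "uSNChanged": 3127}]
```

Three polls in sequence show the point: a first poll on DC1 is a full synchronization and yields a watermark of (DC1, 5050); a second poll on DC1 asks for `(uSNChanged>=5051)`; a third poll that lands on DC2 with that watermark must go back to a full synchronization, because `(uSNChanged>=5051)` on DC2, whose counter is at 3200, would return nothing.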

16.3.3 Windows Native Authentication

This section describes how Windows Native Authentication can be used with the Oracle Directory Integration Platform. It contains these topics:

■ Understanding Windows Native Authentication
■ Authenticating Users Against Multiple Microsoft Active Directory Domains
■ Overriding an Application Authentication Mechanism with Windows Native Authentication

16.3.3.1 Understanding Windows Native Authentication

Windows Native Authentication is an authentication scheme for users of Microsoft Internet Explorer on Microsoft Windows. When this feature is enabled in OracleAS Single Sign-On Server, users log in to OracleAS Single Sign-On Server partner applications automatically. To do this, they use Kerberos credentials obtained when the user logged in to a Windows domain.

Using the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) protocol, Internet Explorer version 5.0 and later can automatically pass the user's Kerberos credentials to a requesting Kerberos-enabled Web server. The Web server can then decode the credentials and authenticate the user.

You cannot use Microsoft integrated security or any other type of security mechanism when integrating Oracle Application Server Single Sign-On with Windows Native Authentication. Although the SPNEGO protocol supports both Kerberos version 5 and NT LAN Manager (NTLM) authentication schemes, Oracle Application Server 11g Release 1 (11.1.1) supports only Kerberos V5 with SPNEGO.

The following steps, shown in Figure 16–5 on page 16-23, describe what happens when a user tries to access a single-sign-on-protected application:

1. The user logs in to a Kerberos realm, or domain, on a Windows computer.
2. The user attempts to access a single-sign-on partner application using Internet Explorer.
3. The application routes the user to the single sign-on server for authentication. As part of this routing, the following occurs:
   a. The browser obtains a Kerberos session ticket from the Key Distribution Center (KDC).
   b. The OracleAS Single Sign-On Server verifies the Kerberos session ticket and, if the user is authorized, allows the user to access the requested URL.

Note: Although this chapter refers only to Windows 2000, Windows Native Authentication is also supported on the Windows XP platform.

If the browser is not Internet Explorer 5.0 or higher, then Oracle Identity Management authenticates the user by using OracleAS Single Sign-On Server. Authentication to an external directory is performed by using an external authentication plug-in.
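Because only Kerberos V5 is supported under SPNEGO, a server in this position has to look inside the `Authorization: Negotiate` token before handing it to its GSS-API code: a domain-joined browser that could not obtain a service ticket falls back to NTLM, either as a raw NTLMSSP message or as an SPNEGO NegTokenInit whose preferred mechanism is NTLM. The following Python is an added example, not Oracle code; it DER-decodes the token far enough to read the GSS-API mechanism OID and, for SPNEGO, the mechTypes list, and classifies the token as Kerberos, NTLM, or needing renegotiation. The sample tokens are constructed by the block itself, and the inner mechToken is a placeholder, not a real Kerberos AP-REQ.

```python
import base64

OID_SPNEGO = "1.3.6.1.5.5.2"
OID_KRB5 = "1.2.840.113554.1.2.2"
OID_MS_KRB5 = "1.2.840.48018.1.2.2"          # Microsoft's legacy Kerberos OID
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
KERBEROS_OIDS = {OID_KRB5, OID_MS_KRB5}


def encode_oid(dotted):
    """DER-encode a dotted OID (first arc 0..2, as for every OID used here)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for n in arcs[2:]:
        chunk = [n & 0x7F]
        while n > 0x7F:
            n >>= 7
            chunk.append(0x80 | (n & 0x7F))
        out += bytes(reversed(chunk))
    return bytes(out)


def decode_oid(body):
    """Inverse of encode_oid for the OIDs used here (first arc 0..2)."""
    arcs, n = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def der(tag, body):
    """Wrap body in a DER TLV with a single-byte tag."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def read_tlv(buf, pos=0):
    """Parse one DER TLV at pos; returns (tag, body, position after it)."""
    tag, pos = buf[pos], pos + 1
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags do not occur in SPNEGO tokens")
    first, pos = buf[pos], pos + 1
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated token")
    return tag, buf[pos:pos + length], pos + length


def build_neg_token_init(mech_oids, mech_token=b"\x60\x00"):
    """Constructed SPNEGO NegTokenInit with the given mechTypes (preferred
    first) and a placeholder optimistic mechToken (not a real AP-REQ)."""
    mech_types = der(0x30, b"".join(der(0x06, encode_oid(o)) for o in mech_oids))
    neg_init = der(0x30, der(0xA0, mech_types) + der(0xA2, der(0x04, mech_token)))
    return der(0x60, der(0x06, encode_oid(OID_SPNEGO)) + der(0xA0, neg_init))


def negotiate_header(token):
    return "Negotiate " + base64.b64encode(token).decode("ascii")


def classify_negotiate(header):
    """Classify a Negotiate credential for a Kerberos-only server.
    Returns (decision, mechanism OIDs seen): 'kerberos' when the optimistic
    token is Kerberos, 'renegotiate' when Kerberos is offered but not preferred
    (the server must answer with a negTokenResp selecting it), else 'reject'."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate credential")
    raw = base64.b64decode(token)
    if raw.startswith(b"NTLMSSP\x00"):            # raw NTLM, no GSS-API wrapper
        return "reject", [OID_NTLMSSP]
    if len(raw) < 2 or raw[0] != 0x60:             # [APPLICATION 0] InitialContextToken
        return "reject", []
    _, body, _ = read_tlv(raw)
    mtag, mech, pos = read_tlv(body)
    if mtag != 0x06:
        return "reject", []
    mech_oid = decode_oid(mech)
    if mech_oid in KERBEROS_OIDS:                  # raw Kerberos token
        return "kerberos", [mech_oid]
    if mech_oid != OID_SPNEGO:
        return "reject", [mech_oid]
    ntag, neg, _ = read_tlv(body, pos)
    if ntag != 0xA0:                               # [0] NegTokenInit expected
        return "reject", []
    _, seq, _ = read_tlv(neg)                      # NegTokenInit ::= SEQUENCE
    mechs, p = [], 0
    while p < len(seq):
        tag, val, p = read_tlv(seq, p)
        if tag == 0xA0:                            # [0] mechTypes MechTypeList
            _, lst, _ = read_tlv(val)
            q = 0
            while q < len(lst):
                _, oid, q = read_tlv(lst, q)
                mechs.append(decode_oid(oid))
    if mechs and mechs[0] in KERBEROS_OIDS:
        return "kerberos", mechs
    if any(m in KERBEROS_OIDS for m in mechs):
        return "renegotiate", mechs
    return "reject", mechs


# Constructed sample headers: a domain-joined client with a ticket, an
# NTLM-first client, an NTLM-only client, and a raw NTLM type 1 message.
SAMPLE_KRB = negotiate_header(build_neg_token_init([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP]))
SAMPLE_NTLM_PREF = negotiate_header(build_neg_token_init([OID_NTLMSSP, OID_KRB5]))
SAMPLE_NTLM_ONLY = negotiate_header(build_neg_token_init([OID_NTLMSSP]))
SAMPLE_RAW_NTLM = negotiate_header(b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2")
```

The parser stops at the mechanism list on purpose: the Kerberos token itself belongs to the GSS-API library, and the only decision a Kerberos-only front end has to make before calling it is whether what arrived is Kerberos at all. Rejecting NTLM-only tokens with a 401 (rather than accepting them) keeps the deployment at the Kerberos V5 level the text requires.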