Step 3: Customizing the Search Filter to Retrieve Information from Microsoft Active Directory

18-8 Oracle Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform

To modify the import synchronization profile to use the DirSync change tracking approach:

1. You can use the activeimp.cfg.master file, located in your ORACLE_HOME/ldap/odi/conf directory, to change the import synchronization profile from the USN-Changed approach to DirSync. Use the following command to update the profile:

   manageSyncProfiles update -h host -p port -D WLS_login_ID -pf Profile_Name -params "odip.profile.configfile ORACLE_HOME/ldap/odi/conf/activeimp.cfg.master"

2. Update the last change number by running the following command:

   manageSyncProfiles updatechgnum -h host -p port -D WLS_login_ID -pf Profile_Name

18.5 Configuring Windows Native Authentication

This section describes the system requirements and tasks for configuring Windows Native Authentication. It contains these topics:

■ What are the System Requirements for Windows Native Authentication?
■ Avoiding HTTP-401 Errors and Repeat Login Challenges for External Users
■ Configuring Windows Native Authentication with a Single Microsoft Active Directory Domain
■ Configuring Windows Native Authentication with Multiple Microsoft Active Directory Domains or Forests
■ Implementing Fallback Authentication
■ Understanding the Possible Login Scenarios

18.5.1 What are the System Requirements for Windows Native Authentication?

Windows Native Authentication is intended for intranet Web applications. Your intranet deployment must include the following:

■ Windows 2000 server with Microsoft Active Directory
■ Kerberos service account established for OracleAS Single Sign-On Server
■ Oracle Application Server 11g Release 1 (11.1.1) infrastructure installed
■ OracleAS Single Sign-On Server middle tier configured to use a Kerberos realm
■ Synchronization of Microsoft Active Directory with Oracle Internet Directory
■ Oracle Internet Directory configured to use the Windows external authentication plug-in

Note: Although the sample configurations in this section are for UNIX/Linux, Oracle Fusion Middleware can also be installed on Microsoft Windows.

18.5.2 Avoiding HTTP-401 Errors and Repeat Login Challenges for External Users

If only one Single Sign-On (SSO) server is configured, you cannot avoid the HTTP-401 response from the SSO server that is configured for Windows Native Authentication (WNA) for a website that is accessed both internally, by users who are Windows authenticated, and externally, by users who are not in a Windows domain. If you are planning to use Windows Native Authentication, consider using a configuration consisting of two SSO servers, each with a different IP address, so that external users' browsers are not sent HTTP-401 errors and presented with multiple login challenges.

18.5.3 Configuring Windows Native Authentication with a Single Microsoft Active Directory Domain

To set up Windows Native Authentication, configure Oracle Internet Directory, the OracleAS Single Sign-On Server, and the user’s browser by performing the following tasks in the order listed.

Task 1: Configure the OracleAS Single Sign-On Server

To configure the single sign-on server, complete the tasks described in these topics:

■ Set Up a Kerberos Service Account for the OracleAS Single Sign-On Server
■ Update the krb5.conf File
■ Run the OracleAS Single Sign-On Server Configuration Assistant on each Oracle Application Server Single Sign-On Host

Set Up a Kerberos Service Account for the OracleAS Single Sign-On Server

Create a service account for the OracleAS Single Sign-On Server in Microsoft Active Directory, then create a keytab file for the server, and map the service principal (the server) to the account name. The keytab file stores the server’s secret key. This file enables the server to authenticate to the KDC. The service principal is the entity, in this case the single sign-on server, to which the KDC grants session tickets.

1. Synchronize system clocks. The system clocks of the OracleAS Single Sign-On Server middle tier and the Windows 2000 server must match. If you omit this step, then authentication fails because of the difference in system time. Be sure the time, the date, and the time zones are synchronized.

2. Check the port number of the Kerberos server on the Microsoft Active Directory host. The port where the Kerberos server listens is selected from /etc/services by default. On Windows systems, the services file is found at system_drive:\WINNT\system32\drivers\etc. The service name is Kerberos. Typically the port is set to 88/udp and 88/tcp on the Windows 2000 server. When added correctly to the services file, the entries for these port numbers are:

   kerberos5   88/udp   kdc   # Kerberos key server
   kerberos5   88/tcp   kdc   # Kerberos key server

3. In the hosts file located in the same directory as the services file, check the entry for the single sign-on middle tier. The fully qualified host name, which refers to the physical host name of the Oracle Application Server Single Sign-On server,

See Also: Refer to Note 417620.1 in My Oracle Support (formerly MetaLink) for more information. You can access My Oracle Support at: http://metalink.oracle.com
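The clock, services-file and hosts-file checks in Steps 1 to 3 can be scripted on the single sign-on middle tier; the following shell example is added here and is not from the Oracle guide. It assumes the middle tier's fully qualified name is sso.example.com, a 300-second maximum clock skew (the usual Kerberos default), and constructed sample services and hosts files in place of the real ones.

```shell
# Added example, not part of the Oracle guide: offline pre-flight checks for
# Steps 1-3 above, run on the OracleAS Single Sign-On middle tier. The sample
# files are constructed; sso.example.com and the 300 s limit are assumptions.
SAMPLE_DIR=$(mktemp -d)

# Constructed services file carrying the two entries Step 2 expects.
cat > "$SAMPLE_DIR/services" <<'EOF'
# constructed sample, not a real /etc/services
kerberos5   88/udp   kdc   # Kerberos key server
kerberos5   88/tcp   kdc   # Kerberos key server
EOF

# Constructed hosts file with an entry for the SSO middle tier (Step 3).
cat > "$SAMPLE_DIR/hosts" <<'EOF'
# constructed sample, not a real hosts file
127.0.0.1     localhost
192.0.2.10    sso.example.com   sso
EOF

# Step 1: fail if the local and KDC clocks differ by more than the allowed skew.
# $1 = local epoch seconds, $2 = KDC epoch seconds, $3 = maximum skew in seconds
check_clock_skew() {
    skew=$(( $1 - $2 ))
    if [ "$skew" -lt 0 ]; then skew=$(( 0 - skew )); fi
    [ "$skew" -le "$3" ]
}

# Step 2: succeed only if the services file maps kerberos5 to both 88/udp and 88/tcp.
# $1 = path to the services file
check_kerberos_services() {
    awk '$1 == "kerberos5" && $2 == "88/udp" { u = 1 }
         $1 == "kerberos5" && $2 == "88/tcp" { t = 1 }
         END { exit ((u && t) ? 0 : 1) }' "$1"
}

# Step 3: succeed only if a non-comment hosts line names the middle tier's FQDN.
# $1 = path to the hosts file, $2 = fully qualified host name of the middle tier
check_sso_host_entry() {
    awk -v fqdn="$2" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == fqdn) found = 1 }
                      END { exit (found ? 0 : 1) }' "$1"
}

# All three checks together; the KDC epoch is meant to come from the AD host
# (for example, via NTP), since Step 1 requires the two clocks to match.
# $1 = local epoch, $2 = KDC epoch, $3 = services file, $4 = hosts file, $5 = SSO FQDN
preflight() {
    check_clock_skew "$1" "$2" 300 &&
    check_kerberos_services "$3" &&
    check_sso_host_entry "$4" "$5"
}
```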