Step 4: Customizing the ACLs

Integrating with Microsoft Active Directory 18-9

18.5.2 Avoiding HTTP-401 Errors and Repeat Login Challenges for External Users

If only one OracleAS Single Sign-On server is configured, you cannot avoid the HTTP 401 response that a server configured for Windows Native Authentication (WNA) sends to every client: the 401 carries the Negotiate challenge that starts Kerberos authentication, and a browser that holds no Windows domain credentials answers it with a login prompt. This matters for a website that is accessed both internally by Windows-authenticated users and externally by users who are not in a Windows domain. If you plan to use Windows Native Authentication for such a site, consider a configuration of two single sign-on servers with different IP addresses, one with WNA enabled for internal users and one without WNA for external users, so that external users' browsers are not sent HTTP 401 responses and presented with repeated login challenges.

18.5.3 Configuring Windows Native Authentication with a Single Microsoft Active Directory Domain

To set up Windows Native Authentication, configure Oracle Internet Directory, the OracleAS Single Sign-On Server, and the user's browser by performing the following tasks in the order listed.

Task 1: Configure the OracleAS Single Sign-On Server

To configure the single sign-on server, complete the tasks described in these topics:

■ Set Up a Kerberos Service Account for the OracleAS Single Sign-On Server
■ Update the krb5.conf File
■ Run the OracleAS Single Sign-On Server Configuration Assistant on each Oracle Application Server Single Sign-On Host

Set Up a Kerberos Service Account for the OracleAS Single Sign-On Server

Create a service account for the OracleAS Single Sign-On Server in Microsoft Active Directory, then create a keytab file for the server and map the server's service principal to the account name. The keytab file stores the server's secret key; with it the server can authenticate to the KDC and decrypt the service tickets that clients present to it. The service principal is the entity, in this case the single sign-on server, for which the KDC issues service tickets.

1. Synchronize system clocks. The clocks of the OracleAS Single Sign-On Server middle tier and the Windows 2000 server must match. If you omit this step, authentication fails because Kerberos rejects tickets whose timestamps fall outside the permitted clock skew. Be sure the time, the date, and the time zones are synchronized.

2. Check the port number of the Kerberos server on the Microsoft Active Directory host. The port where the Kerberos server listens is selected from /etc/services by default. On Windows systems, the services file is found at system_drive:\WINNT\system32\drivers\etc. The service name is Kerberos. Typically the port is set to 88/udp and 88/tcp on the Windows 2000 server. When added correctly to the services file, the entries for these port numbers are:

   kerberos5   88/udp   kdc   # Kerberos key server
   kerberos5   88/tcp   kdc   # Kerberos key server

3. In the hosts file, located in the same directory as the services file, check the entry for the single sign-on middle tier. The fully qualified host name, which refers to the physical host name of the Oracle Application Server Single Sign-On server, must appear after the IP address and before the short name. The following is an example of a correct entry:

   130.111.111.111   sso.MyCompany.com   sso   loghost

See Also: Refer to Note 417620.1 in My Oracle Support (formerly MetaLink) for more information. You can access My Oracle Support at: http://metalink.oracle.com

18-10 Oracle Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform

4. Perform the following tasks to create a user account and keytab file in Microsoft Active Directory that will be used by the logical Oracle Application Server Single Sign-On host:

a. Log in to the Microsoft Active Directory management tool on the Windows 2000 server, then choose Users, then New, then User. Enter the name of the OracleAS Single Sign-On Server host, omitting the domain name. For example, if the host name is sso.MyCompany.com, then enter sso. This is the account name in Microsoft Active Directory. Note the password that you assigned to the account; you will need it later. Do not select User must change password at next logon.

b. Create a keytab file for the OracleAS Single Sign-On Server, and map the account name to the service principal name. You perform both tasks by running the following command on the Windows 2000 server:

C:\> Ktpass -princ HTTP/sso.MyCompany.com@MYCOMPANY.COM -pass password -mapuser sso -out sso.keytab

The -princ argument is the service principal. Specify the value for this argument in the format HTTP/single_sign-on_host_name@KERBEROS_REALM_NAME. Note that HTTP and the Kerberos realm must be uppercase. The single_sign-on_host_name can be either the OracleAS Single Sign-On Server host itself or the name of a load balancer where multiple OracleAS Single Sign-On Server middle tiers are deployed. MYCOMPANY.COM is a fictitious Kerberos realm in Microsoft Active Directory (the realm name is the Active Directory domain name in uppercase); the user container is located within this realm. The -pass argument is the account password, the -mapuser argument is the account name of the OracleAS Single Sign-On Server middle tier, and the -out argument is the output file that stores the service key. Be sure to replace the example values (sso.MyCompany.com, MYCOMPANY.COM, password, sso, and sso.keytab) with values suitable for your installation.

5. For each Oracle Application Server Single Sign-On host, copy or FTP the keytab file, sso.keytab, to the OracleAS Single Sign-On Server middle tier, placing it in ORACLE_HOME/j2ee/OC4J_SECURITY/config. If you use FTP, be sure to transfer the file in binary mode. Because the keytab holds the server's secret key, anyone who obtains it can impersonate the single sign-on server to its clients: transfer it over a channel you trust (plain FTP sends it in clear text) and restrict its file permissions to the account that runs the single sign-on server.

Note:

■ If Ktpass is not found on your computer, download the Windows Resource Kit from Microsoft to obtain the utility.
■ The default encryption type for Microsoft Kerberos tickets is RC4-HMAC. Microsoft also supports DES-CBC-CRC and DES-CBC-MD5, two DES variants used in MIT-compliant implementations. Ktpass converts the key type of the KDC account from RC4-HMAC to DES. Single DES is a weak cipher, and Windows 7, Windows Server 2008 R2 and later disable the DES encryption types by default, so on newer domain controllers a DES keytab works only if DES is explicitly enabled for the account and permitted by policy.
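The checks in steps 2, 3, 4b and 5 above (services-file ports, hosts-file ordering, service principal shape, and what the keytab actually contains before it is copied to the middle tier) can be scripted. The following is an added example written for this page, not code from the Oracle documentation or from Ktpass. It assumes the keytab is in the MIT version-2 layout (0x0502) that ktpass -out writes, and every input it reads (the hosts line, the services excerpt and the keytab itself, built in memory by build_keytab) is constructed so the script runs offline.

```python
"""Pre-flight checks for a WNA keytab deployment (added example, not Oracle's code).
Inputs are constructed: a hosts-file line, a services-file excerpt and a one-entry
keytab built with struct in the MIT version-2 layout (0x0502) that ktpass -out writes."""
import re
import struct

# Constructed sample inputs (not taken from a real system).
HOSTS_LINE = "130.111.111.111   sso.MyCompany.com   sso   loghost"
SERVICES_TEXT = """# constructed excerpt of system_drive:\\WINNT\\system32\\drivers\\etc\\services
kerberos5   88/udp   kdc   # Kerberos key server
kerberos5   88/tcp   kdc   # Kerberos key server
"""
# RFC 3961/4120 encryption type numbers.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 3}  # single DES, which Ktpass on Windows 2000 emits by default
# Step 4b rule: HTTP and the realm uppercase; the host name is case-insensitive.
PRINC_RE = re.compile(r"^HTTP/([A-Za-z0-9.-]+)@([A-Z0-9.-]+)$")


def check_hosts_entry(line, fqdn):
    """Step 3: the FQDN must follow the IP address and precede the short name."""
    fields = line.split()
    if len(fields) < 3:
        return False
    ip, names = fields[0], fields[1:]
    short = fqdn.split(".")[0].lower()
    return (re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", ip) is not None
            and names[0].lower() == fqdn.lower()
            and short in [n.lower() for n in names[1:]])


def kerberos_ports(services_text):
    """Step 2: return the (port, protocol) pairs the services file assigns to Kerberos."""
    ports = set()
    for raw in services_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) >= 2 and fields[0].lower().startswith("kerberos"):
            port, proto = fields[1].split("/")
            ports.add((int(port), proto))
    return ports


def _counted(buf, pos):
    """Read a 16-bit-length-prefixed byte string; return (bytes, new position)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Parse a version-2 keytab into a list of {principal, kvno, enctype, key} dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)  # negative size = deleted slot
        pos += 4
        if size > 0:
            (ncomp,) = struct.unpack_from(">H", data, pos)  # v2: realm not counted
            p = pos + 2
            realm, p = _counted(data, p)
            comps = []
            for _ in range(ncomp):
                c, p = _counted(data, p)
                comps.append(c.decode())
            _name_type, _timestamp, kvno = struct.unpack_from(">IIB", data, p)
            p += 9
            enctype, klen = struct.unpack_from(">HH", data, p)
            p += 4
            entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                            "kvno": kvno, "enctype": enctype, "key": data[p:p + klen]})
        pos += abs(size)
    return entries


def build_keytab(principal, enctype, key, kvno=1, timestamp=0):
    """Constructed fixture: a one-entry version-2 keytab standing in for Ktpass output."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, timestamp, kvno)  # name_type 1 = KRB5_NT_PRINCIPAL
    body += struct.pack(">HH", enctype, len(key)) + key
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


def check_principal(principal, expected_host):
    """Step 4b: correct SPN shape, and the host is the SSO host (or its load balancer)."""
    m = PRINC_RE.match(principal)
    return m is not None and m.group(1).lower() == expected_host.lower()


def check_keytab(data, expected_host):
    """Step 5: before copying sso.keytab to the middle tier, report what it contains."""
    return [{"principal": e["principal"], "kvno": e["kvno"],
             "principal_ok": check_principal(e["principal"], expected_host),
             "enctype": ENCTYPE_NAMES.get(e["enctype"], str(e["enctype"])),
             "weak": e["enctype"] in WEAK_ENCTYPES}
            for e in parse_keytab(data)]


if __name__ == "__main__":
    keytab = build_keytab("HTTP/sso.MyCompany.com@MYCOMPANY.COM", 3, bytes(8))
    print("hosts entry ok:", check_hosts_entry(HOSTS_LINE, "sso.MyCompany.com"))
    print("kerberos ports:", sorted(kerberos_ports(SERVICES_TEXT)))
    for row in check_keytab(keytab, "sso.MyCompany.com"):
        print(row)
```

On a real middle tier, replace the constructed keytab with the bytes of the copied sso.keytab; a report row with principal_ok False means the -princ value did not match the host or was not in the HTTP/host@REALM uppercase form, and weak True confirms the DES key type the note above describes, which is the first thing to check when authentication fails against a domain controller that has DES disabled.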