What are the System Requirements for Windows Native Authentication?

Integrating with Microsoft Active Directory 18-13

10. From the menu bar, select Tools, then, from the Tools menu, select Internet Options.

11. In the Internet Options dialog box, select the Connections tab.

12. On the Connections tab page, choose LAN Settings.

13. Confirm that the correct address and port number for the proxy server are entered, then choose Advanced.

14. In the Proxy Settings dialog box, in the Exceptions section, enter the domain name for the OracleAS Single Sign-On Server (MyCompany.com in the example).

15. Click OK to exit the Proxy Settings dialog box.

Internet Explorer 6.0 Only

If you are using Internet Explorer 6.0, perform steps 1 through 12 in "Internet Explorer 5.0 and Later"; then perform the following steps:

1. From the menu bar, select Tools, then, from the Tools menu, select Internet Options.

2. In the Internet Options dialog box, select the Advanced tab.

3. On the Advanced tab page, scroll down to the Security section.

4. Select Enable Integrated Windows Authentication (requires restart).

Task 3: Reconfigure Local Accounts

After configuring Windows Native Authentication, you must reconfigure accounts for the Oracle Internet Directory administrator orcladmin and other local Windows users whose accounts are in Oracle Internet Directory. If you omit this task, then these users will not be able to log in.

Use the Oracle Directory Services Manager interface for Oracle Internet Directory to perform these steps:

1. Add the orclADUser class to the local user entry in Oracle Internet Directory.

2. Add the login ID of the local user to the orclSAMAccountName attribute in the user’s entry. For example, the login ID of the orcladmin account is orcladmin.

3. Add the local user to the exceptionEntry property of the external authentication plug-in.

18.5.4 Configuring Windows Native Authentication with Multiple Microsoft Active Directory Domains or Forests

This section describes how to configure Windows Native Authentication with multiple Microsoft Active Directory domains or forests in the following types of deployments:

■ Parent-child Microsoft Active Directory domains

■ Microsoft Active Directory domains in the same forest with an established tree-root trust type

■ Domains in different forests with an established forest trust type

See: The Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory for information about using Oracle Directory Services Manager to configure Oracle Internet Directory.

18-14 Oracle Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform

To configure Windows Native Authentication with multiple Microsoft Active Directory domains or forests, perform the following tasks in the order listed:

Task 1: Verify that Trust is Established Between the Microsoft Active Directory Domains

Refer to your Microsoft Active Directory documentation for information on how to verify trust between multiple Microsoft Active Directory domains.
Task 2: Enabling Windows Native Authentication with Oracle Application Server Single Sign-On through a Load Balancer or Reverse Proxy

Configure the Oracle Application Server Single Sign-On server to run behind a load balancer or through a reverse proxy by following the instructions in the advanced deployment options chapter of the Oracle Fusion Middleware Administrator's Guide for Oracle Single Sign-On.

Task 3: Configure the OracleAS Single Sign-On Server

Configure each Oracle Application Server Single Sign-On server by following the instructions in "Task 1: Configure the OracleAS Single Sign-On Server" on page 18-9. Be sure to use the same Microsoft Active Directory realm and corresponding key distribution center (KDC) when configuring each physical Oracle Application Server Single Sign-On server instance. Also, be sure to use the load balancer or reverse proxy name as the logical Oracle Application Server Single Sign-On host name.

Task 4: Configure Internet Explorer for Windows Native Authentication

Configure the Oracle Application Server Single Sign-On server by following the instructions in "Task 2: Configure Internet Explorer for Windows Native Authentication" on page 18-12.

18.5.5 Implementing Fallback Authentication

The only browsers that support SPNEGO-Kerberos authentication are Internet Explorer 5.0 or later. OracleAS Single Sign-On Server provides fallback authentication support for unsupported browsers such as Netscape Communicator. Depending upon the type of browser and how it is configured, the user is presented with the OracleAS Single Sign-On Server login form or the HTTP basic authentication dialog box. In either case, the user must provide a user name and password. The user name consists

Note: Forest trust types are only supported in Windows Server 2003 and later versions of Windows operating systems.

Note: With multiple Microsoft Active Directory forests, the Oracle Application Server Single Sign-On server’s logical host name must belong to one of the Microsoft Active Directory domains. For example, assume you have two Microsoft Active Directory forests and each forest contains a single domain. The domain in the first forest is named engineering.mycompany.com and the domain in the second forest is named finance.mycompany.com. The Oracle Application Server Single Sign-On server’s logical host name must reside in either the engineering.mycompany.com or the finance.mycompany.com domain.
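To check which path a client actually took under section 18.5.5 (SPNEGO-Kerberos or the HTTP basic fallback), the Authorization request header can be classified as in the following added example, which is not part of the Oracle guide. The function names, result labels and sample token are constructed here, and the NTLM checks go beyond what this section covers.

```python
import base64

# DER-encoded mechanism OIDs (tag 0x06, length, value).
SPNEGO_OID = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2
NTLM_SIG = b"NTLMSSP\x00"


def tlv(tag, body):
    """Short-form DER tag-length-value; enough for the small sample below."""
    if len(body) > 127:
        raise ValueError("sample helper only handles short-form lengths")
    return bytes([tag, len(body)]) + body


def sample_spnego_kerberos_token():
    """Constructed NegTokenInit that offers Kerberos only (no real ticket)."""
    mech_types = tlv(0xA0, tlv(0x30, KRB5_OID))
    return tlv(0x60, SPNEGO_OID + tlv(0xA0, tlv(0x30, mech_types)))


def classify_authorization(header_value):
    """Label an Authorization header value (byte-search heuristic, not a DER parse)."""
    parts = header_value.strip().split(None, 1)
    if len(parts) != 2:
        return "none-or-malformed"
    scheme, blob = parts[0].lower(), parts[1].strip()
    if scheme == "basic":
        return "basic-fallback"          # user name and password, base64 only
    if scheme != "negotiate":
        return "other-scheme"
    try:
        token = base64.b64decode(blob, validate=True)
    except ValueError:                   # binascii.Error subclasses ValueError
        return "negotiate-malformed"
    if token.startswith(NTLM_SIG):
        return "negotiate-ntlm"          # raw NTLMSSP, Kerberos not used
    # GSS-API initial token: 0x60, length, then the mechanism OID.
    if token[:1] == b"\x60" and SPNEGO_OID in token[:16]:
        if KRB5_OID in token or MS_KRB5_OID in token:
            return "negotiate-kerberos"
        return "negotiate-ntlm" if NTLM_SIG in token else "negotiate-other"
    if token[:1] == b"\x60" and KRB5_OID in token[:16]:
        return "negotiate-kerberos"      # Kerberos token without SPNEGO wrapper
    return "negotiate-unknown"
```

Run over the Authorization values seen at the load balancer or reverse proxy, the "basic-fallback" and "negotiate-ntlm" labels identify clients that are not completing Kerberos and are sending reusable credentials instead.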