Step 6: Synchronizing with Multiple Microsoft Active Directory Domains

18-10 Oracle Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform

must appear after the IP address and before the short name. The following is an example of a correct entry:

    130.111.111.111 sso.MyCompany.com sso loghost

4. Perform the following tasks to create a user account and keytab file in Microsoft Active Directory that will be used by the logical Oracle Application Server Single Sign-On host:

   a. Log in to the Microsoft Active Directory Management tool on the Windows 2000 server, then choose Users, then New, then User. Enter the name of the OracleAS Single Sign-On Server host, omitting the domain name. For example, if the host name is sso.MyCompany.com, then enter sso. This is the account name in Microsoft Active Directory. Note the password that you assigned to the account; you will need it later. Do not select User must change password at next logon.

   b. Create a keytab file for the OracleAS Single Sign-On Server, and map the account name to the service principal name. You perform both tasks by running the following command on the Windows 2000 server:

    C:\> ktpass -princ HTTP/sso.MyCompany.com@MYCOMPANY.COM -pass password -mapuser sso -out sso.keytab

The -princ argument is the service principal. Specify the value for this argument by using the format HTTP/single_sign-on_host_name@KERBEROS_REALM_NAME. Note that HTTP and the Kerberos realm must be uppercase; principal names are case sensitive, so a realm written in the wrong case produces a keytab whose key the KDC will never match. The single_sign-on_host_name can be either the OracleAS Single Sign-On Server host itself or the name of a load balancer where multiple OracleAS Single Sign-On Server middle tiers are deployed; it must be the host name that browsers use to reach the server, because the browser requests its service ticket for HTTP/<that name>. MYCOMPANY.COM is a fictitious Kerberos realm in Microsoft Active Directory (the Active Directory domain name, MyCompany.com, in uppercase). The user container is located within this realm. The -pass argument is the account password (ktpass also accepts -pass * to prompt for it, which keeps the password out of the command history), the -mapuser argument is the account name of the OracleAS Single Sign-On Server middle tier, and the -out argument is the output file that stores the service key. Be sure to replace the example values with values suitable for your installation.

5. For each Oracle Application Server Single Sign-On host, copy the keytab file, sso.keytab, to the OracleAS Single Sign-On Server middle tier, placing it in ORACLE_HOME\j2ee\OC4J_SECURITY\config. If you use FTP, be sure to transfer the file in binary mode. The keytab holds the long-term key of the HTTP/ service principal, and anyone who obtains it can impersonate the Single Sign-On server to every browser in the realm, so prefer an encrypted transfer (SCP or SFTP) over plain FTP and delete any intermediate copies.

Note:
■ If Ktpass is not found on your computer, then download the Windows Resource Kit from Microsoft to obtain the utility.
■ The default encryption type for Microsoft Kerberos tickets is RC4-HMAC. Microsoft also supports DES-CBC-CRC and DES-CBC-MD5, two DES variants used in MIT-compliant implementations. Ktpass converts the key type of the KDC account from RC4-HMAC to DES. DES is cryptographically weak and is disabled by default on current Windows domain controllers, so on a current domain confirm which encryption types the account and the KDC actually allow before relying on the converted key.

Integrating with Microsoft Active Directory 18-11

Be sure to give the Web server a unique identifier (UID) on the OracleAS Single Sign-On Server middle tier and to grant read permission for the file to that user only (for example, mode 0600 on UNIX); no other account on the middle tier needs to read the keytab.

Update the krb5.conf File

You must update the krb5.conf file (krb5.ini on Windows) with the following information. If you do not, the kinit test of the newly generated keytab file will fail, and the keytab file will fail when used for Windows Native Authentication in OracleAS Single Sign-On Server.

Note: The krb5.conf file is case sensitive.

Update the krb5.conf file with the following information:
■ The default realm of the Active Directory, for example: AD.UK.ORACLE.COM
■ The hostname of the server where Active Directory resides, for example: active.uk.oracle.com
■ The hostname of the server where OracleAS Single Sign-On Server resides, for example: sso.uk.oracle.com

For example, replace the example realm and KDC hostname in the following text with your own default realm and KDC hostname, that is, the server where Active Directory resides:

    [libdefaults]
    default_realm = AD.UK.ORACLE.COM
    clockskew = 300

    [realms]
    AD.UK.ORACLE.COM = {
      kdc = active.uk.oracle.com
    }

    [domain_realm]
    .uk.oracle.com = AD.UK.ORACLE.COM

The clockskew value is the number of seconds by which the middle tier's clock may differ from the KDC's before tickets are rejected, so keep the middle tier and the domain controllers synchronized with the same time source. To run the kinit test, obtain a ticket from the keytab with kinit -k -t sso.keytab HTTP/single_sign-on_host_name@KERBEROS_REALM_NAME and confirm with klist that a ticket-granting ticket was issued.

Run the OracleAS Single Sign-On Server Configuration Assistant on each Oracle Application Server Single Sign-On Host

Running the ossoca.jar tool at this point does the following:
■ Configures the Oracle Application Server Single Sign-On server to use the Sun JAAS login module
■ Configures the server as a secured application

To run the ossoca.jar tool on the OracleAS Single Sign-On Server middle tier:

1. Back up the following configuration files:
   ■ ORACLE_HOME\sso\conf\policy.properties
   ■ ORACLE_HOME\j2ee\OC4J_SECURITY\config\jazn.xml
   ■ ORACLE_HOME\opmn\conf\opmn.xml
   ■ ORACLE_HOME\j2ee\OC4J_SECURITY\config\jazn-data.xml
   ■ ORACLE_HOME\j2ee\OC4J_SECURITY\applications\sso\web\WEB-INF\web.xml
   ■ ORACLE_HOME\j2ee\OC4J_SECURITY\application-deployments\sso\orion-application.xml

2. Run the ossoca.jar tool:
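The following Python script is an added example and is not part of this guide or of the OracleAS product. It checks the keytab produced in step 4b against the rules stated above before the file is copied to the middle tier, and renders the krb5.conf fragment described under "Update the krb5.conf File". It parses the MIT version 0x0502 keytab format that ktpass writes, lists each principal with its key version number and encryption type, and reports a principal that is not HTTP/<host>, a realm that is not upper case, and DES keys. The sample keytab bytes are constructed inside the script (a one-entry file for HTTP/sso.MyCompany.com@MYCOMPANY.COM with a des-cbc-md5 key, matching the conversion described in the note); the function names, the placeholder key bytes and the DNS-domain argument used for the [domain_realm] stanza are this example's own choices.

```python
import struct
from dataclasses import dataclass

# Kerberos encryption type numbers from the IANA registry (RFC 3961, RFC 4757).
ENCTYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
                 16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
DES_ENCTYPES = {1, 2, 3}
KRB5_NT_PRINCIPAL = 1


@dataclass
class KeytabEntry:
    components: list   # e.g. ["HTTP", "sso.MyCompany.com"]
    realm: str         # e.g. "MYCOMPANY.COM"
    enctype: int
    kvno: int
    key: bytes

    @property
    def principal(self):
        return "/".join(self.components) + "@" + self.realm


def _counted(buf, off):
    """Read a 16-bit length-prefixed octet string (keytab counted_octet_string)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes):
    """Parse a version 0x0502 (MIT) keytab, the format ktpass -out writes; all big-endian."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                       # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        _name_type, _stamp, vno8 = struct.unpack_from(">IIB", data, off)
        (etype,) = struct.unpack_from(">H", data, off + 9)
        key, off = _counted(data, off + 11)
        kvno = vno8
        if end - off >= 4:                 # optional 32-bit kvno, used when non-zero
            (vno32,) = struct.unpack_from(">I", data, off)
            kvno = vno32 or vno8
        entries.append(KeytabEntry(comps, realm.decode(), etype, kvno, key))
        off = end
    return entries


def build_keytab(principal: str, enctype: int, kvno: int, key: bytes) -> bytes:
    """Encode a one-entry keytab; used here only to construct the sample file."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


def audit_keytab(entries, sso_host: str):
    """Return findings for an SSO keytab; an empty list means it follows the rules above."""
    findings = []
    for e in entries:
        if len(e.components) != 2 or e.components[0] != "HTTP":
            findings.append(f"{e.principal}: service must be HTTP/<host>, got {e.components}")
        elif e.components[1].lower() != sso_host.lower():
            findings.append(f"{e.principal}: host is not the SSO host {sso_host}")
        if e.realm != e.realm.upper():
            findings.append(f"{e.principal}: realm must be upper case")
        if e.enctype in DES_ENCTYPES:
            findings.append(f"{e.principal}: {ENCTYPE_NAMES[e.enctype]} key; DES is weak and "
                            "disabled by default on current Windows domain controllers")
    return findings


def render_krb5_conf(realm: str, kdc: str, dns_domain: str, clockskew: int = 300) -> str:
    """Render the krb5.conf fragment described above; realm names are case sensitive."""
    return (f"[libdefaults]\ndefault_realm = {realm}\nclockskew = {clockskew}\n\n"
            f"[realms]\n{realm} = {{\n  kdc = {kdc}\n}}\n\n"
            f"[domain_realm]\n.{dns_domain} = {realm}\n")


if __name__ == "__main__":
    # Constructed sample: what a ktpass run for the example above would leave behind.
    sample = build_keytab("HTTP/sso.MyCompany.com@MYCOMPANY.COM", 3, 2, b"\x01" * 8)
    for e in parse_keytab(sample):
        print(e.principal, ENCTYPE_NAMES.get(e.enctype, e.enctype), "kvno", e.kvno)
    for f in audit_keytab(parse_keytab(sample), "sso.MyCompany.com"):
        print("WARNING:", f)
    print(render_krb5_conf("AD.UK.ORACLE.COM", "active.uk.oracle.com", "uk.oracle.com"))
```

Read a real sso.keytab into parse_keytab to see exactly what ktpass wrote; a DES finding is worth resolving before the kinit test, because a KDC that has DES disabled will not issue tickets for that key even when krb5.conf is correct.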