SAGE Computing Services Consulting and customised training workshops Active Directory Integration AD, WLS & ADF in Harmony (a case study) Ray Tindall Senior Systems Consultant

Things have changed since Active Directory Integration “OID & AD in Harmony?” WLS SSO Portal

Things have changed since Synchronisation of OID & AD AD LDAP Provider SSO Delegated Authentication ADF Security Windows Native Authentication with SSO Kerberos with WLS Forms

Agenda Overview Who, What &Why The primary Goal Resources & References IBM The Plan & The Path Implementation How we did it – How you can do it Testing Troubleshooting & Hints Wrap up Where are we now IBM???

Who, What & Why Who? What? The System Why? The Wishlist  Weblogic Server  ADF  Active Directory on Windows Server 2003 (now 2008 R2)  Windows workstations with IE 7  Seamless & transparent authentication (login) against AD  Authorisation against AD (Groups)  Forms to ADF interoperability  Scope to expand

The Primary Goal

Resources & References Administering the SPNEGO TAI: Tips on using Kerberos service principal names by Martin Lansche, IBM Configuring Kerberos with Weblogic Server by Faisal Khan, SecureZone Troubleshooting Kerberos issues with Weblogic server by Faisal Khan, SecureZone Configuring WLS With MS Active Directory by Chris Muir, SAGE Computing Configuring a JDev 11g ADF Security app on standalone WLS against MS Active Directory by Chris Muir, SAGE Computing Oracle® Fusion Middleware Securing Oracle WebLogic Server, 11g Release 1 (10.3.1), 6 Configuring Single Sign-On with Microsoft Clients This “is” !

The Plan & The Path Proof of Concept – DEV New system on new infrastructure Target Apps – DEV WLS on VM – Snapshots Risks: Production AD only! Load Balancing – PROD only

How to Get There Implementation Key Concepts AD LDAP Provider Kerberos with WLS ADF Security

How to Get There Implementation Task Overview Network & AD preparation WLS AD Authentication WLS Host Kerberos configuration WLS Kerberos configuration Clients (Browser/s) configuration Apps (ADF Application) configuration Test (with your favourite beverage at hand) Troubleshoot (with your favourite beverage at hand)

Environment Specifics KDC server: OURKDC(.dtf.wa.gov.au) Windows domain controller serving as Key Distribution Centre Most doco (inc Official) implies to use IP but use DNS instead! Default AD domain: dtf.wa.gov.au Kerberos Realm: DTF.WA.GOV.AU Uppercase of Domain WLS AD account: wlskerberosadacc / obscurepwd “User" AD account used for WLS Host & to map Service Principal Official doco says just use simple machine name NO! - Bad idea; make it different and make it descriptive WLS Virtual Host DNS: ourvirtualwls (.dtf.wa.gov.au) URL you will use to access your Web Applications Also serves as the basis of the Service Principal Official doco doesn't even mention Virtual Host as consideration BUT! - Critical for same Domain Windows WLS host* & good idea in other cases anyway. *The machine name URL will already exist in a Windows Domain, being HOST\machine.dtf.wa.gov.au, as a Service Principal against the Machine Computer account in AD. At runtime Kerberos will derive the basis of the Service Principal from the browser URL. AD will find and default to the HOST\ Service Principal and try to use the “computer” account instead of finding our HTTP\ Service Principal and using our WLS “user” AD account. The credentials in your Keytab will not match the ticket returned by AD. Bottom line: ignoring the protocol HTTP\, the URL of the Service Principal that will be used to access your Web Applications should exist in AD only once! *The machine name URL will already exist in a Windows Domain, being HOST\machine.dtf.wa.gov.au, as a Service Principal against the Machine Computer account in AD. At runtime Kerberos will derive the basis of the Service Principal from the browser URL. AD will find and default to the HOST\ Service Principal and try to use the “computer” account instead of finding our HTTP\ Service Principal and using our WLS “user” AD account. The credentials in your Keytab will not match the ticket returned by AD. Bottom line: ignoring the protocol HTTP\, the URL of the Service Principal that will be used to access your Web Applications should exist in AD only once!

Network & AD preparation Implementation Steps: 1.Create Virtual Host DNS 2.Create WLS Service AD “user” account 3.Map SPN (Service Principal) with setspn & generate Keytab with ktab Linux – use ktpass instead

Implementation Steps: 1.Create Virtual Host DNS 2.Create WLS Service AD “user” account 3.Map SPN (Service Principal) with setspn & generate Keytab with ktab Linux – use ktpass instead

Implementation Steps: 1.Create Virtual Host DNS 2.Create WLS Service AD “user” account 3.Map SPN (Service Principal) with setspn & generate Keytab with ktab Linux – use ktpass instead Not computer! Not strictly needed with JDK 1.5+

Implementation Steps: 1.Create Virtual Host DNS 2.Create WLS Service AD “user” account 3.Map SPN (Service Principal) with setspn & generate Keytab with ktab Linux – use ktpass instead Must be your user service account. Get it right. Not validated!

WLS AD Authentication Implementation Steps: 4.Create WLS AD Authentication Provider WLS LDAPAuthenticator 5.Test Authentication Provider Configuring a JDev 11g ADF Security app on standalone WLS against MS Active Directory by Chris Muir, SAGE Computing

Implementation Steps: 4.Create WLS AD Authentication Provider WLS LDAPAuthenticator 5.Test Authentication Provider Configuring a JDev 11g ADF Security app on standalone WLS against MS Active Directory by Chris Muir, SAGE Computing Remove! Remove?

Implementation Steps: 4.Create WLS AD Authentication Provider WLS LDAPAuthenticator 5.Test Authentication Provider Configuring a JDev 11g ADF Security app on standalone WLS against MS Active Directory by Chris Muir, SAGE Computing

WLS Host Kerberos configuration Implementation Steps: 6.Create krb5.ini 7.Copy Keytab to WLS for Linux ftp – note this is a binary file 8.Test Host Kerberos with kinit Go no further if this no worky!

Implementation Steps: 6.Create krb5.ini 7.Copy Keytab to WLS for Linux ftp – note this is a binary file 8.Test Host Kerberos with kinit Not strictly needed with JDK 1.5+ Case sensitive

Implementation Steps: 6.Create krb5.ini 7.Copy Keytab to WLS for Linux ftp – note this is a binary file 8.Test Host Kerberos with kinit

Implementation Steps: 6.Create krb5.ini 7.Copy Keytab to WLS for Linux ftp – note this is a binary file 8.Test Host Kerberos with kinit

WLS Kerberos configuration Implementation Steps: 9.Create krb5Login.conf 10.Add WLS Kerberos startup parameters startWebLogic.cmd 11.Create Identity Assertion Provider WLS NegotiateIdentityAsserter

Implementation Steps: 9.Create krb5Login.conf 10.Add WLS Kerberos startup parameters startWebLogic.cmd 11.Create Identity Assertion Provider WLS NegotiateIdentityAsserter

Implementation Steps: 9.Create krb5Login.conf 10.Add WLS Kerberos startup parameters startWebLogic.cmd 11.Create Identity Assertion Provider WLS NegotiateIdentityAsserter

Implementation Steps: 9.Create krb5Login.conf 10.Add WLS Kerberos startup parameters startWebLogic.cmd 11.Create Identity Assertion Provider WLS NegotiateIdentityAsserter

Client (Browser/s) configuration Implementation Steps: 12.Configure Windows Native Authentication Auto logon for Intranet IE Firefox …

Implementation Steps: 12.Configure Windows Native Authentication Auto logon for Intranet IE Firefox …

Implementation Steps: 12.Configure Windows Native Authentication Auto logon for Intranet IE Firefox …

Apps (ADF Application) configuration Implementation Steps: 13.Configure ADF Application Security Run - Configure ADF Security Wizard Enterprise Roles (AD)  Application Roles (ADF) Web.xml CLIENT-CERT 13 steps; hmmm; is this a sign?

Implementation Steps: 13.Configure ADF Application Security Run - Configure ADF Security Wizard Enterprise Roles (AD)  Application Roles (ADF) Web.xml CLIENT-CERT

Testing LDAP Provider Kinit (with keytab) Bringing it all together ADF Application Transparent login Wha…? I followed the Instructions!

LDAP Provider Kinit (with keytab) Bringing it all together ADF Application Transparent login

Troubleshooting When things just don’t go your way! WLS Security debug WLS log level – standard out Utilities checks (with verbose debug) Check AD user account inc SPN mapping Config files krb5.ini krb5Login.conf config.xml AD LDAP Provider base DNs, filters, search scopes Wireshark... – in extreme cases

When things just don’t go your way! WLS Security debug WLS log level – standard out Utilities checks (with verbose debug) Check AD user account inc SPN mapping Config files krb5.ini krb5Login.conf config.xml AD LDAP Provider base DNs, filters, search scopes Wireshark... – in extreme cases + standard out log level >= notice Due to CLIENT-CERT,FORM

When things just don’t go your way! WLS Security debug WLS log level – standard out Utilities checks (with verbose debug) Check AD user account inc SPN mapping Config files krb5.ini krb5Login.conf config.xml AD LDAP Provider base DNs, filters, search scopes Wireshark... – in extreme cases Best to have 1 only Don’t be fooled. Normal! Success

When things just don’t go your way! WLS Security debug WLS log level – standard out Utilities checks (with verbose debug) Check AD user account inc SPN mapping Config files krb5.ini krb5Login.conf config.xml AD LDAP Provider base DNs, filters, search scopes Wireshark... – in extreme cases Server Admin Pack Softerra LDAP Browser

When things just don’t go your way! WLS Security debug WLS log level – standard out Utilities checks (with verbose debug) Check AD user account inc SPN mapping Config files krb5.ini krb5Login.conf config.xml AD LDAP Provider base DNs, filters, search scopes Wireshark... – in extreme cases Case sensitivity Syntax Linux? Has this changed? No krb5. prior to JDK 6.0 Include prior options

When things just don’t go your way! WLS Security debug WLS log level – standard out Utilities checks (with verbose debug) Check AD user account inc SPN mapping Config files krb5.ini krb5Login.conf config.xml AD LDAP Provider base DNs, filters, search scopes Wireshark... – in extreme cases

When things just don’t go your way! WLS Security debug WLS log level – standard out Utilities checks (with verbose debug) Check AD user account inc SPN mapping Config files krb5.ini krb5Login.conf config.xml AD LDAP Provider base DNs, filters, search scopes Wireshark... – in extreme cases Debug = java kinit Success Checksum failed! ?

Traps Naming & Case sensitivity Don’t name AD account same as WLS Host Mind case sensitivity & syntax (especially krb5.ini) Must be only “one” SPN URL in AD ldifde to check for duplicates setspn –D to remove bad or duplicate SPNs Kerberos / WLS can’t find config files (krb5.ini keytab krb5Login.conf) Know & use default locations for them Try absolute paths where referenced in dependant config Try WLS/Host reboot Order of WLS Providers Asserter followed by LDAP Provider then defaults Use Virtual URL - not host URL Configure 2nd DNS – not DNS alias Clear Browser cache/s Clock Skew - AD, WLS, Client within 2mins Does host need WA Daylight Saving patch Note: Does not require WLS VH definition

Hints & Tips WLS / Host reboots at critical points Check full range of options for utilities (kinit ktab klist) java core of these for verbose debug output Use CLIENT-CERT only in ADF Security for troubleshooting CLIENT-CERT,FORM may not produce debug message output Use client local hosts in lieu of no DNS Also useful to test specific node in Load Balanced scenario Load Balanced / Proxy scenario - same keytab / setup on each node DNS/Virtual URL (for SPN) is the URL the LBR/Proxy routes Performance hits Mind recursive & deep Group searching Check & turn off all DEBUG once happy Multiple technologies – look outside the Oracle box Linux – ktpass changes AD account Name changes to HTTP/former_name Mind this for kinit & krb5Login.conf setup

Job Done! “Celebrate”

Current Status Friends? No Problem! Proof of Concept – DEV TEST UAT PROD Go Live – coming weekend

Thankyou! Questions? Presentations are available from our website: SAGE Computing Services Consulting and customised training workshops Peace & Harmony