SAGE Computing Services: Consulting and customised training workshops. Active Directory Integration: AD, WLS & ADF in Harmony (a case study). Ray Tindall, Senior Systems Consultant.

Things have changed since “Active Directory Integration: OID & AD in Harmony?” (WLS, SSO, Portal)

Things have changed since:
- Synchronisation of OID & AD
- AD LDAP Provider
- SSO Delegated Authentication
- ADF Security
- Windows Native Authentication with SSO
- Kerberos with WLS
- Forms

Agenda
- Overview: Who, What & Why; The primary Goal; Resources & References (IBM); The Plan & The Path
- Implementation: How we did it – How you can do it
- Testing
- Troubleshooting & Hints
- Wrap up: Where are we now (IBM???)

Who, What & Why
Who? What? The System. Why? The Wishlist.
- Weblogic Server
- ADF
- Active Directory on Windows Server 2003 (now 2008 R2)
- Windows workstations with IE 7
- Seamless & transparent authentication (login) against AD
- Authorisation against AD (Groups)
- Forms to ADF interoperability
- Scope to expand

The Primary Goal

Resources & References
- Administering the SPNEGO TAI: Tips on using Kerberos service principal names, by Martin Lansche, IBM
- Configuring Kerberos with Weblogic Server, by Faisal Khan, SecureZone
- Troubleshooting Kerberos issues with Weblogic server, by Faisal Khan, SecureZone
- Configuring WLS With MS Active Directory, by Chris Muir, SAGE Computing
- Configuring a JDev 11g ADF Security app on standalone WLS against MS Active Directory, by Chris Muir, SAGE Computing
- Oracle® Fusion Middleware Securing Oracle WebLogic Server, 11g Release 1 (10.3.1), 6 Configuring Single Sign-On with Microsoft Clients. This “is”!

The Plan & The Path
- Proof of Concept – DEV
- New system on new infrastructure
- Target Apps – DEV
- WLS on VM – Snapshots
- Risks: Production AD only! Load Balancing – PROD only

How to Get There: Implementation Key Concepts
- AD LDAP Provider
- Kerberos with WLS
- ADF Security

How to Get There: Implementation Task Overview
- Network & AD preparation
- WLS AD Authentication
- WLS Host Kerberos configuration
- WLS Kerberos configuration
- Clients (Browser/s) configuration
- Apps (ADF Application) configuration
- Test (with your favourite beverage at hand)
- Troubleshoot (with your favourite beverage at hand)

Environment Specifics
KDC server: OURKDC(.dtf.wa.gov.au) – Windows domain controller serving as Key Distribution Centre. Most doco (inc Official) implies to use IP, but use DNS instead!
Default AD domain: dtf.wa.gov.au
Kerberos Realm: DTF.WA.GOV.AU – uppercase of Domain
WLS AD account: wlskerberosadacc / obscurepwd – “User” AD account used for WLS Host & to map Service Principal. Official doco says just use simple machine name. NO! Bad idea; make it different and make it descriptive.
WLS Virtual Host DNS: ourvirtualwls(.dtf.wa.gov.au) – URL you will use to access your Web Applications; also serves as the basis of the Service Principal. Official doco doesn't even mention Virtual Host as a consideration, BUT it is critical for a same-Domain Windows WLS host* & a good idea in other cases anyway.
*The machine name URL will already exist in a Windows Domain, being HOST/machine.dtf.wa.gov.au, as a Service Principal against the Machine Computer account in AD. At runtime Kerberos will derive the basis of the Service Principal from the browser URL. AD will find and default to the HOST/ Service Principal and try to use the “computer” account instead of finding our HTTP/ Service Principal and using our WLS “user” AD account. The credentials in your Keytab will not match the ticket returned by AD.
Bottom line: ignoring the protocol HTTP/, the URL of the Service Principal that will be used to access your Web Applications should exist in AD only once!

Network & AD preparation
Implementation Steps:
1. Create Virtual Host DNS
2. Create WLS Service AD “user” account (Not computer!)
3. Map SPN (Service Principal) with setspn & generate Keytab with ktab (Linux – use ktpass instead)
Slide notes: Not strictly needed with JDK 1.5+. Must be your user service account. Get it right. Not validated!
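As an added example (not from the talk) of the “only once” check behind step 3 and the Environment Specifics note: a Python script that parses an ldifde export of servicePrincipalName values and flags both a duplicated SPN and a host name already claimed by another SPN class (the HOST/ machine-account trap). The LDIF text is constructed; the account and host names reuse the talk's environment.

```python
from collections import defaultdict

# Constructed ldifde-style export; a real one comes from e.g.
#   ldifde -f spns.ldf -r "(servicePrincipalName=*)" -l sAMAccountName,servicePrincipalName
SAMPLE_LDIF = """\
dn: CN=WLSHOST01,CN=Computers,DC=dtf,DC=wa,DC=gov,DC=au
sAMAccountName: WLSHOST01$
servicePrincipalName: HOST/WLSHOST01
servicePrincipalName: HOST/wlshost01.dtf.wa.gov.au

dn: CN=wlskerberosadacc,CN=Users,DC=dtf,DC=wa,DC=gov,DC=au
sAMAccountName: wlskerberosadacc
servicePrincipalName: HTTP/ourvirtualwls.dtf.wa.gov.au

dn: CN=oldsvc,CN=Users,DC=dtf,DC=wa,DC=gov,DC=au
sAMAccountName: oldsvc
servicePrincipalName: HTTP/ourvirtualwls.dtf.wa.gov.au
"""

def parse_ldif(text):
    """Split LDIF into entries of {attribute: [values]}; joins folded
    continuation lines, leaves base64 ('::') values undecoded."""
    entries, current, last = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and last:
            current[last][-1] += raw[1:]
        elif not raw.strip():
            if current:
                entries.append(current)
            current, last = {}, None
        else:
            attr, _, value = raw.partition(":")
            current.setdefault(attr, []).append(value.strip())
            last = attr
    return entries

def split_spn(spn):
    """'HTTP/Host.dtf.wa.gov.au:8080' -> ('http', 'host.dtf.wa.gov.au');
    AD matches SPNs case-insensitively, so compare in lower case."""
    service, _, rest = spn.partition("/")
    return service.lower(), rest.split(":")[0].lower()

def check_spn(entries, planned_spn):
    """Findings for the SPN you intend to map: ('duplicate', accounts) when it
    already sits on more than one account; ('host-collision', accounts) when
    another service class (e.g. HOST/ on the computer account) already claims
    that host name, i.e. the machine-name trap from the talk."""
    by_spn, by_host = defaultdict(set), defaultdict(set)
    for entry in entries:
        account = entry.get("sAMAccountName", ["?"])[0]
        for spn in entry.get("servicePrincipalName", []):
            service, host = split_spn(spn)
            by_spn[(service, host)].add(account)
            by_host[host].add(account)
    service, host = split_spn(planned_spn)
    findings = []
    if len(by_spn[(service, host)]) > 1:
        findings.append(("duplicate", sorted(by_spn[(service, host)])))
    others = by_host[host] - by_spn[(service, host)]
    if others:
        findings.append(("host-collision", sorted(others)))
    return findings
```

A clean result is an empty list; anything reported is what setspn -D (for duplicates) or a different virtual host name (for a collision) should resolve before the keytab is generated.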

WLS AD Authentication
Implementation Steps:
4. Create WLS AD Authentication Provider (WLS LDAPAuthenticator)
5. Test Authentication Provider
See: Configuring a JDev 11g ADF Security app on standalone WLS against MS Active Directory, by Chris Muir, SAGE Computing
Slide callouts: Remove! Remove?

WLS Host Kerberos configuration
Implementation Steps:
6. Create krb5.ini (Not strictly needed with JDK 1.5+. Case sensitive.)
7. Copy Keytab to WLS (for Linux: ftp – note this is a binary file)
8. Test Host Kerberos with kinit. Go no further if this no worky!

WLS Kerberos configuration
Implementation Steps:
9. Create krb5Login.conf
10. Add WLS Kerberos startup parameters (startWebLogic.cmd)
11. Create Identity Assertion Provider (WLS NegotiateIdentityAsserter)
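An added example (not the talk's own configuration) covering steps 6, 9 and 10: constructed krb5.ini, krb5Login.conf and startup parameters for the talk's environment, plus a Python lint that catches the traps the talk lists (lowercase realm, KDC by IP, missing “krb5.” section prefix on JDK 6+, wrong principal, relative keytab path, startup flags disagreeing with krb5.ini). The file paths under C:/Oracle/keytabs are assumptions.

```python
import re

# Constructed for the talk's environment (OURKDC, DTF.WA.GOV.AU, wlskerberosadacc).
KRB5_INI = """\
[libdefaults]
default_realm = DTF.WA.GOV.AU
[realms]
DTF.WA.GOV.AU = {
  kdc = OURKDC.dtf.wa.gov.au
}
[domain_realm]
.dtf.wa.gov.au = DTF.WA.GOV.AU
"""
# JDK 6+ section names; JDK 5 uses com.sun.security.jgss.{initiate,accept} instead.
KRB5_LOGIN_CONF = """\
com.sun.security.jgss.krb5.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  principal="wlskerberosadacc@DTF.WA.GOV.AU" useKeyTab=true
  keyTab="C:/Oracle/keytabs/wlskerberos.keytab" storeKey=true;
};
com.sun.security.jgss.krb5.accept {
  com.sun.security.auth.module.Krb5LoginModule required
  principal="wlskerberosadacc@DTF.WA.GOV.AU" useKeyTab=true
  keyTab="C:/Oracle/keytabs/wlskerberos.keytab" storeKey=true;
};
"""
# Appended to JAVA_OPTIONS in startWebLogic.cmd; add -Dsun.security.krb5.debug=true while troubleshooting.
STARTUP_ARGS = ("-Djava.security.krb5.realm=DTF.WA.GOV.AU "
                "-Djava.security.krb5.kdc=OURKDC.dtf.wa.gov.au "
                "-Djava.security.auth.login.config=C:/Oracle/keytabs/krb5Login.conf "
                "-Djavax.security.auth.useSubjectCredsOnly=false")

def lint(krb5_ini, login_conf, startup_args, service_account, jdk_major):
    """Return (check, detail) findings; [] means every trap check passed."""
    found = []
    realm = re.search(r"default_realm\s*=\s*(\S+)", krb5_ini).group(1)
    kdc = re.search(r"\bkdc\s*=\s*(\S+)", krb5_ini).group(1)
    if realm != realm.upper():                       # realm is the UPPERCASE domain
        found.append(("realm-case", realm))
    if re.fullmatch(r"\d+(\.\d+){3}", kdc):          # talk: use DNS name, not IP
        found.append(("kdc-is-ip", kdc))
    prefix = "com.sun.security.jgss." + ("krb5." if jdk_major >= 6 else "")
    for kind in ("initiate", "accept"):              # no 'krb5.' before JDK 6
        if not re.search(rf"^{re.escape(prefix + kind)}\s*\{{", login_conf, re.M):
            found.append(("login-section", prefix + kind))
    for m in re.finditer(r'principal="([^"]+)"', login_conf):
        name, _, prealm = m.group(1).partition("@")  # must be the WLS service account
        if name != service_account or prealm != realm:
            found.append(("principal", m.group(1)))
    for m in re.finditer(r'keyTab="([^"]+)"', login_conf):
        if not re.match(r"^([A-Za-z]:)?/", m.group(1).replace("\\", "/")):
            found.append(("keytab-relative", m.group(1)))  # talk: try absolute paths
    args = dict(a[2:].split("=", 1) for a in startup_args.split() if a.startswith("-D"))
    if args.get("java.security.krb5.realm") != realm or args.get("java.security.krb5.kdc") != kdc:
        found.append(("startup-mismatch", "java.security.krb5.realm/kdc"))
    if "java.security.auth.login.config" not in args:
        found.append(("startup-login-config", "missing"))
    return found
```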

Client (Browser/s) configuration
Implementation Steps:
12. Configure Windows Native Authentication
- Auto logon for Intranet (IE)
- Firefox …

Apps (ADF Application) configuration
Implementation Steps:
13. Configure ADF Application Security
- Run – Configure ADF Security Wizard
- Enterprise Roles (AD) -> Application Roles (ADF)
- Web.xml: CLIENT-CERT
13 steps; hmmm; is this a sign?

Testing
- LDAP Provider
- Kinit (with keytab)
- Bringing it all together: ADF Application – Transparent login
Wha…? I followed the Instructions!

Troubleshooting: When things just don’t go your way!
- WLS Security debug
- WLS log level – standard out (+ standard out log level >= notice, due to CLIENT-CERT,FORM)
- Utilities checks (with verbose debug)
- Check AD user account inc SPN mapping (Server Admin Pack; Softerra LDAP Browser)
- Config files: krb5.ini, krb5Login.conf, config.xml (case sensitivity; syntax; Linux? has this changed?; no “krb5.” prior to JDK 6.0; include prior options)
- AD LDAP Provider: base DNs, filters, search scopes
- Wireshark... – in extreme cases
Other slide callouts: Best to have 1 only. Don’t be fooled. Normal! Success. Debug = java. kinit Success. Checksum failed! ?

Traps
Naming & Case sensitivity
- Don’t name AD account same as WLS Host
- Mind case sensitivity & syntax (especially krb5.ini)
- Must be only “one” SPN URL in AD: ldifde to check for duplicates; setspn –D to remove bad or duplicate SPNs
Kerberos / WLS can’t find config files (krb5.ini, keytab, krb5Login.conf)
- Know & use default locations for them
- Try absolute paths where referenced in dependent config
- Try WLS/Host reboot
Order of WLS Providers
- Asserter followed by LDAP Provider, then defaults
Use Virtual URL – not host URL
- Configure 2nd DNS – not DNS alias (Note: does not require WLS VH definition)
Clear Browser cache/s
Clock Skew – AD, WLS, Client within 2mins
- Does host need WA Daylight Saving patch?

Hints & Tips
- WLS / Host reboots at critical points
- Check full range of options for utilities (kinit, ktab, klist); java core of these for verbose debug output
- Use CLIENT-CERT only in ADF Security for troubleshooting; CLIENT-CERT,FORM may not produce debug message output
- Use client local hosts in lieu of no DNS; also useful to test a specific node in a Load Balanced scenario
- Load Balanced / Proxy scenario: same keytab / setup on each node; DNS/Virtual URL (for SPN) is the URL the LBR/Proxy routes
- Performance hits: mind recursive & deep Group searching; check & turn off all DEBUG once happy
- Multiple technologies – look outside the Oracle box
- Linux – ktpass changes AD account Name to HTTP/former_name; mind this for kinit & krb5Login.conf setup

Job Done! “Celebrate”

Current Status
Friends? No Problem!
- Proof of Concept – DEV
- TEST
- UAT
- PROD: Go Live – coming weekend

Thank you! Questions? Presentations are available from our website. SAGE Computing Services: Consulting and customised training workshops. Peace & Harmony.