
1 Active Directory Integration – AD, WLS & ADF in Harmony (a case study)
SAGE Computing Services – Consulting and customised training workshops
Ray Tindall, Senior Systems Consultant
www.sagecomputing.com.au

2 Things have changed since 2006
Active Directory Integration: “OID & AD in Harmony?”
WLS / SSO / Portal

3 Things have changed since 2006
Synchronisation of OID & AD
AD LDAP Provider
SSO Delegated Authentication
ADF Security
Windows Native Authentication with SSO
Kerberos with WLS
Forms

4 Agenda
Overview: Who, What & Why; The primary goal; Resources & references (IBM); The plan & the path
Implementation: How we did it – how you can do it
Testing
Troubleshooting & hints
Wrap up: Where are we now (IBM???)

5 Who, What & Why
Who?
What? The system:
 Weblogic Server 10.3.2
 ADF 11.1.1.2
 Active Directory on Windows Server 2003 (now 2008 R2)
 Windows workstations with IE 7
Why? The wishlist:
 Seamless & transparent authentication (login) against AD
 Authorisation against AD (groups)
 Forms to ADF interoperability
 Scope to expand

6 The Primary Goal

7 Resources & References
Administering the SPNEGO TAI: Tips on using Kerberos service principal names – Martin Lansche, IBM
Configuring Kerberos with Weblogic Server – Faisal Khan, SecureZone
Troubleshooting Kerberos issues with Weblogic server – Faisal Khan, SecureZone
Configuring WLS With MS Active Directory – Chris Muir, SAGE Computing
Configuring a JDev 11g ADF Security app on standalone WLS against MS Active Directory – Chris Muir, SAGE Computing
Oracle® Fusion Middleware Securing Oracle WebLogic Server, 11g Release 1 (10.3.1), chapter 6 “Configuring Single Sign-On with Microsoft Clients” – this “is” 10.3.2!

8 The Plan & The Path
Proof of Concept – DEV
New system on new infrastructure
Target apps – DEV
WLS on VM – snapshots
Risks: Production AD only! Load balancing – PROD only

9 How to Get There
Implementation key concepts: AD LDAP Provider; Kerberos with WLS; ADF Security

10 How to Get There
Implementation task overview:
Network & AD preparation
WLS AD authentication
WLS host Kerberos configuration
WLS Kerberos configuration
Clients (browser/s) configuration
Apps (ADF application) configuration
Test (with your favourite beverage at hand)
Troubleshoot (with your favourite beverage at hand)

11 Environment Specifics
KDC server: OURKDC (.dtf.wa.gov.au) – Windows domain controller serving as Key Distribution Centre. Most doco (inc. Official) implies you should use the IP, but use the DNS name instead!
Default AD domain: dtf.wa.gov.au
Kerberos realm: DTF.WA.GOV.AU – uppercase of the domain
WLS AD account: wlskerberosadacc / obscurepwd – “user” AD account used for the WLS host & to map the Service Principal. Official doco says just use the simple machine name. NO! – bad idea; make it different and make it descriptive.
WLS virtual host DNS: ourvirtualwls (.dtf.wa.gov.au) – the URL you will use to access your web applications; also serves as the basis of the Service Principal. Official doco doesn't even mention a virtual host as a consideration, BUT it is critical for a Windows WLS host in the same domain* & a good idea in other cases anyway.
*The machine name URL will already exist in a Windows domain, as HOST/machine.dtf.wa.gov.au, as a Service Principal against the machine's computer account in AD. At runtime Kerberos derives the basis of the Service Principal from the browser URL. AD will find and default to the HOST/ Service Principal and try to use the “computer” account instead of finding our HTTP/ Service Principal and using our WLS “user” AD account. The credentials in your keytab will then not match the ticket returned by AD.
Bottom line: ignoring the protocol HTTP/, the URL (host name) of the Service Principal that will be used to access your web applications should exist in AD only once!

12 Network & AD preparation
Implementation steps:
1. Create virtual host DNS
2. Create WLS service AD “user” account – not a computer account!
3. Map SPN (Service Principal) with setspn & generate keytab with ktab (Linux – use ktpass instead). The mapped account must be your user service account. Get it right – it is not validated!
Callouts (slides 13–15): Not strictly needed with JDK 1.5+

16 WLS AD Authentication
Implementation steps:
4. Create WLS AD Authentication Provider – WLS LDAPAuthenticator
5. Test Authentication Provider
See: Configuring a JDev 11g ADF Security app on standalone WLS against MS Active Directory – Chris Muir, SAGE Computing
Callouts (slides 17–18): Remove! Remove?

19 WLS Host Kerberos configuration
Implementation steps:
6. Create krb5.ini (case sensitive)
7. Copy keytab to WLS – for Linux, ftp; note this is a binary file
8. Test host Kerberos with kinit – go no further if this no worky!
Callouts (slides 20–22): Not strictly needed with JDK 1.5+

23 WLS Kerberos configuration
Implementation steps:
9. Create krb5Login.conf
10. Add WLS Kerberos startup parameters – startWebLogic.cmd
11. Create Identity Assertion Provider – WLS NegotiateIdentityAsserter
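Steps 6, 9 and 10 are where the case-sensitivity, naming and path traps bite. As an added example (not from the deck), a small Python pre-flight check over constructed krb5.ini and krb5Login.conf text using the deck's host names and realm; the check function and file contents are my own and assume the JDK Krb5LoginModule syntax for krb5Login.conf.

```python
import re

# Constructed sample files for the environment described in the talk
# (host names and realm as on slide 11); not the deck's own files.
KRB5_INI = """\
[libdefaults]
default_realm = DTF.WA.GOV.AU

[realms]
DTF.WA.GOV.AU = {
    kdc = ourkdc.dtf.wa.gov.au
}
"""
KRB5_LOGIN_CONF = """\
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="HTTP/ourvirtualwls.dtf.wa.gov.au@DTF.WA.GOV.AU"
    useKeyTab=true keyTab="C:/kerberos/ourvirtualwls.keytab" storeKey=true;
};
"""

def check_kerberos_config(ini, login_conf, virtual_host, machine_name):
    """Findings for the traps the talk lists: realm case, KDC by IP, a
    case-mismatched [realms] block, wrong SPN host/realm, relative keytab."""
    found = []
    m = re.search(r"^\s*default_realm\s*=\s*(\S+)", ini, re.M)
    realm = m.group(1) if m else ""  # an empty realm fails the checks below
    if realm != realm.upper():
        found.append("krb5.ini: default_realm must be the uppercase domain")
    if realm not in re.findall(r"^\s*([\w.\-]+)\s*=\s*\{", ini, re.M):
        found.append(f"krb5.ini: no [realms] block named exactly {realm!r}")
    for kdc in re.findall(r"^\s*kdc\s*=\s*(\S+)", ini, re.M):
        if re.fullmatch(r"[\d.]+(:\d+)?", kdc):
            found.append("krb5.ini: kdc given as an IP, use the DNS name")
    for principal in re.findall(r'principal\s*=\s*"?([^"\s;]+)', login_conf):
        service, _, rest = principal.partition("/")
        host, _, prealm = rest.partition("@")
        if service != "HTTP":
            found.append("krb5Login.conf: principal must be HTTP/<virtual host>")
        if host.lower() == machine_name.lower():
            found.append("krb5Login.conf: principal uses the machine name, not the virtual host")
        elif host.lower() != virtual_host.lower():
            found.append("krb5Login.conf: principal host is not the virtual host")
        if prealm != realm:
            found.append("krb5Login.conf: principal realm does not match default_realm")
    for keytab in re.findall(r'keyTab\s*=\s*"?([^"\s;]+)', login_conf):
        if not re.match(r"[A-Za-z]:[\\/]|/", keytab):
            found.append("krb5Login.conf: keyTab should be an absolute path")
    return found
```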

27 Client (Browser/s) configuration
Implementation steps:
12. Configure Windows Native Authentication – auto logon for Intranet: IE, Firefox …

30 Apps (ADF Application) configuration
Implementation steps:
13. Configure ADF Application Security – run the Configure ADF Security wizard; Enterprise Roles (AD) → Application Roles (ADF); web.xml CLIENT-CERT
13 steps; hmmm; is this a sign?

32 Testing
LDAP Provider
kinit (with keytab)
Bringing it all together: ADF application, transparent login
Wha…? I followed the instructions!

34 Troubleshooting
When things just don’t go your way!
WLS Security debug
WLS log level – standard out (+ standard out log level >= notice, due to CLIENT-CERT,FORM)
Utilities checks (with verbose debug)
Check AD user account inc. SPN mapping – Server Admin Pack, Softerra LDAP Browser
Config files: krb5.ini, krb5Login.conf, config.xml – case sensitivity, syntax; Linux? Has this changed? No krb5. prior to JDK 6.0; include prior options
AD LDAP Provider – base DNs, filters, search scopes
Wireshark... – in extreme cases
Callouts (slide 36): Best to have 1 only; Don’t be fooled. Normal! Success
Callouts (slide 40): Debug = java kinit; Success; Checksum failed! ?

41 Traps
Naming & case sensitivity:
Don’t name the AD account the same as the WLS host
Mind case sensitivity & syntax (especially krb5.ini)
There must be only “one” SPN URL in AD – use ldifde to check for duplicates; setspn -D to remove bad or duplicate SPNs
Kerberos / WLS can’t find config files (krb5.ini, keytab, krb5Login.conf):
Know & use the default locations for them
Try absolute paths where referenced in dependent config
Try a WLS/host reboot
Order of WLS providers: Asserter, followed by LDAP Provider, then defaults
Use the virtual URL, not the host URL:
Configure a 2nd DNS entry, not a DNS alias
Clear browser cache/s
Clock skew: AD, WLS, client within 2 mins – does the host need the WA Daylight Saving patch?
Note: does not require a WLS VH definition
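The “only one SPN URL in AD” trap (slide 11's bottom line and the ldifde check above) is easy to verify offline. As an added example that is not from the deck, a Python check over a constructed ldifde-style export: the service account and virtual host are the deck's names, the computer account and the stale “oldwlssvc” account are invented, and any account it reports beyond the service user is a candidate for the setspn -D cleanup the slide mentions.

```python
from collections import defaultdict

# Constructed ldifde-style export (not real AD data). The WLS service "user"
# account holds the HTTP/ SPN for the virtual host, the WLS machine's computer
# account holds its HOST/ SPNs, and a stale account still holds a duplicate.
SAMPLE_LDIF = """\
dn: CN=wlskerberosadacc,OU=Service Accounts,DC=dtf,DC=wa,DC=gov,DC=au
objectClass: user
servicePrincipalName: HTTP/ourvirtualwls.dtf.wa.gov.au
servicePrincipalName: HTTP/ourvirtualwls

dn: CN=OURWLSHOST,CN=Computers,DC=dtf,DC=wa,DC=gov,DC=au
objectClass: computer
servicePrincipalName: HOST/ourwlshost.dtf.wa.gov.au
servicePrincipalName: HOST/OURWLSHOST

dn: CN=oldwlssvc,OU=Service Accounts,DC=dtf,DC=wa,DC=gov,DC=au
objectClass: user
servicePrincipalName: HTTP/ourvirtualwls.dtf.wa.gov.au
"""

def parse_spns(ldif_text):
    """Return {dn: [spn, ...]} from an ldifde export of servicePrincipalName."""
    entries, dn = {}, None
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
            entries[dn] = []
        elif line.startswith("servicePrincipalName:") and dn:
            entries[dn].append(line.split(":", 1)[1].strip())
    return entries

def spn_problems(entries, url_host):
    """Flag the two traps from the talk for the host part of the browser URL:
    one SPN registered on more than one account, and that host name appearing
    on more than one account under any service class (HOST/ vs HTTP/)."""
    owners = defaultdict(set)  # case-folded SPN -> accounts holding it
    for dn, spns in entries.items():
        for spn in spns:
            owners[spn.lower()].add(dn)
    problems = [("duplicate", spn, sorted(dns))
                for spn, dns in sorted(owners.items()) if len(dns) > 1]
    target = url_host.lower()
    holders = {dn for spn, dns in owners.items()
               if spn.split("/", 1)[-1] == target for dn in dns}
    if len(holders) > 1:
        problems.append(("host-on-multiple-accounts", target, sorted(holders)))
    return problems
```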

42 Hints & Tips
WLS / host reboots at critical points
Check the full range of options for the utilities (kinit, ktab, klist) – the java core of these for verbose debug output
Use CLIENT-CERT only in ADF Security for troubleshooting; CLIENT-CERT,FORM may not produce debug message output
Use the client's local hosts file in lieu of DNS – also useful to test a specific node in a load balanced scenario
Load balanced / proxy scenario: same keytab / setup on each node; the DNS/virtual URL (for the SPN) is the URL the LBR/proxy routes
Performance hits: mind recursive & deep group searching; check & turn off all DEBUG once happy
Multiple technologies – look outside the Oracle box
Linux – ktpass changes the AD account name to HTTP/former_name; mind this for kinit & krb5Login.conf setup

43 Job Done! “Celebrate”

44 Current Status
Friends? No problem!
Proof of Concept – DEV; TEST; UAT; PROD
Go live – coming weekend

45 Thank you! Questions?
Presentations are available from our website: www.sagecomputing.com.au
ray@sagecomputing.com.au
SAGE Computing Services – Consulting and customised training workshops
Peace & Harmony

