
SAGE Computing Services

Consulting and customised training workshops



Active Directory Integration



AD, WLS & ADF in Harmony
(a case study)
Ray Tindall
Senior Systems Consultant

www.sagecomputing.com.au
Things have changed since 2006
Active Directory Integration



OID & AD in Harmony?

SSO Portal
Synchronisation of OID & AD
AD LDAP Provider

SSO Delegated Authentication
ADF Security

Windows Native Authentication with SSO
Kerberos with WLS
Forms
Agenda Overview
Who, What & Why
The primary Goal
Resources & References
IBM
The Plan & The Path
Implementation
How we did it / How you can do it
Testing
Troubleshooting & Hints
Wrap up
Where are we now

IBM???
Who, What & Why
Who?

What?
The System

Why?
The Wishlist
Weblogic Server 10.3.2.
ADF 11.1.1.2.
Active Directory
on Windows Server 2003
(now 2008 R2)
Windows workstations
with IE 7
Seamless & transparent
authentication (login) against AD
Authorisation against AD
(Groups)
Forms to ADF interoperability
Scope to expand
The Primary Goal
Resources & References
Administering the SPNEGO TAI:
Tips on using Kerberos service principal names
by Martin Lansche, IBM
Configuring Kerberos with Weblogic Server
by Faisal Khan, SecureZone
Troubleshooting Kerberos issues with Weblogic server
by Faisal Khan, SecureZone
Configuring WLS With MS Active Directory
by Chris Muir, SAGE Computing
Configuring a JDev 11g ADF Security app on standalone WLS against MS
Active Directory
by Chris Muir, SAGE Computing
Oracle Fusion Middleware Securing Oracle WebLogic Server, 11g Release 1 (10.3.1), 6 Configuring Single Sign-On with Microsoft Clients
This is 10.3.2!
The Plan & The Path
Proof of Concept DEV
New system on new infrastructure
Target Apps DEV
WLS on VM Snapshots

Risks:
Production AD only!
Load Balancing PROD only
How to Get There
Implementation Key Concepts
AD LDAP Provider



Kerberos with WLS



ADF Security
How to Get There
Implementation Task Overview
Network & AD preparation
WLS AD Authentication
WLS Host Kerberos configuration
WLS Kerberos configuration
Clients (Browser/s) configuration
Apps (ADF Application) configuration

Test (with your favourite beverage at hand)
Troubleshoot (with your favourite beverage at hand)
Environment Specifics
KDC server: OURKDC(.dtf.wa.gov.au)
Windows domain controller serving as Key Distribution Centre
Most doco (incl. the official docs) implies you should use the IP; use the DNS name instead!
Default AD domain: dtf.wa.gov.au
Kerberos Realm: DTF.WA.GOV.AU
Uppercase of Domain
WLS AD account: wlskerberosadacc / obscurepwd
A "user" AD account, used for the WLS host & to map the Service Principal
Official doco says just use simple machine name
NO! - Bad idea; make it different and make it descriptive
WLS Virtual Host DNS: ourvirtualwls(.dtf.wa.gov.au)
URL you will use to access your Web Applications
Also serves as the basis of the Service Principal
Official doco doesn't even mention Virtual Host as consideration
BUT! - Critical for same Domain Windows WLS host*
& good idea in other cases anyway.


*The machine name URL will already exist in a Windows Domain, as HOST/machine.dtf.wa.gov.au, a Service Principal on the machine's Computer account in AD.
At runtime Kerberos derives the basis of the Service Principal from the browser URL.
AD will find and default to the HOST/ Service Principal and try to use the computer account, instead of finding our HTTP/ Service Principal and using our WLS user AD account. The credentials in your Keytab will not match the ticket returned by AD.

Bottom line: ignoring the protocol HTTP/, the URL of the Service Principal that will be used to access your Web Applications should exist in AD only once!
Network & AD preparation
Implementation Steps:

1. Create Virtual Host DNS

2. Create WLS Service AD user account

3. Map SPN (Service Principal) with setspn
   & generate Keytab with ktab
   (for a Linux WLS host, use ktpass instead)

Not
computer!
Not strictly
needed with
JDK 1.5+
Must be your
user service
account.
Get it right.
Not validated!
WLS AD Authentication
Implementation Steps:

4. Create WLS AD Authentication Provider

WLS LDAPAuthenticator

5. Test Authentication Provider

Configuring a JDev 11g ADF Security app
on standalone WLS against MS Active Directory
by Chris Muir, SAGE Computing



Remove!
Remove?
WLS Host Kerberos configuration
Implementation Steps:

6. Create krb5.ini

7. Copy Keytab to WLS
   (for Linux: if you ftp it, note this is a binary file)

8. Test Host Kerberos with kinit

Go no further if this no worky!
Not strictly
needed with
JDK 1.5+
Case
sensitive
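An added example (my code, not from the deck or from SAGE) for steps 6 and 8 here and for the krb5Login.conf of step 9 in the next section: a Python preflight that applies the deck's rules to the two files before you reach for kinit. It checks that the realm is the uppercase of the domain (case sensitive), that the KDC is named by DNS and not by IP, that every JAAS entry names the principal as exactly HTTP/<virtual host>@REALM from a keytab given by absolute path, and that both the JDK 6 entry names (with krb5.) and the earlier ones are present. Both config texts are constructed samples in the layouts the JDK's Krb5LoginModule reads; the keytab path is an assumption, and the krb5Login.conf deliberately carries a lowercase realm, a relative keytab path and two missing entries so the checks have something to report.

```python
"""Preflight for the WLS host's krb5.ini and krb5Login.conf (added example, not from the deck)."""
import re

DOMAIN, VIRTUAL_HOST, KDC = "dtf.wa.gov.au", "ourvirtualwls.dtf.wa.gov.au", "ourkdc.dtf.wa.gov.au"

# Constructed krb5.ini in the MIT layout the JDK reads (on Windows too).
KRB5_INI = """\
[libdefaults]
default_realm = DTF.WA.GOV.AU

[realms]
DTF.WA.GOV.AU = {
    kdc = ourkdc.dtf.wa.gov.au
}
"""

# Constructed krb5Login.conf. The first entry is right; the second has a lowercase realm
# and a relative keytab path (assumed path), and the two 'accept' entries are missing.
KRB5_LOGIN_CONF = """\
com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="HTTP/ourvirtualwls.dtf.wa.gov.au@DTF.WA.GOV.AU"
    useKeyTab=true keyTab="C:/wls/ourvirtualwls.keytab" storeKey=true debug=true;
};
com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="HTTP/ourvirtualwls.dtf.wa.gov.au@dtf.wa.gov.au"
    useKeyTab=true keyTab="ourvirtualwls.keytab" storeKey=true debug=true;
};
"""

ENTRY_RE = re.compile(r"([\w.]+)\s*\{(.*?)\};", re.S)
OPTION_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s;]+))')
IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
# JDK 6 looks the JAAS entries up under 'krb5.'; earlier JDKs used the shorter names. Keep all four.
JAAS_ENTRIES = ("com.sun.security.jgss.krb5.initiate", "com.sun.security.jgss.krb5.accept",
                "com.sun.security.jgss.initiate", "com.sun.security.jgss.accept")


def parse_krb5_ini(text):
    """{section: {key: [values]}}; a 'REALM = { ... }' block becomes a nested dict under 'realms'."""
    cfg, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            section, block = line.strip("[]").lower(), None
            cfg.setdefault(section, {})
        elif line.endswith("{"):
            block = cfg[section].setdefault(line[:-1].split("=")[0].strip(), {})
        elif line == "}":
            block = None
        else:
            key, _, value = line.partition("=")
            target = cfg[section] if block is None else block
            target.setdefault(key.strip(), []).append(value.strip())
    return cfg


def parse_jaas(text):
    """{entry name: {option: value}} for each 'name { ... };' block (module class and flag skipped)."""
    return {name: {k: quoted or bare for k, quoted, bare in OPTION_RE.findall(body)}
            for name, body in ENTRY_RE.findall(text)}


def check_krb5_ini(cfg, domain, kdc):
    """Realm is the uppercase domain (case sensitive); the KDC is named by DNS, not by IP."""
    realm, problems = domain.upper(), []
    if cfg.get("libdefaults", {}).get("default_realm") != [realm]:
        problems.append(f"krb5.ini: default_realm must be exactly {realm}")
    kdcs = cfg.get("realms", {}).get(realm, {}).get("kdc", [])
    if not kdcs:
        problems.append(f"krb5.ini: no [realms] block '{realm} = {{ kdc = ... }}' (check case)")
    for host in kdcs:
        if IP_RE.match(host):
            problems.append(f"krb5.ini: kdc {host} is an IP address; use the DNS name {kdc}")
    return problems


def check_jaas(entries, virtual_host, realm):
    """Every entry: principal exactly HTTP/<virtual host>@REALM, from an absolute-path keytab."""
    expected, problems = f"HTTP/{virtual_host}@{realm}", []
    for name in JAAS_ENTRIES:
        opts = entries.get(name)
        if opts is None:
            problems.append(f"krb5Login.conf: entry {name} missing")
            continue
        if opts.get("principal") != expected:
            problems.append(f"krb5Login.conf: {name} principal must be exactly {expected}")
        for flag in ("useKeyTab", "storeKey"):
            if opts.get(flag) != "true":
                problems.append(f"krb5Login.conf: {name} needs {flag}=true")
        if not re.match(r"^(?:[A-Za-z]:[/\\]|/)", opts.get("keyTab", "")):
            problems.append(f"krb5Login.conf: {name} keyTab should be an absolute path")
    return problems


def preflight(krb5_ini=KRB5_INI, jaas=KRB5_LOGIN_CONF, domain=DOMAIN, virtual_host=VIRTUAL_HOST, kdc=KDC):
    """All findings for one host; an empty list means go on to kinit with the keytab."""
    return (check_krb5_ini(parse_krb5_ini(krb5_ini), domain, kdc)
            + check_jaas(parse_jaas(jaas), virtual_host, domain.upper()))


if __name__ == "__main__":
    for finding in preflight() or ["all checks passed"]:
        print(finding)
```

Run it against your own files by passing their contents to preflight(); on the sample it reports four findings, all from krb5Login.conf, and none from krb5.ini.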
WLS Kerberos configuration
Implementation Steps:

9. Create krb5Login.conf

10. Add WLS Kerberos startup parameters

startWebLogic.cmd

11. Create Identity Assertion Provider

WLS NegotiateIdentityAsserter
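An added example (mine, not from the deck) for step 11 and for the "Order of WLS Providers" trap later in the deck: a Python check of the realm's authentication-provider chain as WLS writes it to config.xml. The realm fragment is constructed, with two deliberate faults (the asserter listed after the AD authenticator, and that authenticator set to REQUIRED); the element names and namespaces follow the config.xml of WLS 10.3 as I know it, and the two Negotiate active types are assumed from the WLS console, so verify both against your own config.xml.

```python
"""Check the realm's authentication-provider chain in config.xml (added example, not from the deck)."""
import xml.etree.ElementTree as ET

NS = {"sec": "http://xmlns.oracle.com/weblogic/security",
      "wls": "http://xmlns.oracle.com/weblogic/security/wls",
      "xsi": "http://www.w3.org/2001/XMLSchema-instance"}

# Constructed <realm> fragment in the shape WLS 10.3 writes to config.xml, with two
# deliberate faults: the asserter comes after the AD authenticator, and that
# authenticator is REQUIRED.
SAMPLE_REALM = """\
<sec:realm xmlns:sec="http://xmlns.oracle.com/weblogic/security"
           xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <sec:authentication-provider xsi:type="wls:active-directory-authenticatorType">
    <sec:name>ADAuthenticator</sec:name>
    <sec:control-flag>REQUIRED</sec:control-flag>
  </sec:authentication-provider>
  <sec:authentication-provider xsi:type="wls:negotiate-identity-asserterType">
    <sec:name>NegotiateIdentityAsserter</sec:name>
    <sec:active-type>Authorization.Negotiate</sec:active-type>
  </sec:authentication-provider>
  <sec:authentication-provider xsi:type="wls:default-authenticatorType">
    <sec:name>DefaultAuthenticator</sec:name>
    <sec:control-flag>SUFFICIENT</sec:control-flag>
  </sec:authentication-provider>
  <sec:authentication-provider xsi:type="wls:default-identity-asserterType">
    <sec:name>DefaultIdentityAsserter</sec:name>
  </sec:authentication-provider>
  <sec:name>myrealm</sec:name>
</sec:realm>
"""

# Active types the Negotiate asserter needs (assumed from the WLS console; verify on yours).
NEGOTIATE_TYPES = {"Authorization.Negotiate", "WWW-Authenticate.Negotiate"}


def provider_chain(xml_text):
    """[(xsi:type, name, control flag or None, [active types])] in config.xml order,
    which is the order WLS consults the providers."""
    realm = ET.fromstring(xml_text)
    return [(p.get(f"{{{NS['xsi']}}}type"),
             p.findtext("sec:name", namespaces=NS),
             p.findtext("sec:control-flag", namespaces=NS),
             [a.text for a in p.findall("sec:active-type", NS)])
            for p in realm.findall("sec:authentication-provider", NS)]


def first_index(chain, *suffixes):
    """Position of the first provider whose xsi:type ends with one of `suffixes`, else None."""
    return next((i for i, (ptype, *_) in enumerate(chain)
                 if ptype and ptype.endswith(suffixes)), None)


def check_provider_order(chain):
    """The deck's rule: asserter first, then the AD/LDAP authenticator, then the defaults."""
    problems = []
    asserter = first_index(chain, "negotiate-identity-asserterType")
    ad = first_index(chain, "active-directory-authenticatorType", "ldap-authenticatorType")
    default = first_index(chain, "default-authenticatorType")
    if asserter is None:
        problems.append("no NegotiateIdentityAsserter in the realm")
    if ad is None:
        problems.append("no AD/LDAP authenticator in the realm")
    if asserter is not None and ad is not None and asserter > ad:
        problems.append("NegotiateIdentityAsserter must come before the AD/LDAP authenticator")
    if ad is not None and default is not None and default < ad:
        problems.append("DefaultAuthenticator should come after the AD/LDAP authenticator")
    if ad is not None and chain[ad][2] == "REQUIRED":
        problems.append(f"{chain[ad][1]} is REQUIRED: an AD failure then fails every login, "
                        "including users only the DefaultAuthenticator knows (e.g. weblogic)")
    if asserter is not None:
        missing = NEGOTIATE_TYPES - set(chain[asserter][3])
        if missing:
            problems.append(f"{chain[asserter][1]} is missing active type(s) {sorted(missing)}")
    return problems


if __name__ == "__main__":
    for problem in check_provider_order(provider_chain(SAMPLE_REALM)) or ["provider chain looks right"]:
        print(problem)
```

Feed it the <sec:realm> element from your own config.xml; the sample yields three findings (order, REQUIRED flag, missing active type).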


Client (Browser/s) configuration
Implementation Steps:

12. Configure Windows Native Authentication

Auto logon for Intranet

IE

Firefox





Apps (ADF Application) configuration
Implementation Steps:

13. Configure ADF Application Security

Run - Configure ADF Security Wizard

Map Enterprise Roles (AD) to Application Roles (ADF)

web.xml:
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>

13 steps; hmmm; is this a sign?
Testing
LDAP Provider

Kinit (with keytab)

Bringing it all together

ADF Application

Transparent login
Wha?
I followed the
Instructions!
Troubleshooting
When things just don't go your way!
WLS Security debug
WLS log level standard out
Utilities checks (with verbose debug)
Check AD user account
inc SPN mapping
Config files
krb5.ini krb5Login.conf config.xml
AD LDAP Provider
base DNs, filters, search scopes
Wireshark... in extreme cases
+ standard out
log level
>= notice
Due to
CLIENT-CERT,FORM
Best to have
1 only
Don't be fooled.
Normal!
Success
Server
Admin Pack
Softerra
LDAP Browser
Case sensitivity
Syntax
Linux?
Has this changed?
No krb5.
prior to JDK 6.0
Include prior
options
Debug = java kinit
Success
Checksum failed!
?
Traps
Naming & Case sensitivity
Don't name the AD account the same as the WLS Host
Mind case sensitivity & syntax (especially krb5.ini)
Must be only one SPN URL in AD
ldifde to check for duplicates
setspn -D to remove bad or duplicate SPNs
Kerberos / WLS can't find config files (krb5.ini, keytab, krb5Login.conf)
Know & use the default locations for them
Try absolute paths where referenced in dependent config
Try a WLS/Host reboot
Order of WLS Providers
Asserter, followed by LDAP Provider, then defaults
Use the Virtual URL - not the host URL
Configure a 2nd DNS entry, not a DNS alias
Clear Browser cache/s
Clock Skew - AD, WLS, Client within 2 mins
Does the host need the WA Daylight Saving patch?

Note: Does not
require WLS VH
definition
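An added example (my code, not from the deck or from SAGE) for the footnote on HOST/ versus HTTP/ Service Principals under Environment Specifics and for the "Must be only one SPN URL in AD / ldifde to check for duplicates" trap above: a Python check over an ldifde export of servicePrincipalName. It reports SPNs registered on more than one account (the KDC cannot choose between them) and, for the virtual host you intend to put in the browser URL, every SPN under any service class that carries that host, applying the deck's rule that the host must appear exactly once, as HTTP/<host> on the WLS service account. The LDIF text is constructed for the example (host names follow the deck's environment; the account names and the stale entry are made up), and the ldifde command in the comment is the assumed way to produce such an export.

```python
"""SPN collision check over an ldifde export (added example, not from the deck)."""
import base64
from collections import defaultdict

# Constructed sample of the kind of export that
#   ldifde -f spn.ldf -l servicePrincipalName -r "(servicePrincipalName=*)"
# produces. Host names follow the deck's environment; the accounts are made up.
# It includes a folded value (continuation line starting with a space), a base64
# value ("::") and a stale account still holding the virtual host's SPN.
SAMPLE_LDIF = """\
dn: CN=OURWLSHOST,CN=Computers,DC=dtf,DC=wa,DC=gov,DC=au
changetype: add
servicePrincipalName: HOST/ourwlshost.dtf.wa.gov.au
servicePrincipalName: HOST/OURWLSHOST

dn: CN=wlskerberosadacc,OU=Service Accounts,DC=dtf,DC=wa,DC=gov,DC=au
changetype: add
servicePrincipalName: HTTP/ourvirtualwls.dtf.wa.gov.au

dn: CN=oldwlsacc,OU=Service Accounts,DC=dtf,DC=wa,DC=gov,DC=au
changetype: add
servicePrincipalName:: SFRUUC9vdXJ2aXJ0dWFsd2xzLmR0Zi53YS5nb3YuYXU=
servicePrincipalName: HTTP/legacy
 .dtf.wa.gov.au
"""


def parse_ldif(text):
    """Return [(dn, [spn, ...])] per entry; unfolds continuation lines and decodes '::' values."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, dn, spns = [], None, []
    for line in logical + [""]:           # the trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, spns))
            dn, spns = None, []
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attr = attr.strip().lower()
        if attr == "dn":
            dn = value
        elif attr == "serviceprincipalname":
            spns.append(value)
    return entries


def spn_host(spn):
    """Host part of class/host[:port][/instance], lowercased."""
    _, _, rest = spn.partition("/")
    return rest.split("/", 1)[0].split(":", 1)[0].lower()


def duplicate_spns(entries):
    """SPNs (compared case-insensitively) held by more than one account; the KDC cannot pick one."""
    holders = defaultdict(set)
    for dn, spns in entries:
        for spn in spns:
            holders[spn.lower()].add(dn)
    return {spn: sorted(dns) for spn, dns in holders.items() if len(dns) > 1}


def host_holders(entries, host):
    """Every SPN, on any account and under any service class, whose host part is `host`."""
    host = host.lower()
    return [(dn, spn) for dn, spns in entries for spn in spns if spn_host(spn) == host]


def check_virtual_host(entries, host, service_account_cn):
    """The deck's rule: the URL host exists in AD exactly once, as HTTP/<host> on the WLS service account."""
    expected, problems = f"http/{host.lower()}", []
    holders = host_holders(entries, host)
    if not holders:
        problems.append(f"no SPN for {host}; map it with setspn -A HTTP/{host} {service_account_cn}")
    for dn, spn in holders:
        cn = dn.split(",")[0].partition("=")[2].lower()
        if spn.lower() != expected:
            problems.append(f"{spn} on {dn}: same host under another class/port; Kerberos may pick it over HTTP/")
        elif cn != service_account_cn.lower():
            problems.append(f"{spn} on {dn}: expected on the service account {service_account_cn}")
    if len(holders) > 1:
        problems.append(f"{host} appears {len(holders)} times in AD; it must appear exactly once")
    return problems


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for spn, dns in duplicate_spns(entries).items():
        print(f"duplicate {spn}: {', '.join(dns)}")
    for problem in check_virtual_host(entries, "ourvirtualwls.dtf.wa.gov.au", "wlskerberosadacc"):
        print(problem)
```

Running check_virtual_host with the machine name instead of the virtual host shows the footnote's case: the only hit is HOST/ourwlshost.dtf.wa.gov.au on the Computer account, which is exactly the principal you do not want Kerberos to pick.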
Hints & Tips
WLS / Host reboots at critical points
Check the full range of options for the utilities (kinit, ktab, klist)
The JDK ('java') versions of these give verbose debug output
Use CLIENT-CERT only in ADF Security for troubleshooting
CLIENT-CERT,FORM may not produce debug message output
Use the client's local hosts file in lieu of DNS
Also useful to test a specific node in a Load Balanced scenario
Load Balanced / Proxy scenario - same keytab / setup on each node
DNS/Virtual URL (for the SPN) is the URL the LBR/Proxy routes
Performance hits
Mind recursive & deep Group searching
Check & turn off all DEBUG once happy
Multiple technologies: look outside the Oracle box
Linux ktpass changes the AD account
Name changes to HTTP/former_name
Mind this for the kinit & krb5Login.conf setup
Job Done!
Celebrate
Current Status
Friends?
No Problem!
Proof of Concept DEV

TEST

UAT

PROD
Go Live coming weekend

Thank you!
Questions?








Presentations are available from our website:
www.sagecomputing.com.au

ray@sagecomputing.com.au


SAGE Computing Services
Consulting and customised training workshops

Peace
&
Harmony
