AD, WLS & ADF in Harmony - SAGE Computing Services

SAGE Computing Services
Consulting and customised training workshops
Active Directory Integration
AD, WLS & ADF in Harmony
(a case study)
Ray Tindall
Senior Systems Consultant
www.sagecomputing.com.au
Things have changed since 2006
Active Directory Integration – 2006: “OID & AD in Harmony?” (SSO, Portal)
Synchronisation of OID & AD
AD LDAP Provider
SSO Delegated Authentication
ADF Security
Forms
Windows Native Authentication with SSO
Kerberos with WLS
Agenda Overview
Who, What & Why
The Primary Goal
Resources & References (IBM??? – yes, one of them is from IBM)
The Plan & The Path
Implementation – How we did it, How you can do it
Testing
Troubleshooting & Hints
Wrap up – Where are we now
Who, What & Why
Who?
What? – The System
Why? – The Wishlist
The Primary Goal
Seamless & transparent authentication (login) against AD
Authorisation against AD (Groups)
Forms to ADF interoperability
Scope to expand
Environment: WebLogic 10.3.2, ADF 11.1.1.2, Active Directory on Windows Server 2003 (now 2008 R2), Windows workstations with IE 7
Resources & References
Administering the SPNEGO TAI: Tips on using Kerberos service principal names, by Martin Lansche, IBM
Configuring Kerberos with Weblogic Server, by Faisal Khan, SecureZone
Troubleshooting Kerberos issues with Weblogic server, by Faisal Khan, SecureZone
Configuring WLS With MS Active Directory, by Chris Muir, SAGE Computing
Configuring a JDev 11g ADF Security app on standalone WLS against MS Active Directory, by Chris Muir, SAGE Computing
Oracle® Fusion Middleware Securing Oracle WebLogic Server, 11g Release 1 (10.3.1), 6 Configuring Single Sign-On with Microsoft Clients (the 10.3.1 doc “is” the one for 10.3.2!)
The Plan & The Path
Proof of Concept – DEV
New system on new infrastructure
Target Apps – DEV
WLS on VM – Snapshots
Risks:
Production AD only!
Load Balancing – PROD only
How to Get There
Implementation Key Concepts
AD LDAP Provider
Kerberos with WLS
ADF Security
How to Get There
Implementation Task Overview
Network & AD preparation
WLS AD Authentication
WLS Host Kerberos configuration
WLS Kerberos configuration
Clients (Browser/s) configuration
Apps (ADF Application) configuration
Test (with your favourite beverage at hand)
Troubleshoot (with your favourite beverage at hand)
Environment Specifics
KDC server: OURKDC(.dtf.wa.gov.au)
  Windows domain controller serving as Key Distribution Centre
  Most doco (inc Official) implies to use IP but use DNS instead!
Default AD domain: dtf.wa.gov.au
Kerberos Realm: DTF.WA.GOV.AU
  Uppercase of the AD domain
AD account for WLS & Service Principal: wlskerberosadacc / obscurepwd
  Official doco says just use the simple machine name in your AD account name. NO! Bad idea; make it different and make it descriptive.
  *The machine name URL will already exist in a Windows Domain, as HOST/machine.dtf.wa.gov.au, a Service Principal against the machine’s Computer account in AD. At runtime Kerberos will derive the basis of the Service Principal from the browser URL. AD will find and default to the HOST/ Service Principal and try to use the “computer” account instead of finding our HTTP/ Principal and using our WLS “user” AD account. The keytab will then not match the ticket returned by AD.
WLS Virtual Host DNS: ourvirtualwls(.dtf.wa.gov.au)
  URL you will use to access your Web Applications
  Also serves as the basis of the Service Principal
  Official doco doesn't even mention Virtual Host as a consideration
  BUT! - Critical for a same-domain Windows WLS host* & a good idea in other cases anyway.
Bottom line: ignoring the protocol HTTP/, the URL of the Service Principal that will be used to access your Web Applications should exist in AD only once!
Network & AD preparation
Implementation Steps:
1. Create Virtual Host DNS
2. Create WLS Service AD “user” account
   Not computer!
3. Map SPN (Service Principal) with setspn & generate Keytab with ktab
   Get it right. Not validated!
   Must be your user service account.
   Linux – use ktpass instead
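Added example (not from the SAGE deck): steps 1 to 3 as they would be typed into PowerShell on a domain-joined admin box, reusing the deck's names (dtf.wa.gov.au, ourvirtualwls, wlskerberosadacc, obscurepwd). The OU path, the DNS server and IP, the keytab path and the RC4-HMAC choice are assumptions. The ktab route is the deck's Windows path; ktpass is shown commented out as the alternative that rewrites the AD account.

```powershell
# Added example, not the deck's own commands. Names follow the deck's environment;
# the OU, the DNS server/IP, the keytab path and the enctype are assumptions.
$Realm      = 'DTF.WA.GOV.AU'                      # Kerberos realm = AD domain, UPPERCASE
$Domain     = $Realm.ToLower()                     # dtf.wa.gov.au
$VHost      = "ourvirtualwls.$Domain"              # URL users will type - NOT the WLS host name
$SvcAccount = 'wlskerberosadacc'                   # AD *user* account, named differently from the host
$Spn        = "HTTP/$VHost"                        # service class is HTTP even for https URLs
$Principal  = "$Spn@$Realm"
$Keytab     = 'C:\wls\wls.keytab'
$OU         = 'OU=Service Accounts,DC=dtf,DC=wa,DC=gov,DC=au'   # assumed OU

# 1. Virtual host DNS: its own A record, not a CNAME, pointing at the WLS host (or LBR).
#    dnscmd takes the DNS server, the zone, the node, the type and the data; IP is a placeholder.
dnscmd "ourkdc.$Domain" /RecordAdd $Domain ourvirtualwls A 10.0.0.50

# 2. Service account: a user object with a non-expiring password, NOT the computer account.
dsadd user "CN=$SvcAccount,$OU" -samid $SvcAccount -upn "$SvcAccount@$Domain" `
    -pwd 'obscurepwd' -pwdneverexpires yes -disabled no -display 'WLS Kerberos service account'

# 3a. Map the SPN. setspn does not validate the string, so read it back and
#     confirm nothing else in the forest already carries the same SPN.
setspn -A $Spn $SvcAccount
setspn -L $SvcAccount
dsquery * forestroot -filter "(servicePrincipalName=$Spn)" -attr distinguishedName

# 3b. Keytab with the JDK's ktab: key derived from the password, AD account untouched.
#     Fine for RC4-HMAC (the 2003/2008 default). AES keys are salted with the account
#     name, so a ktab-built AES key would not match AD's; use ktpass for AES.
& "$env:JAVA_HOME\bin\ktab.exe" -a $Principal 'obscurepwd' -k $Keytab
& "$env:JAVA_HOME\bin\klist.exe" -k -t $Keytab

# 3b alternative: ktpass writes the keytab AND rewrites the account's UPN to the
#     principal (the "HTTP/former_name" effect the deck warns about for Linux).
# ktpass /princ $Principal /mapuser "$SvcAccount@$Domain" /pass 'obscurepwd' `
#        /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT /out $Keytab
```

The dsquery line is the check the deck calls "Must be only one SPN URL in AD": exactly one distinguishedName should come back, and it should be the service account, not a computer object.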
WLS AD Authentication
Implementation Steps:
4. Create WLS AD Authentication Provider
   WLS LDAPAuthenticator
   See: Configuring a JDev 11g ADF Security app on standalone WLS against MS Active Directory, by Chris Muir, SAGE Computing
5. Test Authentication Provider
WLS Host Kerberos configuration
Implementation Steps:
6. Create krb5.ini
   Not strictly needed with JDK 1.5+ (realm and KDC can be passed as JVM system properties instead)
7. Copy Keytab to WLS
   for Linux ftp – note this is a binary file
8. Test Host Kerberos with kinit
   Case sensitive (principal and realm)
   Go no further if this no worky!
WLS Kerberos configuration
Implementation Steps:
9. Create krb5Login.conf
10. Add WLS Kerberos startup parameters
    startWebLogic.cmd
11. Create Identity Assertion Provider
    WLS NegotiateIdentityAsserter
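Added example (not from the deck): steps 6 to 10 as one script run on the WLS host. One set of variables writes both krb5.ini and krb5Login.conf, so the realm stays UPPERCASE and the principal is spelled identically in the keytab, the kinit test and the login config (the deck's "case sensitive" trap). File paths, the rc4-hmac enctypes, the JGSS entry names for JDK 6 and the krb5 debug flag are assumptions; step 11 is console work and is only noted.

```powershell
# Added example, not the deck's own files. Paths, enctypes and debug flag are assumptions.
$Realm     = 'DTF.WA.GOV.AU'
$Domain    = $Realm.ToLower()
$Kdc       = "ourkdc.$Domain"                     # DNS name, not IP
$Principal = "HTTP/ourvirtualwls.$Domain@$Realm"  # must equal the ktab/ktpass principal exactly
$Keytab    = 'C:\wls\wls.keytab'
$Krb5Ini   = "$env:WINDIR\krb5.ini"               # a JDK default search location on Windows
$LoginConf = 'C:\wls\krb5Login.conf'

# 6. krb5.ini: realm -> KDC mapping plus the enctype the keytab was built with.
@"
[libdefaults]
    default_realm = $Realm
    default_tkt_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac
    ticket_lifetime = 600

[realms]
    $Realm = {
        kdc = $Kdc
        admin_server = $Kdc
        default_domain = $Domain
    }

[domain_realm]
    .$Domain = $Realm
    $Domain = $Realm
"@ | Set-Content -Path $Krb5Ini -Encoding Ascii

# 7. The keytab was copied here as a binary file (ftp -b / binary mode on Linux).
# 8. Prove the host can obtain a ticket for the service principal from the keytab.
#    Stop here until this prints "New ticket is stored in cache file ...".
& "$env:JAVA_HOME\bin\kinit.exe" -k -t $Keytab $Principal
& "$env:JAVA_HOME\bin\klist.exe"

# 9. krb5Login.conf: both JGSS entries. JDK 6 looks up the "krb5." names;
#    JDK 1.5 uses com.sun.security.jgss.initiate / .accept (no "krb5.").
$entry = @"
    com.sun.security.auth.module.Krb5LoginModule required
        principal="$Principal"
        useKeyTab=true
        keyTab="$($Keytab -replace '\\','/')"
        storeKey=true
        debug=true;
"@
@"
com.sun.security.jgss.krb5.initiate {
$entry
};

com.sun.security.jgss.krb5.accept {
$entry
};
"@ | Set-Content -Path $LoginConf -Encoding Ascii

# 10. Startup parameters: startWebLogic.cmd picks up JAVA_OPTIONS.
#     Remove sun.security.krb5.debug once the setup works; it is very chatty.
$env:JAVA_OPTIONS = "-Djava.security.krb5.conf=$Krb5Ini " +
                    "-Djava.security.auth.login.config=$LoginConf " +
                    "-Djavax.security.auth.useSubjectCredsOnly=false " +
                    "-Dsun.security.krb5.debug=true"

# 11. NegotiateIdentityAsserter is created in the WLS console (Security Realms >
#     myrealm > Providers): order it first, the LDAPAuthenticator second, defaults last.
```

If step 8 fails with a checksum or "key version" complaint, the keytab and the account's password do not match; regenerate the keytab rather than touching WLS.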
Client (Browser/s) configuration
Implementation Steps:
12. Configure Windows Native Authentication
    Auto logon for Intranet
    IE
    Firefox
    …
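Added example (not from the deck): step 12 for the two browsers the deck names, done per user from PowerShell. IE only auto-logs on to sites it puts in the Local Intranet zone, so the virtual host is mapped there explicitly; Firefox needs the host in network.negotiate-auth.trusted-uris. The registry keys and the Firefox pref are standard; the Firefox profile location is an assumption.

```powershell
# Added example, not the deck's own steps. Profile path is an assumption.
$Domain = 'dtf.wa.gov.au'
$Site   = 'ourvirtualwls'

# IE: put http://ourvirtualwls.dtf.wa.gov.au in the Local Intranet zone (zone id 1).
$zoneKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$Domain\$Site"
New-Item -Path $zoneKey -Force | Out-Null
New-ItemProperty -Path $zoneKey -Name 'http' -Value 1 -PropertyType DWord -Force | Out-Null

# IE: Local Intranet zone logon policy (value 1A00):
#   0x00000 automatic with current credentials, 0x10000 prompt,
#   0x20000 automatic only in Intranet zone, 0x30000 anonymous.
$intranetZone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'
Set-ItemProperty -Path $intranetZone -Name '1A00' -Value 0x20000 -Type DWord

# Firefox: user.js in the profile (first profile found; assumed layout).
$profileRoot = "$env:APPDATA\Mozilla\Firefox\Profiles"
$profile = Get-ChildItem $profileRoot | Where-Object { $_.PSIsContainer } | Select-Object -First 1
if ($profile) {
    "user_pref(`"network.negotiate-auth.trusted-uris`", `"$Site.$Domain`");" |
        Add-Content -Path (Join-Path $profile.FullName 'user.js')
}
```

Both settings are keyed on the virtual host name: if users browse to the WLS machine name instead, neither mapping matches and the browser falls back to a prompt or anonymous access.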
Apps (ADF Application) configuration
Implementation Steps:
13 steps; hmmm; is this a sign?
13. Configure ADF Application Security
    Run - Configure ADF Security Wizard
    Enterprise Roles (AD) → Application Roles (ADF)
    web.xml (CLIENT-CERT hands the request to the identity asserter):
    <login-config>
      <auth-method>CLIENT-CERT</auth-method>
    </login-config>
Testing
LDAP Provider
Kinit (with keytab)
Bringing it all together
  ADF Application
  Transparent login
Wha…? I followed the Instructions!
Troubleshooting
When things just don’t go your way!
WLS Security debug
  Debug output = what java kinit shows: “Success” or e.g. “Checksum failed!”
  Don’t be fooled. Normal! (some of the noise is expected)
WLS log level – standard out
  + standard out log level >= notice
  Debug messages may not appear – due to CLIENT-CERT,FORM
Utilities checks (with verbose debug)
  Include prior options
Check AD user account
  inc SPN mapping – best to have 1 only
  Linux? Has this changed? (ktpass renames the account)
Config files
  krb5.ini krb5Login.conf config.xml
  krb5.ini – case sensitivity, syntax
  krb5Login.conf – no “krb5.” in the JGSS entry names prior to JDK 6.0
AD LDAP Provider
  base DNs, filters, search scopes
  Check with Softerra LDAP Browser / Server Admin Pack
Wireshark... – in extreme cases
Traps
Naming & Case sensitivity
  Don’t name AD account same as WLS Host
  Mind case sensitivity & syntax (especially krb5.ini)
Must be only “one” SPN URL in AD
  ldifde to check for duplicates
  setspn –D to remove bad or duplicate SPNs
Kerberos / WLS can’t find config files (krb5.ini keytab krb5Login.conf)
  Know & use default locations for them
  Try absolute paths where referenced in dependent config
  Try WLS/Host reboot
Order of WLS Providers
  Asserter followed by LDAP Provider then defaults
Use Virtual URL - not host URL
  Note: does not require a WLS Virtual Host definition – DNS only
  Configure 2nd DNS record – not DNS alias
Clear Browser cache/s
Clock Skew - AD, WLS, Client within 2mins
Does host need WA Daylight Saving patch
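Added example (not from the deck): the checks behind the Traps list, run from the WLS host or any domain-joined box with the AD command-line tools. Names are the deck's; the keytab and output paths are assumptions. Nothing here changes anything; the setspn -D line is left commented out.

```powershell
# Added example, not the deck's own commands. Paths are assumptions.
$Realm  = 'DTF.WA.GOV.AU'
$Domain = $Realm.ToLower()
$VHost  = "ourvirtualwls.$Domain"
$Spn    = "HTTP/$VHost"
$Keytab = 'C:\wls\wls.keytab'

# One SPN, one owner. A second DN here is a duplicate to remove from the wrong account.
dsquery * forestroot -filter "(servicePrincipalName=$Spn)" -attr distinguishedName
# setspn -X                           # Windows 2008+: forest-wide duplicate SPN report
# setspn -D $Spn <wrong-account>      # remove the duplicate mapping

# Same check, ldifde style: every account carrying an HTTP/ SPN, dumped to a file.
ldifde -f C:\wls\http-spns.txt -r "(servicePrincipalName=HTTP/*)" -l servicePrincipalName

# The virtual URL must resolve as its own record (not a CNAME to the host).
nslookup $VHost

# Keytab principal must match the SPN + realm character for character.
& "$env:JAVA_HOME\bin\klist.exe" -k -t $Keytab

# Clock skew against the KDC: Kerberos tolerates 5 minutes by default, the deck works to 2.
w32tm /stripchart /computer:ourkdc.$Domain /samples:3 /dataonly

# Default config locations the JDK searches when no -D property points elsewhere.
foreach ($p in "$env:WINDIR\krb5.ini", "$env:JAVA_HOME\jre\lib\security\krb5.conf") {
    "{0,-60} exists: {1}" -f $p, (Test-Path $p)
}

# Client side (Windows 7/2008 built-in klist): after the first page load a ticket for
# HTTP/ourvirtualwls... must be listed. Seeing only HOST/<wlshost> means the browser
# used the machine name, or the SPN ended up on the computer account.
klist
```

The two SPN queries are the same check from two tools; the deck mentions ldifde, and dsquery gives the answer without a file to open.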
Hints & Tips
WLS / Host reboots at critical points
Check full range of options for utilities (kinit ktab klist)
  The JDK (Java) versions of these give verbose debug output
Use CLIENT-CERT only in ADF Security for troubleshooting
  CLIENT-CERT,FORM may not produce debug message output
Use the client’s local hosts file in lieu of DNS
  Also useful to test a specific node in a Load Balanced scenario
Load Balanced / Proxy scenario - same keytab / setup on each node
  DNS/Virtual URL (for SPN) is the URL the LBR/Proxy routes
Performance hits
  Mind recursive & deep Group searching
  Check & turn off all DEBUG once happy
Multiple technologies – look outside the Oracle box
Linux – ktpass changes AD account
  Name changes to HTTP/former_name
  Mind this for kinit & krb5Login.conf setup
Job Done!
“Celebrate”
Current Status
Proof of Concept – DEV
TEST
UAT
PROD
Go Live – coming weekend
Friends?
No Problem!
SAGE Computing Services
Consulting and customised training workshops
Thankyou!
Questions?
Peace
&
Harmony
Presentations are available from our website:
www.sagecomputing.com.au
ray@sagecomputing.com.au