SSO With XI 3.0 on IIS

Similar Messages

• 10g - how to configure sso with iis-

  hi, experts, I have followed Oracle® Business Intelligence Enterprise Edition Deployment Guide to configure SSO with IIS.
  but I always meet this message.
  Not Logged In
  You are not currently logged in to the Oracle BI Server.
  If you have already logged in, your connection might have timed out, or a communications or server error may have occurred
  what steps are missing?
  how to check?

  hi, experts,
  I checked C:\OracleBIData\web\log\sawlog0.log on the obi server (windows server 2003 standard).
  at Thu Feb 17 14:48:46 2011 , I logined OBI on another machine (not via the browser on the obi server).
  however, the log shows the login user is the administrator of the obiserver (obiserver\administrator ).
  any setup on IIS are wrong? thank you very much!
  =========================================================================================
  Running job 'MinutelyMonitor' took 7422 milliseconds, 12.3% of job's frequency (60 seconds).
  Type: Error
  Severity: 40
  Time: Thu Feb 17 14:48:46 2011
  File: project/webodbcaccess/odbcconnectionimpl.cpp Line: 371
  Properties: ConnId-1,1;ThreadID-1796
  Location:
       saw.odbc.connection.open
       saw.connectionPool.getConnection
       saw.subsystem.security.checkAuthenticationImpl
       saw.threadPool
       saw.threads
  Odbc driver returned an error (SQLDriverConnectW).
  State: 08004. Code: 10018. [NQODBC] [SQL_STATE: 08004] [nQSError: 10018] Access for the requested connection is refused.
  [nQSError: 43001] Authentication failed for obiserver\administrator in repository Star: invalid user/password. (08004)
  Type: Error
  Severity: 42
  Time: Thu Feb 17 14:48:46 2011
  File: project/webconnect/connection.cpp Line: 276
  Properties: ThreadID-1796
  Location:
       saw.connectionPool.getConnection
       saw.subsystem.security.checkAuthenticationImpl
       saw.threadPool
       saw.threads
  Authentication Failure.
  Odbc driver returned an error (SQLDriverConnectW).
  ---------------------------------------

• SSO with Logon Ticket to non-SAP Unix based application

  Hi all,
  Anyone has implemented SSO with Logon Ticket to a Unix box ?
  We need to achieve Single Sign On between our EP5.0 SP5 Portal and a third-party web application with a front-end on a Unix AIX machine with Apache.
  We achieved SSO with non-SAP applications with Logon Tickets, but one was to an IIS system in another domain (we therefore used the standard Web Filter for IIS and declared it in usermanagement for cross-domain support) and another one running on Windows platform (we used the C libraries provided in the "Logon Ticket Toolkit": NT or Linux only).
  From what we understand and found on the web sites, we cannot reuse any standard web filter (none for Unix, am I correct ???) and want to implement custom code using SAP libraries, if possible using Java
  -> Are there any Java libraries that are available to both:
  . verify the logon ticket with the deployed Portal public key
  . decrypt/extract the authenticated username from this ticket ??
  I've seen a mention of Java libraries, and Unix, in a SAP EP 6.0 document but I'm not sure where to find them...
  Is the SAP Logon Ticket issued the same way in EP 5.0 and EP 6.0 ?
  I managed to find something called SAPSSOEXT, for AIX, which contains some partial library and a sample, but it is dated 2000 !! Anyone has more information about this ?
  Any hint is very much appreciated.
  Thanks a lot
  Olivier

  Check these links for reference regarding AIX and Apache using X.509 certificates:
  http://publib16.boulder.ibm.com/pseries/en_US/aixbman/security/cas_pki.htm
  And just using cookies -
  http://forums.devshed.com/archive/t-105611 (perl based)
  You can also use mod_ssl built into your Apache to facilitate both certificate based authentication as well as encryption.
  The mod_ssl route is most secure (because of the encryption), the IBM link is comprehensive but requires extra infrastructure (LDAP).
  Nick
  Nick

• SSO with KRB/ADS on Enterprise Portal 7

  Dear All
  while i am trying to configure SSO with KRB/ADS on Enterprise Portal 7 i am getting this on the trace file..completed the configuration through SpNego and when i try to log in its promting for user name password..
  i have attched the trace file extract for  your advice..
  Regards
  Buddhike
  #1.5 #001CC45E6DA0008000000004000054FC00044F76844D9013#1213270351029#com.sap.engine.services.security.authentication.logincontext#
  sap.com/com.sap.security.core.admin
  #com.sap.engine.services.security.authentication.logincontext#Guest#0####3e642d50387311ddc2a0001cc45e6da0#Thread[Thread-110,5,SAPEngine_Application_Thread[impl:3]_Group]#
  #0#0#Error#1#/System/Security/Authentication#Plain###
  LOGIN.FAILED User:N/A Authentication Stack:com.sun.security.jgss.accept
  *Login Module                                                               Flag        Initialize  Login      Commit     Abort      Details*1. com.sun.security.auth.module.Krb5LoginModule                            OPTIONAL    ok          exception             false      null#
  #1.5 #001CC45E6DA0006E00000029000054FC00044F76844D95C5#1213270351029#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#sap.com/com.sap.security.core.admin#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#Guest#0####3e669e50387311dda053001cc45e6da0#SAPEngine_Application_Thread[impl:3]_2##0#0#Error##Java###Acquiring credentials for realm KEELLS.INT failed
  [EXCEPTION]
  #1#GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)     at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)
       at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
       at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
       at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
       at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
       at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
       at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
       at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentialsInCurrentThread(ConfigurationHelper.java:236)
       at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:29)
       at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:337)
  Caused by: com.sap.engine.services.security.exceptions.BaseLoginException: Access Denied.     at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:297)
       at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:324)
       at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
       at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
       at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
       at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
       at sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
       at java.security.AccessController.doPrivileged(Native Method)
       at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
       ... 9 more
  Caused by: com.sap.engine.services.security.exceptions.BaseSecurityException: Internal server error. An error log with ID [001CC45E6DA0008000000001000054FC00044F76844D8A3F] is created. For more information contact your system administrator.
       at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:156)
       at java.security.AccessController.doPrivileged(Native Method)
       at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
       ... 23 more

  Hi,
  please check if the options defined in the KRB5LoginModule are correct.
  First of all check for the option prinicpal. Did you provide this option and also provided the correct value?
  This error often occurs if you provided a wrong value for option prinicpal
  Cheers

• SSO with ITS & Webenabling WEBGui

  Hello,
  We have configured SSO with R/3 system. It works fine.
  The requirement is, we have to webenable R/3 system thru SAP GUI For Windows and SAP GUI For HTML.
  We are able to do both on developement environment where both R/3 and portal has got the same host names.
  But in the qa environment, we are able to webenable R/3 with SAP GUI For Windows and the SSO also works fine. But when we try to using SAP GUI For Html, it asks for the username and pwd again. Here the portal and R/3 has different host names.
  Otherwise the settings in dev and test are exactly the same. Has anybody got a clue why is it not working?
  Regards,
  Rukmani

  Hi all,
  it is always good to start with a good checklist. Here is probably the best one: https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/documents/a1-8-4/sso checklist.html
  My suggestion is: do not skip even simple steps, sometimes problem appears there
  Regards,
  Pavol

• SSO with EP 6.0 and R/3 as backened not working

  Hi , 
      I am implementing ESS in EP 6.0 and r/3 4.7c as backend. SSO is working with UIPWD. but when I try with LogonTickets it does not work.
  I tried with ordinary SAP transaction SSO with logon tickets works. But through ITS if I call a ESS transaction service It asks me for login user and password.
  What are the setting to be done in ITS for SSO towork. I have set the parameter
  msapcomusesso2cookie = 1 in the global.svrc file.
  I do not know what is wrong. Please help.
  Regards,
  Ramesh

  Hi,
    I am using a standalone ITS for a R/3 4.7 system.
  How should I maintain a FQDN for ITS?
  You are right,
  now it is not of the format hostname.domain.com:port format. It is of the format hostname:port.
  But where should I change this format. The host name of the system where the ITS is setup is <hostname> only.
  can you please tell me as to where should I maintain the FQDN as the specific format you suggested.
  Regards,
  Ramesh

• SSO with SAP logon tickets to non-SAP web app

  I am trying to implement SSO to an oracle portal based web application using SAP logon tickets, but can't seem to find a way for it to work.  I thought maybe it would be a web server filter, but am unsure if this would work for oracle portal.  Anyone tried similar?
  Cindy

  Hi Cindy,
  If it is EP6 SP2 probably you can checkout the following document.
  http://service.sap.com/ep60
  Go to Documentation Help>How-To-Guides>Current How To Guides section.
  checkout the following how to guide.
  Perform Cross Domain SSO with SAP Logon tickets zip file.
  If you want the zip file please send an e-mail to
  [email protected]
  Regards
  -Venkat Malempati

• SSO with XI 3.1

  I have BO XI 3.1 SP3 installed on a Windows 2008 4 bit server. I enabled SSO with Tomcat, it is working but not all the times.
  I configured SSO, when users go to Infoview it dosen't prompt them for user credentials but this is not happening all the time. I would say 50% it doesn't, 50% it does prompt, it is not consistent. Any one has seen this problem.
  Thanks.

  What documentatin are you using, also what are the desktop OS's? SSO occurs on the client workstation and when intermittent issues occur usually it's the client however their are some best practices that are in the current documentation. KB 1483762 should be used if possible.
  Regards,
  Tim

• Jabber for Windows SSO with CWMS

  We've configured our WebEx Meetings Server 2.0 for SSO with ADFS 3.0 and it works in various browsers.  The docs for Jabber for Windows say that it can do SSO to WebEx Meetings Server but there are no details in the configuration guide and I haven't been able to get it to work. After I turn on SSO, Jabber won't authenticate with the Meetings Server.  All the guide says is
  If you configure SSO with Cisco WebEx Meetings Server, Cisco Jabber can seamlessly integrate with the SSO environment. In this case, you do not need to specify credentials in order for users to authenticate with Cisco WebEx Meetings Server.
  Any ideas?

  Hi Eric,
  No specific configuration is done on CWMS for Jabber for Windows integration. All this is done on Jabber side. I would advise you to reach out to Jabber Clients community or open a TAC ticket with Jabber for Windows team.
  -Dejan

• SSO with Hybrid Cloud-Based Deployments

  Hi
  I´m wondering, how SSO works with Hybrid Cloud-Based Deployments.
  I want to use Jabber for Windows with WebEx Connect and Unified Communications integration with Cisco WebEx.
  Questions:
  How can I configure Jabber for Windows to use SSO with WebEx Connect after Client-Installation?
  I´ve read, that SSO username with WebEx Connect will be [email protected] Correct?
  I´ve read, that I have to create a jabber-config.xml with a follows to enforce Jabber for Windows to use the Webex-Connect login credentials also for Phone Services. Correct?
  <CUCM>     <PhoneService_UseCredentialsFrom>presence</PhoneService_UseCredentialsFrom>   </CUCM>
  If this is correct, Jabber for Windows will use [email protected] to authenticate with CUCM, but CUCM would need only the username without the domain. From my point of view, Jabber for Windows will not be able to authenticate with CUCM for Phone Services.
  Any thoughts?
  thank you
  Tino

  Hi Maqsood
  Thanks for your info. I´ve tested the "PhoneService_UseCredentialsFrom" attribute in my hybrid deployment and it seems, that it effects the jabber also in this scenario: the credentials form in the jabber options menu are not displayed.
  My understanding of the admin guide is, that it should work:
  Authentication in Hybrid Cloud-Based Deployments
  If the client authentication credentials are the same as the voicemail service credentials on Cisco Unity Connection, you can specify the VoicemailService_UseCredentialsFrom parameter in the Cisco Jabber for Windowsconfiguration file. This parameter uses the client authentication credentials to access voicemail services. As a result, Cisco Jabber for Windows users do not need to enter their credentials for voicemail services in the client.
  You should ensure that the sign in credentials and voicemail service credentials are the same for the Cisco Jabber for Windows users. If you set this parameter, the Voicemail section is not available on the Phone accounts tab in the Options window.
  thanks,
  Tino

• BO XI 3.1 SP3 SSO with CMC and Webi Rich Client

  Hello,
  Is it possible in BO XI 3.1 SP3 to use SSO with CMC and Webi Rich Client ?
  It works fine with InfoView, Designer and Desktop Intelligence.
  Regards

  Hi,
  What kind of SSO authentication are you trying to set up? (AD, LDAP,...)
  I think it's AD regarding your command line.
  But be aware that in SSO, you don't need to configure the command line to run the client.
  Have a look at the following guide.
  [Configuring Manual Kerberos Authentication and-or SSO in Distributed Environments with XI 3.1 SP3.pdf|https://bosap-support.wdf.sap.corp/sap/support/sapnotes/public/services/attachment.htm?iv_key=002007204200000183782010&iv_version=0005&alt=2BCE4CB10DF674B172F4F3F7B32A284F49333135358877720E883731B332AF34CACD2AB52C0A2C8DCACA09084EF4CB494E4E0F2ECE8E2F89772908C9CE70CD2DF77675F7F2D1750C09514BCECFCFCE4C8DCF4BCC4DB5F575F4F4F3F57771F571F6F70B01B25D83D4120B0A722092A599504EB16D715E3E00&iv_guid=DF838310BFAAE8F1B486001A64C54696]
  Regarding accessing CMC with SSO, it's not recomended at all as if you break this access, than you can't connect anymore to the CMC and modify settings.
  Regards,
  Philippe
  Edited by: Philippe Tavares on Feb 15, 2011 4:11 PM

• How to configure sso with SSL step by step

  Purpose
  In this document, you can learn how to configure SSO with SSL. After user have certificate installed in browser, he can login without input username and password.
  Overview
  In this document we will demonstrate:
  1.     How to configure OHS support SSL
  2.     How to Register SSO with SSL
  3.     Configure SSO for certificates
  Prerequisites
  Before start this document, you should have:
  1.     Oracle AS 10g infrastructure installed (10.1.2)
  2.     OCA installed
  Note:
  1.     “When you install Oracle infrastructure, please make sure you have select OCA.
  2.     How Certificate-Enabled Authentication Works:
  a.     The user tries to access a partner application.
  b.     The partner application redirects the user to the single sign-on server for authentication. As part of this redirection, the browser sends the user's certificate to the login URL of the server (2a). If it is able to verify the certificate, the server returns the user to the requested application.
  c.     The application delivers content. Users whose browsers are configured to prompt for a certificate-store password may only have to present this password once, depending upon how their browser is configured. If they log out and then attempt to access a partner application, the browser passes their certificate to the single sign-on server automatically. This means that they never really log out. To effectively log out, they must close the browser.
  Enable SSL on the Single Sign-On Middle Tier
  The following steps involve configuring the Oracle HTTP Server. Perform them on the single sign-on middle tier. In doing so, keep the following in mind:
  l     You must configure SSL on the computer where the single sign-on middle tier is running.
  l     You are configuring one-way SSL.
  l     You may enable SSL for simple network encryption; PKI authentication is not required. Note though that you must use a valid wallet and server certificate. The default wallet location is ORACLE_HOME/Apache/Apache/conf/ssl.wlt/default.
  1.     Back up the opmn.xml file, found at ORACLE_HOME/opmn/conf
  2.     In opmn.xml, change the value for the start-mode parameter to ssl-enabled. This parameter appears in boldface in the xml tag immediately following.
  <ias-component id="HTTP_Server">
  <process-type id="HTTP_Server" module-id="OHS">
  <module-data>
  <category id="start-parameters">
  <data id="start-mode" value="ssl-enabled"/>
  </category>
  </module-data>
  <process-set id="HTTP_Server" numprocs="1"/>
  </process-type>
  </ias-component>
  3.     Update the distributed cluster management database with the change: ORACLE_HOME/dcm/bin/dcmctl updateconfig -ct opmn
  4.     Reload the modified opmn configuration file:
  ORACLE_HOME/opmn/bin/opmnctl reload
  5.     Keep a non-SSL port active. The External Applications portlet communicates with the single sign-on server over a non-SSL port. The HTTP port is enabled by default. If you have not disabled the port, this step requires no action.
  6.     Apply the rule mod_rewrite to SSL configuration. This step involves modifying the ssl.conf file on the middle-tier computer. The file is at ORACLE_HOME/Apache/Apache/conf. Back up the file before editing it.
  Because the Oracle HTTP Server has to be available over both HTTP and HTTPS, the SSL host must be configured as a virtual host. Add the lines that follow to the SSL Virtual Hosts section of ssl.conf if they are not already there. These lines ensure that the single sign-on login module in OC4J_SECURITY is invoked when a user logs in to the SSL host.
  <VirtualHost ssl_host:port>
  RewriteEngine on
  RewriteOptions inherit
  </VirtualHost>
  Save and close the file.
  7.     Update the distributed cluster management database with the changes:
  ORACLE_HOME/dcm/bin/dcmctl updateconfig -ct ohs
  8.     Restart the Oracle HTTP Server:
  ORACLE_HOME/opmn/bin/opmnctl stopproc process-type=HTTP_Server
  ORACLE_HOME/opmn/bin/opmnctl startproc process-type=HTTP_Server
  9.     Verify that you have enabled the single sign-on middle tier for SSL by trying to access the OracleAS welcome page, using the format https://host:ssl_port.
  Reconfigure the Identity Management Infrastructure Database
  Change all references of http in single sign-on URLs to https within the identity management infrastructure database. When you change single sign-on URLs in the database, you must also change these URLs in the targets.xml file on the single sign-on middle tier. targets.xml is the configuration file for the various "targets" that Oracle Enterprise Manager monitors. One of these targets is OracleAS Single Sign-On.
  1.     Change Single Sign-On URLs
  Run the ssocfg script, taking care to enter the command on the computer where the single sign-on middle tier is located. Use the following syntax:
  UNIX:
  $ORACLE_HOME/sso/bin/ssocfg.sh protocol host ssl_port
  Windows:
  %ORACLE_HOME%\sso\bin\ssocfg.bat protocol host ssl_port
  In this case, protocol is https. (To change back to HTTP, use http.) The parameter host is the host name, or server name, of the Oracle HTTP listener for the single sign-on server.
  Here is an example:
  ssocfg.sh https login.acme.com 4443
  2. Restart OC4J_SECURITY instance and verify the configuration
  To determine the correct port number, examine the ssl.conf file. Port 4443 is the port number that the OracleAS installer assigns during installation.
  If you run ssocfg successfully, the script returns a status 0. To confirm that you were successful, restart the OC4J_SECURITY instance:
  ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
  Then try logging in to the single sign-on server at its SSL address:
  https://host:ssl_port/pls/orasso/
       3. Back up the file targets.xml:
  cp ORACLE_HOME/sysman/emd/targets.xml ORACLE_HOME/sysman/emd/targets.xml.backup
  4. Open the file and find the target type oracle_sso_server. Within this target type, locate and edit the three attributes that you passed to ssocfg:
  ·     HTTPMachine—the server host name
  ·     HTTPPort—the server port number
  ·     HTTPProtocol—the server protocol
  If, for example, you run ssocfg like this:
  ORACLE_HOME/sso/bin/ssocfg.sh http sso.mydomain.com:4443
  Update the three attributes this way:
  <Property NAME="HTTPMachine" VALUE="sso.mydomain.com"/>
  <Property NAME="HTTPPort" VALUE="4443"/>
  <Property NAME="HTTPProtocol" VALUE="HTTPS"/>
  5.Save and close the file.
  6.     Reload the OracleAS console:
       ORACLE_HOME/bin/emctl reload
  7. Issue these two commands:
  ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
  ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
  Registering mod_osso
  1.     This command sequence that follows shows a mod_osso instance being reregistered with the single sign-on server.
  $ORACLE_HOME/sso/bin/ssoreg.sh
       -oracle_home_path $ORACLE_HOME
       -config_mod_osso TRUE
       -mod_osso_url https://myhost.mydomain.com:4443
  2.     Restarting the Oracle HTTP Server
  After running ssoreg, restart the Oracle HTTP Server:
  ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
  Configuring the Single Sign-On System for Certificates
  1.     Configure policy.properties with the Default Authentication Plugin
  Update the DefaultAuthLevel section of the policy.properties file with the correct authentication level for certificate sign-on. This file is at ORACLE_HOME/sso/conf. Set the default authentication level to this value:
  DefaultAuthLevel = MediumHighSecurity
  Then, in the Authentication plugins section, pair this authentication level with the default authentication plugin:
  MediumHighSecurity_AuthPlugin = oracle.security.sso.server.auth.SSOX509CertAuth
  2.     Restart the Single Sign-On Middle Tier
  After configuring the server, restart the middle tier:
  ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
  ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
  Bringing the SSO Users to OCA User Certificate Request URL
  The OCA server reduces the administrative and maintenance cost of provisioning a user certificate. The OCA server achieves this by authenticating users by using OracleAS SSO server authentication. All users who have an Oracle AS SSO server account can directly get a certificate by using the OCA user interface. This reduces the time normoally requidred to provision a certificate by a certificate authority.
  The URL for the SSO certificate Request is:
  https://<Oracle_HTTP_host>:<oca_ssl_port>/oca/sso_oca_link
  You can configure OCA to provide the user certificate request interface URL to SSO server for display whenever SSO is not using a sertificate to authenticate a user. After the OracleAS SSO server authenticates a user, it then display the OCA screen enabling that user to request a certificate.
  To link the OCA server to OracleAS SSO server, use the following command:
  ocactl linksso
  opmnctl stoproc type=oc4j instancename=oca
  opmnctl startproc type=oc4j instancename=oca
  You also can use ocactl unlinksso to unlink the OCA to SSO.

  I have read the SSO admin guide, and performed the steps for enabling SSL on the SSO, and followed the steps to configure mod_osso with virtual host on port 4443 as mentioned in the admin guide.
  The case now is that when I call my form (which is developed by forms developer suite 10g and deployed on the forms server which is SSO enabled) , it calls the SSO module on port 7777 using http (the default behaviour).
  on a URL that looks like this :
  http://myhostname:7777/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=.......
  and gives the error :
  ( Forbidden
  You don't have permisission to access /sso/auth on this server at port 7777)
  when I manually change the URL to :
  https://myhostname:4443/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=.......
  the SSO works correctly.
  The question is :
  How can I change this default behaviour and make it call SSO on port 4443 using https instead ?
  Any ideas ?
  Thanks in advance

• How to use SSO with Forms application

  Can somebody explain, how can we configure the SSO with Forms application.
  I have two application server instances. One for infrastructre and Other for application.
  Thanks

  Have a look at http://www.oracle.com/technology/products/forms/pdf/10g/frm10gsso.pdf and http://download-uk.oracle.com/docs/cd/B14099_19/web.1012/b14032/sso.htm#i1006721

• Weblogic SSO with AD - My Try - What's wrong?

  Dear All
  I'm trying to setup Weblogic to Authenticate using AD and have SSO with a Windows workstation(joined to the domain).
  I just setup an Active Directory(Win2K3), a Windows XP(SP2) and a Linux System(CentOS5) with Weblogic 10.3.
  I'm wondering what is wrong with my configuration. I can only logon on Adminstration Console using weblogics local users, and even with entering username(those which created on AD) and password AD Authentication does not work.
  Anyone has simliar experiance or any clue?
  Appreciated
  TIA
  Cheers
  Here is the setup:
  The domain is: example.com and machines are: dc.example.com (AD), winclient.example.com (Windows XP joined to the example.com domain) and weblogic.example.com (CentOS with Weblogic 10.3 installed)
  The hosts file on all three machines are filled with their FQDN, Machine Name and corresponding IP addresses. They all have ping working successfully between each two of them. Firewalls are checked to be off.
  These are the steps I came through based on documentation I could found on the net:
  h1. 0. Configuring Your Network Domain to Use Kerberos
  In Linux Machine(Weblogic Server) edit Kerberos configuration file for appropriate values:
  */etc/krb5.conf*
  \[logging\]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
  \[libdefaults\]
  default_realm = EXAMPLE.COM
  default_tkt_enctypes = des-cbc-crc
  default_tgs_enctypes = des_cbc_crc
  dns_lookup_realm = false
  dns_lookup_kdc = false
  ticket_lifetime =28800
  forwardable = yes
  \[realms\]
  EXAMPLE.COM = {
  kdc = 192.168.1.193:88
  admin_server = dc
  default_domain = EXAMPLE.COM
  \[domain_realm\]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM
  \[kdc\]
  profile = /var/kerberos/krb5kdc/kdc.conf
  \[appdefaults\]
  autologin = true
  forward = true
  forwardable = true
  encrypt = true
  pkinit = {
  allow_pkinit = false
  h1. 1. Create two users on AD: "New->User" with "User must change password at next logon" option cleared (not tidked)
  weblogic (for weblogic service) (with password = "password1")
  weblogicusr (the user which should access Weblogic Administration Console) ("password2")
  * Note that group membership of these two users are left default.(Domain Users)
  h1. 2. For "weblogic" & "weblogicusr" user set these Account Optiones:
  - Use DES encryption types for this account (ticked)
  - Do not require Kerberos preauthentication (cleared)
  * then reset the password again for "weblogic" (with password = "password1") and "weblogicusr" (with "password2").
  h1. 3. Create Service Principal Names for Weblogic Server and User on Win2K3 machine:
  - >setspn -a host/weblogic.example.com weblogic
  - >setspn -a HTTP/weblogic.example.com weblogic
  here is the result
  C:\Documents and Settings\Administrator.DC>setspn -L weblogic
  Registered ServicePrincipalNames for CN=weblogic,CN=Users,DC=example,DC=com:
  HTTP/weblogic
  host/weblogic
  HTTP/weblogic.example.com
  host/weblogic.example.com
  and
  - >setspn -a HTTP/weblogic.example.com weblogicusr
  and the result
  C:\Documents and Settings\Administrator.DC>setspn -L weblogicusr
  Registered ServicePrincipalNames for CN=Weblogic User,CN=Users,DC=example,DC=com:
  HTTP/weblogicsrv.example.com
  HTTP/weblogicsrv
  h1. 4. Create the keytab file for Weblogic Server:
  On AD machine issue:
  (ktpass from MS Windows Support Tools)
  >ktpass -princ host/[email protected] -pass password1 -mapuser weblogic -out c:\temp\weblogic.host.keytab
  >ktpass -princ HTTP/[email protected] -pass password1 -mapuser weblogic -out c:\temp\weblogic.HTTP.keytab
  (ktab from JRE 6)
  >ktab -k c:\temp\weblogic.keytab -a [email protected]
  Password for [email protected]:*password1*
  Done!
  Service key for [email protected] is saved in c:\temp\weblogic.keytab
  ** Note I could not kinit successfully merely with weblogic.host.keytab and/or weblogic.HTTP.keytab, I got this error +"Key table entry not found while getting initial credentials"+ how ever the keytab I created using ktab("weblogic.keytab") works fine in this case, so I decided to merge whole three of them into a keytab.
  >\[root@weblogic keytabs\]# kinit -k -t weblogic.host.keytab [email protected]
  >kinit(v5): Key table entry not found while getting initial credentials
  h1. 5. Port and Merge keytabs
  Then I ported these three files to the Linux Machine(weblogic.example.com): weblogic.host.keytab, weblogic.HTTP.keytab and weblogic.keytab
  and merged into one keytab:
  ktutil: "rkt weblogic.host.keytab"
  ktutil: "rkt weblogic.HTTP.keytab"
  ktutil: "rkt weblogic.keytab"
  ktutil: "wkt weblogic-keytab"
  ktutil: "q"
  * then put the result keytab "weblogic-keytab" somewhere in Weblogic Path:
  >/root/bea/user_projects/domains/base_domain/kerberos
  h2. 5.1 Test the keytab and kerberos configuration
  >\[root@weblogic keytabs\]# kinit -k -t weblogic-keytab [email protected]
  >\[root@weblogic keytabs\]# klist
  >Ticket cache: FILE:/tmp/krb5cc_0
  >Default principal: [email protected]
  >
  >Valid starting Expires Service principal
  >09/04/09 16:16:42 09/05/09 00:16:42 krbtgt/[email protected]
  >
  Kerberos 4 ticket cache: /tmp/tkt0
  klist: You have no tickets cached
  h1. 6. Creating a JAAS Login File
  Create krb5Login.conf and put it in here: "/root/bea/user_projects/domains/base_domain/kerberos/"
  krb5Login.conf
  com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  principal=*"[email protected]"* useKeyTab=true
  keyTab=*/root/bea/user_projects/domains/base_domain/kerberos/weblogic-keytab* storeKey=true;
  com.sun.security.jgss.accept {
  com.sun.security.auth.module.Krb5LoginModule required
  principal=*"[email protected]"* useKeyTab=true
  keyTab=*/root/bea/user_projects/domains/base_domain/kerberos/weblogic-keytab* storeKey=true;
  h1. 7. Modify startup options
  add these option to "/root/bea/user_projects/domains/base_domain/bin/startWebLogic.sh"
  h2. 7.1 Kerberos
  -Djava.security.krb5.realm=EXAMPLE.COM
  -Djava.security.krb5.kdc=dc.example.com
  -zjava.security.auth.login.config=$PATHTOKRB/krb5Login.conf
  -Djavax.security.auth.useSubjectCredsOnly=false
  -Dweblogic.security.enableNegotiate=true h2. 7.2 Debug
  -DDebugSecurityAdjudicator=true
  -Dweblogic.debug.DebugSecurityAtn=true
  -Dsun.security.krb5.debug=true
  -Dweblogic.StdoutDebugEnabled=true";
  -Dweblogic.log.StdoutSeverity=Debugh1. 8. Configuring the Identity Assertion Provider
  In Weblogic Administration I created a Security Realm called "example.com" with everything default and made it default. Then restarted the Weblogic Server.
  Again in Administation Console did this to example.com Security Realm:
  h2. 8.1 -> Prividers: Add 3 Providers
  Negotiate     WebLogic Negotiate Identity Assertion provider     1.0
       DIA     WebLogic Identity Assertion provider     1.0
       AD     Provider that performs LDAP authentication     1.0 (Active Directory provider)
       Default     WebLogic Authentication Provider     1.0
  h2. 8.2 -> Change the default parameters
  h3. 8.2.1 Negotiate     WebLogic Negotiate Identity Assertion provider
  -> Base64 Decoding Required: false (No Change, but shouldn't it be true and how to change?)
  -> Form Based Negotiation Enabled: Removed the tick
  h3. 8.2.2 DIA     WebLogic Identity Assertion provider (no changes)
  (no changes)
  h3. 8.2.3 AD     Provider that performs LDAP authentication (Active Directory provider)
  -> Control Flag: *SUFFICIENT*
  -> User Name Attribute: *sAMAccountName*
  -> Principal: *HTTP/[email protected]*
  -> Host: *192.168.1.193*
  -> User Base DN: *CN=Users,DC=example,dc=com*
  -> Propagate Cause For Login Exception: *ticked*
  -> Group Base DN: *CN=Users,DC=example,dc=com*
  -> Credential: *password1*
  * others left with their default values.
  h1. 9. Configuring an Internet Explorer Browser
  On Windows XP machine (winclient.example.com):
  h2. 9.1 Configure Local Intranet Domains
  - In Internet Explorer, Tools > Internet Options -> the Security tab -> Local intranet -> Sites:
  > "Include all sites that bypass the proxy server" *ticked*
  > "Include all local (intranet) sites not listed in other zones" *ticked*
  - then in -> Advanced Dialog Box added this:
  > weblogic.example.com
  h2. 9.2 Configure Intranet Authentication
  - In Internet Explorer, Tools > Internet Options -> the Security tab -> Local intranet -> Custome Level:
  > In the Security Settings dialog box -> the User Authentication section.
  > "Automatic logon only in Intranet zone" *ticked*
  h2. 9.3 The Proxy Settings
  No proxies are enabled
  h2. 9.4 Enable Integrated Windows Authentication
  - In Internet Explorer, Tools > Internet Options -> Advanced tab -> Security section:
  > "Enable Integrated Windows Authentication" *ticked* by default
  Edited by: Mehdi Sarmadi on Sep 4, 2009 5:51 AM

  I found something in Logfile:
  <Sep 4, 2009 6:17:39 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <LDAP Atn Login username: weblogicusr>
  <Sep 4, 2009 6:17:39 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <new LDAP connection to host 192.168.1.193 port 389 use local conne
  ction is false>
  <Sep 4, 2009 6:17:39 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <created new LDAP connection LDAPConnection { ldapVersion:2 bindDN:
  ""}>
  <Sep 4, 2009 6:17:39 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <connection failed netscape.ldap.LDAPException: error result (49);
  80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece^@>
  <Sep 4, 2009 6:17:39 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <[Security:090294]could not get connection>
  According to this post: Re: WL10.3 and SSO and Active Directory
  a correct ldap connection should look like this:
  <LDAP Atn Login username: Administrator>
  <userExists? user:Administrator>
  <new LDAP connection to host 10.10.0.254 port 389 use local connection is false>
  <created new LDAP connection LDAPConnection { ldapVersion:2 bindDN:""}>
  <connection succeeded>
  *<getConnection return conn:LDAPConnection {ldaps://10.10.0.254:389 ldapVersion:3 bindDN:"HTTP/[email protected]"}>
  <getDNForUser search("CN=Users,DC=DOMAIN,dc=local", "(&(&(cn=Administrator)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>xist>*
  Moreover, I turned AD's debug logging and this is what happens when I try to login with a AD user: Why "Anonymous Logon"?!
  Event Type:     Information
  Event Source:     NTDS LDAP
  Event Category:     LDAP Interface
  Event ID:     1535
  Date:          9/4/2009
  Time:          6:47:07 PM
  User:          NT AUTHORITY\*ANONYMOUS LOGON*
  Computer:     DC
  Description:
  Internal event: The LDAP server returned an error.
  Additional Data
  Error value:
  80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece
  Any help would be greatly appreciated

• What about the security we support when the BIA is not SSO with EBS

  For the following security mode, if all of them need the SSO with EBS?
  Operating Unit-Based Security for Oracle EBS
  Inventory Org-Based Security for Oracle EBS
  Ledger-Based Security for Oracle EBS
  Business Group Org-Based Security for Oracle EBS
  HR Org-Based Security for Oracle EBS
  Human Resource Personnel Data Analyst Security for Oracle EBS
  Employee-Based Security for Oracle EBS

  well you could do the security in OBIEE as well, but why shouldn't you use SSO?