OAM11g-WNA and OVD
Hello, I'm trying to test out OAM11g/WNA (Windows Native Authentication without IIS). I have OVD configured as the primary Identity Store, virtualizing against 4 AD domains. Most of the documents/blogs around this topic point to creating an AD identity store with the associated Kerberos configuration in OAM. Can I get the Kerberos authentication to pass through OVD and avoid creating an AD identity store? Though OAM 11.1.1.5 supports multiple identity stores, since I have 4 domains, keeping separate krb5.conf files and combining the SPN file seems to get complicated. Has anyone tried this? Please share your thoughts.
Thanks,
Sunil.
Hi
I have configured multiple Authn schemes with unique krb5 and keytab files for 2 domains (I'm assuming it will scale to n domains) without issue; it works fine assuming you have multiple policies, each using its own scheme. I'm now trying to work out if I can use a single policy and a single custom Authn module to determine the source domain and use the appropriate krb5/keytab files. Any ideas?
Thanks
Roman
Similar Messages
-
URGENT! Configuring WNA and keytab problems
Hi, I've configured OAS10g integration with AD successfully and am able to map the users successfully from AD to OID. The external authentication plugin is working as well. However, I am having problems configuring WNA and am getting the following errors in the OC4J_SECURITY logfile:
08/01/06 13:18:44 Getting creds for HTTP/[email protected]...
08/01/06 13:18:44 Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null KeyTab is /san/oas10g/oracle/product/10gas_infra/j2ee/OC4J_SECURITY/config/oraprda01.keytab refreshKrb5Config is false principal is HTTP/oraprda01.mpx.biz tryFirstPass is false useFirstPass is false storePass is false clearPass is false
principal's key obtained from the keytab
08/01/06 13:18:44 principal is HTTP/[email protected]
08/01/06 13:18:44 [Krb5LoginModule] authentication failed
Pre-authentication information was invalid (24)
08/01/06 13:18:44 KerberosAuthenticator: GSSException raised in constructor - No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
08/01/06 13:18:44 GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
08/01/06 13:18:44 at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)
08/01/06 13:18:44 at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
08/01/06 13:18:44 at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
08/01/06 13:18:44 at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
08/01/06 13:18:44 at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
08/01/06 13:18:44 at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
08/01/06 13:18:44 at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
08/01/06 13:18:44 at oracle.security.jazn.oc4j.KerberosAuthenticator.<init>(Unknown Source)
08/01/06 13:18:44 at oracle.security.jazn.oc4j.RealmUserManager.getHttpAuthenticator(Unknown Source)
08/01/06 13:18:44 at oracle.security.jazn.oc4j.FilterUserManager.getHttpAuthenticator(Unknown Source)
08/01/06 13:18:44 at com.evermind.server.http.HttpApplication.initAuthenticator(HttpApplication.java:5371)
08/01/06 13:18:44 at com.evermind.server.http.HttpApplication.initDynamic(HttpApplication.java:980)
08/01/06 13:18:44 at com.evermind.server.http.HttpApplication.<init>(HttpApplication.java:549)
08/01/06 13:18:44 at com.evermind.server.Application.getHttpApplication(Application.java:890)
08/01/06 13:18:44 at com.evermind.server.http.HttpServer.getHttpApplication(HttpServer.java:707)
08/01/06 13:18:44 at com.evermind.server.http.HttpSite.initApplications(HttpSite.java:625)
08/01/06 13:18:44 at com.evermind.server.http.HttpSite.setConfig(HttpSite.java:278)
08/01/06 13:18:44 at com.evermind.server.http.HttpServer.setSites(HttpServer.java:278)
08/01/06 13:18:44 at com.evermind.server.http.HttpServer.setConfig(HttpServer.java:179)
08/01/06 13:18:44 at com.evermind.server.ApplicationServer.initializeHttp(ApplicationServer.java:2394)
08/01/06 13:18:44 at com.evermind.server.ApplicationServer.setConfig(ApplicationServer.java:1551)
08/01/06 13:18:44 at com.evermind.server.ApplicationServerLauncher.run(ApplicationServerLauncher.java:92)
08/01/06 13:18:44 at java.lang.Thread.run(Thread.java:534)
08/01/06 13:18:44 Caused by: javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)
08/01/06 13:18:44 at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:585)
08/01/06 13:18:44 at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:475)
08/01/06 13:18:44 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
08/01/06 13:18:44 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
08/01/06 13:18:44 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
08/01/06 13:18:44 at java.lang.reflect.Method.invoke(Method.java:324)
08/01/06 13:18:44 at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
08/01/06 13:18:44 at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
08/01/06 13:18:44 at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
08/01/06 13:18:44 at java.security.AccessController.doPrivileged(Native Method)
08/01/06 13:18:44 at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
08/01/06 13:18:44 at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
08/01/06 13:18:44 at sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
Our setup is such that the SSO hostname is oraprda01.mpx.biz but the AD/KDC realm is AD.MULTIPLEX.BIZ. I found http://www.oracle.com/technology/obe/obe_as_10g/im/wna/wna.htm and we have more or less the same situation so it should work but it doesn't. I've already got this working in the test environment but the SSO hostname there is gfradev01.ad.multiplex.biz. Note that it has the same domain name as the AD realm.
Doing a kinit without using the keytab file works for HTTP/[email protected] but when I use the keytab file, I get the pre-authentication error.
Can anyone advise as to how we can make this work? Are there extra setups which need to be done on the AD server which Oracle did not document?
Thank you very much,
Abigail
If urgent, contact Support.
Is the account option ‘Do not require Kerberos preauthentication’ checked? (See Microsoft KB 832572.)
In addition: metalink Note: 466288.1
Message was edited on 1-feb-2008 by: Frank van Bortel -
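Both the thread above (a keytab the KDC rejects with "Pre-authentication information was invalid (24)", Kerberos error code KDC_ERR_PREAUTH_FAILED) and the multi-domain question at the top of the page (one keytab per AD domain versus a combined SPN file) come down to knowing exactly what a keytab contains. The Python script below is an added example, not code from either thread or from Oracle: it decodes the MIT keytab file format (version 0x0502), lists every service principal with its key version number (kvno) and encryption type, and flags principals whose keys span more than one kvno, which is what a keytab looks like when the AD account's password was reset after the keytab was generated. The realms, host name and key bytes in the sample are constructed placeholders.

```python
"""Inspect an MIT-format Kerberos keytab (version 0x0502): principals, kvno,
enctypes, and principals carrying keys under more than one kvno.
The sample keytab is built in this script; realms, host and keys are placeholders."""
import struct
from dataclasses import dataclass

# Encryption type numbers (RFC 3961/3962 and RC4) commonly seen in AD keytabs
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}


@dataclass
class KeytabEntry:
    principal: str   # "service/host@REALM"
    kvno: int
    enctype: int
    timestamp: int

    @property
    def enctype_name(self) -> str:
        return ENCTYPE_NAMES.get(self.enctype, "enctype-%d" % self.enctype)


def _counted_octets(buf: bytes, off: int):
    """Read a 16-bit big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data: bytes) -> list:
    """Decode every live entry of a version-2 (0x0502) keytab; keys are skipped, not returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:              # a negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted_octets(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted_octets(data, off)
            comps.append(comp.decode())
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, off)  # name type, time, 8-bit kvno
        off += 9
        (enctype,) = struct.unpack_from(">H", data, off)
        off += 2
        _key, off = _counted_octets(data, off)
        kvno = vno8
        if end - off >= 4:        # optional 32-bit kvno overrides the 8-bit field when non-zero
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype, ts))
    return entries


def stale_kvnos(entries) -> dict:
    """Principals whose keys span several kvnos: an older key left from a previous password set."""
    seen = {}
    for e in entries:
        seen.setdefault(e.principal, set()).add(e.kvno)
    return {p: sorted(v) for p, v in seen.items() if len(v) > 1}


def build_keytab(records) -> bytes:
    """Serialize (principal, kvno, enctype, key) tuples; used here only to construct the sample."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in records:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp 0, vno8
        body += struct.pack(">H", enctype) + struct.pack(">H", len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample: one SPN registered in two placeholder realms, plus a stale
# kvno-4 key still present for the second realm. Key bytes are dummies.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/sso.example.test@AD1.EXAMPLE.TEST", 3, 23, b"\x11" * 16),
    ("HTTP/sso.example.test@AD2.EXAMPLE.TEST", 5, 18, b"\x22" * 32),
    ("HTTP/sso.example.test@AD2.EXAMPLE.TEST", 4, 18, b"\x33" * 32),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%s  kvno=%d  %s" % (e.principal, e.kvno, e.enctype_name))
    print("stale:", stale_kvnos(parse_keytab(SAMPLE_KEYTAB)))
```

To inspect a real file, call parse_keytab(open(path, "rb").read()); the key material is read past but never printed. A healthy keytab for the multi-domain setup shows one principal per realm and, within a realm, a single kvno across its encryption types; a principal listed under two kvnos, or a kvno that no longer matches the account in AD, is the first thing to rule out when the KDC answers with error 24.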
Hi,
It appears OVD did not make it into the Oracle Fusion Middleware Identity Management 11gR2 release. The latest version available is still the one included in the Oracle Fusion Middleware Identity Management 11gR1 release. Is that correct?
If so, I have a deployment of Oracle Access Manager 11gR2, which I'd like to integrate with OVD. Does this situation mean that I must deploy another entire WebLogic domain for the Oracle Fusion Middleware Identity Management 11gR1 release? Or is it possible to somehow install the 11gR1 version of OVD into the 11gR2 instance I've already got?
- Jim
Yes, the latest version of OVD available is 11.1.1.6 (11g R1). You may use this version with OAM 11gR2.
OVD 11.1.1.6 uses WebLogic 10.3.6 and OAM 11g R2 also uses the same WebLogic version. Please let me know if you are on some other version of WLS.
As per best practice, try to keep the OAM and OVD in separate WLS domains. -
OID External Authentication Plug-in and OVD
Hello, ppl.
I have successfully installed AD, OVD (11g), OID (10g), and BI Publisher with SSO (10g).
When I synchronize AD -> OID and use the External Auth Plug-in, synchronized users can successfully log in to BI Publisher.
When I synchronize AD -> OID through OVD and use an External Auth Plug-in which looks in AD, synchronized users can successfully log in to BI Publisher.
But when I synchronize AD -> OID through OVD and switch the External Auth Plug-in from AD to OVD, synchronized users cannot log in to BI Publisher.
How can I use the External Auth Plug-in with OVD? Does anyone have a solution?
In the future, OVD can contain multiple forests from ADs; for now AD has one forest (dc).
Help :)
Thanks.
Jeff.
I wrote a custom plug-in for OVD.
When a user binds, it writes a log...
OVD bind commands:
1) ldapbind -h <OVD_HOST> -p 6501 -D "[email protected]" -w Oracle10g
ldap_bind: Invalid credentials
2) ldapbind -h <OVD_HOST> -p 6501 -D "cn=smith,cn=users,dc=domain,dc=local" -w Oracle10g
bind successful
3) ldapbind -h <OVD_HOST> -p 6501 -D "cn=smith,cn=users,dc=domain,dc=local" -w Oracle10g2
ldap_bind: Invalid credentials
AD bind commands:
1) ldapbind -h <AD_HOST> -p 389 -D "[email protected]" -w Oracle10g
bind successful
2) ldapbind -h <AD_HOST> -p 389 -D "cn=smith,cn=users,dc=domain,dc=local" -w Oracle10g
bind successful
In my log file for the OVD bind commands, only the second and third commands were written.
Does anyone know why the first command did not bind and why it was not logged?
    public void bind(Chain chain, Credentials creds, DirectoryString dn, BinarySyntax password, Bool result) throws DirectoryException, ChainException {
        // pre bind
        try {
            chain.nextBind(creds, dn, password, result);
        } catch (DirectoryException e) {
            try {
                // open in append mode, otherwise every bind overwrites the previous log line
                FileWriter out = new FileWriter("c://mylogs//bind_error.txt", true);
                out.write("bind: " + dn.toString() + "\n");
                out.close();
            } catch (IOException ioe) {
                ioe.printStackTrace();
            }
            throw e; // re-throw so the failed bind is still reported to the client
        }
        // post bind
        try {
            FileWriter out = new FileWriter("c://mylogs//bind.txt", true);
            out.write("bind: " + dn.toString() + "\n");
            out.close();
        } catch (IOException ioe) {
            ioe.printStackTrace();
        }
        ...
    } -
Hi,
We are trying to configure multi-domain WNA using OAM 11.1.1.5.2. WNA works fine with one domain and fails with the other i.e., if the user logs in to windows with second domain, the authentication fails and we see the KDC is sending NTLM token instead of SPNEGO token and hence the authentication fails. Has anyone tried multi-domain WNA using OAM 11g ? Any ideas/suggestions on how to configure this ??
Thanks
Hi
I have configured multiple Authn schemes with unique krb5 and keytab files for 2 domains (I'm assuming it will scale to n domains) without issue; it works fine assuming you have multiple policies, each using its own scheme. I'm now trying to work out if I can use a single policy and a single custom Authn module to determine the source domain and use the appropriate krb5/keytab files. Any ideas?
Thanks
Roman -
Oam11g and oim 9.1.0.2 SSO
anyone done sso with oam11g and oim 9.1.0.2?
I seem to be having an issue where OAM11g sessions and header variables are not getting over.
Hi,
Can you provide more details ?
Thanks
GK -
Oracle Enterprise User, OVD and MS Active Directory (AD)
Hi,
I need to authenticate Oracle Users from MS Active Directory.
If I create an Oracle Enterprise User, can I just use OVD or do I need also OID ?
If the answer is yes (I just need OVD), do I need to install only OVD, or do I need any other installation from OIM in order for it to work?
Thanks in advance for answering this post : )
CMT
Hi,
I am not sure that you are correct.
In the meantime, someone mentioned a white paper to read: "Directory Services Integration with Database Enterprise User Security". On page 10 it mentions a scenario: EUS deployment using Active Directory and OVD (without OID).
The cons mentioned are: need to extend the AD schema to include EUS meta-data (which I am not sure how it's done). -
OVD 11G, OID 11G and WebApplication - opmnctl
Hi Guys,
My understanding was that OID and OVD were web applications.
Surprisingly, it seems that it is a combination of a webapp and something else.
In fact, I don't think opmnctl fits into the web container.
Can you please clarify my understanding of these 2 products ?
I wanted to try to make 2 instances of the same product on 1 VM (2 JVMs).
- By using WebLogic clustering only, is this feasible? (Or is opmnctl not going to be clustered?)
- If not, how can I make sure to have 1 cluster of WebLogic + opmnctl on 1 VM?
Thank you.
Contrary to intuition, OVD 11g is not a J2EE application; it is a standalone J2SE server. Therefore, WebLogic clustering is not relevant for OVD fail-over. opmnctl is a utility to start, stop and query the status of many applications, of which OVD can be one.
-
How to deploy EUS using OVD with existing active directory ?
Hi,
I am new to Oracle FMW and want to explore more of it.
I have an existing MS Active Directory with users and group policies defined there, and I need to implement a solution for all users to authenticate to the Oracle Database (11gR2) via AD.
After searching and reading some docs I came to know that it can be done by "EUS deployment using AD and OVD".
Now I am a bit confused about where to start. Please guide me. My env is as follows:
I have an existing MS AD server (win2003) and Oracle Database 11gR2 on HP-UX. So do I need another server (Win2003/2008) to install OVD, or can I install OVD on the existing AD server?
What software exactly is required to install OVD? I have downloaded the software from the eDelivery site: "Oracle Identity and Access Management 11g (11.1.1.7.0)".
Is it the same or do I need to download another one?
Check this:
Installing and Configuring Oracle Virtual Directory
OIM Image: OID and OVD 11g Basic Install Steps
Oracle® Fusion Middleware
Middleware Technologies : Installing Oracle Virtual Directory -
Enable SSO APEX 4 and MS Active Directory
Hi,
I want enable SSO on my APEX applications. Actually, we use Microsoft Active Directory and Windows 2003 (tomorrow maybe Windows 2008).
Regarding your experiences, what is the best solution that I can use in order to implement SSO?
Thanks for your help,
I forgot to give this information:
- Our Oracle Server is under Linux.
- We use Oracle Database 11GR2.
- Our domain controller is under Windows 2003 (we will probably upgrade to 2008 this year).
- Our APEX version is 4.1.0.00.32.
Edited by: user7224400 on 3 Feb. 2012 16:23
Morten -- Interesting. I wish we had found that before we implemented WebLogic and the APEX listener; it may have been an interesting other option to consider. I'm not sure it would have made it past our change control folks as they might bark at the supportability/security, but it is an intriguing option.
Patrick -- (You have a great blog by the way.). We are talking about upgrading our APEX 3.1 instances this year so I am very interested in the new authentication type. Is it doing anything other than simply retrieving the logon_user? i.e., is it actually authenticating against anything or would it just read the logon_user and let them in if they matched a known username?
AJ -- We just converted from Oracle Portal last year. When I had Oracle Portal, I had it setup to use Windows Native Authentication following the supported solution for that and then had APEX set up as a partner application for portal. So if someone hit portal first, they'd automatically logon as their active directory user through WNA and would be dropped into portal. If they then hit a link for APEX in portal, it would (in rapid succession) go to APEX, redirect back to the portal SSO server, see they were authenticated in app server, and drop them into APEX with barely a visible screen flicker. It worked flawlessly UNTIL we started upgrading to Windows 7. Then a number of changes and patches are required to get WNA to work with app server 10g and Windows 7. If you are using portal in your 10g IAS, you may want to consider that route.
Pardon me while I hop on my soapbox briefly -- I think if our friends in Oracle land could come out with a fully supported method of using NTLM or similar technologies to automatically log in to APEX applications, it would help considerably in the adoption of APEX and the APEX listener in customers that have Oracle databases and Active Directory, which is a pretty decent size market.
Ok, soapbox moment ended. :-)
Rgds/Mark M. -
Hi ,
I am new to OIM and OAM. Currently in my project they are using OID and OVD.
The difference between OID and OVD is that in OVD there is no database repository.
My question is: OID is already there, so why are we using OVD?
Could any one please explain.
Thanks in advance.
Regards,
Ravi.
You don't need to use OVD if you don't need it. OVD allows you to present multiple LDAP resources as if they were one. For example, you could configure OIM/OAM to look at OVD which presents a virtual view of your OID and WebLogic embedded LDAP, so no matter whether the user is in OID or WebLogic, they can authenticate. Similarly, if you have other LDAP repositories like ODSEE or AD, you could do something similar.
-
Installing OID, OVD on 11g Linux system
Hi,
I have installed OIM11g (db, rcu,wl server,oim server, soa server) on linux 5.7
I would like to install OID and OVD ON THIS.
Can you please provide me the some steps to install these and also the order in which I need to install these?
I am thinking the below order.
1) Access manager & Adaptive access manager with LDAP sync
2) OID
3) OVD
4) Http server
5) Webtier
6) Webgates
Is this the correct order? Please let me know.
Hi Kevin,
I have successfully installed OID now by following your suggestion.
1) Installed wlserver 10.3.6 as a new middleware home
2) Installed IDM 11.1.1.6
3) Configured just OID.
Now, I am trying to create a new connection in odsm to login into it using the below values but it is saying "incorrect credentials".
Directory type - OID
Name: OID_Instance
Server: localhost
Port: 7005
SSL: unchecked
username:cn=oracladmin
Password: Passw0rd
Start page: Data Browser
Please help me.
Here is my configuration file.
Middleware Home Location : /u01/Oracle/Middleware_1036
Oracle Instance Location : /u01/Oracle/Middleware_1036/Instances
Oracle Instance : OID_Instance
Domain Option : Create Domain
Domain Name : odsm_domain
Domain Home : /u01/Oracle/Middleware_1036/user_projects/domains/odsm_domain
Domain Host Name : myserver.home.com
Domain Port : 7002
Weblogic Console : http://myserver.home.com:7002/console
Weblogic User Name : weblogic
Automatic Port Detection : true
Enterprise Manager :
http://myserver.home.com:7002/em
Enterprise Manager Agent
http://myserver.home.com:5162/emd/main
Oracle Internet Directory
Oracle Directory Services Manager :
http://myserver.home.com:7005/odsm/faces/odsm.jspx -
I always hear these things from Oracle: OAM, OIM, OID and OVD. Are they the same thing? If not, I believe they are related since people always mention them together; then what's the relationship? Please clarify.
I'm new to Oracle identity management products. Please let me know if there are any other products closely related to the above in this family.
Thanks
Hi,
Each one performs a specific role; you could say they are interdependent when it comes to implementation.
OAM -> Oracle Access Manager = performs authentication and authorization of web-based and non-web-based resources by protecting them.
OIM -> Oracle Identity Manager = manages the identities of an organisation, integrating and provisioning (giving access) to various applications and single sign-on.
OID -> Oracle Internet Directory = one of the directory servers, like Sun Directory Server or AD, for managing user data.
OVD -> Oracle Virtual Directory = a virtual directory server which provides only a view over multiple directory servers.
Please go through oracle docs for more info.
Thanks,
Ragu. -
Finding existing allocated object ID numbers in OID & OVD
Is there any way to find the object IDs that are already used in OID and OVD?
I need to create some new attributes - so I'll need to assign new object IDs to these attributes - and I want these to continue on from IDs that have previously been assigned (and obviously, be different numbers).
I can see that I can use the Oracle Directory Services Manager to find the Object ID for each individual attribute we already have set up by clicking on each individual attribute in the Schema tab, but given that we have a couple of thousand attributes, that's not very practical.
Is there some other way to view the allocated Object IDs via the DSM, or some query I can run on the OID & OVD databases?
Thanks
Actually, the fact that it's a string works for me here, since my custom formatter expects a string.
That's the one last thing I'm confused about. Following the example I got from a book, I made my formatter. And it was the place I got the "myNumber" thing. So how would I modify my FractionFormatter.as to eliminate the need to pass the string from the main file (if I understand correctly):
    package myComponents {
        // Import base Formatter class
        import mx.formatters.Formatter;

        public class FractionFormatter extends Formatter {
            // Declare the variable to hold the pattern string.
            public var myNumber:String;

            // Constructor
            public function FractionFormatter() {
                // Call base class constructor.
                super();
            }

            // Override format().
            override public function format(value:Object):String {
                // Validate value - it must be a nonzero length string.
                if (value.length == 0) {
                    // Return empty string and error message for zero-length string.
                    error = "Zero Length String";
                    return "";
                }
                // If the value is valid, format the string.
                switch (myNumber) {
                    case ".25":
                        return "1/4";
                    case ".5":
                        return "1/2";
                    case ".75":
                        return "3/4";
                    case "1":
                        return "1";
                    case "1.25":
                        return "1 1/4";
                    default:
                        // myNumber is not one of the known fractions:
                        // return empty string and set the error message.
                        error = "Invalid Format String";
                        return "";
                }
            }
        }
    } -
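For the schema question above (finding which attribute OIDs are already allocated in OID and OVD), the directory's subschema entry at cn=subschemasubentry returns every attributeTypes definition in a single base-scope search, so the numeric OIDs can be collected from that output instead of being clicked through one attribute at a time in ODSM. The Python script below is an added example, not code from the thread or from Oracle: it parses that LDIF, joins the wrapped continuation lines that ldapsearch emits for long definitions, maps each numeric OID to its NAME, and computes the next unused number directly under a chosen arc. The sample LDIF and the enterprise arc 1.3.6.1.4.1.99999 are constructed placeholders.

```python
"""Collect the attribute-type OIDs already allocated in an LDAP subschema and
pick the next free number under a private arc.

Fetch real input with, for example (OpenLDAP client syntax):
  ldapsearch -x -H ldap://host:port -D cn=orcladmin -W \\
      -b cn=subschemasubentry -s base "(objectClass=*)" attributeTypes
The sample LDIF below is constructed; 1.3.6.1.4.1.99999 is a placeholder arc.
"""
import re

# RFC 4512: a schema definition opens with "( <numericoid> ..."
_NUMERIC_OID = re.compile(r"^\(\s*([0-9]+(?:\.[0-9]+)+)\s")
# NAME 'single' or NAME ( 'first' 'second' ); we keep the first
_NAME = re.compile(r"\bNAME\s+(?:'([^']*)'|\(\s*'([^']*)')")


def unfold_ldif(text: str) -> list:
    """Join LDIF continuation lines: a line starting with one space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def schema_oids(ldif_text: str, attribute: str = "attributetypes") -> dict:
    """Map numeric OID -> first NAME for each definition of the given schema attribute
    (attributetypes by default; pass "objectclasses" to do the same for object classes)."""
    found = {}
    for line in unfold_ldif(ldif_text):
        key, sep, value = line.partition(":")
        if not sep or key.strip().lower() != attribute:
            continue
        if value.startswith(":"):          # base64 value ("attr:: ..."), not handled here
            continue
        m = _NUMERIC_OID.match(value.strip())
        if not m:                          # descriptor OIDs like 'myattr-oid' carry no number
            continue
        n = _NAME.search(value)
        found[m.group(1)] = (n.group(1) or n.group(2)) if n else ""
    return found


def next_free_oid(oids, arc: str) -> str:
    """Next unused direct child of `arc`: one above the highest number already allocated there."""
    prefix = arc + "."
    used = [int(o[len(prefix):]) for o in oids
            if o.startswith(prefix) and o[len(prefix):].isdigit()]
    return "%s.%d" % (arc, max(used) + 1 if used else 1)


# Constructed sample of an ldapsearch result, including one wrapped line and one
# definition that uses a descriptor instead of a numeric OID.
SAMPLE_SCHEMA = """\
dn: cn=subschemasubentry
attributetypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )
attributetypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'exampleBadgeId' DESC 'constructed' EQUAL
 ITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.99999.1.7 NAME 'exampleCostCenter' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributetypes: ( 1.3.6.1.4.1.99999.1.3 NAME 'exampleRegion' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributetypes: ( exampleLegacy-oid NAME 'exampleLegacy' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
"""

if __name__ == "__main__":
    oids = schema_oids(SAMPLE_SCHEMA)
    for oid in sorted(oids, key=lambda o: [int(p) for p in o.split(".")]):
        print(oid, oids[oid])
    print("next free:", next_free_oid(oids, "1.3.6.1.4.1.99999.1"))
```

Run the same search against OVD and against each OID instance and compare the dictionaries: an OID reused for two differently named attributes across the directories is the collision this bookkeeping exists to prevent, and the gap left by a descriptor-only definition (no number at all) is why the script ignores those rather than guessing a number for them.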
Administrative privileges in OVD
Hi All,
I have an OAM setup with both OID and OVD. The user data is stored in OVD.
What I need is a user with administrative privileges in OVD, other than the default administrator, to be able to update other users' attributes.
Please help in this scenario...
Thanks.
Any ideas please...!!!
How to grant privileges to a user other than admin user (cn=admin) in OVD.