Weblogic SSO with Negotiate Asserter to AD Windows2003

Similar Messages

• Weblogic SSO with AD - My Try - What's wrong?

  Dear All
  I'm trying to setup Weblogic to Authenticate using AD and have SSO with a Windows workstation(joined to the domain).
  I just setup an Active Directory(Win2K3), a Windows XP(SP2) and a Linux System(CentOS5) with Weblogic 10.3.
  I'm wondering what is wrong with my configuration. I can only logon on Adminstration Console using weblogics local users, and even with entering username(those which created on AD) and password AD Authentication does not work.
  Anyone has simliar experiance or any clue?
  Appreciated
  TIA
  Cheers
  Here is the setup:
  The domain is: example.com and machines are: dc.example.com (AD), winclient.example.com (Windows XP joined to the example.com domain) and weblogic.example.com (CentOS with Weblogic 10.3 installed)
  The hosts file on all three machines are filled with their FQDN, Machine Name and corresponding IP addresses. They all have ping working successfully between each two of them. Firewalls are checked to be off.
  These are the steps I came through based on documentation I could found on the net:
  h1. 0. Configuring Your Network Domain to Use Kerberos
  In Linux Machine(Weblogic Server) edit Kerberos configuration file for appropriate values:
  */etc/krb5.conf*
  \[logging\]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
  \[libdefaults\]
  default_realm = EXAMPLE.COM
  default_tkt_enctypes = des-cbc-crc
  default_tgs_enctypes = des_cbc_crc
  dns_lookup_realm = false
  dns_lookup_kdc = false
  ticket_lifetime =28800
  forwardable = yes
  \[realms\]
  EXAMPLE.COM = {
  kdc = 192.168.1.193:88
  admin_server = dc
  default_domain = EXAMPLE.COM
  \[domain_realm\]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM
  \[kdc\]
  profile = /var/kerberos/krb5kdc/kdc.conf
  \[appdefaults\]
  autologin = true
  forward = true
  forwardable = true
  encrypt = true
  pkinit = {
  allow_pkinit = false
  h1. 1. Create two users on AD: "New->User" with "User must change password at next logon" option cleared (not tidked)
  weblogic (for weblogic service) (with password = "password1")
  weblogicusr (the user which should access Weblogic Administration Console) ("password2")
  * Note that group membership of these two users are left default.(Domain Users)
  h1. 2. For "weblogic" & "weblogicusr" user set these Account Optiones:
  - Use DES encryption types for this account (ticked)
  - Do not require Kerberos preauthentication (cleared)
  * then reset the password again for "weblogic" (with password = "password1") and "weblogicusr" (with "password2").
  h1. 3. Create Service Principal Names for Weblogic Server and User on Win2K3 machine:
  - >setspn -a host/weblogic.example.com weblogic
  - >setspn -a HTTP/weblogic.example.com weblogic
  here is the result
  C:\Documents and Settings\Administrator.DC>setspn -L weblogic
  Registered ServicePrincipalNames for CN=weblogic,CN=Users,DC=example,DC=com:
  HTTP/weblogic
  host/weblogic
  HTTP/weblogic.example.com
  host/weblogic.example.com
  and
  - >setspn -a HTTP/weblogic.example.com weblogicusr
  and the result
  C:\Documents and Settings\Administrator.DC>setspn -L weblogicusr
  Registered ServicePrincipalNames for CN=Weblogic User,CN=Users,DC=example,DC=com:
  HTTP/weblogicsrv.example.com
  HTTP/weblogicsrv
  h1. 4. Create the keytab file for Weblogic Server:
  On AD machine issue:
  (ktpass from MS Windows Support Tools)
  >ktpass -princ host/[email protected] -pass password1 -mapuser weblogic -out c:\temp\weblogic.host.keytab
  >ktpass -princ HTTP/[email protected] -pass password1 -mapuser weblogic -out c:\temp\weblogic.HTTP.keytab
  (ktab from JRE 6)
  >ktab -k c:\temp\weblogic.keytab -a [email protected]
  Password for [email protected]:*password1*
  Done!
  Service key for [email protected] is saved in c:\temp\weblogic.keytab
  ** Note I could not kinit successfully merely with weblogic.host.keytab and/or weblogic.HTTP.keytab, I got this error +"Key table entry not found while getting initial credentials"+ how ever the keytab I created using ktab("weblogic.keytab") works fine in this case, so I decided to merge whole three of them into a keytab.
  >\[root@weblogic keytabs\]# kinit -k -t weblogic.host.keytab [email protected]
  >kinit(v5): Key table entry not found while getting initial credentials
  h1. 5. Port and Merge keytabs
  Then I ported these three files to the Linux Machine(weblogic.example.com): weblogic.host.keytab, weblogic.HTTP.keytab and weblogic.keytab
  and merged into one keytab:
  ktutil: "rkt weblogic.host.keytab"
  ktutil: "rkt weblogic.HTTP.keytab"
  ktutil: "rkt weblogic.keytab"
  ktutil: "wkt weblogic-keytab"
  ktutil: "q"
  * then put the result keytab "weblogic-keytab" somewhere in Weblogic Path:
  >/root/bea/user_projects/domains/base_domain/kerberos
  h2. 5.1 Test the keytab and kerberos configuration
  >\[root@weblogic keytabs\]# kinit -k -t weblogic-keytab [email protected]
  >\[root@weblogic keytabs\]# klist
  >Ticket cache: FILE:/tmp/krb5cc_0
  >Default principal: [email protected]
  >
  >Valid starting Expires Service principal
  >09/04/09 16:16:42 09/05/09 00:16:42 krbtgt/[email protected]
  >
  Kerberos 4 ticket cache: /tmp/tkt0
  klist: You have no tickets cached
  h1. 6. Creating a JAAS Login File
  Create krb5Login.conf and put it in here: "/root/bea/user_projects/domains/base_domain/kerberos/"
  krb5Login.conf
  com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  principal=*"[email protected]"* useKeyTab=true
  keyTab=*/root/bea/user_projects/domains/base_domain/kerberos/weblogic-keytab* storeKey=true;
  com.sun.security.jgss.accept {
  com.sun.security.auth.module.Krb5LoginModule required
  principal=*"[email protected]"* useKeyTab=true
  keyTab=*/root/bea/user_projects/domains/base_domain/kerberos/weblogic-keytab* storeKey=true;
  h1. 7. Modify startup options
  add these option to "/root/bea/user_projects/domains/base_domain/bin/startWebLogic.sh"
  h2. 7.1 Kerberos
  -Djava.security.krb5.realm=EXAMPLE.COM
  -Djava.security.krb5.kdc=dc.example.com
  -zjava.security.auth.login.config=$PATHTOKRB/krb5Login.conf
  -Djavax.security.auth.useSubjectCredsOnly=false
  -Dweblogic.security.enableNegotiate=true h2. 7.2 Debug
  -DDebugSecurityAdjudicator=true
  -Dweblogic.debug.DebugSecurityAtn=true
  -Dsun.security.krb5.debug=true
  -Dweblogic.StdoutDebugEnabled=true";
  -Dweblogic.log.StdoutSeverity=Debugh1. 8. Configuring the Identity Assertion Provider
  In Weblogic Administration I created a Security Realm called "example.com" with everything default and made it default. Then restarted the Weblogic Server.
  Again in Administation Console did this to example.com Security Realm:
  h2. 8.1 -> Prividers: Add 3 Providers
  Negotiate     WebLogic Negotiate Identity Assertion provider     1.0
       DIA     WebLogic Identity Assertion provider     1.0
       AD     Provider that performs LDAP authentication     1.0 (Active Directory provider)
       Default     WebLogic Authentication Provider     1.0
  h2. 8.2 -> Change the default parameters
  h3. 8.2.1 Negotiate     WebLogic Negotiate Identity Assertion provider
  -> Base64 Decoding Required: false (No Change, but shouldn't it be true and how to change?)
  -> Form Based Negotiation Enabled: Removed the tick
  h3. 8.2.2 DIA     WebLogic Identity Assertion provider (no changes)
  (no changes)
  h3. 8.2.3 AD     Provider that performs LDAP authentication (Active Directory provider)
  -> Control Flag: *SUFFICIENT*
  -> User Name Attribute: *sAMAccountName*
  -> Principal: *HTTP/[email protected]*
  -> Host: *192.168.1.193*
  -> User Base DN: *CN=Users,DC=example,dc=com*
  -> Propagate Cause For Login Exception: *ticked*
  -> Group Base DN: *CN=Users,DC=example,dc=com*
  -> Credential: *password1*
  * others left with their default values.
  h1. 9. Configuring an Internet Explorer Browser
  On Windows XP machine (winclient.example.com):
  h2. 9.1 Configure Local Intranet Domains
  - In Internet Explorer, Tools > Internet Options -> the Security tab -> Local intranet -> Sites:
  > "Include all sites that bypass the proxy server" *ticked*
  > "Include all local (intranet) sites not listed in other zones" *ticked*
  - then in -> Advanced Dialog Box added this:
  > weblogic.example.com
  h2. 9.2 Configure Intranet Authentication
  - In Internet Explorer, Tools > Internet Options -> the Security tab -> Local intranet -> Custome Level:
  > In the Security Settings dialog box -> the User Authentication section.
  > "Automatic logon only in Intranet zone" *ticked*
  h2. 9.3 The Proxy Settings
  No proxies are enabled
  h2. 9.4 Enable Integrated Windows Authentication
  - In Internet Explorer, Tools > Internet Options -> Advanced tab -> Security section:
  > "Enable Integrated Windows Authentication" *ticked* by default
  Edited by: Mehdi Sarmadi on Sep 4, 2009 5:51 AM

  I found something in Logfile:
  <Sep 4, 2009 6:17:39 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <LDAP Atn Login username: weblogicusr>
  <Sep 4, 2009 6:17:39 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <new LDAP connection to host 192.168.1.193 port 389 use local conne
  ction is false>
  <Sep 4, 2009 6:17:39 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <created new LDAP connection LDAPConnection { ldapVersion:2 bindDN:
  ""}>
  <Sep 4, 2009 6:17:39 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <connection failed netscape.ldap.LDAPException: error result (49);
  80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece^@>
  <Sep 4, 2009 6:17:39 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <[Security:090294]could not get connection>
  According to this post: Re: WL10.3 and SSO and Active Directory
  a correct ldap connection should look like this:
  <LDAP Atn Login username: Administrator>
  <userExists? user:Administrator>
  <new LDAP connection to host 10.10.0.254 port 389 use local connection is false>
  <created new LDAP connection LDAPConnection { ldapVersion:2 bindDN:""}>
  <connection succeeded>
  *<getConnection return conn:LDAPConnection {ldaps://10.10.0.254:389 ldapVersion:3 bindDN:"HTTP/[email protected]"}>
  <getDNForUser search("CN=Users,DC=DOMAIN,dc=local", "(&(&(cn=Administrator)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>xist>*
  Moreover, I turned AD's debug logging and this is what happens when I try to login with a AD user: Why "Anonymous Logon"?!
  Event Type:     Information
  Event Source:     NTDS LDAP
  Event Category:     LDAP Interface
  Event ID:     1535
  Date:          9/4/2009
  Time:          6:47:07 PM
  User:          NT AUTHORITY\*ANONYMOUS LOGON*
  Computer:     DC
  Description:
  Internal event: The LDAP server returned an error.
  Additional Data
  Error value:
  80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece
  Any help would be greatly appreciated

• Enabling SSO with Weblogic Server

  Hi,
  Can someone please forward some documention on enabling SSO with Weblogic server for different applications using the admin console.
  Is enabling SSO only possible programmatically??
  Is there an external server amongst the Weblogic Platform that maintains this SSO information??
  Regards,
  Mukta

  Pradeep,
  Here are some questions for you.
  1. what version of Weblogic App Server you are using?
  2. Is it a weblogic Portal or a Java application deployed
     on a Weblogic App Server?
  3. You have mentioned that the users are stored in a table. Is it a database table ?
  Anyway see the following link as a starting point?
  http://e-docs.bea.com/wls/docs81/jconnector/security.html#1216783
  If the customer has lot of other web applications that they want to integrate you can look at third party authentication solutions (Ex: Siteminder). But if it is a few or limited applications then custom solution would be more appropriate from the cost perspective.
  Hope this can be a starting point.
  -Regards
  -Venkat Malempati

• OBIEE 11.1.1.6 SSO with OAM 11.1.1.5: OID 11.1.1.6 attribute problem

  Hi Everyone!
  I have configured a OAM(webgate)+OID+OBIEE+OHS system.
  The OBIEE is protected via OHS(weblogic module) and webgate. It is working very well.
  The OAM authenticates from OID(default user identity store).
  The *"User Search Base"* is same ( *"cn=Users,dc=mydomain,dc=com"* ) in identity store and in OBIEE's OID authentication provider too.
  The SSO is enabled in OBIEE and the providers are:
  OID (Provider that performs LDAP authentication     1.0) SUFFICIENT
  OAM Provider (Oracle Access Manager Identity Asserter     1.0) REQUIRED
  DefaultAuthenticator     (WebLogic Authentication Provider     1.0) SUFFICIENT
  DefaultIdentityAsserter
  IF the *"User Name Attribute"* is *"cn"* in OAM's user identity store and the OBIEE's OID provider's *"user name attribute"* is *"cn"* (default) too, everything is working fine.
  But I have to use *"orclSAMAccountName"* instead of *"cn"* (OAM and OID provider). And in this case I have the problem.
  In the OBIEE's OID provider are:
  All Users Filter: (&(orclSAMAccountName=*)(objectclass=person))
  User From Name Filter: (&(orclSAMAccountName=%u)(objectclass=person))
  User Name Attribute: orclSAMAccountName
  I made a test user:
  cn=test
  sn=test_sn
  orclsamaccountname=test_sama
  uid=test_uid
  krbprincipalname=test_krb
  I can authenticate with test_sama in OAM, but OBIEE say: *"You are not logged in here: Oracle BI Server."*
  The bi log shows that:
  +Default (self-tuning)'> <BISystemUser> <> <00093dFuR^HFW7PMye7i6G00052S000Tt7> <1345642607333> <BEA-000000> <javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User test javax.security.auth.login.LoginException: [Security:090300]Identity Assertion Failed: User test does not exist+
  +oracle.security.jps.internal.api.jaas.AssertionException: javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User test javax.security.auth.login.LoginException: [Security:090300]Identity Assertion Failed: User test does not exist+
  Why does search OBIEE the *"cn"* and why does not use the *"orclsamaccountname"* ?
  Any idea???
  Regards, Jani

  Hello Jani,
  This is a known issue in OBIEE 11.1.1.6.0 , Please refer to : OBIEE 11.1.1.6 Agent failed with Error Codes: IHVF6OM7:OPR4ONWY:U9IM8TAC [nQSError: 13039] The impersonator does not exist in the BI Security Service [ID 1446877.1]
  We have configured OBIEE 11.1.1.6 on Linux and using Single Sign On (SSO) with Windows Native Authentication (WNA).
  Configured AD Authenticator, selected sAMAccountName instead of CN for User Attribute. Enabled SSO in EM. When trying to access OBIEE Presentation services we have encountered the error below.
  "You are not logged in here: Oracle BI Server."
  When checking the biserver1 log file found : [Security:090300]Identity Assertion Failed: User OracleSystemUser does not exist
  After applying the patch 13553428 on top of OBIEE 11.1.1.6.0 we have successfully logged into OBIEE Presentation services.
  This works fine with OBIEE 11.1.1.5.0 and 11.1.1.6.1
  Fixed in OBIEE 11.1.1.6.1. Apply Patch 13742915.
  If you want to stay in OBIEE 11.1.1.6.0. Apply Patch 13553428.
  Let me know if this solves the Asserter issue.
  Pls mark if helpful or answered.
  Thanks,
  -SVS

• Help  - SPENGO - Microsoft SSO with WLS 9.2

  Friends,
  I am trying to integrate Microsoft SSO with WLS with SPENGO. I followed the steps given in http://edocs.bea.com/wls/docs92/secmanage/sso.html and even in 8.x documentation where I had to create a LDAP authenticator etc.
  However, instead of SPENGO token, I get the NTLM token. It looks like when Kerberos fails, WLS tries to invoke NTLM. But I am not sure where I am doing wrong. It would be great if someone could look at the following logs and suggest some workaround.
  <<WLS Kernel>> <> <> <1183957002830> <000000> <NegotiateIdentityAsserterServletAuthenticationFilter.doFilter() called>
  <<WLS Kernel>> <> <> <1183957002830> <000000> <CERT auth type found for webapp>
  <<WLS Kernel>> <> <> <1183957002830> <000000> <All request headers:>
  <<WLS Kernel>> <> <> <1183957002830> <000000> < Header: Accept : image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*>
  <<WLS Kernel>> <> <> <1183957002830> <000000> < Header: Accept-Language : en-us>
  <<WLS Kernel>> <> <> <1183957002830> <000000> < Header: UA-CPU : x86>
  <<WLS Kernel>> <> <> <1183957002830> <000000> < Header: Accept-Encoding : gzip, deflate>
  <<WLS Kernel>> <> <> <1183957002830> <000000> < Header: User-Agent : Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)>
  <<WLS Kernel>> <> <> <1183957002830> <000000> < Header: Host : 10.31.252.182:7001>
  <<WLS Kernel>> <> <> <1183957002830> <000000> < Header: Connection : Keep-Alive>
  <<WLS Kernel>> <> <> <1183957002862> <000000> <Negotiate filter: new session, no negotiation has started>
  <<WLS Kernel>> <> <> <1183957002862> <000000> <PrincipalAuthenticator.getChallengeToken will use common security service>
  <<WLS Kernel>> <> <> <1183957002862> <000000> <com.bea.common.security.internal.service.ChallengeIdentityAssertionServiceImpl.getChallengeToken(WWW-Authenticate.Negotiate)>
  <<WLS Kernel>> <> <> <1183957002862> <000000> <com.bea.common.security.internal.service.ChallengeIdentityAssertionTokenServiceImpl.getChallengeToken(WWW-Authenticate.Negotiate)>
  <<WLS Kernel>> <> <> <1183957002862> <000000> <com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter.getChallengeToken(WWW-Authenticate.Negotiate)>
  <<WLS Kernel>> <> <> <1183957002862> <000000> <Unauthorized, sending WWW-Authenticate: Negotiate>
  <<WLS Kernel>> <> <> <1183957003268> <000000> <NegotiateIdentityAsserterServletAuthenticationFilter.doFilter() called>
  <<WLS Kernel>> <> <> <1183957003268> <000000> <CERT auth type found for webapp>
  <<WLS Kernel>> <> <> <1183957003268> <000000> <All request headers:>
  <<WLS Kernel>> <> <> <1183957003268> <000000> < Header: Accept : image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*>
  <<WLS Kernel>> <> <> <1183957003268> <000000> < Header: Accept-Language : en-us>
  <<WLS Kernel>> <> <> <1183957003268> <000000> < Header: UA-CPU : x86>
  <<WLS Kernel>> <> <> <1183957003268> <000000> < Header: Accept-Encoding : gzip, deflate>
  <<WLS Kernel>> <> <> <1183957003268> <000000> < Header: User-Agent : Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)>
  <<WLS Kernel>> <> <> <1183957003268> <000000> < Header: Host : 10.31.252.182:7001>
  <<WLS Kernel>> <> <> <1183957003268> <000000> < Header: Connection : Keep-Alive>
  <<WLS Kernel>> <> <> <1183957003268> <000000> < Header: Cookie : JSESSIONID=0nRcGRQKvcpzV8wQPVX584Pxwly4GrpTdQGGGYGGb4Z62Rs1GLVv!542382297>
  <<WLS Kernel>> <> <> <1183957003268> <000000> < Header: Authorization : Negotiate TlRMTVNTUAABAAAAB7IIogoACgAvAAAABwAHACgAAAAFAs4OAAAAD0RFU0tUT1BGRURFUkFUSU9O>
  <<WLS Kernel>> <> <> <1183957003268> <000000> < processing header: Negotiate TlRMTVNTUAABAAAAB7IIogoACgAvAAAABwAHACgAAAAFAs4OAAAAD0RFU0tUT1BGRURFUkFUSU9O>
  <<WLS Kernel>> <> <> <1183957003283> <000000> <SPNEGONegotiateToken.discriminate: not Application Constructed Object, not SPNEGO NegTokenInit token>
  <<WLS Kernel>> <> <> <1183957003283> <000000> <Token not supported by Negotiate Filter, ignoring: NTLM>

  Another question.
  When you configure Spnego and sso, do you also need to configure an active directory authenticator ??
  I think I have the SSO part working - it does kerberos authentication and gets the username, howerver after taht it fails because it tries to do an LDAP authentication with that username.
  <LDAP Atn Login username: kerbuser01>
  <[Security:090300]Identity Assertion Failed: User kerbuser01 does not exist
  Any pointers ?

• Integrating WebLogic Server with CA SiteMinder Web Agent R6

  Hi I have searched on the topic of integrating WebLogic Server with the CA SiteMinder Web Agent R6 to provide single sign on services, and have been unable to find anything. Does anyone have any experience with this that could provide some tips, or could direct me to some documentation?

  It definitely can work. We have done the same thing in several installations. The question is "How secure does it need to be?" You will be using SM to do authentication. You will configure SSO to trust the SM header variable. If you really want to be secure you need to configure your boxes so that the http server on you SUSE box (for Portal) can only be accessed from the Reverse Proxy. If another machine can access it someone could spoof the header variable and log in as anyone they want.
  Hope this is helpful.
  Anton

• How configure Windows 8.1 Clients with IE11 for SSO with Kerberos SPNEGO

  We are using BI Publisher OBIEE 11.1.1.7 with SSO Kerberos SPNEGO.
  The Weblogic Server Version is WLS_PRODUCT_VERSION=10.3.5.0
  The SSO is working very well with Clients that are Windows XP or Windows 2003 R2. We had testet wit IE7,IE8 Firefox.
  Now as we become Windows 8.1 Clients with IE11 the Kerberos SPNEGO SSO is not working.
  Please give us advice or a HOW TO Document about the configuration on Windows 8.1 Cllients with IE11 Browser.
  I find many Dokuments related to older Windows Versions for example
  http://www.oracle.com/technetwork/articles/idm/weblogic-sso-kerberos-1619890.html
  but nothing for Windows 8.1 Clients
  Thanks in advance.

  The location for tabs in IE11 browser might be different but the steps are the same :
  Configure Local Intranet Domains
     1. In Internet Explorer, select Tools > Internet Options.
     2. Select the Security tab.
     3. Select Local intranet and click Sites.
     4. In the Local intranet popup, ensure that the Include all sites that bypass the proxy server and Include all local (intranet) sites not listed in other zones options are checked.
     5. Click Advanced.
     6. In the Local intranet (Advanced) dialog box, add all relative domain names that will be used for Oracle WebLogic Server instances participating in the SSO configuration (for example, myhost.example.com) and click OK.
  Configure Intranet Authentication
     1. Select Tools > Internet Options.
     2. Select the Security tab.
     3. Select Local intranet and click Custom Level... .
     4. In the Security Settings dialog box, scroll to the User Authentication section.
     5. Select Automatic logon only in Intranet zone. This option prevents users from having to re-enter logon credentials, which is a key piece to this solution.
     6. Click OK.
  Verify Proxy Settings
  If you have a proxy server enabled:
     1. Select Tools > Internet Options.
     2. Select the Connections tab and click LAN Settings.
     3. Verify that the proxy server address and port number are correct.
     4. Click Advanced.
     5. In the Proxy Settings dialog box, ensure that all desired domain names are entered in the Exceptions field.
     6. Click OK to close the Proxy Settings dialog box.
  What is the error reported by the browser / wls logs ?
  -- Puneeth

• Oracle Forms 11g SSO with OID and IAM

  What versions of OID and Access Manager are required to get an Oracle Forms and Reports 11.1.1.2 application
  on Weblogic 10.3.2 configured for Oracle SSO using OID authentication?
  We want the OID to store and authenticate Users for username and password logins to the database, then
  ultimately by user Certificate authentication in OID. I have OID 11.1.1.2 installed and SSO enabled for Forms
  in Enterprise Manager.
  Is Access Manager required for Forms SSO with OID authentication to work or just to allow user interaction
  for registration and Password reset?
  Things mention OAM 10.4.3 and others talk about IAM 11g for Forms 11.1.1.2 SSO to work with OID.
  We did this back in Oracle Forms and OID 10g with JSP and LDAP to setup users but I understand 11g is
  different and IAM can help or is required for this type of SSO to work.
  Any help?
  Edited by: Kirch on Apr 30, 2013 7:39 AM

  Hi,
  According to Oracle's certification matrix found at http://www.oracle.com/technetwork/middleware/downloads/fmw-11gr1certmatrix.xls, Oracle Forms 11.1.1.2 is not supported to use any Oracle Access Manager (OAM) version. OAM is a component of IAM. It is only supported with Oracle SSO 10.1.4.x. The best solution would be to upgrade the Forms and Reports environment to either 11gR2 (11.1.2.1) or to the latest 11gR1 patchset 11.1.1.7. Both versions are compatible with OAM 11.1.1.7.0 and OID 11.1.1.7.0 where only Forms 11gR2 (11.1.2.1) is compatible with OAM 11.1.2.0 and OID 11.1.1.7.0. That would be the best solution as we have ran into configuration problems in the past with using Oracle SSO 10.1.4.x.
  Since OID 11.1.1.2.0 is already installed, you should be able to patch it up to 11.1.1.7.0.
  For user authentication in OID, it is required to have OAM or Oracle SSO as both products use WebGate or mod_osso agents for authentication and authorization. For purposes of allowing end users to register accounts and password reset, you will either need to also install another IAM component called Oracle Identity Manager (OIM) or create a customized SSO login page that can be coded to perform these actions. I believe there are some examples available on the Internet.
  Thanks,
  Scott
  http://pitss.com/us

• What does AM do with Attribute Assertions

  Hi,
  I am sending Auth statement and atribute statement assertion to AM. AM is accepting the Auth assertion and creating the session, but I am not sure what it does it with Attribute assertion? I want to pass these attributes to next AM. How can I do this. I am looking to fetch these attribues in attributemapper class implementation but not sure how to fetch them from original assertion so that I can pass it on..Does AM store it in SSO Token or what. How can I get those original attribute here.
  Thanks
  Deepak

  Got the solution...AM sets these attributes in SSOToken..You can get those by using getProperty() method..make sure that subject of AuthStatement and attribute statement are same otherwise the attribute will not get stored in SSO Token...I modified subject of attribute statement ..so that it matches with that of auth statement nad later in attribute mapper class fetched those attributes form SSO Token and added it to list..so that these attributes can get transferred to next AM.
  Thanks
  Deepak

• Integrating Weblogic Portal with Oracle BPMS

  Hello,
  I need to integrate the Weblogic Portal with the OBPMS, but i need to show only the portlet with the work list. Anyone here already did something like this ?
  I have a tutorial at Oracle with that but in this document says that i need to :
  Add the following portlets by dragging and dropping them from the Design Palette View:
  Menu Action
  Work List
  Instance Detail
  The tutorial is :
  http://download.oracle.com/docs/cd/E13154_01/bpm/docs65/config_guide/index.html?t=modules/enterprise/wlp/t_WLP_Config_Overview.html
  But i need to show only the worklist , its possible ?
  the section with the portlets is : http://download.oracle.com/docs/cd/E13154_01/bpm/docs65/config_guide/index.html?t=modules/enterprise/wlp/t_WLP_Config_Overview.html

  Here's my thoughts on how I think this works. I think you need to have an Authentication Provider or Identity Asserter that plugs into the WLS Security Provider framework that understands the Oracle Access Manager provided token (or whatever mechanism OAM is using to pass the user credentials). That piece will be responsible for creating the principal and groups in the WLS security framework. In WLP, you use Visitor Entitlement Roles to secure things like portlets. The visitor entitlements roles can be defined by many attributes (user profile, date time, request, etc). One of which is the groups that the Authorization Provider or Identity Asserter reports. You might want to post this in the WebLogic Portal forum as well.

• 10g - how to configure sso with iis-

  hi, experts, I have followed Oracle® Business Intelligence Enterprise Edition Deployment Guide to configure SSO with IIS.
  but I always meet this message.
  Not Logged In
  You are not currently logged in to the Oracle BI Server.
  If you have already logged in, your connection might have timed out, or a communications or server error may have occurred
  what steps are missing?
  how to check?

  hi, experts,
  I checked C:\OracleBIData\web\log\sawlog0.log on the obi server (windows server 2003 standard).
  at Thu Feb 17 14:48:46 2011 , I logined OBI on another machine (not via the browser on the obi server).
  however, the log shows the login user is the administrator of the obiserver (obiserver\administrator ).
  any setup on IIS are wrong? thank you very much!
  =========================================================================================
  Running job 'MinutelyMonitor' took 7422 milliseconds, 12.3% of job's frequency (60 seconds).
  Type: Error
  Severity: 40
  Time: Thu Feb 17 14:48:46 2011
  File: project/webodbcaccess/odbcconnectionimpl.cpp Line: 371
  Properties: ConnId-1,1;ThreadID-1796
  Location:
       saw.odbc.connection.open
       saw.connectionPool.getConnection
       saw.subsystem.security.checkAuthenticationImpl
       saw.threadPool
       saw.threads
  Odbc driver returned an error (SQLDriverConnectW).
  State: 08004. Code: 10018. [NQODBC] [SQL_STATE: 08004] [nQSError: 10018] Access for the requested connection is refused.
  [nQSError: 43001] Authentication failed for obiserver\administrator in repository Star: invalid user/password. (08004)
  Type: Error
  Severity: 42
  Time: Thu Feb 17 14:48:46 2011
  File: project/webconnect/connection.cpp Line: 276
  Properties: ThreadID-1796
  Location:
       saw.connectionPool.getConnection
       saw.subsystem.security.checkAuthenticationImpl
       saw.threadPool
       saw.threads
  Authentication Failure.
  Odbc driver returned an error (SQLDriverConnectW).
  ---------------------------------------

• SSO with Logon Ticket to non-SAP Unix based application

  Hi all,
  Anyone has implemented SSO with Logon Ticket to a Unix box ?
  We need to achieve Single Sign On between our EP5.0 SP5 Portal and a third-party web application with a front-end on a Unix AIX machine with Apache.
  We achieved SSO with non-SAP applications with Logon Tickets, but one was to an IIS system in another domain (we therefore used the standard Web Filter for IIS and declared it in usermanagement for cross-domain support) and another one running on Windows platform (we used the C libraries provided in the "Logon Ticket Toolkit": NT or Linux only).
  From what we understand and found on the web sites, we cannot reuse any standard web filter (none for Unix, am I correct ???) and want to implement custom code using SAP libraries, if possible using Java
  -> Are there any Java libraries that are available to both:
  . verify the logon ticket with the deployed Portal public key
  . decrypt/extract the authenticated username from this ticket ??
  I've seen a mention of Java libraries, and Unix, in a SAP EP 6.0 document but I'm not sure where to find them...
  Is the SAP Logon Ticket issued the same way in EP 5.0 and EP 6.0 ?
  I managed to find something called SAPSSOEXT, for AIX, which contains some partial library and a sample, but it is dated 2000 !! Anyone has more information about this ?
  Any hint is very much appreciated.
  Thanks a lot
  Olivier

  Check these links for reference regarding AIX and Apache using X.509 certificates:
  http://publib16.boulder.ibm.com/pseries/en_US/aixbman/security/cas_pki.htm
  And just using cookies -
  http://forums.devshed.com/archive/t-105611 (perl based)
  You can also use mod_ssl built into your Apache to facilitate both certificate based authentication as well as encryption.
  The mod_ssl route is most secure (because of the encryption), the IBM link is comprehensive but requires extra infrastructure (LDAP).
  Nick
  Nick

• SSO with KRB/ADS on Enterprise Portal 7

  Dear All
  while i am trying to configure SSO with KRB/ADS on Enterprise Portal 7 i am getting this on the trace file..completed the configuration through SpNego and when i try to log in its promting for user name password..
  i have attched the trace file extract for  your advice..
  Regards
  Buddhike
  #1.5 #001CC45E6DA0008000000004000054FC00044F76844D9013#1213270351029#com.sap.engine.services.security.authentication.logincontext#
  sap.com/com.sap.security.core.admin
  #com.sap.engine.services.security.authentication.logincontext#Guest#0####3e642d50387311ddc2a0001cc45e6da0#Thread[Thread-110,5,SAPEngine_Application_Thread[impl:3]_Group]#
  #0#0#Error#1#/System/Security/Authentication#Plain###
  LOGIN.FAILED User:N/A Authentication Stack:com.sun.security.jgss.accept
  *Login Module                                                               Flag        Initialize  Login      Commit     Abort      Details*1. com.sun.security.auth.module.Krb5LoginModule                            OPTIONAL    ok          exception             false      null#
  #1.5 #001CC45E6DA0006E00000029000054FC00044F76844D95C5#1213270351029#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#sap.com/com.sap.security.core.admin#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#Guest#0####3e669e50387311dda053001cc45e6da0#SAPEngine_Application_Thread[impl:3]_2##0#0#Error##Java###Acquiring credentials for realm KEELLS.INT failed
  [EXCEPTION]
  #1#GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)     at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)
       at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
       at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
       at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
       at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
       at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
       at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
       at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentialsInCurrentThread(ConfigurationHelper.java:236)
       at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:29)
       at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:337)
  Caused by: com.sap.engine.services.security.exceptions.BaseLoginException: Access Denied.     at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:297)
       at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:324)
       at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
       at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
       at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
       at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
       at sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
       at java.security.AccessController.doPrivileged(Native Method)
       at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
       ... 9 more
  Caused by: com.sap.engine.services.security.exceptions.BaseSecurityException: Internal server error. An error log with ID [001CC45E6DA0008000000001000054FC00044F76844D8A3F] is created. For more information contact your system administrator.
       at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:156)
       at java.security.AccessController.doPrivileged(Native Method)
       at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
       ... 23 more

  Hi,
  please check if the options defined in the KRB5LoginModule are correct.
  First of all check for the option prinicpal. Did you provide this option and also provided the correct value?
  This error often occurs if you provided a wrong value for option prinicpal
  Cheers

• SSO with ITS & Webenabling WEBGui

  Hello,
  We have configured SSO with R/3 system. It works fine.
  The requirement is, we have to webenable R/3 system thru SAP GUI For Windows and SAP GUI For HTML.
  We are able to do both on developement environment where both R/3 and portal has got the same host names.
  But in the qa environment, we are able to webenable R/3 with SAP GUI For Windows and the SSO also works fine. But when we try to using SAP GUI For Html, it asks for the username and pwd again. Here the portal and R/3 has different host names.
  Otherwise the settings in dev and test are exactly the same. Has anybody got a clue why is it not working?
  Regards,
  Rukmani

  Hi all,
  it is always good to start with a good checklist. Here is probably the best one: https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/documents/a1-8-4/sso checklist.html
  My suggestion is: do not skip even simple steps, sometimes problem appears there
  Regards,
  Pavol

• SSO with EP 6.0 and R/3 as backened not working

  Hi , 
      I am implementing ESS in EP 6.0 and r/3 4.7c as backend. SSO is working with UIPWD. but when I try with LogonTickets it does not work.
  I tried with ordinary SAP transaction SSO with logon tickets works. But through ITS if I call a ESS transaction service It asks me for login user and password.
  What are the setting to be done in ITS for SSO towork. I have set the parameter
  msapcomusesso2cookie = 1 in the global.svrc file.
  I do not know what is wrong. Please help.
  Regards,
  Ramesh

  Hi,
    I am using a standalone ITS for a R/3 4.7 system.
  How should I maintain a FQDN for ITS?
  You are right,
  now it is not of the format hostname.domain.com:port format. It is of the format hostname:port.
  But where should I change this format. The host name of the system where the ITS is setup is <hostname> only.
  can you please tell me as to where should I maintain the FQDN as the specific format you suggested.
  Regards,
  Ramesh