Windows Native Authentication with 2 (multiple) AD domains

I have managed to get Windows Native Authentication for Oracle Application Server 10g (9.0.4) on Windows working. The following has been done and works in a test environment:
Phase 1) Active Directory (AD) to Oracle Internet Directory (OID) Synchronization
Phase 2) Configure a Kerberos Service Account for the Single Sign-on
Currently all the above setup points to a single windows active directory server, i.e. active1.uk.oacle.com. This is acceptable for a test environment, but before the changes can be deployed to production I need to incorporate some disaster recovery.
The active directory is replicated across multiple servers – i.e. active1.uk.oacle.com, active2.uk.oacle.com. In the event that the primary active directory server is unavailable, Oracle users should still be able to access applications. I need to incorporate active2.uk.oacle.com into the above setup.
Questions:
1) Can I get away with not incorporating active2.uk.oacle.com into phase 1? If the users have been pulled into OID then we are not particularly concerned with pulling in new users in a disaster situation.
2) Can I configure the Oracle side of the Kerberos setup to use multiple realms with an order of precedence – i.e. try active1.uk.oacle.com, then try active2.uk.oacle.com? I would generate a keytab file from each server.
Ideally I would like to just modify the Kerberos setup to check active1.uk.oacle.com then active2.uk.oacle.com. Is this a workable approach? If yes how do I proceed? I believe the krb5.ini and opmn.xml need to be amended.
Thanks

Does anyone have any ideas on how to do this????
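As an added example (not from the original post), a krb5.ini for the Oracle Application Server side that lists both replicated domain controllers as KDCs of one realm, which is the Kerberos failover mechanism the question is after. The realm name UK.OACLE.COM, port 88 and the four-space indentation are assumptions; the host names come from the post.

```ini
; Constructed example, not the poster's file. Assumes the AD domain
; uk.oacle.com maps to the Kerberos realm UK.OACLE.COM and that active1 and
; active2 are replicas of the SAME AD domain, i.e. two KDCs for one realm,
; not two realms.
[libdefaults]
    default_realm = UK.OACLE.COM
    ; maximum tolerated clock difference in seconds; tickets outside this
    ; window are rejected, so keep the Oracle host and the DCs time-synced
    clockskew = 300

[realms]
    UK.OACLE.COM = {
        ; KDCs are tried in the order listed; the second is contacted only
        ; when the first does not answer, so no "second realm" is required
        kdc = active1.uk.oacle.com:88
        kdc = active2.uk.oacle.com:88
    }

[domain_realm]
    ; map both the bare domain and all hosts under it to the realm
    .uk.oacle.com = UK.OACLE.COM
    uk.oacle.com = UK.OACLE.COM
```

Because both DCs hold the same replicated key for the SSO service account, one keytab generated against the domain is valid whichever KDC answers; a second keytab per server is not needed.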

Similar Messages

  • Windows Native Authentication with 2 AD domains

    I have installed 10g infrastructure on win2k server. I completed the steps in note 282074.1 and WNA is working for the first domain (norris.intra). I now want to have this work for a second domain (shoremont.intra). These 2 AD domains are in separate forests (no global catalog server). I have sync'd the second domain with OID and configured external authentication. According to note 190312.1 you can merge kerberos Keytabs. I have set up the following krb5.ini files on the domain controller in each domain:
    File: krb5.ini on AD server monroe2k.norris.intra
    [libdefaults]
    default_realm = NORRIS.INTRA
    clockskew = 300
    [realms]
    NORRIS.INTRA= {kdc = monroe2k.norris.intra:88}
    SHOREMONT.INTRA= {kdc = swtp_fileserver.shoremont.intra:88}
    [domain_realm]
    .norris.intra = NORRIS.INTRA
    norris.intra = NORRIS.INTRA
    .shoremont.intra = SHOREMONT.INTRA
    shoremont.intra = SHOREMONT.INTRA
    File: krb5.ini on AD server swtp_fileserver.shoremont.intra
    [libdefaults]
    default_realm = SHOREMONT.INTRA
    clockskew = 300
    [realms]
    SHOREMONT.INTRA= {kdc = swtp_fileserver.shoremont.intra:88}
    NORRIS.INTRA= {kdc = monroe2k.norris.intra:88}
    [domain_realm]
    .shoremont.intra = SHOREMONT.INTRA
    shoremont.intra = SHOREMONT.INTRA
    .norris.intra = NORRIS.INTRA
    norris.intra = NORRIS.INTRA
    Are the above entries correct? Once I generate and merge the keytab files I will copy the merged file to the OSS server. Following note 282074.1 what other changes need to be made to the various .xml files to implement this configuration? Thanks.

    Does anyone have any ideas on how to do this????

  • Windows Native Authentication

    Hi guys,
    I was able to set up the WNA; in fact
    no errors appear in the OC4J~OC4J_SECURITY~default_island~1 log file when the OC4J_SECURITY instance starts up,
    but if I try to connect to
    http://sso.<domain>/pls/orasso using a client of
    Windows Domain the sso login page appears
    and the following message in ssoServer.log
    [DEBUG] AJPRequestHandler-ApplicationServerThread-6 Calling Authentication method
    [INFO] AJPRequestHandler-ApplicationServerThread-6 Entered SSOKerbeAuth.authenticate method ...
    [DEBUG] AJPRequestHandler-ApplicationServerThread-6 Remote user name: {{UNAUTH_USER}}
    [DEBUG] AJPRequestHandler-ApplicationServerThread-6 Windows Native Authentication was not possible.
    [DEBUG] AJPRequestHandler-ApplicationServerThread-6 Falling back to SSO authentication
    [INFO] AJPRequestHandler-ApplicationServerThread-6 Entered SSOServerAuth:authenticate method
    [DEBUG] AJPRequestHandler-ApplicationServerThread-6 user name NULL
    [DEBUG] AJPRequestHandler-ApplicationServerThread-6 Password Null
    [DEBUG] AJPRequestHandler-ApplicationServerThread-6 Subscriber Null
    [DEBUG] AJPRequestHandler-ApplicationServerThread-6 Voice header: null
    [DEBUG] AJPRequestHandler-ApplicationServerThread-6 x-oracle-mobile-authtype: null
    [DEBUG] AJPRequestHandler-ApplicationServerThread-6 auth mode is user/pass
    [DEBUG] AJPRequestHandler-ApplicationServerThread-6 Perhaps this is a Basic Auth u/pwd
    [DEBUG] AJPRequestHandler-ApplicationServerThread-6 No username supplied. Sending IPASInsufficientCredException
    [DEBUG] AJPRequestHandler-ApplicationServerThread-6 Requesting Login Page to collect credentials
    [INFO] AJPRequestHandler-ApplicationServerThread-6 Entered SSOKerbeAuth.getUserCredentialPage method ...
    [DEBUG] AJPRequestHandler-ApplicationServerThread-6 Sending login page to the user with an error message: null
    [INFO] AJPRequestHandler-ApplicationServerThread-6 Exiting from SSOKerbeAuth.getUserCredentialPage method
    Any ideas about this issue?
    Regards
    Luigi

    Luigi,
    did you follow up
    http://www.oracle.com/technology/obe/obe_as_10g/im/wna/wna.htm
    regards,
    --olaf

  • Windows Native Authentication from Windows 7

    Has anyone successfully tested SSO with Windows Native authentication from a windows 7 client ?
    I have a working setup with SSO on OID 10.1.4.3 but with windows 7 client I get the fallback login prompt instead of automatic login.
    I have got a workaround from support but it still does not work:
    - on the client Windows 7 PC go to PC security policies (Policies -> Network Security -> Configure encryption types allowed for Kerberos) and select all of them EXCEPT the “Allow future types” option;
    - change the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SuppressExtendedProtection = REG_DWORD with a value of 3 (please take a backup of the registry settings before any change).
    Thanks // Kerstin

    Applying patch 6915917 solves the problem

  • 1 Apple TV 2nd Gen, Windows 7 Computer with multiple user accounts

    The issue that I am having is I have 1 Apple TV 2nd Gen and Windows 7 Computer with multiple user accounts.
    When I log onto my Windows user account, open up iTunes and turn on home sharing, my Apple TV works perfectly, but if another family member switches to their Windows user account without logging me out, the home share shows up on Apple TV but it just says "Loading ... Library" and never loads.
    If we switch back to my user account, restart iTunes, everything is fine. Is there a way to keep my home share active in ATV2 across multiple user accounts? All of my video is under my account.

    You can home-share multiple libraries but only use one account at a time.

  • People Picker search order with multiple forest domains

    I had a customer with a multiple forest domain environment. Now the problem is that all users from one domain are synced to the resource domain (Domain A) where SharePoint is installed.
    The People Picker is now finding at first the user in Domain A where SharePoint is installed. My solution is now to specify the order of searching in People Picker so that first all users in Domain B are returned and if there is nothing, Domain A is returned.
    All SharePoint Server(s) have network access to the other domains, and there is a two-way trust configured.
    Any Solution for that?
    Thanks for your feedback!
    P.

    Regardless of search order, you would get both results returned. Have you tried using the UserAccountDirectoryPath property on the Site Collection to specify DC=domainB,DC=com?
    Trevor Seward
    Follow or contact me at...
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.
    Nice to know that I can set it up per site collection. But it does not work in my case: it indeed returned users from Domain B, but Domain A, C, D and F (examples) are excluded from People Picker.

  • Authentication with Multiple SSIDs AP521G, using Autonomous

    I have an AP521G access point that I am trying to setup authentication for multiple SSIDs. One SSID is for domain users with WPA/TKIP authentication to a radius server and the other SSID is for guest to have access to Internet with no authentication. Is there a way to setup both SSIDs on the AP for this configuration?

    The security option for an SSID can be unique and can be configured when you configure an SSID or under VLAN. Note that each VLAN is uniquely mapped to an individual SSID.

  • TLS setup with multiple receiving domains

    Hi,
    We have our Ironport setup with about 10 receiving domains. My aim is to set it up so that all email sent and received from a particular domain (client.com) uses TLS. This domain will only send mail to our primary domain (company.com).
    I am wondering how the TLS certificate will work with multiple domains? Is that cert just mapped to one email domain? Is a separate cert required for each domain, and so a separate listener for the receive domains that I don't need TLS for?

    Hi Graham,
    Yes it will be one certificate per box.
    In regards to the TLS question, you can set the TLS encryption to "Preferred" and take a look at the section on creating content filters for encryption.
    http://www.cisco.com/en/US/docs/security/esa/esa7.5/ESA_7.5_Configuration_Guide.pdf
    http://www.cisco.com/en/US/products/ps10154/products_user_guide_list.html
    HTH,
    Luis Silva
    "If you need PDI (Planning, Design, Implement) assistance feel free to reach"
    http://www.cisco.com/web/partners/tools/pdihd.html

  • Best Migration Method for Exchange 2007 with multiple accepted domains

    We are trying to determine which method would be best for us as we migrate to O365.  Scenario as follows:
    1) Multiple accepted domains (each in their own OU in AD); example: domainA.com, domainB.com
    2) Exchange is 2007; clients will be upgrading to Outlook 2013
    3) Would like to be able to sync mailboxes starting anytime but be able to cut over a domain at a time.
    Tested so far with staged migration but it appears that with this, there is a change in the TargetAddress sending all mail to the O365.  Even changing MXs didn't redirect the message as it reaches the Exchange box and immediately goes to O365.
    We haven't tried the cutover as we're only able to test with the production box and if that somehow cut over the entire box, we'd be .. well, it wouldn't be good.
    Anyone had any experience so that our #3 point would be doable, that would be great.  
    Thx
    George

    Hi George,
    According to your description, I understand that the issue is related to Exchange migration from Exchange 2007 to Exchange Online for Office 365. This forum focuses on some general discussion about Office 365 ProPlus, which is the version of Office that comes with many Office 365 plans. Therefore, I suggest we can post the issue in the Microsoft Exchange Online (Office 365) forum for more professional suggestions:
    http://social.technet.microsoft.com/Forums/en-US/home?forum=onlineservicesexchange
    Hope you can find the solution soon.
    Regards,
    Winnie Liang
    TechNet Community Support

  • Windows Integrated Authentication with reverse proxy issue with Safari

    Hi All
    I have an application which has Windows Integrated Authentication. For Internet users we have a reverse proxy with an IIS server which authenticates using basic authentication and then redirects to the actual application. Everything works as expected in IE and Firefox, but in Safari a second login dialog box appears. When I did a packet capture using Wireshark I noticed that in IE and FF the basic authentication is carried forward to the actual application from the IIS server, but in Safari there is an NTLM negotiation in between because there is a 401 response, so my application asks for one more login dialog. Does anyone know why Safari is behaving like this?
    Thanks & Regards
    Karthikeyan Vaithilingam

    I found a related post https://discussions.apple.com/thread/3274071?start=0&tstart=0. There is an issue with basic authentication and Http Redirect.

  • VPN Concentrator authentication with multiple domains

    I have a hub and spoke network where a T1 comes in to the hub site A and there is a frame relay connection going over to the spoke site B. We want to add a VPN concentrator to site A for remote access, but site A and site B have their own domains that are independent of one another. Can I set up the VPN Concentrator to authenticate users that belong to site A's domain using site A's domain controller and authenticate users that belong to site B's domain using site B's domain controller? That way we can use a single VPN concentrator and a single internet connection but keep the authentication separate.
    Thanks in advance for any help.

    To authenticate users that belong to site A domain using site A's domain controller you should authenticate users that belong to site A domain using site A's domain controller

  • Manual Tomcat Active Directory (AD) Authentication with multiple domains

    Hi,
    We have successfully implemented manual AD Authentication on our BO XI 3.1 environment using the Tomcat application server.
    Now we need to include another domain to be able to use AD authentication to BOE.
    What changes do we need to perform to allow the additional domain to log in successfully?
    Thanks for any support.
    Thanks,
    J

    Hello,
    You need to modify the file krb5.ini by adding the second domain there
    Have a look at the note 1406795 (https://bosap-support.wdf.sap.corp/sap/support/notes/1406795)
    The users of that domain will have to login by specifying that domain (user@domain)
    Regards,
    Philippe

  • Portal AD authentication with multiple OU

    Hi, all.
    We are trying to implement AD authentication. Users are located under 3 different OUs (but the same domain controller). I don't want to use an AD group to "group" the users since they would be limited to having one group. Is there a way to put multiple OUs in the UME user path config?
    We are running on EP7, SP13.
    Thanks,
    Jonathan.

    Hi,
    LDAP error 49 is:
    LDAP_INVALID_CREDENTIALS: Indicates that during a bind operation one of the following occurred:
    The client passed either an incorrect DN or password.
    The password is incorrect because it has expired, intruder detection has locked the account, or some other similar reason.
    (ref http://www.directory-info.com/LDAP/LDAPErrorCodes.html)
    Probably you've entered the password wrong, or the xml file is referring to one of the fields of the UME config properties (there are several you can refer to from the xml file).
    Could you either send the relevant part of the datasource configuration xml file or do a network trace on port 389 with ethereal in order to find out which password the portal uses ?
    Regards
    Dagfinn

  • Windows Server CNA with multiple NICs needed

    I have a Windows server in which I am teaming two CNA connections for Networking and Storage. They are teamed using the Emulex teaming utility. I want to set up a primary network and a backup network, but I cannot seem to edit the currently configured team to allow for multiple connections. Can anybody help out?

    Hi,
    To resolve your problem as soon as possible, please consult the teaming utility manufacturer about this issue.
    To configure NIC Teaming on Windows Server 2012 R2, please follow the steps below:
    1. Click the server name in the list of servers (even if there is only a single server).
    2. From the Tasks drop-down menu in the Teams section, click New Team.
    3. In the Add Team dialog box, type a team name and select the network adapters in the team.
    4. If you are using VLANs, clear the Default check box and specify the VLAN ID. By default, the team will deliver up all traffic received regardless of VLAN ID (though the VLAN ID is passed with the packet so that other components in the stack can sort them appropriately).
    5. If you want to use a mode other than the default, click Advanced and specify the teaming mode (Switch Independent, Static Teaming, or LACP) and load distribution mode (Address Hash) as needed.
    6. Click OK to create the team.
    You can change the Active/Standby adapter in step 5.
    For detailed information, please view the link below,
    NIC Teaming Overview
    http://technet.microsoft.com/en-us/library/hh831648.aspx
    Hope this helps.
    Steven Lee
    TechNet Community Support

  • When I open a website or a link, a window opens up with multiple tabs with the messages "Firefox can't find the server at xn--9ca960n." and "Index of file:///C:/Program Files/Mozilla Firefox/" , and other similar messages. I have deleted the cookies, hist

    Every time I open a new window, search something in Google, or click a link, a Firefox window with four tabs comes up.
    The first tab has: http://xn--9ca960n/
    The second: file:///C:/Program%20Files/Mozilla%20Firefox/
    The third: http://xn--depe5-era1e2dt998a/
    The fourth: http://xn--jr2dqm-ekaby3owwwa1bgb4bh1dw4lgao61m/
    We have also lost our windows XP theme for the desktop at the same time. I did fix that issue, but the theme keeps disappearing again and is becoming a hassle.
    I have run a virus scan with trend micro but nothing was found.
    I also deleted cookies, caches and the whole history
    I would appreciate your help. Thanks.
    == This happened ==
    Every time Firefox opened
    == out of the blue, early this week. ==
    == User Agent ==
    Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)

    Hello Susanne.
    You may be having a problem with some Firefox add-on that is hindering your Firefox's normal behavior. Have you tried disabling all add-ons (just to check), to see if Firefox goes back to normal?
    Whenever you have a problem with Firefox, whatever it is, you should make sure it's not coming from one of your installed add-ons, be it an extension, a theme or a plugin. To do that easily and cleanly, run Firefox in [http://support.mozilla.com/en-US/kb/Safe+Mode safe mode] and select ''Disable all add-ons''. If the problem disappears, you know it's from an add-on. Disable them all in normal mode, and enable them one at a time until you find the source of the problem. See [http://support.mozilla.com/en-US/kb/Troubleshooting+extensions+and+themes this article] for information about troubleshooting extensions and themes. You can troubleshoot plugins the same way.
    If you want support for one of your add-ons, you'll need to contact its author.
