SAGE Computing Services
Consulting and customised training workshops

Active Directory Integration
AD, WLS & ADF in Harmony (a case study)

Ray Tindall, Senior Systems Consultant
www.sagecomputing.com.au
Things have changed since 2006

2006: "OID & AD in Harmony?"              Now: WLS
  SSO Portal                               AD LDAP Provider
  Synchronisation of OID & AD              ADF Security
  SSO Delegated Authentication             Kerberos with WLS
  Windows Native Authentication with SSO
  Forms
Agenda Overview

Who, What & Why: the primary goal
Resources & References (IBM???)
The Plan & The Path: implementation
How we did it; how you can do it
Testing, Troubleshooting & Hints
Wrap up: where are we now
Who, What & Why

Who?
What? The System
  Weblogic Server 10.3.2, ADF 11.1.1.2, Active Directory on Windows Server 2003 (now 2008 R2)
  Windows workstations with IE 7
Why? The Wishlist
  Seamless & transparent authentication (login) against AD
  Authorisation against AD (Groups)
  Forms to ADF interoperability; scope to expand
Resources & References

Administering the SPNEGO TAI: Tips on using Kerberos service principal names, by Martin Lansche, IBM
Configuring Kerberos with Weblogic Server, by Faisal Khan, SecureZone
Troubleshooting Kerberos issues with Weblogic server, by Faisal Khan, SecureZone
Configuring WLS With MS Active Directory, by Chris Muir, SAGE Computing
Configuring a JDev 11g ADF Security app on standalone WLS against MS Active Directory, by Chris Muir, SAGE Computing
Oracle® Fusion Middleware Securing Oracle WebLogic Server, 11g Release 1 (10.3.1), 6 Configuring Single Sign-On with Microsoft Clients (this "is" 10.3.2!)
The Plan & The Path

Proof of Concept: DEV, a new system on new infrastructure
Target Apps: DEV, WLS on a VM (snapshots)
Risks: Production AD only! Load balancing in PROD only
How to Get There

Implementation Key Concepts
  AD LDAP Provider
  Kerberos with WLS
  ADF Security

Implementation Task Overview
  Network & AD preparation
  WLS AD Authentication
  WLS Host Kerberos configuration
  WLS Kerberos configuration
  Clients (Browser/s) configuration
  Apps (ADF Application) configuration
  Test (with your favourite beverage at hand)
  Troubleshoot (with your favourite beverage at hand)
Environment Specifics

KDC server: OURKDC (.dtf.wa.gov.au)
  The Windows domain controller serving as Key Distribution Centre.
  Most doco (including the official doco) implies you should use the IP address; use the DNS name instead!
Default AD domain: dtf.wa.gov.au
Kerberos Realm: DTF.WA.GOV.AU (the domain name in upper case)
WLS AD account: wlskerberosadacc / obscurepwd
  A "user" AD account used for the WLS host and to map the Service Principal.
  The official doco says to just use the simple machine name. NO! Bad idea; make it different and make it descriptive.
WLS Virtual Host DNS: ourvirtualwls (.dtf.wa.gov.au)
  The URL you will use to access your Web Applications; it also serves as the basis of the Service Principal.
  The official doco doesn't even mention a Virtual Host as a consideration, BUT it is critical for a Windows WLS host in the same domain*, and a good idea in other cases anyway.

* The machine name URL will already exist in a Windows domain as the Service Principal HOST/machine.dtf.wa.gov.au, registered against the machine's Computer account in AD. At runtime Kerberos derives the basis of the Service Principal from the browser URL, so AD will find and default to the HOST/ Service Principal and try to use the "computer" account instead of finding our HTTP/ Service Principal and using our WLS "user" AD account. The credentials in your keytab will then not match the ticket returned by AD.

Bottom line: ignoring the protocol prefix HTTP/, the URL of the Service Principal that will be used to access your Web Applications should exist in AD only once!
Network & AD preparation

Implementation Steps:
1. Create Virtual Host DNS
2. Create WLS Service AD "user" account (not a computer account!)
3. Map SPN (Service Principal) with setspn & generate Keytab with ktab
   Linux: use ktpass instead
   Must be your user service account. Get it right; it is not validated!
Slide note: not strictly needed with JDK 1.5+
WLS AD Authentication

Implementation Steps:
4. Create WLS AD Authentication Provider (WLS LDAPAuthenticator)
5. Test Authentication Provider
See: Configuring a JDev 11g ADF Security app on standalone WLS against MS Active Directory, by Chris Muir, SAGE Computing
Slide callouts: Remove! Remove?
WLS Host Kerberos configuration

Implementation Steps:
6. Create krb5.ini (case sensitive)
7. Copy Keytab to WLS (for Linux use ftp; note this is a binary file)
8. Test Host Kerberos with kinit
   Go no further if this no worky!
Slide note: not strictly needed with JDK 1.5+
WLS Kerberos configuration

Implementation Steps:
9. Create krb5Login.conf
10. Add WLS Kerberos startup parameters (startWebLogic.cmd)
11. Create Identity Assertion Provider (WLS NegotiateIdentityAsserter)
Client (Browser/s) configuration

Implementation Steps:
12. Configure Windows Native Authentication
    Auto logon for Intranet: IE, Firefox, …
Apps (ADF Application) configuration

Implementation Steps:
13. Configure ADF Application Security
    Run the Configure ADF Security Wizard
    Enterprise Roles (AD) to Application Roles (ADF)
    web.xml <login-config>: <auth-method>CLIENT-CERT
13 steps; hmmm; is this a sign?
Testing

LDAP Provider
kinit (with keytab)
Bringing it all together: ADF Application, transparent login
Wha…? I followed the instructions!
Troubleshooting

When things just don't go your way!

WLS Security debug: WLS log level and standard out (standard out log level >= notice)
Utilities checks (with verbose debug): check the AD user account, including SPN mapping
  (Server Admin Pack, Softerra LDAP Browser; debug = java kinit)
Config files: krb5.ini, krb5Login.conf, config.xml
  (case sensitivity, syntax; Linux? has this changed?; no krb5. prior to JDK 6.0, include prior options)
AD LDAP Provider: base DNs, filters, search scopes
Wireshark... in extreme cases

Slide callouts: Due to CLIENT-CERT,FORM. Best to have 1 only. Success. Checksum failed!? Don't be fooled, that's normal!
Traps

Naming & case sensitivity
  Don't name the AD account the same as the WLS host
  Mind case sensitivity & syntax (especially krb5.ini)
There must be only "one" SPN URL in AD
  Use ldifde to check for duplicates; setspn -D to remove bad or duplicate SPNs
Kerberos / WLS can't find config files (krb5.ini, keytab, krb5Login.conf)
  Know & use the default locations for them
  Try absolute paths where referenced in dependent config
  Try a WLS/host reboot
Order of WLS Providers: Asserter followed by LDAP Provider, then the defaults
Use the Virtual URL, not the host URL
  Configure a 2nd DNS entry, not a DNS alias (note: does not require a WLS Virtual Host definition)
Clear browser cache/s
Clock skew: AD, WLS and client within 2 mins
  Does the host need the WA Daylight Saving patch?
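An added example, not from the slides: a small Python check of the naming rules from the Environment Specifics and Traps sections above (realm as the upper-cased domain, KDC by DNS name, a service account not named after the WLS host, and the virtual-host name registered in AD exactly once, as an HTTP/ SPN on the service account). The plan values and the SPN inventory are constructed from the slides' example names; the host wlshost01 and the account oldsvcacc are assumptions.

```python
import re

# Constructed plan values, using the slides' example names (assumed; not real AD data)
PLAN = {
    "domain": "dtf.wa.gov.au", "realm": "DTF.WA.GOV.AU", "kdc": "ourkdc.dtf.wa.gov.au",
    "virtual_host": "ourvirtualwls.dtf.wa.gov.au", "wls_host": "wlshost01.dtf.wa.gov.au",
    "service_account": "wlskerberosadacc",
}
# Constructed SPN inventory keyed by AD account (what 'setspn -L <account>' would list);
# 'oldsvcacc' carries a stale duplicate of the virtual-host SPN, the trap the slides describe
SPN_INVENTORY = {
    "wlskerberosadacc": ["HTTP/ourvirtualwls.dtf.wa.gov.au", "HTTP/ourvirtualwls"],
    "WLSHOST01$": ["HOST/wlshost01.dtf.wa.gov.au", "HOST/WLSHOST01"],
    "oldsvcacc": ["HTTP/ourvirtualwls.dtf.wa.gov.au"],
}

def spn_registrations(inventory):
    """Index SPNs by their host part, ignoring the service class (HTTP/, HOST/, ...),
    because AD matches the ticket request on the host name derived from the browser URL."""
    regs = {}
    for account, spns in inventory.items():
        for spn in spns:
            regs.setdefault(spn.partition("/")[2].lower(), []).append(f"{account}:{spn}")
    return regs

def check_plan(plan, inventory):
    """Return the slides' traps found in the plan: realm not the upper-cased domain, KDC by IP,
    service account named after the WLS host, virtual-host name not registered exactly once
    as an HTTP/ SPN on the service account (a HOST/ SPN on the computer account collides)."""
    problems = []
    if plan["realm"] != plan["domain"].upper():
        problems.append("realm must be the upper-case form of the AD domain")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", plan["kdc"]):
        problems.append("kdc given as an IP address; use the DNS name")
    if plan["service_account"].lower().rstrip("$") == plan["wls_host"].split(".")[0].lower():
        problems.append("service account named after the WLS host; use a distinct, descriptive name")
    hits = spn_registrations(inventory).get(plan["virtual_host"].lower(), [])
    if len(hits) != 1:
        problems.append(f"{plan['virtual_host']} has {len(hits)} SPN registrations {hits}; expected one")
    elif not hits[0].startswith(f"{plan['service_account']}:HTTP/"):
        problems.append(f"{plan['virtual_host']} is not an HTTP/ SPN on the service account: {hits[0]}")
    return problems
```

Running check_plan(PLAN, SPN_INVENTORY) reports the duplicate registration; removing oldsvcacc from the inventory yields an empty list, and pointing virtual_host at the machine name reports the collision with the computer account's HOST/ SPN.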
Hints & Tips

WLS / host reboots at critical points
Check the full range of options for the utilities (kinit, ktab, klist); the Java core versions of these give verbose debug output
Use CLIENT-CERT only in ADF Security while troubleshooting: CLIENT-CERT,FORM may not produce debug message output
Use the client's local hosts file where there is no DNS entry; also useful to test a specific node in a load balanced scenario
Load balanced / proxy scenario: same keytab / setup on each node; the DNS/Virtual URL (for the SPN) is the URL the LBR/proxy routes
Performance hits: mind recursive & deep group searching; check & turn off all DEBUG once happy
Multiple technologies: look outside the Oracle box
Linux: ktpass changes the AD account name to HTTP/former_name; mind this for kinit & krb5Login.conf setup
Current Status

Friends? No problem!
Proof of Concept: DEV
TEST
UAT
PROD: Go Live the coming weekend

Thank you!
Questions?
Presentations are available from our website: www.sagecomputing.com.au

SAGE Computing Services
Consulting and customised training workshops
Peace & Harmony