Below steps should be followed to configure kerberos for OAM :
1.
Create user in Active Directory which OAM will use
during WNA
2.
Generate the keytab file
3.
Transfer the keytab file to OAM server
4.
Configure krb5.conf file
5.
Check the keytab file and the SPN
6.
Configure the Kerberos scheme
7.
Configure Kerberos Authentication Module
8.
Protect the resource with the Kerberos scheme
9.
Enabling the Browser to Return Kerberos Tokens
10. Issues and
work-around
1.
Create user in Active Directory which
OAM will use during WNA
·
Login to devcorp.Test.com by Remote Desktop
connection.
·
Navigate to Active Directory Users and Groups.
·
Create a new user as below:
·
Provide password and check password never expire
option.
·
Provide the user Domain Admins privilege so that the
user can login by RDP.
·
The newly created user now should be able to login
with his credentials.
2.
Generate the keytab file
·
Open cmd in RDP and run below command to create the
keytab file :
ktpass /princ HTTP/dev-sso.Test.com@DEVCORP.TEST.COM
/mapuser Oamssouser /pass Oracle@12345 /ptype KRB5_NT_PRINCIPAL /out C:\oraclesso1.keytab
/kvno 0
·
It should create the oraclesso1.keytab file in C
directory.
3.
Transfer the keytab file to OAM server
·
Copy the keytab file into local system from RDP and
transfer it into OAM server in location /appl/iam/middleware/oam/server/config.
4.
Configure krb5.conf file
·
Configure krb.conf file located in /etc/krb5.conf.
# Configuration snippets
may be placed in this directory as well
includedir
/etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DEVCORP.TEST.COM
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
udp_preference_limit = 1
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
rc4-hmac
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
rc4-hmac
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
rc4-hmac
[realms]
DEVCORP.TEST.COM = {
kdc = w2ddcw0011003.devcorp.Test.com
admin_server = w2ddcw0011003.devcorp.Test.com
default_domain = DEVCORP.TEST.COM
}
[domain_realm]
devcorp.Test.com = DEVCORP.TEST.COM
.devcorp.Test.com = DEVCORP.TEST.COM
.Test.com = DEVCORP.TEST.COM
dev-sso.Test.com = DEVCORP.TEST.COM
5.
Check the keytab file and the SPN
·
We can verify the Keytab and SPN using klist and
kinit command as below:
klist -k -t -K -e
FILE:/appl/iam/middleware/oam/server/config/oraclesso1.keytab
kinit -V -k -t /appl/iam/middleware/oam/server/config/oraclesso1.keytab
HTTP/dev-sso.Test.com@DEVCORP.TEST.COM
6.
Configure the Kerberos scheme
·
An authentication scheme is created as TESTKerberosScheme
as below:
7.
Configure Kerberos Authentication
Module
·
An authentication module is created as TESTKerberos
as below:
Name TESTKerberos
Key Tab File /appl/iam/middleware/oam/server/config/oraclesso1.keytab
KRB Config File /etc/krb5.conf
8.
Protect the resource with the Kerberos
scheme
·
Create an Authentication Policy TESTWNAPolicy as
below:
·
Protect the resource /WNA.html with the policy
created above.
9.
Enabling the Browser to Return
Kerberos Tokens
·
Make sure Enable Integrated Windows Authentication
option is enabled in IE under Advanced section.
·
Add sites under Security -> Local intranet zone
·
Then the application should be accessible without
any prompt for authentication.
10.
Issues
and work-around :
i) Kerberos Application keeps on waiting state
for a long time and then giving timeout error:
Soln:
Providing
below parameter in krb5.conf file:
udp_preference_limit
= 1
right
tag)
DNS
issue: After adding the below entry in AD hosts etc file this issue resolved.
References:
