vRA7 Kerberos authentication configuration

Hello

I'm trying to configure Kerberos authentication in my vRA7 environment. I followed the instructions in the reference documentation. I have installed the connector, the workers and the Kerberos authentication providers, and I can connect with my domain user name and password via the password authentication provider.

However, when I try to log in, I get the following error message: access.policy.auth.methods.not.valid.

Access denied because no valid authentication methods have been found (404)

When I try the test URL https://connector-instance.domain.host/authenticate, I get an HTTP 404 status error for /authenticate.

Any ideas?

Best

Guido

Solved: all accounts that are synchronized with the Identity Manager must have a first name, surname and email address configured.

Tags: VMware

Similar Questions

  • Kerberos authentication and using the ktpass tool

    I work in support for a network analysis software company. We have the ability to use Kerberos authentication for our product. Recently, we found that when you generate the keytab file using ktpass on Windows Server 2003 or 2008, it is one step behind in the process. Eventually you have to run ktpass twice to get a good keytab file.

    Our external authentication module is software that uses Kerberos authentication; it is then placed on a remote client computer to access our software. We configure our Kerberos application and then read from the keytab file generated on a Windows Server 2003 or 2008 domain controller, using the Kerberos V5 found on the AD domain controllers.

    When you run the ktpass tool, you must submit the user name and password to generate the keytab file. When it is generated, a KVNO number is generated / incremented in the keytab file. But it writes the file first and then updates the KVNO + 1 number in the actual key stored in AD. So your keytab file is always one number behind what is actually stored in AD!

    We can fix it by running ktpass once,

    examining the properties for the KVNO number in the last keytab file,

    re-running ktpass, but with KVNO + 1.

    The keytab file is generated, and AD writes the new KVNO + 1 number in AD,

    but now our keytab file matches the KVNO number generated by AD.

    Are we missing a step in the ktpass tool?

    Is there a way to see what the current KVNO number is set to in AD?

    We have tested extensively with Windows 2003 and Windows 2008 R2 domain controllers.

    The hosts were both Windows 7 Professional 64-bit.

    Was just curious if anyone has had this experience?

    Thanks in advance,

    Terry Ball

    Hello Terry,

    According to the description of the problem, it seems that you are working on Windows Server 2003 and 2008. I would recommend posting your query on the TechNet forums for Windows Server.

    TechNet is watched by other computing professionals who would be more likely to help you. Please check the link below, which will redirect you to the appropriate forum.

    http://social.technet.Microsoft.com/forums/WindowsServer/en-us/home?Forum=winserver8gen

    Hope that the information provided is useful. Let us know if you have questions related to Windows; we will be happy to help you.

    Kind regards
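    Added example, not part of the thread above: a small Python keytab reader that answers the two practical questions in the post, which kvno a ktpass-generated keytab actually contains and whether it matches the account in AD. It parses the version 0x0502 keytab format that ktpass writes (the "Keytab version: 0x502" line in ktpass output) and compares each entry's kvno with a value you read from the account's msDS-KeyVersionNumber attribute in AD, for example with Get-ADUser <account> -Properties msDS-KeyVersionNumber. The sample keytab is constructed inside the script with a made-up principal and an all-zero key; nothing here comes from the poster's environment.

```python
import struct

# Kerberos encryption type numbers (RFC 3961 / RFC 4757) seen in Windows-issued keytabs.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


def _counted(s):
    """Encode a keytab counted_octet_string: 16-bit big-endian length + bytes."""
    b = s.encode()
    return struct.pack(">H", len(b)) + b


def write_keytab(entries):
    """Serialize (realm, components, name_type, timestamp, kvno, enctype, key) tuples as a
    version 0x0502 keytab, the format ktpass and MIT ktutil write."""
    out = bytearray(b"\x05\x02")
    for realm, comps, name_type, ts, kvno, etype, key in entries:
        body = struct.pack(">H", len(comps)) + _counted(realm) + b"".join(_counted(c) for c in comps)
        body += struct.pack(">IIB", name_type, ts, kvno & 0xFF)   # name type, timestamp, 8-bit vno
        body += struct.pack(">HH", etype, len(key)) + key            # keyblock: enctype, length, key
        body += struct.pack(">I", kvno)                              # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body                   # entry length prefix
    return bytes(out)


def read_keytab(data):
    """Parse a version 0x0502 keytab and return one dict per entry (keys are not returned)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # a negative size marks a deleted slot; skip it
            pos += -size
            continue
        end, p = pos + size, pos
        (ncomp,) = struct.unpack_from(">H", data, p); p += 2
        strings = []
        for _ in range(ncomp + 1):    # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, p); p += 2
            strings.append(data[p:p + n].decode()); p += n
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, p); p += 9
        etype, klen = struct.unpack_from(">HH", data, p); p += 4
        p += klen                     # skip the key material itself
        kvno = vno8
        if end - p >= 4:              # 32-bit kvno present: it supersedes the 8-bit field
            (kvno32,) = struct.unpack_from(">I", data, p)
            if kvno32:
                kvno = kvno32
        entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0],
                        "kvno": kvno, "enctype": ENCTYPES.get(etype, str(etype)),
                        "name_type": name_type, "timestamp": ts, "key_len": klen})
        pos = end
    return entries


def kvno_mismatches(entries, ad_kvno):
    """Return the entries whose kvno differs from the account's msDS-KeyVersionNumber in AD
    (read it with: Get-ADUser <account> -Properties msDS-KeyVersionNumber)."""
    return [e for e in entries if e["kvno"] != ad_kvno]


# Constructed sample: a keytab as ktpass would produce for a hypothetical service account.
# Principal, realm and timestamp are made up; the key is all zeros, not a real key.
SAMPLE_KEYTAB = write_keytab([
    ("EXAMPLE.COM", ["HTTP", "app.example.com"], 1, 1454760000, 3, 23, bytes(16)),
])

if __name__ == "__main__":
    for e in read_keytab(SAMPLE_KEYTAB):
        print(e)
    print("mismatches vs AD kvno 4:", kvno_mismatches(read_keytab(SAMPLE_KEYTAB), 4))
```

    To inspect a real file, call read_keytab(open("svc.keytab", "rb").read()) and pass the AD value to kvno_mismatches; any entry it returns is a key the service will present with the wrong version number, which is the one-behind symptom described in the post.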

  • Kerberos authentication problem

    I followed the configuration steps at http://weblogic-wonders.com/weblogic/2009/11/15/configuring-kerberos-with-weblogic-server/ published by Faisal Khan.

    When I try to access my application running in WebLogic, I face the following problem (the famous error 401 - not authorized).
    Suppose that the principal user is 'main-user', and my Windows account is 'windows-user'.

    (1) The Kerberos authentication looks fine; I got the following success information:
    Found key for main-user@XXX.COM (1)
    Entered Krb5Context.acceptSecContext with state=STATE_NEW
    EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
    Using builtin default etypes for permitted_enctypes
    default etypes for permitted_enctypes: 3 1 23 16 17.
    EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
    Config reset default kdc XXX.COM
    replay cache for windows-user@XXX is null.
    object 0: 1282932038000/154
    object 0: 1282932038000/154
    >>> KrbApReq: authenticate succeed.
    Krb5Context setting peerSeqNumber to: 1113985206
    EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
    Krb5Context setting mySeqNumber to: 792726776

    (2) But after that, it seems WebLogic wants to do another authentication with my Windows account:

    <User name was found, set up callbackhandler>
    <com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter$ChallengeContextV2Impl.constructor>
    <com.bea.common.security.internal.service.ChallengeIdentityAssertionTokenServiceImpl$ChallengeContextImpl.constructor>
    <com.bea.common.security.internal.service.ChallengeIdentityAssertionServiceImpl$ChallengeContextImpl.constructor>
    <com.bea.common.security.internal.service.ChallengeIdentityAssertionServiceImpl$ChallengeContextImpl.hasChallengeIdentityCompleted>
    <com.bea.common.security.internal.service.ChallengeIdentityAssertionTokenServiceImpl$ChallengeContextImpl.hasChallengeIdentityCompleted>
    <com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter$ChallengeContextV2Impl.hasChallengeIdentityCompleted>
    <com.bea.common.security.internal.service.ChallengeIdentityAssertionTokenServiceImpl$ChallengeContextImpl.getCallbackHandler>
    <com.bea.common.security.internal.service.ChallengeIdentityAssertionTokenServiceImpl$ChallengeContextImpl.hasChallengeIdentityCompleted>
    <com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter$ChallengeContextV2Impl.hasChallengeIdentityCompleted>
    <com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter$ChallengeContextV2Impl.getCallbackHandler>
    <com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter$ChallengeContextV2Impl.hasChallengeIdentityCompleted>
    <com.bea.common.security.internal.service.IdentityAssertionCallbackServiceImpl.assertIdentity>
    <com.bea.common.security.internal.service.IdentityAssertionCallbackServiceImpl.assertIdentity>
    <com.bea.common.security.internal.service.IdentityAssertionCallbackServiceImpl.assertIdentity returning windows-user>
    <com.bea.common.security.internal.service.IdentityCacheServiceImpl.getCachedIdentity(windows-user)>
    <com.bea.common.security.internal.service.IdentityCacheServiceImpl.getCachedIdentity(windows-user) returning null>
    <com.bea.common.security.internal.service.IdentityAssertionCallbackServiceImpl.assertIdentity did not find a cached identity.>
    <com.bea.common.security.internal.service.CallbackHandlerWrapper.constructor>
    .... (does an LDAP search)
    <com.bea.common.security.internal.service.LoginModuleWrapper.commit delegated, returning false>
    <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate authenticate failed for user windows-user>

    I don't know why, after the Kerberos authentication, WebLogic does another authentication using my Windows account.

    And if I create the user 'windows-user' as a WebLogic user, then authentication succeeds and I can access my application.

    But this is not so-called "SSO" - there is no point in creating all users as WebLogic domain users.

    I think I might have made a mistake in my WebLogic environment, any idea?

    Thank you very much.

    Hi Victor,

    I have observed the following in your server logs:

    <[Security:090300]Identity assertion failed: user windows.user does not exist>

    We need to create the user who tries to connect to the application in WebLogic Server (whether in the DefaultAuthenticator or the ActiveDirectoryAuthenticator) for Kerberos-based authentication to work.

    Single sign-on means that the customer (end user) doesn't have to provide the credentials all over again; their domain credentials are substituted.
    Put simply, a Kerberos token is passed to WLS, WLS decrypts the token, retrieves the user name and tries to check it against some store. So the user must be present there, in accordance with the Kerberos protocol.

    Hope that helps.

    Let me know if you have any other questions!

    Thank you
    Faisal

  • Kerberos authentication vs. UCM 10gR3

    Hello

    I would like to know if it is possible to use Kerberos authentication out of the box with UCM 10gR3, without using OIM or layers like that.

    UCM is running on Windows Server 2003 and IIS 6.x. Clients and applications are on Windows XP or 2003.

    Thank you.

    What is your user directory? AD?

    Are you trying to authenticate users who are already logged on to the Windows domain?

    If the answer to those is yes, then configure Integrated Windows Authentication, and by default it will use Kerberos.

    If this is what you need, then let us know and I can give you some advice.

    Tim

    Posted by: Tim Snell on June 25, 2010 13:23

  • Need to implement an alternative login if Kerberos authentication fails

    In our case, we are sure that Kerberos will fail, because we allow agency 'B' to access this application from a trusted source.

    Kerberos fails and the application should display the user name and password page and then authenticate.

    In the web.xml file I changed the auth method from BASIC to Kerberos; it is set up successfully.

    Agency 'A' users can do Kerberos SSO successfully. But when an agency 'B' user accesses the application, SSO fails with 401 and the application shows the Basic popup with user name and password fields.

    When the user provides the details and submits, the application returns 401 again. Not able to go beyond these steps.

    Please provide your inputs.

    Can you please enable security ATN debug and share the logs?

    That will tell us why the authentication fails.

    Replace the authentication method in web.xml with CLIENT-CERT, BASIC and try.

    What is the control flag of the default authenticator? I think it should be just OPTIONAL.

    -Faisal
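    Added example, not part of either WebLogic thread above: in both cases the server answers 401 and the first thing to establish is what the browser actually sent back. The Python below decodes the Authorization: Negotiate header and reports whether the token is SPNEGO with Kerberos as the first (attached) mechanism, SPNEGO offering only NTLM (the client could not obtain a service ticket, typically a missing SPN or an untrusted realm, as for the agency 'B' users), or a bare NTLMSSP message, which WebLogic's Kerberos identity asserter cannot accept. The sample headers are constructed in the script from the standard mechanism OIDs; none of them was captured from a real server.

```python
import base64

# GSS-API mechanism OIDs that appear in HTTP Negotiate tokens.
OIDS = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "Kerberos V5 (legacy Microsoft OID)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    "1.3.6.1.4.1.311.2.2.30": "NEGOEX",
}


def _tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                         # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def _decode_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def classify_negotiate(header_value):
    """Classify the credential in an HTTP Authorization header value.
    For 'Negotiate' it returns the mechanisms listed in the SPNEGO NegTokenInit (the first
    one is the mechanism whose token is actually attached) or the raw mechanism used."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"kind": scheme, "mechs": []}
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):      # bare NTLM message, no GSS-API framing
        return {"kind": "raw NTLM", "mechs": ["NTLMSSP"]}
    tag, body, _ = _tlv(token, 0)
    if tag != 0x60:                           # not a GSS-API InitialContextToken
        return {"kind": "unknown", "mechs": []}
    tag, oid, pos = _tlv(body, 0)
    mech = OIDS.get(_decode_oid(oid), _decode_oid(oid))
    if mech != "SPNEGO":                      # e.g. a raw Kerberos AP-REQ
        return {"kind": "raw " + mech, "mechs": [mech]}
    tag, neg, _ = _tlv(body, pos)
    if tag != 0xA0:                           # [1] negTokenResp: a later round trip
        return {"kind": "SPNEGO response", "mechs": []}
    _, seq, _ = _tlv(neg, 0)                  # NegTokenInit SEQUENCE
    tag, mech_types, _ = _tlv(seq, 0)         # [0] mechTypes: MechTypeList
    mechs, p = [], 0
    if tag == 0xA0:
        _, lst, _ = _tlv(mech_types, 0)
        while p < len(lst):
            _, v, p = _tlv(lst, p)
            mechs.append(OIDS.get(_decode_oid(v), _decode_oid(v)))
    return {"kind": "SPNEGO", "mechs": mechs}


# --- constructed samples (not captured from any real server) ---

def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, (a & 0x7F) | 0x80)
            a >>= 7
        out.extend(chunk)
    return _der(0x06, bytes(out))


def build_negotiate_header(mech_oids, mech_token):
    """Build 'Negotiate <b64>' carrying a NegTokenInit with the given mechTypes and mechToken."""
    mech_types = _der(0xA0, _der(0x30, b"".join(_encode_oid(o) for o in mech_oids)))
    init = _der(0xA0, _der(0x30, mech_types + _der(0xA2, _der(0x04, mech_token))))
    token = _der(0x60, _encode_oid("1.3.6.1.5.5.2") + init)
    return "Negotiate " + base64.b64encode(token).decode()


# Browser obtained a service ticket: Kerberos first, NTLM only as a fallback offer.
SAMPLE_KERBEROS = build_negotiate_header(["1.2.840.113554.1.2.2", "1.3.6.1.4.1.311.2.2.10"], b"\x60\x00")
# Browser could not get a ticket (no SPN, untrusted realm): NTLM is the only mechanism.
SAMPLE_NTLM_FALLBACK = build_negotiate_header(["1.3.6.1.4.1.311.2.2.10"], b"NTLMSSP\x00\x01\x00\x00\x00")
SAMPLE_RAW_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()

if __name__ == "__main__":
    for h in (SAMPLE_KERBEROS, SAMPLE_NTLM_FALLBACK, SAMPLE_RAW_NTLM, "Basic dXNlcjpwYXNz"):
        print(classify_negotiate(h))
```

    Feed it the header value from a browser trace or the server's access log; a result of "raw NTLM" or SPNEGO with NTLMSSP first means the 401 is not a WebLogic mapping problem but a client that never got a Kerberos ticket for the SPN.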

  • Kerberos authentication PeopleCode does not work (FUNCLIB_LDAP.LDAPAUTH.FieldDefault.KRB_AUTHENTICATION)

    Hello

    I am trying to enable Kerberos authentication on our PeopleSoft system (tools 8.53.24) and have problems with the authentication PeopleCode. More precisely, the function KRB_AUTHENTICATION() in FUNCLIB_LDAP.LDAPAUTH.FieldDefault(). I've set it up according to the instructions in PeopleBooks. The web server accepts a valid Kerberos token and runs the correct PeopleCode. It successfully retrieves the user name from the token, but when it instantiates the KerberosSSOValidator class and calls the validate() method, it returns the string "NULL" for the &validUserName variable, which makes the subsequent IF evaluation fail. See below, and note the code highlighted in red indicating where my problem lies:

    If Len(&userName) > 0 Then
       &krbToken = Substring(&krbToken, 11, Len(&krbToken) + 1);
       &validator = GetJavaClass("com.peoplesoft.pt.desktopsso.kerberos.KerberosSSOValidator").getInstance();
       Local string &validUserName = &validator.validate(&krbToken);
       If &validUserName <> "NULL" And
             &princName = &validUserName Then
          SetAuthenticationResult( True, Upper(&userName), "", False);
          &authMethod = "KRB";
       End-If;
    End-If;

    I added a few statements to log the values of the various variables at play in this block of code, and I can see that before the call to &validator.validate(), &userName correctly holds the user ID that came through in the Kerberos token. I also confirmed that the call to instantiate KerberosSSOValidator does not return a null object (if it did, the later line would fail anyway). Yet validate() always returns the string "NULL". Also, if I replace the call to validate() and hardcode &validUserName = "<username>", it logs me (or anyone) in as my ID when they hit a PeopleSoft page.

    Has anyone else seen this error? Please respond with any information specific to this code, and not with the Oracle instructions on setting up Kerberos authentication. I followed those steps.

    Finally, we have solved this problem. The problem was that when the keytab file was generated, the -mapuser parameter was missing from the ktpass command. Thus the SPN was not correctly mapped to the service account we created for this feature.

  • Active Directory Kerberos authentication ticket monitoring

    Hello

    A customer asked if the Active Directory cartridge has the ability to monitor errors in Kerberos authentication tickets, for example when the user has too many groups in his AD account and the Kerberos ticket becomes too large.

    Thank you

    Hi Miska,

    A search in eDocs reveals that there is a Directory Services Performance health view that includes:

    Kerberos Authentications. This counter displays the rate at which clients are using a Kerberos ticket to authenticate to the DC.
    Authentication Requests. This graph displays the number of times per second that clients use a Kerberos ticket to authenticate to the DC.

    These parameters are evaluated for the LDAP Kerberos Authentication rule:

    Purpose: This rule monitors the number of times per second that clients use a Kerberos ticket to authenticate to a DC. An upward trend may result in issues with LDAP-dependent services.

    These references appear to be the closest thing to "the ability to monitor Kerberos authentication ticket errors."

    Kind regards

    Brian Wheeldon
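    Added example, not from the thread: the "too many groups" case Miska asks about can be estimated offline with the formula from Microsoft KB 327825 (TokenSize = 1200 + 40d + 8s). The Python below applies it and also checks the base64-encoded ticket against the default http.sys header limit, because a ticket that still fits MaxTokenSize can already be too large for an Authorization header on IIS. The group counts used in the script are made up.

```python
# Default MaxTokenSize (bytes) for the Kerberos access token buffer: 12000 on Windows 2000 SP2
# through Windows 7 / Server 2008 R2, 48000 from Windows 8 / Server 2012 onward.
MAXTOKENSIZE_LEGACY = 12000
MAXTOKENSIZE_2012 = 48000
HTTP_SYS_MAXFIELDLENGTH = 16384   # default per-header limit of http.sys (IIS), in bytes


def estimate_token_size(domain_local, foreign_universal, global_groups, local_universal,
                        sid_history=0, base=1200):
    """Microsoft KB 327825 estimate:  TokenSize = 1200 + 40*d + 8*s
    d = domain-local groups + universal groups from other domains + sIDHistory entries
        (each is stored as a full SID, about 40 bytes)
    s = global groups + universal groups from the user's own domain (stored as RIDs, 8 bytes)
    The 1200-byte base covers the ticket and PAC overhead."""
    d = domain_local + foreign_universal + sid_history
    s = global_groups + local_universal
    return base + 40 * d + 8 * s


def header_bytes(token_size):
    """Size of 'Authorization: Negotiate <base64 ticket>' once the token is base64-encoded."""
    return len("Authorization: Negotiate ") + 4 * ((token_size + 2) // 3)


def token_report(**groups):
    """Estimate the token and say which of the usual limits it fits."""
    size = estimate_token_size(**groups)
    return {
        "estimated_token_bytes": size,
        "fits_maxtokensize_12000": size <= MAXTOKENSIZE_LEGACY,
        "fits_maxtokensize_48000": size <= MAXTOKENSIZE_2012,
        "fits_http_sys_header": header_bytes(size) <= HTTP_SYS_MAXFIELDLENGTH,
    }


if __name__ == "__main__":
    # Constructed group counts for a hypothetical over-entitled account.
    print(token_report(domain_local=300, foreign_universal=0, global_groups=200, local_universal=0))
```

    The second case in the test below is the instructive one: 300 domain-local and 200 global groups give about 14800 bytes, which passes the 48000-byte MaxTokenSize of Server 2012 but, base64-encoded, exceeds the 16 KB http.sys header default, so the user authenticates at the DC and then gets HTTP 400 from IIS.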

  • EAP-FAST and PEAP authentication configuration

    Hello world

    I have EAP working pretty well using LEAP; however,
    when I get to PEAP and EAP-FAST, I can't make it work.

    What am I missing? I know that EAP-FAST and PEAP require certificates. However, how do I configure them client side?
    Hope you guys can help me on this point, stuck on this part xD

    First of all I would make sure that PEAP or FAST is configured correctly. Debug while testing, pay close attention to the logs on the WLC, and do what is necessary to troubleshoot.

    Good read on local EAP...
    http://www.Cisco.com/c/en/us/TD/docs/wireless/controller/7-4/configurati...

    To set up your client, I'll assume it's Windows 7 or newer?

    https://supportforums.Cisco.com/document/68096/PEAP-authentication-confi...

  • AAA authentication configuration

    We have ACS server 3.1 for AAA authentication for all routers and switches. I want each person to connect to the router using their own ID, password and enable password. If the ACS server is unavailable, I want to have a different ID, password and enable password for console and telnet access. What is the right way to do this? I also want to track all commands entered on the router.

    That's what I have:

    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication login no_tacacs enable
    aaa authentication enable default group tacacs+ line
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    !
    username admin password 7 xxxxxxxxxxxxxxxx
    !
    !
    line con 0
     login authentication no_tacacs
    line aux 0
    line vty 0 4
     password 7 xxxxxxxxxxxxxxxxxxxxxxxx
    !

    Yes, it's Joy on the right. Thank you, Renault
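    Added example, not part of the thread: the config above stores the local fallback credentials as "password 7". That is the reversible obfuscation applied by service password-encryption, not a hash, so a TACACS+ outage plan that relies on it has to treat a leaked config as a leaked password. The Python below decodes and encodes type 7 strings and scans an IOS config for them; the sample config is constructed and uses the widely published type 7 encoding of the string "cisco", not a real credential.

```python
import re

# Cisco's fixed key stream for "service password-encryption" (type 7) passwords.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded):
    """Reverse a type 7 string: two decimal digits give the key-stream offset, the rest is
    hex of plaintext XOR key stream. No secret is involved, so anyone holding the config
    can do this; 'password 7' is obfuscation, not encryption."""
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data)).decode()


def type7_encode(plaintext, seed=9):
    """Inverse of type7_decode; IOS picks seed in 0..15."""
    data = plaintext.encode()
    body = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data))
    return f"{seed:02d}" + body.hex().upper()


TYPE7_LINE = re.compile(
    r"^\s*(?P<ctx>username\s+\S+\s+password|enable password|password)\s+7\s+(?P<hash>[0-9A-Fa-f]+)\s*$")


def audit_type7(config_text):
    """Return (config line, recovered plaintext) for every type 7 password in an IOS config."""
    hits = []
    for line in config_text.splitlines():
        m = TYPE7_LINE.match(line)
        if m:
            hits.append((line.strip(), type7_decode(m.group("hash"))))
    return hits


# Constructed sample config in the shape of the post; the type 7 value is the well-known
# encoding of "cisco", not a real credential.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs enable
username admin password 7 094F471A1A0A
line vty 0 4
 password 7 094F471A1A0A
 login authentication default
"""

if __name__ == "__main__":
    for line, clear in audit_type7(SAMPLE_CONFIG):
        print(f"{line!r} -> {clear!r}")
    # Remediation: 'username admin secret ...' and 'enable secret ...' store one-way hashes
    # (type 5, 8 or 9) that this routine cannot reverse.
```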

  • DMZ configuration for MS access

    I set up a DMZ for a Web server. I'll probably put an RODC in there later, but for now I want to open ports to the domain controller.

    I'm a bit new to DMZs and I'm a bit confused.

    I set up services for the different ports and then configured the LAN/DMZ rules going out of the DMZ to the domain controller, but I get no connection.

    I have the DMZ at 10.0.0.1 / 255.255.240.0
    The Web server is 10.0.0.5 / 255.255.240.0
    Gateway is 10.0.0.1

    DNS server is the primary domain controller, 192.168.10.1

    I opened the following service ports:

    Kerberos 88 (TCP, UDP)
    Time 123 (UDP)
    135 Kerberos authentication (TCP)
    LDAP 389
    LDAP 445
    MS DS 3268 (TCP)
    1025-4999 RPC ports (TCP)

    In the DMZ/LAN rules, for outgoing ones, should I simply specify the DMZ machine on the DMZ side, or do I need to specify the LAN users on the LAN side too?

    Then I need to duplicate these ports in the incoming rules, correct?

    Any help pointing to the relevant documentation would be great.

    No, you should not need to configure static routes, unless you have something weird going on. You can check the network path by adding incoming/outgoing ICMP LAN-DMZ rules (ICMP type 8, to be precise) and pinging back and forth between the DC and the Web server (ensuring any intermediate software firewall is disabled). If you can test in both directions, then you know with certainty that no static routes are needed.

  • AD authentication for VPN clients

    Hello

    I use a Cisco 1812 as an EzVPN server. I want to use Active Directory for authentication of the VPN users. I have been trying for two or three days, but without success.

    With the ASA, I am able to authenticate against AD, but not with the IOS router. Here is my configuration:

    aaa authentication login AD krb5
    kerberos local-realm THECCIEGROUP.LOCAL
    kerberos realm thecciegroup.local THECCIEGROUP.LOCAL
    kerberos realm .thecciegroup.local THECCIEGROUP.LOCAL
    kerberos server THECCIEGROUP.LOCAL 10.10.102.2
    kerberos preauth encrypted-kerberos-timestamp
    kerberos credentials forward

    If Kerberos authentication is not possible, I would like to know about the possibility of using AD as an external ACS database. I run both AD and ACS on the same server. If I can integrate AD with ACS, I can use TACACS+ or RADIUS for authentication.

    Thanks and best regards,

    VAMSi Pinnaka

    Bangalore.

    I can answer from the ACS side.

    Yes, you can integrate ACS with AD; the switch then uses ACS as a RADIUS server. ACS checks AD via Kerberos in the backend transparently.

    If you run ACS 4.x on a Windows PC that is a member of the domain, the integration is in fact made automatically.

  • Cross-domain AD authentication question via IPsec RA VPN on ASA

    Hello

    I set up remote access for users connecting to an ASA 5540; the IPsec policy uses RADIUS authentication via AD as well as certificates. Users authenticate correctly and can access everything on the domain without any problem. Let's say that the domain is (X). We recently merged with another company that manages domain (Y); on the AD servers, the two domains are configured as trusted domains.

    The problem we seem to be running into is that when users connect to the VPN and authenticate in domain X, then try to access resources in domain Y, it generally fails. They cannot consistently map drives by FQDN or IP, and vice versa (when authenticating on domain Y and attempting to access resources on domain X). It seems to work sometimes for some users, but more often it doesn't. Actual IP connectivity is fine; the problem is that the authentication fails.

    Has anyone noted problems with passing Kerberos authentication over an IPsec tunnel? When trying to access these resources while connected locally to the network, there is no problem, so it seems to be only with remote access.

    Any suggestion would be appreciated.

    Thank you

    Sam

    Saami

    Good fishing!

    The VPN host looks for a TCP-capable Kerberos server to authenticate to.

    The server must be joined to your domain.

    If your Kerberos/AD can talk TCP, it's just a matter of adding these records to your local DNS server. (Note that this is an SRV record, not an A record.)

    That being said, I think this should not be the default option and is very often used as a backup in case of failure of UDP communication, but it can depend on the client config - I'm not intimately familiar with this implementation on Microsoft systems.

    Marcin

  • Oracle Database 12c and Kerberos

    Hi guys, I have Kerberos authentication working well on Linux but I cannot configure the database to authenticate users with Kerberos 5.

    I followed the official instructions on setting up Kerberos authentication. However, I am stuck with an error.

    okinit and oklist work. But when I try to connect with 'sqlplus /@orcl' it gives me this error:

    ERROR:

    ORA-12638: credential retrieval failed

    Can someone help me?

    Thanks in advance

    Environment information:

    Oracle Database 12c: with multitenant support.

    Red Hat Enterprise Linux Server release 6.4 (Santiago) - Kernel: 2.6.32-358.18.1.el6.x86_64

    Logon done with Kerberos.

    The contents of the relevant files are here:

    sqlnet.ora

    # sqlnet.ora Network Configuration File: .../network/admin/sqlnet.ora
    # Generated by Oracle configuration tools.

    SQLNET.AUTHENTICATION_SERVICES = (BEQ, KERBEROS5)
    SQLNET.KERBEROS5_KEYTAB = /etc/oracle.keytab.03.27.14
    SQLNET.KERBEROS5_REALMS = /etc/krb5.realms
    SQLNET.KERBEROS5_CC_NAME = /tmp/krb5cc
    SQLNET.KERBEROS5_CONF = /etc/krb5.conf
    SQLNET.KERBEROS5_CONF_MIT = TRUE
    SQLNET.AUTHENTICATION_KERBEROS5_SERVICE = orcl.my-machine.my-domain
    SQLNET.KERBEROS5_CLOCKSKEW = 6000
    NAMES.DIRECTORY_PATH = (TNSNAMES, EZCONNECT)
    TRACE_LEVEL_SERVER = ADMIN
    TRACE_LEVEL_CLIENT = ADMIN
    TRACE_LEVEL_LISTENER = ADMIN

    krb5.conf

    # File modified by ipa-client-install

    includedir /var/lib/sss/pubconf/krb5.include.d/

    [libdefaults]
     default_realm = MY-DOMAIN
     dns_lookup_realm = false
     dns_lookup_kdc = false
     rdns = false
     ticket_lifetime = 24h
     address = yes

    [realms]
     MY-DOMAIN = {
      kdc = kdc-server.my-domain:88
      kdc = master_kdc-server.my-domain:88
      admin_server = kdc-server.my-domain:749
      default_domain = my-domain
      pkinit_anchors = FILE:/etc/ipa/ca.crt
     }

    [domain_realm]
     .my-domain = MY-DOMAIN
     my-domain = MY-DOMAIN

    krb5.realms

    .my-domain = MY-DOMAIN

    tnsnames.ora

    # tnsnames.ora Network Configuration File: .../network/admin/tnsnames.ora
    # Generated by Oracle configuration tools.

    ORCL =
      (DESCRIPTION =
        (ADDRESS = (PROTOCOL = TCP)(HOST = my-machine.my-domain)(PORT = 1521))
        (CONNECT_DATA =
          (SERVER = DEDICATED)
          (SERVICE_NAME = orcl.my-domain)
        )
      )

    Besides, I saw that the Kerberos KDC log for the 'sqlplus /@orcl' request was very strange:

    Mar 27 15:15:43 kdc-server.my-domain krb5kdc[2715](info): TGS_REQ (4 etypes {18 17 16 23}) 128.122.72.166: PROCESS_TGS: authtime 0, <unknown client> for <unknown server>, wrong net address

    Mar 27 15:15:43 kdc-server.my-domain krb5kdc[2714](info): TGS_REQ (4 etypes {18 17 16 23}) 128.122.72.166: PROCESS_TGS: authtime 0, <unknown client> for <unknown server>, wrong net address

    Hi again, my steps are below. I apologize for my English.

    And I don't know how to remove the e-mail links, i.e. [email protected] should be just krbuser@somedomain.ru.

    Test configuration:

    Kerberos server (KDC, Microsoft):

    • Host: dc1.somedomain.ru (10.0.2.11)
    • Windows Server 2008/2012 tested
    • Active Directory (KDC)
    • Domain: SOMEDOMAIN.RU

    Kerberos client (Oracle DB server):

    • Host: dboraclen1.somedomain.ru (10.0.2.76)
    • RedHat Linux
    • Oracle 11.2.0.4 Server Standard Edition (*patched)

    Oracle client:

    • Host: dbclient.somedomain.ru (10.0.2.7)
    • RedHat Linux
    • Oracle 11.2.0.4 client

    P1: Setting up the Kerberos client to interoperate with a KDC on Windows Server 2008/2012

    On dboraclen1.somedomain.ru:

    1.1 Check the Kerberos software

    [root@ /]$ cd /etc
    [root@ /etc]$ rpm -qa | grep -i krb5
    krb5-workstation-1.2.7-44
    pam_krb5-1.73-1
    krb5-libs-1.2.7-44

    1.2 Configure Kerberos

    Check/change:

    /etc/krb5.conf

    /etc/krb5.realms

    /etc/krb.realms

    /etc/hosts

    /etc/services

    # /etc/krb5.conf:
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = SOMEDOMAIN.RU
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     renew_lifetime = 7d
     address = true

    [realms]
     SOMEDOMAIN.RU = {
      kdc = dc1.somedomain.ru:88
     }

    [domain_realm]
     .somedomain.ru = SOMEDOMAIN.RU
     somedomain.ru = SOMEDOMAIN.RU

    [kdc]
     profile = /var/kerberos/krb5kdc/kdc.conf

    # /etc/krb5.realms:
    .somedomain.ru = SOMEDOMAIN.RU

    # /etc/krb.realms:
    .somedomain.ru = SOMEDOMAIN.RU

    # /etc/hosts:
    127.0.0.1 localhost.localdomain localhost
    10.0.2.76 dboraclen1.somedomain.ru dboraclen1
    10.0.2.11 dc1.somedomain.ru dc1

    # /etc/services:
    kerberos 88/tcp kerberos5 krb5 # Kerberos v5
    kerberos 88/udp kerberos5 krb5 # Kerberos v5

    !!! Use only capital letters for the domain (realm), only lowercase for user names/hostnames. It is important.

    1.3 Check the Kerberos software on the database server
    (oracle owner = oracle, ORACLE_HOME = /Oracle/u01/oracle/database/11r2)

    [oracle@ /home/oracle]$ cd $ORACLE_HOME/bin
    [oracle@ /Oracle/u01/oracle/database/11r2/bin]$ ./adapters
    Installed Oracle Advanced Security options are:
    ...
    Kerberos v5 authentication
    RADIUS authentication
    ...

    [oracle@ /Oracle/u01/oracle/database/11r2/bin]$ ./adapters ./oracle
    ...
    Kerberos v5 authentication
    RADIUS authentication
    ...

    P2: Configuring the KDC on Windows 2008/2012

    On dc1.somedomain.ru:

    2.1 Create a user in Microsoft Active Directory

    In Administrative Tools / Active Directory Users and Computers:

    [General]
    First name: krbuser
    Last name: eu1
    Display name: kerberos user 1

    [Account]
    User logon name: krbuser@somedomain.ru

    2.2 Create a principal for the Oracle database in Microsoft AD

    Create the user with the name exactly as the database host name, i.e. dboraclen1.somedomain.ru, and a password, i.e. oracle:

    [General]
    First name: dboraclen1.somedomain.ru
    Full name: dboraclen1.somedomain.ru

    [Account]
    User logon name: [email protected]

    [Account options]
    Password never expires.

    !!! Select the option "Do not require Kerberos preauthentication".

    !!! Deselect the option "User must change password at next logon".

    To complete the creation, use ktpass.exe.

    Run:

    C:\Program Files\Support Tools> ktpass -princ oracle/dboraclen1.somedomain.ru@SOMEDOMAIN.RU -mapuser dboraclen1 -pass oracle -crypto RC4-HMAC-NT -out c:\temp\keytab.dboraclen1
    Targeting domain controller: dc1.somedomain.ru
    Using legacy password setting method
    Successfully mapped oracle/dboraclen1.somedomain.ru to dboraclen1.somedomain.ru.
    WARNING: pType and account type do not match. This might cause problems.
    Key created.
    Output keytab to c:\temp\keytab.dboraclen1:
    Keytab version: 0x502
    keysize 81 oracle/dboraclen1.somedomain.ru@SOMEDOMAIN.RU ptype 0

    Copy c:\temp\keytab.dboraclen1 into /etc on the Oracle DB machine (dboraclen1.somedomain.ru).

    P3: Configuring the Oracle DB to interoperate with the KDC

    On dboraclen1.somedomain.ru:

    3.1 sqlnet.ora

    # /Oracle/u01/oracle/database/11r2/network/admin/sqlnet.ora

    NAMES.DIRECTORY_PATH = (TNSNAMES)
    SQLNET.KERBEROS5_REALMS = /etc/krb5.realms
    SQLNET.KERBEROS5_CONF = /etc/krb5.conf
    SQLNET.KERBEROS5_KEYTAB = /etc/keytab.dboraclen1
    SQLNET.AUTHENTICATION_KERBEROS5_SERVICE = oracle
    SQLNET.KERBEROS5_CONF_MIT = true
    SQLNET.AUTHENTICATION_SERVICES = (BEQ, KERBEROS5)
    SQLNET.KERBEROS5_CLOCKSKEW = 6000

    3.2 Check/change settings on the Oracle DB server

    OS_AUTHENT_PREFIX = ""
    REMOTE_OS_AUTHENT = FALSE

    3.3 Create the database user in the Oracle DB

    As user SYS (or SYSTEM):

    SQL> create user "krbuser@SOMEDOMAIN.RU" identified externally;
    User created.

    SQL> grant create session, resource to "krbuser@SOMEDOMAIN.RU";
    Grant succeeded.

    or

    SQL> create user KERBUSER identified externally as 'krbuser@SOMEDOMAIN.RU';
    User created.

    SQL> grant create session, resource to KERBUSER;
    Grant succeeded.

    P4: Configuration of the Oracle clients

    On each client computer:

    4.1 Oracle configuration (for Linux)

    The Kerberos configuration files (krb5.conf, krb5.realms, krb.realms), hosts and services may be the same as above.

    Create a Linux user, i.e. krbuser.

    # /home/krbuser/sqlnet.ora
    NAMES.DIRECTORY_PATH = (TNSNAMES)
    SQLNET.KERBEROS5_CC_NAME = /tmp/krb5cc_502
    SQLNET.KERBEROS5_CONF = /etc/krb5.conf
    SQLNET.KERBEROS5_CONF_MIT = true
    SQLNET.AUTHENTICATION_SERVICES = (KERBEROS5)
    SQLNET.KERBEROS5_CLOCKSKEW = 6000

    # /home/krbuser/tnsnames.ora
    DB_test_auth =
      (DESCRIPTION =
        (ADDRESS = (PROTOCOL = TCP)(HOST = dboraclen1.somedomain.ru)(PORT = 1521))
        (CONNECT_DATA =
          (SERVER = DEDICATED)
          (SERVICE_NAME = GlobalDB)
        )
      )

    4.2 Get the initial Kerberos ticket (TGT):

    Run $ORACLE_HOME/bin/okinit:

    [krbuser@ /home/krbuser]$ okinit -e 23
    Kerberos Utilities for Linux: Version 11.2.0.4.0 - Production on August 16, 2011 15:44:11
    Copyright (c) 1996, 2011 Oracle.  All rights reserved.
    Password for krbuser@SOMEDOMAIN.RU: <-- AD user>
    [krbuser@ /home/krbuser]$

    Check the TGT with $ORACLE_HOME/bin/oklist:

    [krbuser@ /home/krbuser]$ oklist
    Kerberos Utilities for Linux: Version 11.2.0.4.0 - Production on August 16, 2011 15:45:46
    Copyright (c) 1996, 2011 Oracle.  All rights reserved.
    Ticket cache: /tmp/krb5cc_502
    Default principal: krbuser@SOMEDOMAIN.RU
    Valid starting        Expires               Principal
    16 Nov 2013 15:41:52  16 Nov 2013 23:44:11  krbtgt/SOMEDOMAIN.RU@SOMEDOMAIN.RU
    [krbuser@ /home/krbuser]$

    and

    [krbuser@ /home/krbuser]$ ls -l /tmp/krb5cc_502
    -rw------- 1 krbuser s/n 527 Nov 16 15:41 /tmp/krb5cc_502

    4.3 Test

    Check the time synchronization between the clients and the DB server.

    [krbuser@ /home/krbuser]$ sqlplus /@DB_test_auth
    SQL*Plus: Release 11.2.0.4.0 Production on Tue Nov 16 15:56:53 2013
    Copyright (c) 1982, 2013, Oracle.  All rights reserved.
    Connected to:
    Oracle Database 11g Release 11.2.0.4.0 - 64bit Production

    SQL>
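    Added example, not from the thread: both posters hand-edit krb5.conf, and the KDC log in the question shows TGS requests being refused on the client's network address. The Python below parses a krb5.conf in the layout shown above (sections, one level of realm blocks, comments, include directives) and lints it for the mistakes this thread revolves around: realm names that are not upper-case, kdc hosts that are not lower-case, a default_realm without a [realms] block, libdefaults options that libkrb5 does not recognise and therefore silently ignores, and noaddresses = false, which puts the client IP into tickets so that a NATed client is rejected with KRB5KRB_AP_ERR_BADADDR ("Incorrect net address"). The sample configuration is constructed for the example with three deliberate mistakes; it is not either poster's file.

```python
import re

# libdefaults options libkrb5 actually recognises (a practical subset); anything else is ignored.
LIBDEFAULTS_KEYS = {
    "default_realm", "dns_lookup_realm", "dns_lookup_kdc", "rdns", "ticket_lifetime",
    "renew_lifetime", "forwardable", "proxiable", "noaddresses", "clockskew",
    "default_ccache_name", "udp_preference_limit", "default_tgs_enctypes",
    "default_tkt_enctypes", "permitted_enctypes", "allow_weak_crypto",
    "dns_canonicalize_hostname", "canonicalize", "kdc_timesync",
}


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: [values]}}; 'NAME = { ... }' blocks (as in [realms])
    become nested dicts. include/includedir directives are skipped, '#' starts a comment."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.lower().startswith("include"):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, block = conf.setdefault(m.group(1), {}), None
            continue
        if line == "}":
            block = None
            continue
        if section is None:
            raise ValueError(f"setting outside any section: {line!r}")
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":
            block = section.setdefault(key, {})
            continue
        (block if block is not None else section).setdefault(key, []).append(value)
    return conf


def lint_krb5_conf(conf):
    """Return a list of findings for the mistakes that typically produce 'cannot get ticket'
    or, through the Oracle adapter, ORA-12638."""
    problems = []
    lib = conf.get("libdefaults", {})
    realm = lib.get("default_realm", [None])[0]
    if realm is None:
        problems.append("libdefaults: default_realm is missing")
    elif realm != realm.upper():
        problems.append(f"default_realm {realm!r} should be upper-case (realm names are case-sensitive)")
    for key in lib:
        if key not in LIBDEFAULTS_KEYS:
            problems.append(f"libdefaults: unknown option {key!r} is ignored by libkrb5")
    if lib.get("noaddresses", ["true"])[0].lower() in ("false", "no", "0"):
        problems.append("noaddresses = false: tickets embed the client IP and are rejected from "
                        "behind NAT with KRB5KRB_AP_ERR_BADADDR ('Incorrect net address')")
    realms = conf.get("realms", {})
    if realm and realm not in realms:
        problems.append(f"[realms] has no block for default_realm {realm}")
    for name, block in realms.items():
        if not isinstance(block, dict):
            continue
        if name != name.upper():
            problems.append(f"[realms] {name!r} should be upper-case")
        if "kdc" not in block:
            problems.append(f"[realms] {name}: no kdc entry")
        for kdc in block.get("kdc", []):
            host = kdc.rsplit(":", 1)[0]
            if host != host.lower():
                problems.append(f"kdc host {host!r} should be lower-case")
    for dom, targets in conf.get("domain_realm", {}).items():
        if dom != dom.lower():
            problems.append(f"[domain_realm] {dom!r} should be lower-case")
        if targets[0] not in realms:
            problems.append(f"[domain_realm] {dom} maps to {targets[0]!r}, which has no [realms] block")
    return problems


# Constructed sample in the layout of the post, with three deliberate mistakes.
SAMPLE_CONF = """\
[libdefaults]
 default_realm = SOMEDOMAIN.RU
 dns_lookup_realm = false
 dns_lookup_kdc = false
 rdns = false
 ticket_lifetime = 24h
 address = yes                 # not a real option
 noaddresses = false           # addressed tickets break behind NAT

[realms]
 SOMEDOMAIN.RU = {
  kdc = DC1.somedomain.ru:88   # mixed-case host
  admin_server = dc1.somedomain.ru:749
 }

[domain_realm]
 .somedomain.ru = SOMEDOMAIN.RU
 somedomain.ru = SOMEDOMAIN.RU
"""

if __name__ == "__main__":
    for p in lint_krb5_conf(parse_krb5_conf(SAMPLE_CONF)):
        print("-", p)
```

    Run it as lint_krb5_conf(parse_krb5_conf(open("/etc/krb5.conf").read())) on both the database server and the client, since the Oracle adapter reads the file named in SQLNET.KERBEROS5_CONF on each side.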

  • Integration of OAM 11g with Kerberos on a cluster with a load-balanced virtual host

    Hello!
    I need to do an integration of Kerberos with OAM.
    I found the following in the OAM 11g notes: Configuring WNA in HA Clusters [ID 1365888.1] (https://support.oracle.com/epmos/faces/ui/km/SearchDocDisplay.jspx?_afrLoop=223640518878014&type=DOCUMENT&id=1365888.1&displayIndex=1&_afrWindowMode=0&_adf.ctrl-state=14ehvbh4z2_61).

    "In a clustered OAM environment, the OAM principal for WNA must be the same on all tiers, i.e. the load-balancing virtual host in front of the OAM cluster."
    That is why each OAM managed server will reference the same keytab file generated for the principal HTTP/<virtualhost.domain>, and the keytab file will be in the same location on all OAM managed servers.
    For example: ${DOMAIN_HOME}/domains/${DomainName}/config/fmwconfig/oam/<keytab file name>.

    After copying the keytab file to the same directory on all OAM managed server machines, proceed to configuring the Kerberos authentication module in the OAM Administration Console (/oamconsole).
    The AdminServer ensures that the oam-config.xml file on all OAM managed server tiers in the cluster is updated with this configuration."

    The question is: when I create oam.keytab with the following command, what is the server name I'll have to use? Node1 and Node2, or the (balanced) VirtualHost?

    ktpass -princ HTTP/<servername>@DOMAIN -pass XXXXXXX -mapuser domain\user -out oam.keytab

    Thanks in advance and best regards!

    PS: Sorry if my English is not clear.

    David,

    Your principal name must match the SSO LB URL (i.e. sso.mycomany.com).

    ktpass -princ HTTP/sso.mycomany.com@DOMAIN -pass XXXXXXX -mapuser domain\user -out oam.keytab

    Also make sure that sso.mycomany.com has reverse DNS configured correctly.
    You can check using the dig command:

    ping sso.mycomany.com
    (whatever the IP address is)
    dig -x <ip address>

    Check that the reverse DNS takes this form:

    ;; ANSWER SECTION:
    1.1.1.1.in-addr.arpa. 3600 IN PTR sso.mycomany.com.

    Let me know if you have any other questions.

    Thank you
    Saurabh

  • How to restore two-factor authentication?

    How can I restore two-factor authentication after having set up two-step verification?

    I use:

    • OS X El Capitan v10.11.5 on a MacBook Pro 13" early 2015
    • iOS 9 on an iPhone 4S

    I mistakenly set up two-step verification without realizing that the improved two-factor authentication is built into iOS 9 and OS X 10. I must have forgotten the two-factor authentication configuration when I set up the new MacBook a year ago.

    Try turning off two-step verification to see if you then have the option to select two-factor authentication.
