Kerberos authentication with UCM 10gR3

Hello

I would like to know if it is possible to use Kerberos authentication out of the box with UCM 10gR3, without using IOM or layers like that.

UCM is running on Windows Server 2003 and IIS 6.x. Clients and applications are on Windows XP or 2003.

Thank you.

What is your user directory? AD?

Are you trying to authenticate users who are already logged on to the Windows domain?

If the answer to both is yes, then configure Windows Integrated Authentication and by default it will use Kerberos.

If this is what you need, let us know and I can give you some advice.

Tim

Published by: Tim Snell on June 25, 2010 13:23

Tags: Fusion Middleware

Similar Questions

  • Kerberos authentication and use of the KTPASS tool

    I work in support at a network analysis software company.  We have the ability to use Kerberos authentication for our product.  Recently we found that when you generate the keytab file using ktpass on Windows Server 2003 or 2008, one step of the process is out of order.  You end up having to run ktpass twice to get a good keytab file.

    Our external authentication module is software that uses Kerberos authentication and is then placed on a remote client computer to access our software. We configure our Kerberos application and then read from the keytab file generated on a Windows Server 2003 or 2008 domain controller, using the Kerberos V5 implementation found on AD domain controllers.

    When you run the ktpass tool, you must supply the username and password to generate the keytab file.  When it is generated, a KVNO number is generated/incremented in the keytab file.  But it writes the file first and then updates the KVNO to +1 in the actual key stored in AD.  So your keytab file is always one number behind what is actually stored in AD!

    We can fix it by running ktpass once,

    examining the properties for the KVNO number in the resulting keytab file,

    re-running ktpass, but with KVNO + 1.

    The keytab file is generated, AD writes the new KVNO + 1 number into AD,

    but now our keytab file matches the KVNO number generated by AD.

    Are we missing a step in the ktpass tool?

    Is there a way to see what the current KVNO number is set to in AD?

    We have tested extensively with Windows 2003 and Windows 2008 R2 domain controllers.

    The hosts were both Windows 7 Professional 64-bit.

    Was just curious if anyone has had this experience?

    Thanks in advance,

    Terry Ball

    Hello Terry,

    From the description of the problem, it seems that you are working on Windows Server 2003 and 2008. I would recommend posting your query on the TechNet Windows Server forums.

    TechNet is monitored by other IT professionals who would be more likely to help you. Please check the link below, which will redirect you to the appropriate forum.

    http://social.technet.Microsoft.com/forums/WindowsServer/en-us/home?Forum=winserver8gen

    Hope the information provided is useful. Let us know if you have questions related to Windows; we will be happy to help you.

    Kind regards
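    As an added example (not from the thread, and not Microsoft tooling), the check Terry is asking for, in Python: parse the version 0x502 keytab that ktpass writes and compare each entry's KVNO with the msDS-KeyVersionNumber attribute of the mapped AD account, which is where AD keeps the current key version (readable with `Get-ADUser <account> -Properties msDS-KeyVersionNumber`). The keytab bytes and the AD values in the block are constructed for the demo; principal names, keys and timestamps are invented. The same parser also flags DES/RC4 entries, which a keytab made with `-crypto RC4-HMAC-NT` (as in the Oracle walk-through further down this page) will contain.

```python
import struct

# Added example: reads the MIT/ktpass keytab format (version 0x502) and
# compares each entry's KVNO with the value AD reports for the account
# (msDS-KeyVersionNumber). Sample keytab bytes and AD values are constructed.

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
            23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 3, 16, 23}     # DES, 3DES and RC4 keys should be retired


def _counted(b):
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialise entries into keytab bytes (used here only to construct the sample).
    Each entry: realm, components, name_type, timestamp, kvno, enctype, key,
    and optional deleted=True to emit a tombstoned slot as krb5 tools do."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        body = struct.pack(">H", len(e["components"])) + _counted(e["realm"].encode())
        for comp in e["components"]:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", e["name_type"], e["timestamp"], e["kvno"] & 0xFF)
        body += struct.pack(">HH", e["enctype"], len(e["key"])) + e["key"]
        body += struct.pack(">I", e["kvno"])          # 32-bit vno extension
        size = -len(body) if e.get("deleted") else len(body)
        out += struct.pack(">i", size) + body
    return bytes(out)


def _read_counted(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n].decode(), pos + n


def parse_keytab(data):
    """Return a list of dicts, one per live entry, in file order."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x502 is handled")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                     # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp)
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:               # optional 32-bit vno; non-zero overrides vno8
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "name_type": name_type, "timestamp": timestamp,
                        "kvno": kvno, "enctype": enctype, "key": key})
        pos = end
    return entries


def check_keytab(data, ad_kvno):
    """ad_kvno maps principal -> msDS-KeyVersionNumber read from AD.
    Returns (principal, problem) pairs; an empty list means the keytab is usable."""
    problems = []
    for e in parse_keytab(data):
        p = e["principal"]
        expected = ad_kvno.get(p)
        if expected is not None and expected != e["kvno"]:
            problems.append((p, "kvno %d in keytab but AD has %d" % (e["kvno"], expected)))
        if e["enctype"] in WEAK_ENCTYPES:
            problems.append((p, "weak enctype " + ENCTYPES.get(e["enctype"], str(e["enctype"]))))
    return problems


# Constructed sample: an HTTP SPN written one run too early (kvno 3 while AD
# already moved to 4), a deleted slot, and a correctly synced AES entry.
SAMPLE_KEYTAB = build_keytab([
    {"realm": "EXAMPLE.COM", "components": ["HTTP", "web.example.com"],
     "name_type": 1, "timestamp": 1277470980, "kvno": 3, "enctype": 23, "key": b"\x11" * 16},
    {"realm": "EXAMPLE.COM", "components": ["HTTP", "web.example.com"],
     "name_type": 1, "timestamp": 1277470000, "kvno": 2, "enctype": 23, "key": b"\x22" * 16,
     "deleted": True},
    {"realm": "EXAMPLE.COM", "components": ["host", "db.example.com"],
     "name_type": 1, "timestamp": 1277471000, "kvno": 5, "enctype": 18, "key": b"\x33" * 32},
])
SAMPLE_AD_KVNO = {"HTTP/web.example.com@EXAMPLE.COM": 4, "host/db.example.com@EXAMPLE.COM": 5}

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%-40s kvno=%d etype=%s" % (e["principal"], e["kvno"], ENCTYPES.get(e["enctype"])))
    for principal, problem in check_keytab(SAMPLE_KEYTAB, SAMPLE_AD_KVNO):
        print("PROBLEM", principal, problem)
```

    Run it against a real file with `check_keytab(open(path, "rb").read(), {...})`, feeding the dictionary from the attribute values you read out of AD; a non-empty result for the SPN you just created is exactly the one-behind condition described above.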

  • Need to implement the alternative login if Kerberos authentication fails.

    Need to implement the alternative login if Kerberos authentication fails.

    In our case, we are sure that Kerberos will fail because we allow agency 'B' to access this application from a trusted source.

    When Kerberos fails, the application should display the username and password page and then authenticate.

    In the web.xml file I changed the auth method from BASIC to Kerberos; it is set up successfully.

    Agency 'A' users can do Kerberos SSO successfully. But when agency 'B' users access it, SSO fails with 401 and the application shows the Basic popup with username and password fields.

    When the user provides the details and submits, the application returns 401 again. We are not able to get past these steps.

    Please provide your inputs.

    Can you please enable the security ATN debug flag and share the logs?

    That will tell us why the authentication fails.

    Replace the authentication method in web.xml with CLIENT-CERT,BASIC and try.

    What is the control flag of the DefaultAuthenticator? I think it should just be OPTIONAL.

    -Faisal
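    The Negotiate-with-fallback decision Faisal is pointing at, as an added example in Python (not WebLogic code, and not from this thread): it decodes the mechanism list from a client's SPNEGO token with a small DER reader, treats a token that offers no Kerberos mechanism (what a browser with no usable ticket typically sends under the Negotiate scheme: NTLM only) as the signal to challenge with Basic alone, and verifies Basic credentials against a constructed user table. The realm name, the user table and the OID table are assumptions of the example; validating an actual Kerberos token is left to the container's GSS acceptor, which the function signals with the 'kerberos' outcome.

```python
import base64
import hmac

# Added example, not WebLogic code: classify the Authorization header of one
# request and choose the challenge to send back, so that a client whose SPNEGO
# token carries no Kerberos mechanism is steered to Basic instead of looping on 401.

SPNEGO_OID = "1.3.6.1.5.5.2"
MECH_NAMES = {
    "1.2.840.113554.1.2.2": "kerberos",
    "1.2.840.48018.1.2.2": "kerberos",      # Microsoft's legacy Kerberos OID
    "1.3.6.1.4.1.311.2.2.10": "ntlm",
}
BASIC_CHALLENGE = 'Basic realm="app"'        # hypothetical realm name


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def read_tlv(buf, pos=0):
    """Return (tag, value, position after the element) for the TLV at buf[pos]."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                              # long-form length
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln


def iter_tlvs(buf):
    pos = 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        yield tag, val


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def build_negtokeninit(mech_oids, mech_token=b""):
    """Construct a SPNEGO NegTokenInit (RFC 4178) for the sample requests."""
    mech_types = tlv(0x30, b"".join(tlv(0x06, encode_oid(o)) for o in mech_oids))
    fields = tlv(0xA0, mech_types)                          # [0] mechTypes
    if mech_token:
        fields += tlv(0xA2, tlv(0x04, mech_token))          # [2] mechToken
    return tlv(0x60, tlv(0x06, encode_oid(SPNEGO_OID)) + tlv(0xA0, tlv(0x30, fields)))


def spnego_mechs(token):
    """Mechanisms the client offered, in its preference order."""
    if token.startswith(b"NTLMSSP\x00"):
        return ["ntlm"]                       # raw NTLM sent under the Negotiate scheme
    tag, inner, _ = read_tlv(token)
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    oid_tag, oid, pos = read_tlv(inner)
    if oid_tag != 0x06 or decode_oid(oid) != SPNEGO_OID:
        raise ValueError("not a SPNEGO token")
    neg_tag, neg_init, _ = read_tlv(inner, pos)
    if neg_tag != 0xA0:
        raise ValueError("expected NegTokenInit")
    _, fields, _ = read_tlv(neg_init)
    for ftag, field in iter_tlvs(fields):
        if ftag == 0xA0:                      # [0] mechTypes: SEQUENCE OF OID
            _, mech_seq, _ = read_tlv(field)
            return [MECH_NAMES.get(decode_oid(o), decode_oid(o))
                    for t, o in iter_tlvs(mech_seq) if t == 0x06]
    return []


def decide(authorization, users):
    """Return (status, challenges, outcome, user) for one request.
    users maps name -> password (constructed; a real deployment asks its store).
    Outcome 'kerberos' means: hand the token to the GSS acceptor, which sets the status."""
    if not authorization:
        return 401, ["Negotiate", BASIC_CHALLENGE], "challenge", None
    scheme, _, value = authorization.partition(" ")
    if scheme == "Negotiate" and value:
        mechs = spnego_mechs(base64.b64decode(value))
        if "kerberos" in mechs:
            return None, [], "kerberos", None
        return 401, [BASIC_CHALLENGE], "ntlm_only", None   # Basic alone stops the Negotiate loop
    if scheme == "Basic" and value:
        user, _, password = base64.b64decode(value).decode().partition(":")
        expected = users.get(user, "")
        if expected and hmac.compare_digest(expected.encode(), password.encode()):
            return 200, [], "basic_ok", user
        return 401, [BASIC_CHALLENGE], "basic_bad", None
    return 401, ["Negotiate", BASIC_CHALLENGE], "unknown_scheme", None
```

    Whatever container you run, the shape that stops the 401 loop is the same: the first 401 offers Negotiate and Basic together, and once a client has shown it cannot produce a Kerberos mechanism the next 401 offers Basic only, so the browser stops retrying Negotiate and shows the password prompt.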

  • Kerberos authentication PeopleCode does not work (FUNCLIB_LDAP.LDAPAUTH.FieldDefault.KRB_AUTHENTICATION)

    Hello

    I am trying to enable Kerberos authentication on our PeopleSoft system (tools 8.53.24) and have problems with the authentication PeopleCode. More precisely, the function KRB_AUTHENTICATION() in FUNCLIB_LDAP.LDAPAUTH.FieldDefault(). I have set it up according to the instructions in PeopleBooks. The web server accepts a valid Kerberos token and runs the correct PeopleCode. It successfully retrieves the username from the token, but when it instantiates the KerberosSSOValidator class and calls the validate() method, it returns the string "NULL" for the &validUserName variable, which makes the subsequent IF evaluation fail. See below and note the code highlighted in red indicating where my problem lies:

    If Len(&userName) > 0 Then
       /* strip the "Negotiate " prefix from the Authorization header value */
       &krbToken = Substring(&krbToken, 11, Len(&krbToken) + 1);
       &validator = GetJavaClass("com.peoplesoft.pt.desktopsso.kerberos.KerberosSSOValidator").getInstance();
       Local string &validUserName = &validator.validate(&krbToken);
       /* validate() returns the string "NULL" here, so the IF never succeeds */
       If &validUserName <> "NULL" And
             &princName = &validUserName Then
          SetAuthenticationResult( True, Upper(&userName), "", False);
          &authMethod = "KRB";
       End-If;
    End-If;

    I added a few statements to insert the values of the various variables at play in this block of code, and I can see that before the call to &validator.validate(), &userName correctly holds the user ID that came through in the Kerberos token. I also confirmed that the call to instantiate KerberosSSOValidator does not return a null object (if it did, the later line would fail anyway). Yet validate() always returns the string "NULL". Also, if I replace the call to validate and hardcode &validUserName = "<username>", it logs me (or anyone) in as my ID if they try and hit a PeopleSoft page.

    Has anyone else seen this error? Please respond with information specific to this code, not with the Oracle instructions on setting up Kerberos authentication. I have followed those steps.

    Finally, we have solved this problem. The problem was that when the keytab file was generated, the -mapuser parameter was missing from the ktpass command. So the SPN was not correctly mapped to the service account we created for this feature.

  • Kerberos authentication configuration in vRA7

    Hello

    I'm trying to configure Kerberos authentication in my vRA7 environment. I followed the instructions in the reference documentation. I have installed the connector, workers and Kerberos authentication providers... and can log in with my domain username and password via the password authentication provider.

    However, when trying to log in, I get the following error message: access.policy.auth.methods.not.valid.

    Access denied because no valid authentication methods were found (404)

    When I try the test URL https://connector-instance.domain.host/authenticate, I get an HTTP 404 status - /authenticate error message.

    Any ideas?

    Best

    Guido

    Solved: all accounts that are synchronized with the Identity Manager must have a first name, last name and email configured.

  • Active Directory Kerberos authentication ticket monitoring

    Hello

    A customer asked whether the Active Directory cartridge has the ability to monitor errors in Kerberos authentication tickets? For example, when the user has too many groups in his AD account and the Kerberos ticket becomes too large.

    Thank you

    Hi Miska,

    A search in eDocs reveals that there is a Directory Services Performance health view that includes:

    Kerberos Authentications. This counter displays the rate at which clients are using a Kerberos ticket to authenticate to the DC.

    Authentication Requests. This graph displays the number of times per second that clients use a Kerberos ticket to authenticate to the DC.

    These parameters are evaluated for the LDAP Kerberos Authentication rule:

    Purpose: This rule monitors the number of times per second that clients use a Kerberos ticket to authenticate to a DC. An upward trend may result in issues with LDAP-dependent services.

    These references appear to be the closest thing to "the ability to monitor Kerberos authentication ticket errors".

    Kind regards

    Brian Wheeldon

  • Kerberos authentication problem

    I followed the configuration steps at http://weblogic-wonders.com/weblogic/2009/11/15/configuring-kerberos-with-weblogic-server/ published by Faisal Khan.

    When I try to access my application running in WebLogic, I face the following problem (the famous 401 Unauthorized error).
    Suppose the principal user is '*main-user*' and my Windows account is '*windows-user*'.

    (1) The Kerberos authentication looks fine; I get the following successful output:
    Found key for [email protected](1)
    Entered Krb5Context.acceptSecContext with state=STATE_NEW
    EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
    Using builtin default etypes for permitted_enctypes
    default etypes for permitted_enctypes: 3 1 23 16 17.
    EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
    Config reset default kdc XXX.COM
    replay cache for windows-user@XXX is null.
    object 0: 1282932038000/154
    object 0: 1282932038000/154
    >>> KrbApReq: authenticate succeed.
    Krb5Context setting peerSeqNumber to: 1113985206
    EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
    Krb5Context setting mySeqNumber to: 792726776

    (2) But after that, it seems WebLogic wants to do another authentication with my Windows account:

    <username was found, set up callbackhandler>
    <com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter$ChallengeContextV2Impl.constructor>
    <com.bea.common.security.internal.service.ChallengeIdentityAssertionTokenServiceImpl$ChallengeContextImpl.constructor>
    <com.bea.common.security.internal.service.ChallengeIdentityAssertionServiceImpl$ChallengeContextImpl.constructor>
    <com.bea.common.security.internal.service.ChallengeIdentityAssertionServiceImpl$ChallengeContextImpl.hasChallengeIdentityCompleted>
    <com.bea.common.security.internal.service.ChallengeIdentityAssertionTokenServiceImpl$ChallengeContextImpl.hasChallengeIdentityCompleted>
    <com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter$ChallengeContextV2Impl.hasChallengeIdentityCompleted>
    <com.bea.common.security.internal.service.ChallengeIdentityAssertionTokenServiceImpl$ChallengeContextImpl.getCallbackHandler>
    <com.bea.common.security.internal.service.ChallengeIdentityAssertionTokenServiceImpl$ChallengeContextImpl.hasChallengeIdentityCompleted>
    <com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter$ChallengeContextV2Impl.hasChallengeIdentityCompleted>
    <com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter$ChallengeContextV2Impl.getCallbackHandler>
    <com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter$ChallengeContextV2Impl.hasChallengeIdentityCompleted>
    <com.bea.common.security.internal.service.IdentityAssertionCallbackServiceImpl.assertIdentity>
    <com.bea.common.security.internal.service.IdentityAssertionCallbackServiceImpl.assertIdentity>
    <com.bea.common.security.internal.service.IdentityAssertionCallbackServiceImpl.assertIdentity returning windows-user>
    <com.bea.common.security.internal.service.IdentityCacheServiceImpl.getCachedIdentity(windows-user)>
    <com.bea.common.security.internal.service.IdentityCacheServiceImpl.getCachedIdentity(windows-user) returning null>
    <com.bea.common.security.internal.service.IdentityAssertionCallbackServiceImpl.assertIdentity did not find a cached identity.>
    <com.bea.common.security.internal.service.CallbackHandlerWrapper.constructor>
    .... (does an LDAP search)
    <com.bea.common.security.internal.service.LoginModuleWrapper.commit delegated, returning false>
    <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate authenticate failed for user windows-user>

    I don't know why, after the Kerberos authentication, WebLogic does another authentication using my Windows account?

    And if I create the user "windows-user" as a WebLogic user, then the authentication succeeds and I can access my application.

    But this is not so-called "SSO"; there is no point in creating all users as WebLogic domain users.

    I think I might have made a mistake in my WebLogic environment; any idea?

    Thank you very much.

    Hi Victor,

    I have observed the following in your server logs:

    <[Security:090300]Identity Assertion Failed, User windows.user does not exist>

    We need to create the user who tries to connect to the application in WebLogic Server (either in the DefaultAuthenticator or the ActiveDirectoryAuthenticator) for Kerberos-based authentication to work.

    Single sign-on means that the client (end user) doesn't have to provide credentials all over again and their domain credentials are substituted.
    Put simply, a Kerberos token is passed to WLS, WLS decrypts the token, retrieves the user name and tries to check it against some store. So the user must be present, in accordance with the Kerberos protocol.

    Hope that helps.

    Let me know if you have any other questions!

    Thank you
    Faisal

  • Problems with Server 2008 R2 Kerberos with Mac and CentOS machines? Need to re-join domain

    We are having a problem with our Mac and Linux/CentOS machines constantly having to be re-joined to our AD domain.
    We are able to join machines to the domain successfully, but after a few weeks or so authentication breaks and we have to join them to the domain again.
    I see Security event logs on our domain controller when Kerberos authentication fails.
    On the Linux server I see this message in the logs:
    - binding failed: server not found in the kerberos database.

    I'm guessing this has to do with Server 2008 R2 and incompatible Mac/Linux versions.

    Any ideas?

    Hello

    I suggest you try posting the question in the forum below and check whether it helps:

    http://social.technet.Microsoft.com/forums/en-us/windowsserver2008r2general/threads

    Hope it will be useful.

  • KB982381, which replaces 980182, 978207, 976749, 976325 and 974455, breaks Windows native authentication Single Sign-On

    I have proven that the recently released KB 982381, which replaces 980182, 978207, 976749, 976325 and 974455, breaks single sign-on for my domain. This Single Sign-On process uses Kerberos authentication to log people on to an Oracle Portal. This works perfectly for every single user... as long as we do not install these updates. Each month we must keep removing these KBs. The thing is, I don't want to continue doing that; I do not have WSUS. In addition, I would quite like to be able to upgrade my computers without breaking Single Sign-On. Does anybody know or have information on what could cause this problem?

    Contact Oracle Support and your MS TAM.

    No computer should be connected to the internet without the latest IE security update installed!

    Visit the Microsoft Security and Antivirus Solution Center for resources and tools to keep your PC safe and healthy.  If you have problems installing the update itself, visit Microsoft Update Support for resources and tools to keep your PC updated with the latest updates.

    Customers who experience problems installing Microsoft security updates can also visit the following page for assistance: https://consumersecuritysupport.microsoft.com/

    For more information about how to contact your local Microsoft subsidiary for security update support issues, visit the International Support Web site: http://support.microsoft.com/common/international.aspx

    For enterprise customers, support for security updates is available through your usual support contacts.

    ~ Robear Dyer (PA Bear) ~ MS MVP (that is, Mail, Security, Windows & Update Services) since 2002 ~ DISCLAIMER: MS MVPs neither represent nor work for Microsoft

  • AD authentication for VPN clients

    Hello

    I use a Cisco 1812 as an EZVPN server. I want to use Active Directory for authentication of the VPN users. I have been trying for two or three days, but without success.

    With the ASA I am able to authenticate against AD, but not with the IOS router. Here is my configuration:

    aaa authentication login AD krb5

    kerberos local-realm THECCIEGROUP.LOCAL

    kerberos realm thecciegroup.local THECCIEGROUP.LOCAL

    kerberos realm .thecciegroup.local THECCIEGROUP.LOCAL

    kerberos server THECCIEGROUP.LOCAL 10.10.102.2

    kerberos preauth encrypted-kerberos-timestamp

    kerberos credentials forward

    If Kerberos authentication is not possible, I would like to know about the possibility of using AD as an external ACS database. I run both AD and ACS on the same server. If I can integrate AD with ACS, I can use TACACS+ or RADIUS for authentication.

    Thanks & best regards,

    VAMSi Pinnaka

    Bangalore.

    I can answer from the ACS side.

    Yes, you can integrate ACS with AD; the switch then uses ACS as a RADIUS server. ACS checks AD via Kerberos in the backend transparently.

    If you run ACS 4.x on a Windows PC that is a member of the domain, the integration with the server is in fact done automatically.

  • Question about cross-domain AD authentication via IPSEC RA VPN on ASA

    Hello

    I set up remote access for users that connect to an ASA 5540; the IPSEC policy uses RADIUS authentication via AD as well as certificates. Users authenticate correctly and can access everything in the domain without any problem. Let's say the domain is (X). We recently merged with another company that manages domain (Y); on the AD servers, the two domains are configured as trusted domains.

    The problem we seem to be running into is that when users connect to the VPN and authenticate in domain X, then try to access resources in domain Y, it generally fails. They cannot consistently map drives by FQDN or IP, and vice versa (when authenticating in domain Y and attempting to access resources in domain X). It seems to work sometimes for some users, but more often it doesn't. Actual IP connectivity is fine; the problem is that the authentication fails.

    Has anyone noticed problems with passing Kerberos authentication through an IPSEC tunnel? When trying to access these resources while connected locally to the network there is no problem, so it seems to be only with remote access.

    Any suggestion would be appreciated.

    Thank you

    Sam

    Saami

    Good fishing!

    The VPN host is searching for a TCP-capable Kerberos server to authenticate to.

    The server must be joined to your domain.

    If your Kerberos/AD can talk TCP, it's just a matter of adding these records to your local DNS server. (Note that this is not an SRV record but an A record.)

    That being said, I think this should not be the default option and is very often used as a backup in case of failure of UDP communication, but it can depend on the client config - I'm not intimately familiar with this implementation on Microsoft systems.

    Marcin

  • Oracle Database 12c and Kerberos

    Hi guys, I have Kerberos authentication on Linux working well, but I cannot configure the database to authenticate users with Kerberos 5.

    I followed the official instructions on setting up Kerberos authentication. However, I am stuck with an error.

    okinit and oklist work. But when I try to connect with 'sqlplus /@orcl' it gives me this error:

    ERROR:

    ORA-12638: credential retrieval failed

    Can someone help me?

    Thanks in advance

    Environment information:

    Oracle Database 12c, with multitenant support.

    Red Hat Enterprise Linux Server release 6.4 (Santiago) - Kernel: 2.6.32-358.18.1.el6.x86_64

    The logon is done with Kerberos.

    The contents of the relevant files are here:

    sqlnet.ora

    # sqlnet.ora Network Configuration File: .../network/admin/sqlnet.ora
    # Generated by Oracle configuration tools.

    SQLNET.AUTHENTICATION_SERVICES = (BEQ, KERBEROS5)
    SQLNET.KERBEROS5_KEYTAB = /etc/oracle.keytab.03.27.14
    SQLNET.KERBEROS5_REALMS = /etc/krb5.realms
    SQLNET.KERBEROS5_CC_NAME = /tmp/krb5cc
    SQLNET.KERBEROS5_CONF = /etc/krb5.conf
    SQLNET.KERBEROS5_CONF_MIT = TRUE
    SQLNET.AUTHENTICATION_KERBEROS5_SERVICE = orcl.my-machine.my-domain
    SQLNET.KERBEROS5_CLOCKSKEW = 6000

    NAMES.DIRECTORY_PATH = (TNSNAMES, EZCONNECT)

    TRACE_LEVEL_SERVER = ADMIN
    TRACE_LEVEL_CLIENT = ADMIN
    TRACE_LEVEL_LISTENER = ADMIN

    krb5.conf

    # File modified by ipa-client-install

    includedir /var/lib/sss/pubconf/krb5.include.d/

    [libdefaults]
      default_realm = MY-DOMAIN
      dns_lookup_realm = false
      dns_lookup_kdc = false
      rdns = false
      ticket_lifetime = 24h
      address = yes

    [realms]
      MY-DOMAIN = {
        kdc = kdc-server.my-domain:88
        master_kdc = kdc-server.my-domain:88
        admin_server = kdc-server.my-domain:749
        default_domain = my-domain
        pkinit_anchors = FILE:/etc/ipa/ca.crt
      }

    [domain_realm]
      .my-domain = MY-DOMAIN
      my-domain = MY-DOMAIN

    krb5.realms

    my-domain = MY-DOMAIN

    tnsnames.ora

    # tnsnames.ora Network Configuration File: .../network/admin/tnsnames.ora
    # Generated by Oracle configuration tools.

    ORCL =
      (DESCRIPTION =
        (ADDRESS = (PROTOCOL = TCP)(HOST = my-machine.my-domain)(PORT = 1521))
        (CONNECT_DATA =
          (SERVER = DEDICATED)
          (SERVICE_NAME = orcl.my-domain)
        )
      )

    Besides, I saw that the KDC log for the 'sqlplus /@orcl' request was very strange:

    Mar 27 15:15:43 kdc-server.my-domain krb5kdc[2715](info): TGS_REQ (4 etypes {18 17 16 23}) 128.122.72.166: PROCESS_TGS: authtime 0,  <unknown client> for <unknown server>, Wrong net address

    Mar 27 15:15:43 kdc-server.my-domain krb5kdc[2714](info): TGS_REQ (4 etypes {18 17 16 23}) 128.122.72.166: PROCESS_TGS: authtime 0,  <unknown client> for <unknown server>, Wrong net address

    Hi again, my steps are below. I apologize for my English.

    And I don't know how to remove the e-mail links, i.e. [email protected] should just be krbuser@somedomain.ru.

    Test configuration:

    Kerberos server (KDC, Microsoft):

    • Host: dc1.somedomain.ru (10.0.2.11)
    • Windows Server 2008/2012 tested
    • Active Directory (KDC)
    • Domain: SOMEDOMAIN.RU

    Kerberos client (Oracle DB server):

    • Host: dboraclen1.somedomain.ru (10.0.2.76)
    • Red Hat Linux
    • Oracle 11.2.0.4 Server Standard Edition (* patched)

    Oracle client:

    • Host: dbclient.somedomain.ru (10.0.2.7)
    • Red Hat Linux
    • Oracle 11.2.0.4 client

    P1: Setting up the Kerberos client to interoperate with the KDC on Windows Server 2008/2012

    On dboraclen1.somedomain.ru:

    1.1 Check the Kerberos software

    [root@ /]$ cd /etc
    [root@ /etc]$ rpm -qa | grep -i krb5
    krb5-workstation-1.2.7-44
    pam_krb5-1.73-1
    krb5-libs-1.2.7-44

    1.2 Configure Kerberos

    Check/change:

    /etc/krb5.conf

    /etc/krb5.realms

    /etc/krb.realms

    /etc/hosts

    /etc/services

    # /etc/krb5.conf:
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = SOMEDOMAIN.RU
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     renew_lifetime = 7d
     address = true

    [realms]
     SOMEDOMAIN.RU = {
      kdc = dc1.somedomain.ru:88
     }

    [domain_realm]
     .somedomain.ru = SOMEDOMAIN.RU
     somedomain.ru = SOMEDOMAIN.RU

    [kdc]
     profile = /var/kerberos/krb5kdc/kdc.conf

    # /etc/krb5.realms:
    .somedomain.ru = SOMEDOMAIN.RU

    # /etc/krb.realms:
    .somedomain.ru = SOMEDOMAIN.RU

    # /etc/hosts:
    127.0.0.1 localhost.localdomain localhost
    10.0.2.76 dboraclen1.somedomain.ru dboraclen1
    10.0.2.11 dc1.somedomain.ru dc1

    # /etc/services:
    kerberos 88/tcp kerberos5 krb5 # Kerberos v5
    kerberos 88/udp kerberos5 krb5 # Kerberos v5

    !!! Use only capital letters for the domain (realm) and only lowercase for user names/hostnames. It is important.

    1.3 Check the Kerberos software on the database server
    (Oracle owner = oracle, ORACLE_HOME=/Oracle/u01/oracle/database/11r2)

    [oracle@ /home/oracle]$ cd $ORACLE_HOME/bin
    [oracle@ /Oracle/u01/oracle/database/11r2/bin]$ ./adapters
    ...
    Installed Oracle Advanced Security options are:
    ...
    Kerberos v5 authentication
    RADIUS authentication
    ...
    [oracle@ /Oracle/u01/oracle/database/11r2/bin]$ ./adapters ./oracle
    ...
    Kerberos v5 authentication
    RADIUS authentication
    P2: Configuring the KDC on Windows 2008/2012

    On dc1.somedomain.ru:

    2.1 Create a user in Microsoft Active Directory

    In "Administrative Tools / Active Directory Users and Computers":

    [General]
    First name: krbuser
    Last name: eu1
    Display name: kerberos user 1

    [Account]
    User logon name: krbuser@somedomain.ru

    2.2 Create a principal for the Oracle database in Microsoft AD

    Create a user with the name exactly matching the database host name, i.e. dboraclen1.somedomain.ru, and a password, e.g. oracle:

    [General]
    First name: dboraclen1.somedomain.ru
    Full name: dboraclen1.somedomain.ru

    [Account]
    User logon name: dboraclen1.somedomain.ru@somedomain.ru

    [Account options]
    Password never expires.

    !!! Select the option "Do not require Kerberos preauthentication".

    !!! Deselect the option "User must change password at next logon".

    To complete the creation, use ktpass.exe.

    Run:

    C:\Program Files\Support Tools> ktpass -princ oracle/dboraclen1.somedomain.ru@SOMEDOMAIN.RU -mapuser dboraclen1 -pass oracle -crypto RC4-HMAC-NT -out c:\temp\keytab.dboraclen1
    Targeting domain controller: dc1.somedomain.ru
    Using legacy password setting method
    Successfully mapped oracle/dboraclen1.somedomain.ru to dboraclen1.somedomain.ru.
    WARNING: pType and account type do not match. This might cause problems.
    Key created.
    Output keytab to c:\temp\keytab.dboraclen1:
    Keytab version: 0x502
    keysize 81 oracle/dboraclen1.somedomain.ru@SOMEDOMAIN.RU ptype 0

    Copy c:\temp\keytab.dboraclen1 into the /etc directory on the Oracle DB machine (dboraclen1.somedomain.ru).

    P3: Configuring the Oracle DB to interoperate with the KDC

    On dboraclen1.somedomain.ru:

    3.1 sqlnet.ora

    # /Oracle/u01/oracle/database/11r2/network/admin/sqlnet.ora

    NAMES.DIRECTORY_PATH = (TNSNAMES)
    SQLNET.KERBEROS5_REALMS = /etc/krb5.realms
    SQLNET.KERBEROS5_CONF = /etc/krb5.conf
    SQLNET.KERBEROS5_KEYTAB = /etc/keytab.dboraclen1
    SQLNET.AUTHENTICATION_KERBEROS5_SERVICE = oracle
    SQLNET.KERBEROS5_CONF_MIT = true
    SQLNET.AUTHENTICATION_SERVICES = (BEQ, KERBEROS5)
    SQLNET.KERBEROS5_CLOCKSKEW = 6000

    3.2 Check/change settings on the Oracle DB server

    OS_AUTHENT_PREFIX = ""
    REMOTE_OS_AUTHENT = FALSE

    3.3 Create the database user in Oracle DB

    As user SYS (or SYSTEM):

    SQL> create user "krbuser@SOMEDOMAIN.RU" identified externally;
    User created.

    SQL> grant create session, resource to "krbuser@SOMEDOMAIN.RU";
    Grant succeeded.

    or

    SQL> create user KERBUSER identified externally as 'krbuser@SOMEDOMAIN.RU';
    User created.

    SQL> grant create session, resource to KERBUSER;
    Grant succeeded.

    P4: Configuring the Oracle clients

    On each client computer.

    4.1 Oracle configuration (for Linux)

    The Kerberos configuration files (krb5.conf, krb5.realms, krb.realms) and hosts, services may be the same as above.

    Create a Linux user, i.e. krbuser.

    # /home/krbuser/sqlnet.ora
    NAMES.DIRECTORY_PATH = (TNSNAMES)
    SQLNET.KERBEROS5_CC_NAME = /tmp/krb5cc_502
    SQLNET.KERBEROS5_CONF = /etc/krb5.conf
    SQLNET.KERBEROS5_CONF_MIT = true
    SQLNET.AUTHENTICATION_SERVICES = (KERBEROS5)
    SQLNET.KERBEROS5_CLOCKSKEW = 6000

    # /home/krbuser/tnsnames.ora
    DB_test_auth =
      (DESCRIPTION =
        (ADDRESS = (PROTOCOL = TCP)(HOST = dboraclen1.somedomain.ru)(PORT = 1521))
        (CONNECT_DATA =
          (SERVER = DEDICATED)
          (SERVICE_NAME = GlobalDB)
        )
      )

    4.2 Get the initial Kerberos ticket (TGT):

    Run $ORACLE_HOME/bin/okinit:

    [krbuser@ /home/krbuser]$ okinit -e 23
    Oracle Utilities for Kerberos: Version 11.2.0.4.0 - Production on August 16, 2011 15:44:11
    Copyright (c) 1996, 2011, Oracle.  All rights reserved.
    Password for krbuser@SOMEDOMAIN.RU:   <-- AD user password
    [krbuser@ /home/krbuser]$

    Check the TGT with $ORACLE_HOME/bin/oklist:

    [krbuser@ /home/krbuser]$ oklist
    Oracle Utilities for Kerberos: Version 11.2.0.4.0 - Production on August 16, 2011 15:45:46
    Copyright (c) 1996, 2011, Oracle.  All rights reserved.
    Ticket cache: /tmp/krb5cc_502
    Default principal: krbuser@SOMEDOMAIN.RU
    Valid Starting              Expires                     Principal
    November 16, 2013 15:41:52  November 16, 2013 23:44:11  krbtgt/SOMEDOMAIN.RU@SOMEDOMAIN.RU
    [krbuser@ /home/krbuser]$

    and

    [krbuser@ /home/krbuser]$ ls -l /tmp/krb5cc_502
    -rw------- 1 krbuser krbuser 527 Nov 16 15:41 /tmp/krb5cc_502

    4.3 Test

    Check the time synchronization between the clients and the DB server.

    [krbuser@ /home/krbuser]$ sqlplus /@DB_test_auth
    SQL*Plus: Release 11.2.0.4.0 Production on Tue Nov 16 15:56:53 2013
    Copyright (c) 1982, 2013, Oracle.  All rights reserved.
    Connected to:
    Oracle Database 11g Release 11.2.0.4.0 - 64bit Production

    SQL>
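    As an added example in Python (not part of the thread; the log lines are constructed to match the krb5kdc format quoted in the question, which is what a FreeIPA/MIT KDC writes, not an AD domain controller): a small parser that turns krb5kdc request lines into records and aggregates failures per client address and message, with a hint for the two messages seen on this page ('Wrong net address' here, 'Server not found in Kerberos database' in the Mac/CentOS thread above) and a flag for clients that offer only DES/RC4 enctypes. Hostnames, addresses and principals in the sample are invented.

```python
import re
from collections import Counter

# Added example (not from the thread): summarise MIT krb5kdc request lines.
# The sample lines below are constructed in the format quoted in the question.

LINE_RE = re.compile(
    r"(?P<kind>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<ip>[0-9a-fA-F.:]+): (?P<status>[A-Z_]+): (?P<rest>.*)$")
PRINCIPALS_RE = re.compile(
    r"(?P<client><unknown client>|\S+) for (?P<server><unknown server>|\S+)")

# des-cbc-crc, des-cbc-md4, des-cbc-md5, des3-cbc-sha1, rc4-hmac
WEAK_ETYPES = {1, 2, 3, 16, 23}

HINTS = {
    "Wrong net address":
        "the TGT carries client addresses that do not match the request's source "
        "(NAT, VPN or multi-homed client); MIT clients stop requesting addressed "
        "tickets with noaddresses = true in [libdefaults]",
    "Server not found in Kerberos database":
        "no principal exists for the requested SPN: the host account or SPN is "
        "missing, or the hostname/realm in the request is wrong",
    "Client not found in Kerberos database":
        "unknown client principal: typo, wrong realm, or the account was removed",
}


def parse_line(line):
    """Return a record for an AS_REQ/TGS_REQ line, or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["etypes"] = [int(x) for x in rec["etypes"].split()]
    rest = rec.pop("rest")
    pm = PRINCIPALS_RE.search(rest)
    rec["client"] = pm.group("client") if pm else None
    rec["server"] = pm.group("server") if pm else None
    # the free-text reason is the last comma-separated field on non-ISSUE lines
    rec["message"] = rest.rsplit(", ", 1)[1] if rec["status"] != "ISSUE" and ", " in rest else ""
    rec["weak_only"] = bool(rec["etypes"]) and all(e in WEAK_ETYPES for e in rec["etypes"])
    return rec


def summarise(lines):
    """Return (failures, hints, weak_clients): failures counts (ip, message) pairs
    for every request the KDC did not serve; hints explains the known messages;
    weak_clients is the set of addresses that offered only DES/RC4 enctypes."""
    failures = Counter()
    weak_clients = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["weak_only"]:
            weak_clients.add(rec["ip"])
        if rec["status"] not in ("ISSUE", "NEEDED_PREAUTH"):
            failures[(rec["ip"], rec["message"])] += 1
    hints = {msg: HINTS.get(msg, "") for (_, msg) in failures}
    return failures, hints, weak_clients


# Constructed sample in krb5kdc's format: a normal AS exchange, the two
# "Wrong net address" TGS failures, an unknown SPN, and an unrelated line.
SAMPLE_LOG = """\
Mar 27 15:15:40 kdc-server.my-domain krb5kdc[2715](info): AS_REQ (4 etypes {18 17 16 23}) 128.122.72.166: NEEDED_PREAUTH: krbuser@MY-DOMAIN for krbtgt/MY-DOMAIN@MY-DOMAIN, Additional pre-authentication required
Mar 27 15:15:40 kdc-server.my-domain krb5kdc[2715](info): AS_REQ (4 etypes {18 17 16 23}) 128.122.72.166: ISSUE: authtime 1395933340, etypes {rep=18 tkt=18 ses=18}, krbuser@MY-DOMAIN for krbtgt/MY-DOMAIN@MY-DOMAIN
Mar 27 15:15:43 kdc-server.my-domain krb5kdc[2715](info): TGS_REQ (4 etypes {18 17 16 23}) 128.122.72.166: PROCESS_TGS: authtime 0,  <unknown client> for <unknown server>, Wrong net address
Mar 27 15:15:43 kdc-server.my-domain krb5kdc[2714](info): TGS_REQ (4 etypes {18 17 16 23}) 128.122.72.166: PROCESS_TGS: authtime 0,  <unknown client> for <unknown server>, Wrong net address
Mar 27 15:16:02 kdc-server.my-domain krb5kdc[2714](info): TGS_REQ (1 etypes {23}) 10.0.2.90: UNKNOWN_SERVER: authtime 1395933340,  krbuser@MY-DOMAIN for host/centos01.my-domain@MY-DOMAIN, Server not found in Kerberos database
Mar 27 15:16:10 kdc-server.my-domain krb5kdc[2714](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
"""

if __name__ == "__main__":
    failures, hints, weak = summarise(SAMPLE_LOG.splitlines())
    for (ip, msg), n in failures.most_common():
        print("%3d  %-16s %s\n     -> %s" % (n, ip, msg, hints[msg]))
    print("clients offering only weak enctypes:", sorted(weak))
```

    Pointing `summarise()` at the real `krb5kdc.log` (or at `journalctl -u krb5kdc` output) gives the same per-address summary; an address that appears only under "Wrong net address" while its AS_REQ lines show ISSUE is the pattern from the question above, where the TGT was obtained fine but the TGS request arrived from an address the ticket does not list.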

  • Add a PowerShell host with Kerberos

    Hi, I just added my domain controller as a PowerShell host by name and it works fine, but now I need to add another host that is not a domain controller; I need to run a PowerShell command on it with domain administrator privileges, so I need to add this PowerShell host with Kerberos authentication. How can I do this?

    I have installed a new virtual machine and added the host with Kerberos without problem...

    The problem was the .NET Framework 4.5.

  • Question about Kerberos/SSO

    Hello

    We are currently evaluating Horizon Workspace. We are trying to get SSO working for our AD users. What we have done so far:

    * Joined the connector VA to the domain

    * Enabled Windows authentication on the connector VA

    * Added the connector VA FQDN URL to the Local Intranet sites and checked the security settings in Internet Explorer

    When we navigate to https://FQDN-of-connector-VA the user is authenticated without problems, but when browsing to https://workspace-FQDN the login screen is displayed.

    Analyzing the connector VA logs shows the following for the working scenario:

    2013-06-04 15:02:23,317 INFO: com.vmware.horizon.connector.mvc.ControllerInterceptor - /hc/, used/total/max (MB): 56, 487, 2666

    2013-06-04 15:02:23,321 INFO: com.vmware.horizon.connector.mvc.ControllerInterceptor - /hc/authenticate/, used/total/max (MB): 56, 487, 2666

    2013-06-04 15:02:23,324 INFO: com.vmware.horizon.connector.controller.AuthenticateController - samlRequestInfo 1: null

    2013-06-04 15:02:23,324 INFO: com.vmware.horizon.connector.controller.AuthenticateController - Authorization header null. Initiating SPNEGO by replying 401 w/ header: WWW-Authenticate: NEGOTIATE

    2013-06-04 15:02:23,628 INFO: com.vmware.horizon.connector.mvc.ControllerInterceptor - /hc/authenticate/, used/total/max (MB): 56, 487, 2666

    2013-06-04 15:02:23,631 INFO: com.vmware.horizon.connector.controller.AuthenticateController - samlRequestInfo 1: null

    2013-06-04 15:02:23, 631 INFO: com.vmware.horizon.connector.controller.AuthenticateController - AuthWithoutNego:YIIIFgYGKwYBBQUCoIIICjCCCAagMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYK

    KwYBBAGCNwICHgYKKwYBBAGCNwICCqKCB9AEggfMYIIHyAYJKoZIhvcSAQICAQBugge3MIIHs6ADAgEFoQMCAQ6iBwMFACAAAACjggZBYYIGPTCCBjmgAwIBBaEMGwpXSVRDT00uTkVUoikwJ6ADAgECoSAwHhsESFRUUBsWaC1jb25u

    LXZhMDEud2l0Y29tLm5ldKOCBfcwggXzoAMCARehAwIBAqKCBeUEggXh5ThMi + tcL78Rpd9ANLdVQs6VqffxDfsJM0JKUhsoEQC6ErttZxafWBmmy1znDE/CpY/rwwu/AlOObeJ + Ii9gWQVUk8ezAgdThCfcyqwFquqCXZ77 / HhZogCR

    CtIbaT1ZRonQ + mnPuq4leaXYi + HeHVYrY0gLTVR0nW57JySrDjbaRrqidgoB65sKsvZ2E4Qfqeor + NXFz8RVhG32ABNnVrorpNYtO + 0cOm + ZXQ + wImIdFhcf7FcgSK / J8YKcQTIkydfS4s8u9JDIqn7huM + YPhdDHtChBUUaVTe9Blz /.

    4El, 1sNFSN4IA2OOoQ9nqqGXeNVzMaAYnmYuJD2Bao8QbhtBvdJNiTd7Tlnjg4HoYC1D3pdDGMSwiTRJFhGfu + Yha6n7A4UiycAnar28NVb2y7O3lQmwUFfs3WvsK7i19axEJv + KhhFcZt3MJZV3QNlikWYRZJ7wwzfRDRc + BVzv + rZe

    Ov5xQc9ujs7YEjbwNVVwgjZRRlOAd0i9RFabfBaao88wkOveHG365pFH1IAHOVzmXPedO / + cF/pRDC4ccoMudx6nGlAY4ua9xaqx9P5ijzWMxwx62wCoEkdfiMzTlfmdvlJT3hT9x5SeQu9ljt4bEWUbDnQo06IUxTiiRgMBkNYBL6VH

    o829U13KzpV, Z0202vimKvYboU2tNohBx6IFzWDert3PhktvUBT5i21vKR81fvVNc55FmmZWTceyL8wGv6p7lI0ajd0TH712UWz7J20C6D6CcT2UODQAKNgSM9EAx9AbqmrNyhRfZPa, dOBBUNWTg7bHCQ, GPL5h3UQH5lo47v25qD + y

    DwI0sMikL7da7 + Sx + mg04wSM595OLMkt7dGdVusOr/yjkZG14Ta19DJ4VuWn2pR + 3fpxSzMFVva9XHgmZwt2CuYuMqq + fSc8MBI/uT6Y7maoqPvWAN3seZxe2Tp0 + JM, jny6NoC / 7 K/91jyHORJ6dDSO15QNZd4WNdvl/GHc70XZNPPR

    VUsUsaVeJ7e80hgCeKQxyT10vhcad1tfcSvbieDbKEcRcoCreq30vNFWkDqHt8cKrC2pv62igkJuAvpsFwROfIo483dbfob3qR0c20i + ICLC0xQw5BGJ3YO8/18GARn/ucsUtb3rBgzOZzFISlfJqZgegtR4FAyjnT77PZvRqQju1T4P

    EbaCW1nU0WsguCLldrpbAI69hXN2dzP + Nb + ln9d15BVqLBk70HQSmPc6SjcJSCr00D86MGgldI5pgZczEJSPrGwwagkiZQGbJBUBkjB81SfrY5HmllaU6D7MF37WlCBMTPufy1h1qy4X4f3phJi9ooofHtiu3QGmqz9Hd093XyDThvd6

    4 + tpF0t4kcJ0ZRsinZNWdc/jO0am9ttmMj7pkMcQVAHJ33Fl8A 5s6mag + vZKQHA5i + tImdUhFOFZTX + JYN8yMPIUA5HqkHLCDTxcytwO7v6kRm/QNSHhWV9Z + 96DZCz7xOWKdEuD15/rCFGEZEUnl + caTbFQcRGo3Xdr6evGia3d

    iFiJAbTuCIres2ylFXCe/Yfis1IDfaswUDEsbOeeROInGmRCj5ZfcE + 11k1LUfNa9xPh9HFd5Abjt8fiButeDV2Xk6HM7/xjuNuhEBSo04GAJ4MHaY4Id8D00XSS + UgQeteJDOQnvu3LNYc80V2SysmXWu8zerYr6mgEuabiieBU + RW

    ShryTcCxnw9jps + ZyoP2eV8dhrPWVGTOvN8Llq + O4AWp + eO0e + Yk + zjjBSJ3ZW + sFmuJ + xNmStFWdZ97cAOKFPvvwN6HOdP + 2iMrWdVzhJLQaonPtJM2vt780y80VcQWRlXl9ij0tLNkyFYKfapg/LQKRvm4/lVESWi/o4H7IyWCZMUh

    iPM9svYgvwNb2Xbcv6ihmgH9OM7/stSOf16OGEsbB1XzXkLgVLOQofg vkC + 3r + lHG64cqxCmgeVcDkyQtMGS0KDGpOpocpcVyFykqr27tisUCNNSYW + johjBRGkgZSkggFXMIIBU6ADAgEXooIBSgSCAUYWvQcbeNFTNyc0czVIDoFr

    90AJyIrsbEAlckWB7h33tl2R9OEXauESBVChMsXNcixxCOenYCcnQK0mQ31CodyUdnvrKHp6XUUrwpD47ljGorTXz7oKc + 9f0I36bMQxGuDTzmRMPUiugwgDP1t4w6qmz9a7tvSFtyY5QDAZwRDrSNzQNtmzxxEJjNzpuTFf/qruYg5f

    ZfJv4owzEHX5jJ2dxgltMsktJvuDEkkiyDZLeHcseW73hxyaXOzBssb22iwrr7t5isZZMys4H8T7u5ZHSbVyPhybrm + rwx36W30rgjYO45ynYfpvVMMCSgvRlsLNlJV/0qZsh6XJ + khxKZfF18mYHmKs8H9722XKI + SzAre4P1HofVok

    NXv8WHh8KLnhKQFjFIsBOBHyoXVdeA + AZoK3oas7FGReC2V/YOymebq6HL49Hw is

    2013-06-04 15:02:23,641 INFO: com.vmware.horizon.auth.ntlm.WindowsAuthServiceImpl - authenticated username:9793

    2013-06-04 15:02:23,641 INFO: com.vmware.horizon.connector.controller.AuthenticateController - authentication SUCCESS: 9793

    2013-06-04 15:02:23,641 INFO: com.vmware.horizon.connector.controller.AuthenticateController - samlRequestInfo 2: null

    2013-06-04 15:02:23,641 INFO: com.vmware.horizon.connector.controller.IdPInitiatedSSOController - samlRequestInfo: null

    2013-06-04 15:02:23,641 INFO: com.vmware.horizon.connector.controller.IdPInitiatedSSOController - acsUrl is missing; using State acsUrl: https://FQDN/SaaS/API/1.0/post/federate?identityProvider=HorizonConnector__1

    2013-06-04 15:02:23,641 INFO: com.vmware.horizon.directory.ldap.LdapDirectoryService - search attribute: 9793 - START

    2013-06-04 15:02:28,654 INFO: com.vmware.horizon.directory.ldap.LdapDirectoryService - search attribute: 9793 - SUCCESS

    2013-06-04 15:02:28,654 INFO: com.vmware.horizon.connector.controller.IdPInitiatedSSOController - samlAttributeNames for 9793: [userPrincipalName, lastName, phone, email, userName, firstName, disabled, ExternalId]

    And here is what happens when browsing to the Workspace FQDN:

    2013-06-04 14:59:41,382 INFO: com.vmware.horizon.connector.mvc.ControllerInterceptor - /hc/authenticate/, used/total/max (MB): 54, 487, 2666

    2013-06-04 14:59:41,391 INFO: com.vmware.horizon.connector.controller.AuthenticateController - samlRequestInfo 1: SamlRequestInfo [acsUrl=https://FQDN/SAAS/auth/saml/response, relayState={'idpId': 1, 'dest': 'https://FQDN:443/web'}, nameId=<null>]

    2013-06-04 14:59:41,391 INFO: com.vmware.horizon.connector.controller.AuthenticateController - Authorization header null. Initiate SPNEGO by responding to 401 challenge w/ header: WWW-Authenticate: NEGOTIATE

    2013-06-04 14:59:41,402 INFO: com.vmware.horizon.connector.mvc.ControllerInterceptor - /hc/authenticate/, used/total/max (MB): 54, 487, 2666

    2013-06-04 14:59:41,410 INFO: com.vmware.horizon.connector.controller.AuthenticateController - samlRequestInfo 1: SamlRequestInfo [acsUrl=https://FQDN/SAAS/auth/saml/response, relayState={'idpId': 1, 'dest': 'https://FQDN:443/web'}, nameId=<null>]

    2013-06-04 14:59:41,410 INFO: com.vmware.horizon.connector.controller.AuthenticateController - AuthWithoutNego:TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==

    2013-06-04 14:59:41,410 INFO: com.vmware.horizon.connector.controller.AuthenticateController - NTLM tokens cannot be used for authentication. Redirect to the login page.

    2013-06-04 14:59:41,457 INFO: com.vmware.horizon.connector.mvc.ControllerInterceptor - /hc/connection/, used/total/max (MB): 55, 487, 2666

    In this case, NTLM authentication is used, which does not work.

    Is this by design?

    Regards

    Carsten

    Do you have only a single connector in your system? If this is the default connector, its IdP URL is set to the Horizon Workspace FQDN. Therefore, if you go through the Horizon Workspace FQDN, Kerberos authentication will not work.

    Can you try the following?

    In the connector admin UI, click Identity Provider in the left navigation and replace the URL with the connector FQDN.

    If you want to support both forms of auth - Kerberos for internal users, username and password for external users, etc. - then you will need to install an additional connector. Please see the installation guide for more information on adding a new connector.
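The two log excerpts above differ in the token the browser put in its Authorization header. The working case carries a token beginning YIIIFgYG..., which decodes to a GSS-API InitialContextToken (DER tag 0x60 followed by the SPNEGO OID 1.3.6.1.5.5.2) wrapping a Kerberos mechanism; the failing case carries TlRMTVNTUAAB..., which is base64 for "NTLMSSP\0" followed by message type 1, i.e. an NTLM negotiate message, which is why the connector logs "NTLM tokens cannot be used". The following is an added example of telling the two apart mechanically in a log review; it is not VMware's code and not from this thread. The sample log lines and tokens it scans are constructed here to match the shape of the AuthWithoutNego lines above (the NTLM sample reuses the flag word visible in the thread's token), and all function names are my own.

```python
# Classify the "AuthWithoutNego:<base64>" tokens from connector logs as SPNEGO/Kerberos or NTLM.
# Added example, not VMware's code; sample tokens below are constructed to match the thread's lines.
# Framing per RFC 2743 3.1 (GSS-API), RFC 4178 (SPNEGO NegTokenInit) and MS-NLMP (NTLMSSP header).
import base64
import re
from collections import namedtuple

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
OID_NAMES = {SPNEGO_OID: "SPNEGO", KRB5_OID: "KRB5", NTLMSSP_OID: "NTLMSSP"}
TOKEN_RE = re.compile(r"AuthWithoutNego:([A-Za-z0-9+/=]+)")
TokenInfo = namedtuple("TokenInfo", "family detail mech_types", defaults=([],))

def _der_len(buf: bytes, pos: int):
    """Decode the DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _decode_oid(body: bytes) -> str:
    """Dotted form of an OID body: first byte is 40*a+b, then base-128 arcs."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def _read_oid(buf: bytes, pos: int):
    if buf[pos] != 0x06:
        raise ValueError(f"expected OID tag at offset {pos}")
    n, pos = _der_len(buf, pos + 1)
    return _decode_oid(buf[pos:pos + n]), pos + n

def _spnego_mech_types(buf: bytes, pos: int) -> list:
    """Walk NegTokenInit ::= [0] SEQUENCE { mechTypes [0] SEQUENCE OF OID, ... }."""
    for expected in (0xA0, 0x30, 0xA0, 0x30):
        if buf[pos] != expected:
            raise ValueError(f"unexpected tag 0x{buf[pos]:02x} at offset {pos}")
        n, pos = _der_len(buf, pos + 1)
    end, mechs = pos + n, []
    while pos < end:  # mechTypes are listed in the client's order of preference
        oid, pos = _read_oid(buf, pos)
        mechs.append(OID_NAMES.get(oid, oid))
    return mechs

def classify_token(b64: str) -> TokenInfo:
    """Classify one Negotiate token (base64; missing padding is tolerated)."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    if raw.startswith(b"NTLMSSP\x00"):  # NTLM: the browser had no usable Kerberos ticket
        msg_type = int.from_bytes(raw[8:12], "little")
        flags = int.from_bytes(raw[12:16], "little")
        return TokenInfo("NTLM", f"NTLMSSP message type {msg_type}, flags 0x{flags:08x}")
    if raw[:1] == b"\x60":  # GSS-API InitialContextToken: [APPLICATION 0] { OID, inner token }
        try:
            _, pos = _der_len(raw, 1)
            oid, pos = _read_oid(raw, pos)
            if oid == KRB5_OID:
                return TokenInfo("KRB5", "bare Kerberos 5 token (AP-REQ)", ["KRB5"])
            if oid == SPNEGO_OID:
                mechs = _spnego_mech_types(raw, pos)
                return TokenInfo("SPNEGO", "NegTokenInit offering " + ", ".join(mechs), mechs)
            return TokenInfo("UNKNOWN", f"GSS-API token for mechanism {oid}")
        except (ValueError, IndexError) as exc:
            return TokenInfo("UNKNOWN", f"malformed or truncated GSS-API token: {exc}")
    return TokenInfo("UNKNOWN", f"first byte 0x{raw[0]:02x}" if raw else "empty token")

def scan_log(text: str) -> list:
    """Classify every AuthWithoutNego token in a block of log text, in order."""
    return [classify_token(m.group(1)) for m in TOKEN_RE.finditer(text)]

# --- constructed sample tokens (built here, not copied from the thread) -------------
KRB5_DER = bytes.fromhex("06092a864886f712010202")       # OID 1.2.840.113554.1.2.2
SPNEGO_DER = bytes.fromhex("06062b0601050502")           # OID 1.3.6.1.5.5.2
NTLMSSP_DER = bytes.fromhex("060a2b06010401823702020a")  # OID 1.3.6.1.4.1.311.2.2.10

def _der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def sample_spnego_token() -> str:
    """SPNEGO NegTokenInit offering Kerberos then NTLMSSP, with a stand-in Kerberos mechToken."""
    mech_types = _der(0x30, KRB5_DER + NTLMSSP_DER)
    mech_token = _der(0x04, _der(0x60, KRB5_DER + b"\x01\x00" + b"\x00" * 16))
    neg_init = _der(0x30, _der(0xA0, mech_types) + _der(0xA2, mech_token))
    return base64.b64encode(_der(0x60, SPNEGO_DER + _der(0xA0, neg_init))).decode()

def sample_ntlm_type1_token(flags: int = 0xE2088297, version=(6, 1, 7600)) -> str:
    """NTLM NEGOTIATE_MESSAGE carrying the same flag word as the thread's TlRMTVNT... token."""
    msg = (b"NTLMSSP\x00" + (1).to_bytes(4, "little") + flags.to_bytes(4, "little")
           + b"\x00" * 16  # empty DomainName and Workstation fields
           + bytes(version[:2]) + version[2].to_bytes(2, "little") + b"\x00\x00\x00\x0F")
    return base64.b64encode(msg).decode()

SAMPLE_LOG = "".join(
    f"2013-06-04 15:02:23,631 INFO: ...AuthenticateController - AuthWithoutNego:{tok}\n"
    for tok in (sample_spnego_token(), sample_ntlm_type1_token()))
```

Running scan_log over the constructed SAMPLE_LOG yields SPNEGO for the first line and NTLM (message type 1) for the second. A run of NTLM type-1 tokens against a URL that is meant to be Kerberos-enabled points at the cause described in the answer above: the browser could not obtain a ticket for the SPN it derived from the host name it was sent to, so it fell back to NTLM, and the connector rejects that by design. Feeding only the first eight characters of the thread's long token ("YIIIFgYG") shows the truncated-token path: the classifier reports UNKNOWN rather than guessing.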

  • Integrating OAM 11g with Kerberos on a cluster behind a load-balancing virtual host

    Hello!
    I need to integrate Kerberos with OAM.
    I found the following in the OAM 11g notes: Configuring WNA in HA Clusters [ID 1365888.1] (https://support.oracle.com/epmos/faces/ui/km/SearchDocDisplay.jspx?_afrLoop=223640518878014&type=DOCUMENT&id=1365888.1&displayIndex=1&_afrWindowMode=0&_adf.ctrl-state=14ehvbh4z2_61).

    "In a clustered OAM environment, the OAM principal for WNA must be the same on all nodes, i.e. the load-balancing virtual host in front of the OAM cluster.
    Therefore each OAM managed server will reference the same keytab file generated for the principal HTTP/<virtualhost.domain>, and the keytab file will be in the same location on all OAM managed servers.
    For example: ${DOMAIN_HOME}/domains/${DomainName}/config/fmwconfig/oam/<keytab file name>.

    After copying the keytab file to the same directory on all OAM managed server machines, proceed to configure the Kerberos authentication module in the OAM Administration Console (/oamconsole).
    The AdminServer ensures that the oam-config.xml file on all OAM managed server nodes in the cluster is updated with this configuration."

    The question is: when I create oam.keytab with the following command, which server name do I have to use? Node1 and Node2, or the (load-balanced) virtual host?

    ktpass -princ HTTP/<servername>@DOMAIN -pass XXXXXXX -mapuser domain\user -out oam.keytab

    Thanks in advance and best regards!

    PS: Sorry if my English is not clear.

    David,

    Your principal name must match the SSO LB URL (i.e. sso.mycomany.com).

    ktpass -princ HTTP/sso.mycomany.com@DOMAIN -pass XXXXXXX -mapuser domain\user -out oam.keytab

    Also make sure that sso.mycomany.com has reverse DNS configured correctly.
    You can check using the dig command:

    ping sso.mycomany.com
    Note the IP address it resolves to
    dig -x <that IP address>

    Check that the reverse DNS answer has this form:

    ;; ANSWER SECTION:
    1.1.1.1.in-addr.arpa. 3600 IN PTR sso.mycomany.com.

    Let me know if you have any other questions.

    Thanks
    Saurabh
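Saurabh's advice amounts to two checks that can be scripted: the principal in the keytab must be built from the host name in the SSO URL (the load balancer's name, never a node name, since that is the name the browser derives the SPN from), and forward and reverse DNS for that name must agree. The following is an added example of those two checks, mine rather than Oracle's code or anything posted in this thread. The resolver callables default to the standard library lookups so it can be run against real DNS, but they are parameters so the check also runs offline; the resolver tables below are constructed (sso.mycomany.com and 1.1.1.1 reuse the values from the answer, node1.mycomany.com and the realm are made up).

```python
# Derive the HTTP SPN for an SSO URL and check that forward and reverse DNS agree with it.
# Added example, not Oracle's code; the resolver tables at the bottom are constructed.
import socket
from urllib.parse import urlsplit


def spn_for_sso_url(url: str, realm: str) -> str:
    """Service principal the browser derives from the URL it was given.

    For a load-balanced OAM cluster this is the LB name, never a node name. The port
    is omitted: browsers leave it out for the default port (Chromium adds it only
    under the EnableAuthNegotiatePort policy).
    """
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host name in {url!r}")
    return f"HTTP/{host.lower()}@{realm.upper()}"


def check_dns_consistency(host: str, forward=socket.gethostbyname_ex,
                          reverse=socket.gethostbyaddr) -> list:
    """Return findings for `host`; an empty list means the name is safe to use in the SPN.

    forward(host) -> (canonical_name, aliases, [ip, ...])   shape of socket.gethostbyname_ex
    reverse(ip)   -> (ptr_name, aliases, [ip, ...])         shape of socket.gethostbyaddr
    """
    want = host.lower().rstrip(".")
    try:
        canonical, _aliases, addrs = forward(host)
    except OSError as exc:  # socket.gaierror / socket.herror are OSError subclasses
        return [f"{host}: forward lookup failed ({exc})"]
    findings = []
    if canonical.lower().rstrip(".") != want:
        # Chromium canonicalises a CNAME before building the SPN unless the
        # DisableAuthNegotiateCnameLookup policy is set, so it would ask for HTTP/<canonical>.
        findings.append(f"{host} is an alias for {canonical}; some browsers will request HTTP/{canonical}")
    for ip in addrs:
        try:
            ptr, _a, _ips = reverse(ip)
        except OSError:
            findings.append(f"{ip}: no PTR record")
            continue
        if ptr.lower().rstrip(".") != want:
            findings.append(f"{ip}: PTR points to {ptr}, expected {host}")
    return findings


# --- constructed resolver tables so the check runs offline ----------------------------
def fake_forward(table: dict):
    """table: host -> (canonical_name, [ip, ...])"""
    def lookup(host):
        if host not in table:
            raise socket.gaierror(f"{host}: name not found")
        canonical, ips = table[host]
        return canonical, [], ips
    return lookup


def fake_reverse(table: dict):
    """table: ip -> PTR name"""
    def lookup(ip):
        if ip not in table:
            raise socket.herror(f"{ip}: no PTR")
        return table[ip], [], [ip]
    return lookup


GOOD_FORWARD = {"sso.mycomany.com": ("sso.mycomany.com", ["1.1.1.1"])}
GOOD_REVERSE = {"1.1.1.1": "sso.mycomany.com."}
BAD_REVERSE = {"1.1.1.1": "node1.mycomany.com."}  # PTR still names one cluster node

if __name__ == "__main__":
    print(spn_for_sso_url("https://sso.mycomany.com/oam/server/", "mycomany.com"))
    print(check_dns_consistency("sso.mycomany.com", fake_forward(GOOD_FORWARD), fake_reverse(BAD_REVERSE)))
```

With the good tables the check returns no findings; with BAD_REVERSE it reports that the PTR for 1.1.1.1 still names node1, which is the misconfiguration the answer's dig -x check is meant to catch. Calling check_dns_consistency with the default arguments runs the same logic against live DNS.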
