So you want to setup Windows Native Authentication with your Oracle Access Manager 11g implementation. According to the documentation, it’s pretty straightforward and simple. And it is =)

The royal pain in the ass comes when something fails and you don’t know why. You’re going to receive 1 of 4 generic errors that when googled will give you all kinds of possible causes. I’m going to give you some more =)

Here’s the common error’s you may receive:

- kinit(v5): KDC has no support for encryption type while getting initial credentials
- kinit(v5): Key table entry not found while getting initial credentials
- kinit(v5): No such file or directory while getting initial credentials
- kinit(v5): Client not found in Kerberos database.

Instead of going into the rhetoric, I’m just going to bullet out the different issues I ran into and their fixes in order of the Oracle setup doc. Hopefully they’ll help someone else out down the road!

1. Your krb5.conf file can be a host of problems.

- First make sure that all the REALM parts are in CAPITAL LETTERS ALWAYS AND EVERYWHERE. Anytime you use the realm name (in the krb5 file, krpass commands, anywhere…) it must be in caps. This is not a host name. All the hostname parts that are in lowercase are actual hostnames (or suffixes) of the box your on.

- Encryption types between your nix box and the AD server can cause problems. If AD isn’t Windows 2008 R2 (yes… R2), you’re going to experience issues. Like until R2, any authentication will fail of the SPN has a “/” in it (which they all do for us here). To help with the encryption problems, put these two lines in your [libdefaults] section:

default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5

- The example in the Oracle guide is painful to understand if you have no clue what your doing. Also the default port for Kerberos authentication is 88. I just put it there explicitly because I rock like that. Here’s mine:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = CORP.DOMAIN.COM
ticket_lifetime = 600
dns_lookup_realm = true
dns_lookup_kdc = true
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5

[realms]
CORP.DOMAIN.COM = {
kdc = addc1.corp.domain.com:88
admin_server = addc1.corp.domain.com:88
default_domain = CORP.DOMAIN.COM
}

[domain_realm]
.corp.domain.com = CORP.DOMAIN.COM
corp.domain.com = CORP.DOMAIN.COM

2. Creating the Service Principal Name

- A simple one line command right? HA! N00Bs beware =). When you run this command on the AD server, the password you provide will SET the password for that account to whatever you put. So don’t guess if you’re modifying an existing service account!

- If your password has some crazy characters or spaces in it, you’ll need to wrap it in quotes

- If you receive the error “DsCrackNames returned 0×2 in the name entry for [username]. ktpass:failed getting target domain for specified user.” This just means you need to add the domain to the username like “DOMAIN\username”

- Here’s the command I run that works. notice the “HTTP/oamserver.corp.domain.com@CORP.DOMAIN.COM”. Yes. That’s how it should be, and yes the REALM needs to be in CAPITALS:

C:\>ktpass -princ HTTP/oamserver.corp.domain.com@CORP.DOMAIN.COM -pass “c0mpl3x P455w0rd!” -mapuser DOMAIN\username -out c:\temp\keytab.service

- Now that you have your keytab.service file you should be able to get the Kerberos ticket from the AD server with the kinit command. Here’s an example that flows with the rest of the config I’ve given so far:

kinit -V HTTP/oamserver.corp.domain.com@CORP.DOMAIN.COM -k -t keytab.service

- The REALM must be in CAPS here too

Here’s where you’re going to get the majority of your errors too. I’ll try to help here.

kinit(v5): KDC has no support for encryption type while getting initial credentials

- run “klist -ke keytab.service” to see what level of encryption is setup for your file
- verify that it’s one in the list in your krb5.conf file
- Make sure your AD administrator didn’t check “Use Kerberos DES encryption types for this account”. This will cause it to fail.
- If all else fails, regenerate your keytab.service file with the “-crypto All” flag at the end to get all encryption keys

kinit(v5): Key table entry not found while getting initial credentials

- Make sure your AD administrator didn’t check “Use Kerberos DES encryption types for this account”. This will cause it to fail.
- Verify that the HTTP/host@REALM is the same in the keytab.service file matches the FQND of the OAM server and the REALM is in caps and matches what’s in your krb5.conf file

kinit(v5): No such file or directory while getting initial credentials

- The path to your keytab.service file is wrong

kinit(v5): Client not found in Kerberos database.

- Make sure that there is only 1 account in AD that has the SPN of your HTTP/host@REALM. If there is more than one account set to the SPN authentication will fail. You can issue these two commands to verify:

c:\setspn -Q HTTP/oamserver.corp.domain.com
ldifde -f c:\upn_out.txt -d “DC=domain,DC=com” -l * -r “(userprincipalname=HTTP/oamserver.corp.domain.com@CORP.DOMAIN.COM)” -p subtree -s addc1.corp.domain.com
(if you don’t have the ldifde.exe file, google: ldifde.exe “index of”

- You can also verify things with:

kinit [username]

You’ll be prompted for the password. If it’s correct you’ll be dropped to the prompt. If wrong, you’ll receive an error. If that works, then try:

kinit HTTP/host@REALM

You’ll again be prompted for the password for the account it’s attached to. If successfull you’ll be dropped to the prompt. If wrong, you’ll receive an error.

If that works, and kinit with the keytab file fails it’s something in the keytab file or a setting on the AD server.

Lastly, let’s say you don’t like the auto-failover to Basic authentication when WNA fails. Well… there’s no way to change it. Sorry. As per Oracle support, “it’s supposed to work that way”. The actual auth scheme is packaged together when sent to the user. So when WNA fails to get the SPNEGO token, it doesn’t go back to the WebGate or OAM server for a secondary authN scheme or use the Login Failed Redirect URL. It just immediately prompts the user with the popup box.

That’s all I got, but I haven’t found these answers for OAM-WNA integration specifically in one place, so hopefully this’ll save some people some time =)

Cheers!

.: Adam

After much Face<-->Keyboard and an Oracle Support ticket, it’s official! In Oracle Access Manager 11g (11.1.1.5), The Authentication Failure URL Redirect doesn’t work.

Awesome.

You’re not doing anything wrong. You’re not crazy. That box above your Authentication policy that says “Failure URL” is just there to tease you of funcationality that used to work before someone borked it.

Cheers!

.: Adam

Recently, Google blackballed this site saying it was hosting malware and infecting websites…blah, blah blah.

Well, it wasn’t. There was a 1x1px iframe as part of a plugin that was being used to do SEO. Google took this as “Suspicious” and gave the site the red page of death. Awesome.

Talk about racking my brain to find the “malware” that was so dangerous… anywho.

It’s all good now, and Google has prolly killed the rank of my site. Yay!

New OAM 11g goodness to come!

.: Adam

Playing around with OAM 11g, I ran into a pain-point (slight downs moment on my end) where I couldn’t get the default identity store to work for any of my webgates, no matter what I tried. Here is an overview of my example:

I setup an Identity Store called ID1 and it points to an Active Directory
I setup a second ID store called ID2 and it points to OID.

Initially, OAM works fine as ID1 is set as the default and test user from AD is able to login.

When I enter the OAM admin console and change the user identity default store to ID2, none of the users in OID are able to login, but users from AD are still authentication successfully.

The little green flag is on the OID identity store, but out authentication policy it’s not acutally using it.

After a couple masterful head > keyboard moves, it finally hit me “Default” store. Meaning there’s got to be a we to select one in particular if needed. Is it in the Oracle Access Manager 11g documentation? Maybe, but I couldn’t find it.

Next step, look into every option of every piece of OAM.

Result… I found it =)

- Click on the System Configuration tab
- Expand Authentication Modules
- Double-click the module being used by your Authentication Scheme
- Select the Identity Store of your liking in the drop-down and click Apply

And now the webgate will authenticate from the newly selected Identity Store instead of the default one!

.: Adam

A lot of people out there work with, are friends with, or are even in a relationship with someone that is a traveling consultant. What’s that? It’s someone that has to fly out every week for work. For most people (the one’s that don’t do this), they think it’s easy and / or a glamourous job. It’s not. This video was made to show my wife what it is that I really do from the minute she drops me off at the airport.

I hope this helps a lot of others out there really get the point across of what it is that we do to earn our paychecks.

If you are also a traveling consultant, I’d love to hear feedback from you!

Cheers!

.: Adam

I just read this on a forum (link below) and it’s genius! Let’s say you need to copy all the .log files (and only the .log files) from within a bunch of directories to a /log directory. This is actually a pain in the ass. Check this out:

cp $(find . -name “*.log”) /log/

GENIUS!

Ref link: http://www.linuxquestions.org/questions/linux-general-1/useful-shortcut-pipe-results-of-search-to-cp-295092/

There is a situation that seems too common in this industry. Companies are storing the last four digits of a users social security number in a data repository in clear text. I’m going to put this next part on it’s only line to reaaaaly stress my point:

DON’T EVER STORE THE LAST 4 OF AN SSN IN CLEAR TEXT!

First we need to ask ourselves “why” they think it’s ok to do this. Generally the response is, “well, it’s ok because it’s not the full SSN”. My best guess is that they never put any real thought into this, because the last four digits of a social security number is the most important part!

Ask yourself, “Why do you guard your SSN so tightly?” and you’ll probably come back with something like, “I don’t want people to steal my identity”.

Well… you don’t need the full SSN. Well, maybe for more elaborate things, like opening a line of credit, but not for any of your day-to-day stuff. Think about it. When someone wants to validate you are who you say, they ask you a couple questions that everyone knows (name, phone, etc), and then the über secure, “What’s the last four of your SSN?”

Everyone verifies you now via the last four of your SSN! You want a bunch of help desk personel (maybe even off-shore) to have the last four of your SSN? Yeah… didn’t think so.

Also, not sure if you already know this or not, but the last four of your SSN are the ONLY numbers that are serial. The first three have to do with where you filed for your SSN. It’s a location code. The second two are a grouping (most not even used) and they are determined by when you where born (the year). You can find out the code behind it here:

http://stevemorse.org/ssn/ssn.html

So, let’s say you were born in Delaware. Then the first three digits are either 221 or 222. Let’s say you were born in 1973; the middle two digits would be 50. Not very random huh?

Now you’re just down to just the last four (the one’s companies want to leave unencrypted) and there’s only 10,000 possibilities. Sure, a malicious user calling up AT&T is going to have a tough time guessing 1 in 10,000 but if there’s an online app that has you “verify” the last four of your SSN, they’ve basically created a brute force tool to “verify” that you’ve guessed the correct answer =). Also, phishing the last four from someone isn’t terribly difficult. Ironically, this is because of the same reasons that a company thinks it’s ok to leave the last 4 unencrypted. Most people think you can’t do anything with just the last 4, and the rest are random.

You can read more, right from the Social Security Administration (http://www.ssa.gov/history/ssn/geocard.html).

So, this is my public outcry to everyone to push companies to stop using the last 4 as a security measure! I don’t want everyone knowing my SSN, and neither should you. Until there’s a better citizen numbering system implemented (which is probably going to be pretty soon), these guys need to come up with something better.

Maybe ask for the first 3? LOL!

I guess I should reword my opening statement to:

DON’T EVER STORE THE LAST 4 OF AN SSN IN CLEAR TEXT!

And even more importantly you should adopt this one:

DON’T EVER STORE THE LAST 4 OF AN SSN IN CLEAR TEXT!

Because, really, it’s not needed. I mean c’mon, if Facebook or Google hasn’t asked for it, and they know more about you than you do, it’s just not necessary.

.: Adam

I had a HUGE dilemma, my DB server locked up because the HDD filled up due to the transaction log file getting over 50GB (Daaamn!)

Now, I am not a DB admin… at all. So I turned to Google. I was told to run DBCC Shrinkfile and all would be ok. Wrong. Nothing Happened. Turns out, my database was somehow stuck in Replication mode for the log_reuse_wait_desc in sys.databases. After a few days of Google-scrounging, I foud this gem:

Run this scheduled task: sp_removedbreplication

No i backed up my database, and then ran the DBCC Shrinkfile command and BAM! It’s all good now =)

.: Adam

So you want to replicate your production data into your test environment. You understand all the reasons you shouldn’t do this, but your client wants it done anyway. Soooo, here’s a generic outline of the steps you’ll need to do. After this is done, don’t forget that you need to “refresh” all your resources (AD, OID, etc), so that all the accounts match up.

Rajnish Bhatia has provided the community with an AWESOME resource. He’s listed out all the tables of OIM and what they correlate to. I have personally referenced this table a ton of times, and I know others have as well. I’m mirroring it here for data integrity.

Please go to his website (http://rajnishbhatia19.blogspot.com/2008/08/oim-tables-descriptions-9011.html) and check out his other articles.

Great stuff!

.: Adam

From Rajnish:

The following table lists the purpose of each table within OIM.

Note: Custom Tables are created for user defined Object / Process Forms.