Welcome to my Identity Management blog with a focus on proven implementation strategies, best practices, product selection, and where I open my expertise to you!
Fortune 100, Higher Education, Government... I've done it all. I'm 7 feet tall, live in NYC, tattooed, and love a challenge! Here's what I've learned...
So you want to setup Windows Native Authentication with your Oracle Access Manager 11g implementation. According to the documentation, it’s pretty straightforward and simple. And it is =)
The royal pain in the ass comes when something fails and you don’t know why. You’re going to receive 1 of 4 generic errors that when googled will give you all kinds of possible causes. I’m going to give you some more =)
Here are the common errors you may receive:
- kinit(v5): KDC has no support for encryption type while getting initial credentials
- kinit(v5): Key table entry not found while getting initial credentials
- kinit(v5): No such file or directory while getting initial credentials
- kinit(v5): Client not found in Kerberos database.
Instead of going into the rhetoric, I’m just going to bullet out the different issues I ran into and their fixes in order of the Oracle setup doc. Hopefully they’ll help someone else out down the road!
1. Your krb5.conf file can be a host of problems.
- First make sure that all the REALM parts are in CAPITAL LETTERS ALWAYS AND EVERYWHERE. Any time you use the realm name (in the krb5 file, ktpass commands, anywhere…) it must be in caps. This is not a host name. All the hostname parts that are in lowercase are actual hostnames (or suffixes) of the box you're on.
- Encryption types between your *nix box and the AD server can cause problems. If AD isn't Windows 2008 R2 (yes… R2), you're going to experience issues. For example, until R2, any authentication will fail if the SPN has a "/" in it (which they all do for us here). To help with the encryption problems, put these two lines in your [libdefaults] section:
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
- The example in the Oracle guide is painful to understand if you have no clue what you're doing. Also, the default port for Kerberos authentication is 88. I just put it there explicitly because I rock like that. Here's mine:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = CORP.DOMAIN.COM
ticket_lifetime = 600
dns_lookup_realm = true
dns_lookup_kdc = true
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
[realms]
CORP.DOMAIN.COM = {
kdc = addc1.corp.domain.com:88
admin_server = addc1.corp.domain.com:88
default_domain = CORP.DOMAIN.COM
}
[domain_realm]
.corp.domain.com = CORP.DOMAIN.COM
corp.domain.com = CORP.DOMAIN.COM
2. Creating the Service Principal Name
- A simple one line command right? HA! N00Bs beware =). When you run this command on the AD server, the password you provide will SET the password for that account to whatever you put. So don’t guess if you’re modifying an existing service account!
- If your password has some crazy characters or spaces in it, you’ll need to wrap it in quotes
- If you receive the error "DsCrackNames returned 0x2 in the name entry for [username]. ktpass:failed getting target domain for specified user.", it just means you need to add the domain to the username, like "DOMAIN\username".
- Here's the command I run that works. Notice the "HTTP/oamserver.corp.domain.com@CORP.DOMAIN.COM". Yes, that's how it should be, and yes, the REALM needs to be in CAPITALS:
C:\>ktpass -princ HTTP/oamserver.corp.domain.com@CORP.DOMAIN.COM -pass "c0mpl3x P455w0rd!" -mapuser DOMAIN\username -out c:\temp\keytab.service
- Now that you have your keytab.service file you should be able to get the Kerberos ticket from the AD server with the kinit command. Here’s an example that flows with the rest of the config I’ve given so far:
kinit -V HTTP/oamserver.corp.domain.com@CORP.DOMAIN.COM -k -t keytab.service
- The REALM must be in CAPS here too
Here’s where you’re going to get the majority of your errors too. I’ll try to help here.
kinit(v5): KDC has no support for encryption type while getting initial credentials
- run “klist -ke keytab.service” to see what level of encryption is setup for your file
- verify that it’s one in the list in your krb5.conf file
- Make sure your AD administrator didn’t check “Use Kerberos DES encryption types for this account”. This will cause it to fail.
- If all else fails, regenerate your keytab.service file with the “-crypto All” flag at the end to get all encryption keys
kinit(v5): Key table entry not found while getting initial credentials
- Make sure your AD administrator didn’t check “Use Kerberos DES encryption types for this account”. This will cause it to fail.
- Verify that the HTTP/host@REALM in the keytab.service file matches the FQDN of the OAM server, and that the REALM is in caps and matches what's in your krb5.conf file
kinit(v5): No such file or directory while getting initial credentials
- The path to your keytab.service file is wrong
kinit(v5): Client not found in Kerberos database.
- Make sure that there is only 1 account in AD that has the SPN of your HTTP/host@REALM. If more than one account is set to the SPN, authentication will fail. You can issue these two commands to verify:
c:\>setspn -Q HTTP/oamserver.corp.domain.com
ldifde -f c:\upn_out.txt -d "DC=domain,DC=com" -l * -r "(userprincipalname=HTTP/oamserver.corp.domain.com@CORP.DOMAIN.COM)" -p subtree -s addc1.corp.domain.com
(If you don't have the ldifde.exe file, google: ldifde.exe "index of")
- You can also verify things with:
kinit [username]
You’ll be prompted for the password. If it’s correct you’ll be dropped to the prompt. If wrong, you’ll receive an error. If that works, then try:
kinit HTTP/host@REALM
You'll again be prompted for the password for the account it's attached to. If successful, you'll be dropped to the prompt. If wrong, you'll receive an error.
If that works but kinit with the keytab file fails, it's something in the keytab file or a setting on the AD server.
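Most of the kinit failures above come down to a few things you can check before ever touching the KDC. The script below is an added example (not from the original post) that parses a krb5.conf fragment and the text output of "klist -ke keytab.service" and flags the problems described above: a keytab enctype that isn't in default_tkt_enctypes, a realm that isn't in caps, and a principal that doesn't match the expected HTTP/host@REALM. The config and klist output are constructed samples that mirror the post's setup; the ALIASES table is an assumption about how klist spells the RC4 enctype.

```python
import re

# Constructed krb5.conf fragment, following the post's example.
KRB5_CONF = """
[libdefaults]
default_realm = CORP.DOMAIN.COM
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
"""

# Constructed `klist -ke keytab.service` output. The first entry has a
# lowercase realm, the second an enctype that krb5.conf does not request.
KLIST_OUTPUT = """Keytab name: FILE:keytab.service
KVNO Principal
---- ------------------------------------------------------------
   3 HTTP/oamserver.corp.domain.com@corp.domain.com (arcfour-hmac)
   3 HTTP/oamserver.corp.domain.com@CORP.DOMAIN.COM (aes256-cts-hmac-sha1-96)
"""

# klist prints some enctypes under a different name than krb5.conf uses
# (assumed mapping; extend it for your klist version).
ALIASES = {"arcfour-hmac": "arcfour-hmac-md5", "rc4-hmac": "arcfour-hmac-md5"}


def parse_libdefaults(conf):
    """Return the key/value pairs of the [libdefaults] section."""
    section, out = None, {}
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith("["):
            section = line.strip("[]")
        elif section == "libdefaults" and "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            out[key] = val
    return out


def parse_klist(text):
    """Return [(principal, enctype), ...] from klist -ke output."""
    pat = re.compile(r"^\s*\d+\s+(\S+@\S+)\s+\((\S+)\)")
    return [m.groups() for m in map(pat.match, text.splitlines()) if m]


def check_keytab(conf, klist_text, spn):
    """Return a list of problems found; an empty list means the keytab looks OK."""
    allowed = set(parse_libdefaults(conf).get("default_tkt_enctypes", "").split())
    problems = []
    for principal, enctype in parse_klist(klist_text):
        if principal != spn:
            problems.append("principal %s does not match %s" % (principal, spn))
        realm = principal.rpartition("@")[2]
        if realm != realm.upper():
            problems.append("realm %s must be upper case" % realm)
        if ALIASES.get(enctype, enctype) not in allowed:
            problems.append("enctype %s not in default_tkt_enctypes" % enctype)
    return problems
```

Run check_keytab against the real files on the OAM box (open("/etc/krb5.conf").read() and the captured klist output) before you start regenerating keytabs with "-crypto All".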
Lastly, let’s say you don’t like the auto-failover to Basic authentication when WNA fails. Well… there’s no way to change it. Sorry. As per Oracle support, “it’s supposed to work that way”. The actual auth scheme is packaged together when sent to the user. So when WNA fails to get the SPNEGO token, it doesn’t go back to the WebGate or OAM server for a secondary authN scheme or use the Login Failed Redirect URL. It just immediately prompts the user with the popup box.
That’s all I got, but I haven’t found these answers for OAM-WNA integration specifically in one place, so hopefully this’ll save some people some time =)
Cheers!
.: Adam
After much Face<-->Keyboard and an Oracle Support ticket, it’s official! In Oracle Access Manager 11g (11.1.1.5), The Authentication Failure URL Redirect doesn’t work.
Awesome.
You're not doing anything wrong. You're not crazy. That box above your Authentication policy that says "Failure URL" is just there to tease you with functionality that used to work before someone borked it.
Cheers!
.: Adam
Playing around with OAM 11g, I ran into a pain-point (slight downs moment on my end) where I couldn’t get the default identity store to work for any of my webgates, no matter what I tried. Here is an overview of my example:
I setup an Identity Store called ID1 and it points to an Active Directory
I setup a second ID store called ID2 and it points to OID.
Initially, OAM works fine as ID1 is set as the default and test user from AD is able to login.
When I enter the OAM admin console and change the user identity default store to ID2, none of the users in OID are able to login, but users from AD are still authenticating successfully.
The little green flag is on the OID identity store, but our authentication policy isn't actually using it.
After a couple masterful head > keyboard moves, it finally hit me: "Default" store. Meaning there's got to be a way to select one in particular if needed. Is it in the Oracle Access Manager 11g documentation? Maybe, but I couldn't find it.
Next step, look into every option of every piece of OAM.
Result… I found it =)
- Click on the System Configuration tab
- Expand Authentication Modules
- Double-click the module being used by your Authentication Scheme
- Select the Identity Store of your liking in the drop-down and click Apply
And now the webgate will authenticate from the newly selected Identity Store instead of the default one!
.: Adam
So let's say that you're working in an environment that happens to have Oracle Access Manager (OAM) installed twice. Yep, two instances. Why? Most likely because larger corporations and institutions tend to make decisions that have no real thought behind them. Anywho, a problem that will arise is that if you're using a global cookie with .domain.com as your suffix, they will conflict and overwrite each other. This will cause a wonderful behavior of being SSO'd into one system and when you visit the other system it will overwrite the cookie and kill your other session for you. Why? Because OAM uses a cookie name of ObSSOCookie as the default name. By method of standard practice and IT reasoning, your impulse would be to rename one of the cookies so that there are two separate cookies and they can be used independently. Weeellllll, surprise surprise, you can't. Oracle Access Manager will NOT allow you to change the name of the cookie. The official response from Oracle on this is that "it's a security issue". I'm calling B.S. and attributing this to the bad practice of hard-coded variables.
So, yeah. If for whatever reason you want to change the name of the ObSSOCookie that Oracle Access Manager uses for its single sign-on purposes, you can't.
On behalf of Oracle / Oblix… sorry =)
.: Adam
Part 8 – Configuration of Oracle Identity Manager 11g
This video tutorial will walk you through the configuration of Oracle Identity and Access Manager 11g. These tools include:
Next >> Part 9 – WebLogic Server and Domain Start-up Options
The original source videos are available for download via Vimeo.com. You'll have to sign in to download them though. To get there, click on the "Vimeo" logo in the video.
If you have any questions, please post them below. I’m pretty tied up at the moment, but others will be able to help too!
Thanks!
.: Adam
Part 7 – Installing Oracle Identity and Access Manager 11g
This video tutorial will walk you through the installation of Oracle Identity and Access Manager 11g. These tools include:
You will need to download the 1.7GB Oracle Identity and Access Management (11.1.1.3.0) Generic Installer (ofm_iam_generic_11.1.1.3.0_disk1_1of1.zip).
Download Oracle Identity and Access Management
Next >> Part 8 – Configuration of Oracle Identity Manager 11g
The original source videos are available for download via Vimeo.com. You'll have to sign in to download them though. To get there, click on the "Vimeo" logo in the video.
If you have any questions, please post them below. I’m pretty tied up at the moment, but others will be able to help too!
Thanks!
.: Adam
Ok… after a ton of debating and drinking, I’ve finally come to a conclusion.
On what, you ask?
Well, over the past few weeks, I’ve been giving myself a crash-course on the new 11g stack for Oracle’s Identity Management Fusion Middleware. During this time, I finally figured out how to get everything installed (on Oracle Enterprise Linux 5 Update 3):
While doing this, I learned a lot…. srsly…
More importantly, I captured the whole process on video, and made video tutorials / guides on how to install and configure each product. Since it’s a video, you’ll also see a few mistakes that I made along the way, this way if the same happens in the future, the fixes are documented.
There are some documents out there, a few blogs with some high-level steps, and one guy I know is selling an eBook on the install process for about $100 (and it’s probably worth it!), so now my dilemma is two fold:
1. Should I make this information that’s worth more than gold available to others?
2. If so, how much should I charge?
Now back to the “I’ve made a decision” part:
1. Yes, I’m going to release these videos to the public.
2. I’m going to charge $1,000.
Hahahah… just kidding =)
I’ll be giving them away free, right here!
Once I get the write-ups done and the videos uploaded, I'll start posting the videos on my blog for everyone to use.
DONE!
Cheers!
.: Adam
A close friend of mine in the IDM world just called me the other day saying that a company out of Tampa, Florida, EMS Consulting, sent him a resume of an example employee they have named "Gene" that is their lead architect. This resume is MY RESUME! If anyone else out there is receiving resumes of so-called "employees" of this company, you may want to compare it with mine at AdamCallen.com first!
Here’s the story…
Last fall, EMS contacted me to help with a project, University of Louisville. After 2 weeks on the job I saved UofL thousands of dollars in unneeded hardware costs and cut the project time down almost three months, but that’s besides the point. I got sick while there… in the middle of the day. One of the UofL employees even drove me to the hospital (super awesome guy and I can’t thank him enough!). Turns out that it was just a side effect of some nasty flu I had, but that didn’t matter. When I returned the next day, the lead on the project accused me of taking METH! WTF?! Needless to say, I didn’t return.
Now they're going around telling people that they have a guy, "Gene" is the name I've seen so far, that works for them. They're sending out MY RESUME and MY CLIENT LIST as an example of employees that they have on staff. I was never even on staff with these people. It was a short-term contract.
So if you hear that they’ve worked at Tyco, University of Mass, and others, they’re LYING! This all goes back to what I keep telling people. CHECK COMPANY’S REFERENCES!
I kept all of the dealings between me and EMS quiet with regards to what happened at UofL out of professional courtesy, but this I can't let go by.
If you are an IDM consultant, you need to stay away from this company. I personally know 2 other people that have been burned from them!
If you’re looking to hire a company to implement your IDM project, take note of their business practices! I can easily recommend many other great companies with excellent reputations if you need them!
If you work for Oracle, or know anyone that does, please spread the word about this company internally! They will only wind up killing your name in the long run!
Lastly, please spread the word to as many people as possible about them so that others won’t be scammed as well.
Thank you!
.: Adam
I just finished up a PoC at Conde Nast with some Access Management tools and such. Everything went smoothly and had the wrap-up meeting today. Oracle sales and the heads of our company all met in their board room. This place was awesome!
I feel I should also add in some learned items as well =)
- If you have a comma in a DN, you need to escape it with a backslash (ie. cn=Last\, First,ou=People,dc=domain,dc=com). Amazingly, this was the first time I’ve run into a situation where there was a comma in the dn =)
- Hooking up OAM to AD as the user repository with OVD as the proxy in the middle is amazingly simple and works out of the box perfectly! All the groups and memberships show up and work with all group-based policies. Just make sure you select "Data Anywhere" as the LDAP, and in OVD, use the OAM-Active Directory Mapping script for the mapping, not the generic AD one. This will keep your corporate AD schema nice and clean, but still allow OAM to use its ob* attributes.
- One of the techie sales guys from Oracle told me that in the upcoming release of OAM (11g), there is going to be tighter integration between OAM and WebLogic. Making the two work out of the box together. No more SSPI pain in the ass plugin!
That’s it for today. Sorry for the delay in posts. I just haven’t had a lot of time to get info on here. I’ll try to update more!
.: Adam
A while ago, I put together a video walkthrough of installing Oracle Access Manager onto Oracle Enterprise Linux. If you’re looking to learn the basics, this may be a good start (OAM is a lot easier to learn than OIM)
It’s about 40 minutes long, so grab some popcorn and enjoy the show!
.: Adam
ps. You’re welcome