Setting up Kerberos authentication on Oracle Access Manager

The configuration for Windows Native Authentication requries a keytab file to be generated by the AD administrator.

                       1.       Send a request to AD administrator to generate a Keytab file .Instructions to be sent to AD                        administrator is as follows.Windows Server 2008 R2.

a.       Create an AD user. username = oam1 password = Welcome1

b.      Verify that the SPNs do not exist for oam1.

a.       setspn -L oam1

c.       Generate the keytab by using the following command.

d.      ktpass -princ HTTP/oam1.domain.com@DOMAIN.COM -pass Welcome1 -mapuser oam1 -out c:\temp\oam1.keytab. (The name oam1.domain.com is the listen address of OAM server. Not specifying any encyption mechanism makes use of RC4-HMAC protocol.)

e.      Check the box does not require Kerberos pre authentication. (this was requried else I was getting an error saying that pre authentication is required.)

2.       Update the krb5.conf file located at /etc folder on the OAM servers 

[logging]

 default = FILE:/var/log/krb5libs.log

 kdc = FILE:/var/log/krb5kdc.log

 admin_server = FILE:/var/log/kadmind.log

[libdefaults]

 default_realm = DOMAIN.COM

 dns_lookup_realm = false

 dns_lookup_kdc = false

 default_tkt_enctypes = arcfour-hmac-md5

 default_tgs_enctypes = arcfour-hmac-md5

 ticket_lifetime = 24h

 forwardable = yes

udp_preference_limit = 1  (I required this paramter because i was getting an error saying that packet size                                                was too huge. Then found that by default kereberos uses UDP Protocol which has                                                     a limitation of paket size. This parameter forces the use TCP protocol.)

[realms]

 DOMAIN.COM = {

  kdc = ADSERVER

  admin_server = ADSERVER

  default_domain = DOMAIN.COM

 }

[domain_realm]

 .lacmta.net  =  DOMAIN.COM

 lacmta.net =  DOMAIN.COM

[appdefaults]

 pam = {

   debug = true

   ticket_lifetime = 36000

   renew_lifetime = 36000

   forwardable = true

   krb4_convert = false

   autologin = true

   forward = true

   encrypt = true

 }

2.       Once the keytab file is sent by the AD administrator validate the keytab file by executing the below command on the OAM boxes.Place the keytab file on the OAM server at /share/oracle/keytab.

kinit -V -k -t /share/oracle/keytab/oam1.keytab HTTP/oam1.domain.com@DOMAIN.COM

                              This should result in an output of “Authenticated to Kerberos v5”.

                       In case you are not able to authenticate please debug and then proceed further.

3.       Login to http://oam.domain.com:7001/oamconsole and open the OAM console.Navigate to System Configuration.

4. Navigate to Common Configuration->Data Sources->User Identity Store and click on New.

5. Create a Datastore such that the samacountname from the AD matches the usernameattribute in the username.In my case the samaccountname in AD was kumarab, but in OID the cn was m80845kumar and orclasamaccountame was kumarab. So when creating the datastorein the username attribute of the datastore i specified orclsamaccountname. (generally we specify cn or uid.)Make the user store the default userstore.

6. Navigate to Access Manager ->  Authentication Modules -> Kerberos Authentication module -> Kerberos

7. Fill in the following details.                                                                                                                                         

   

Name	Kerberos
Key Tab File	/share/oracle/keytab/oam1.keytab
Principal (same as the one which was given when creating the keytab.)	HTTP/oam1.domain.com@DOMAIN.COM
KRB Config File	/etc/krb5.conf

8. Now go to authentication modules->protected policies->use kerberos scheme as the authentication policy.

9. ADD http://oam1.domain.com to your local list of intranet resources in your browser and you should be done.

Some common issues which I faced:-

OAM in most of cases gives a generic error saying userid is locked. Enable trace32 log for OAM and you may be able to see some more details in the diagonistic logs.

1. gssheader did not find the right tag. The principal name which is sent by the browser does not the principal name in the keytab. for example the principal name sent by browser may be HTTP/oam2.domain.com whereas the keytab may be generated by using HTTP/oam1.domain.com. To find out which principal is generated use the network tracing NETSH Micorosoft netsh command and network monitor tool mechanism of Windows 7 and apply the filter as kerberos to view details. The error in the logs would say " KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN."Hence the spengo token is not sent instead NLTM token is sent. This can be detected by using a HTTP header, NLTM headers are generally one liners whereas SPENGO are bigger in size as compared to NLTM.(Definitely more than one line.)
2. The other error is GSSException: Failure unspecified at GSS-API level which is  generally due to the non matching KVNO version .This can be resolved   by regenerating the keytab.
3. Other issue which I faced was to the packet limit constraint, which was resolved by adding a parameter in the krb5.conf. udp_preference_limit = 1.
4. Other issue is user not found in datastore. In this case cross verify the datastore configured in OAM, make sure the default userstore is the one which has usernameattribute==samaccountname from AD.