Thursday, March 12, 2015

WNA configuration in Oracle Access Manager 11g

Below is the step-by-step Windows Native Authentication (WNA) configuration for Oracle Access Manager 11g Release 2 PS2, integrated with Oracle E-Business Suite (EBS) for Single Sign-On (SSO).

1. Create a new service account on the Active Directory domain controller. The account's password should be set never to expire.

2. Open a command prompt on the Active Directory server and execute the command below to generate the keytab file. This keytab file will later be copied to the OAM server.

ktpass -princ HTTP/<oamHostName>@<adDomainName> -mapuser <adDomain>\<username> -pass <userPassword> -out <path>

Check for the success message as shown in the screenshot below.

3. Open the user account in AD and click the Account tab. Verify the principal name as shown in the screenshot above: HTTP/

4. Copy the keytab file from the AD machine to any directory on the OAM machine. Later we will specify the directory path and file name in the Oracle Access Manager console (OAMCONSOLE).

5. Log in as the root user and edit the /etc/krb5.conf file as below:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = IN.SAMI.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 allow_weak_crypto = true
 #default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
 #default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
 IN.SAMI.NET = {
  kdc =
  admin_server =
  default_domain = IN.SAMI.NET
 }

[domain_realm]
  = IN.SAMI.NET
  = IN.SAMI.NET
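Two things in this file most often break the kinit test in step 7: a realm block whose kdc is blank while dns_lookup_kdc = false (the library then has no way to find a domain controller), and a default_realm that has no matching [realms] block or [domain_realm] mapping. The allow_weak_crypto = true line is also worth a deliberate look, since it is only needed when the keytab holds DES or RC4 keys. The Python check below is an added example and is not part of the original post; it parses the krb5.conf section/brace syntax and reports those conditions. The sample configuration is constructed from the values above, and the domain_realm keys and the dc1.in.sami.net host name in the hardened variant are placeholders.

```python
import re

# Constructed sample, built from the post's values: the realm host names are
# left blank as they appear in the post and the domain_realm keys are placeholders.
SAMPLE_KRB5_CONF = """\
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = IN.SAMI.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 allow_weak_crypto = true

[realms]
 IN.SAMI.NET = {
  kdc =
  admin_server =
  default_domain = IN.SAMI.NET
 }

[domain_realm]
 .in.sami.net = IN.SAMI.NET
 in.sami.net = IN.SAMI.NET
"""

# The same file with a KDC filled in (placeholder host) and weak crypto disabled.
HARDENED_KRB5_CONF = (
    SAMPLE_KRB5_CONF
    .replace("  kdc =\n", "  kdc = dc1.in.sami.net\n")
    .replace("  admin_server =\n", "  admin_server = dc1.in.sami.net\n")
    .replace("allow_weak_crypto = true", "allow_weak_crypto = false")
)


def parse_krb5_conf(text):
    """Return {section: {key: value}}; 'name = { ... }' blocks become nested dicts."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:                                     # new top-level section
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if line == "}":                           # end of a brace block
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":                          # start of a brace block (realm)
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return conf


def lint_krb5_conf(text):
    """Return a list of findings that would break kinit or weaken the setup."""
    conf = parse_krb5_conf(text)
    findings = []
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm")
    if not realm:
        findings.append("libdefaults: default_realm is not set")
    if libdefaults.get("allow_weak_crypto", "false").lower() == "true":
        findings.append("libdefaults: allow_weak_crypto = true accepts DES/RC4 keys; "
                        "prefer AES keys in the keytab and set it to false")
    block = conf.get("realms", {}).get(realm, {}) if realm else {}
    if realm and not block:
        findings.append("realms: no block for default_realm %s" % realm)
    elif block:
        # MIT krb5 defaults dns_lookup_kdc to true; with it off, kdc must be explicit.
        if not block.get("kdc") and libdefaults.get("dns_lookup_kdc", "true").lower() == "false":
            findings.append("realms: kdc is empty and dns_lookup_kdc = false, so kinit cannot locate a KDC")
        if not block.get("admin_server"):
            findings.append("realms: admin_server is empty")
    mapped = set(conf.get("domain_realm", {}).values())
    if realm and realm not in mapped:
        findings.append("domain_realm: no host or domain maps to %s" % realm)
    return findings


if __name__ == "__main__":
    for name, text in (("as posted", SAMPLE_KRB5_CONF), ("hardened", HARDENED_KRB5_CONF)):
        print(name + ":", lint_krb5_conf(text) or "no findings")
```

Run it against the real /etc/krb5.conf by reading the file into lint_krb5_conf; the parser only handles the section and brace syntax used above, not include directives.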

6. Execute the klist command on the OAM server as shown in the screen below to list the entries in the keytab:

klist -k -t -K -e FILE:/<keytab file path>

7. Execute the kinit command on the OAM machine to obtain a ticket using the keytab, then confirm it with klist:
kinit -V <Principal Name> -k -t <keytab file path>
klist -e
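Steps 2 to 7 all depend on the keytab that ktpass wrote actually containing the HTTP/ service principal with the key version number (kvno) and encryption types the domain controller expects; when kinit fails here, the keytab contents are the first thing to check. The Python script below is an added example and not part of the original post: it parses the MIT keytab v2 format directly, reports each entry's principal, kvno and enctype without echoing key bytes (which klist -K does), and flags DES/RC4 keys, which only work because allow_weak_crypto = true is set in step 5. The realm IN.SAMI.NET is the one used in the post; the host name oam.example.com, the key bytes and the timestamp are constructed placeholders.

```python
import struct

# Kerberos enctype numbers from the IANA/MIT registry.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac-md5",
}
# DES and RC4 keys are only usable when krb5.conf sets allow_weak_crypto = true.
WEAK_ENCTYPES = {1, 3, 23}


def _read_counted(buf, off):
    """Read a uint16 length-prefixed string at off; return (text, new_off)."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n].decode("utf-8"), off + n


def parse_keytab(data):
    """Parse MIT keytab v2 bytes into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    off, entries = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                 # negative size marks a deleted slot: skip it
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _read_counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _read_counted(data, off)
            comps.append(comp)
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, keylen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + keylen]
        off += keylen
        kvno = vno8
        if end - off >= 4:           # optional 32-bit kvno overrides the 8-bit field
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "name_type": name_type,
            "timestamp": timestamp,
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, str(enctype)),
            "key": key,
        })
        off = end
    return entries


def check_service_principal(data, principal):
    """Report whether the SPN is present, its kvnos and which of its keys are weak."""
    mine = [e for e in parse_keytab(data) if e["principal"] == principal]
    return {
        "found": bool(mine),
        "kvnos": sorted({e["kvno"] for e in mine}),
        "enctypes": [e["enctype_name"] for e in mine],
        "weak": [e["enctype_name"] for e in mine if e["enctype"] in WEAK_ENCTYPES],
    }


def _entry(realm, comps, kvno, enctype, key, timestamp=1426161600):
    """Serialise one keytab entry (name type 1 = KRB5_NT_PRINCIPAL); used to build the sample."""
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample keytab: an RC4 key and an AES256 key for the same SPN with a
# deleted slot between them. Host name and key bytes are placeholders, not real material.
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + _entry("IN.SAMI.NET", ["HTTP", "oam.example.com"], 3, 23, bytes(range(16)))
    + struct.pack(">i", -8) + bytes(8)
    + _entry("IN.SAMI.NET", ["HTTP", "oam.example.com"], 3, 18, bytes(range(32)))
)

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e["kvno"], e["principal"], e["enctype_name"])
    print(check_service_principal(SAMPLE_KEYTAB, "HTTP/oam.example.com@IN.SAMI.NET"))
```

To check a real file, pass open(path, "rb").read() to check_service_principal with the principal you gave ktpass; a kvno that does not match what the domain controller currently holds for the account is the usual reason a freshly copied keytab still fails at kinit.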

8. Now log in to the Access Manager admin console. Navigate to Authentication Modules --> Kerberos and provide the required parameters as shown below.

9. Create a new data store for AD in OAM.

10. Create an authentication policy with the Kerberos authentication scheme.

11. For reference, verify the Kerberos authentication scheme as shown in the screen below.

12. NTLM changes.
  • Log in to the OAM server and modify the file $DOMAIN_HOME/config/fmwconfig/oam-config.xml
  • For example: /u02/oracle/mwoam/user_projects/domains/IAMDomain/oam-config.xml
  • Change the NTLM response setting from DEFAULT to BASIC.
  • Restart the WebLogic Admin server and the OAM managed server.

  • Testing:

    Log in to a machine joined to the AD domain.
    Open a command prompt and execute "klist" to check whether Kerberos tickets have been issued for the session.

    Open Internet Explorer, open Internet Options and navigate to the Advanced tab. Scroll down and verify that "Enable Integrated Windows Authentication" is selected.
    Now access the application protected by OAM Kerberos authentication; the browser will authenticate the user automatically against Active Directory and log in to the application.

    For any queries please don't hesitate to contact me on