Installed Oracle Application Server 10g Instance.

Verified that OID server is up and running.

On your Linux server you need to configure a file called krb5.conf. The file is located in the /etc directory. The contents of the file are modified as follows:

[libdefaults]
default_realm = ACME.COM
[realms]
ACME.COM = {
kdc = dude.us.oracle.com:88
}
[domain_realm]
.us.oracle.com = ACME.COM

kdc is equal to the fully qualified domain name (FQDN) of the AD server.
Specify the Kerberos port number of the AD server at the end of the kdc line.
On the last line of this file set the DNS domain name for your SSO server. In the example above this is set to .us.oracle.com. The value on the right side of the "=" sign is the default realm in the AD server.

Next you need to verify the clocks on both your SSO server and the AD server are in sync. This includes the time, date, and time zone settings.

Login to the AD server as Administrator.

Click Next.

Enter a password for this user. Do not select any password expiration settings. Click Next.

The new user appears in the list of users.

From the command line prompt use the ktpass command on your AD server to generate this file.

The command is:

C:\> ktpass -princ HTTP/aspen.us.oracle.com@ACME.COM -pass welcome1 -mapuser aspen -out aspen.keytab

The -princ value is HTTP/ followed by the FQDN of your SSO server, followed by @YOUR_AD_DEFAULT_REALM. This is case sensitive and you must have the AD default realm in upper case. The FQDN of the SSO server should be in lower case.

The -pass value must be set to the same password you assigned to the SSO hostname user account that you created in the AD server.

The -mapuser value is the SSO hostname user you created in the AD server.

The -out value is the name you want to give for the file output that is generated, for example

hostname.keytab

After the keytab file is generated, copy the file to the $ORACLE_HOME/j2ee/OC4J_SECURITY/config directory on the SSO server.

The command you can use to test this is:

# /usr/kerberos/bin/kinit -k -t $ORACLE_HOME/j2ee/OC4J_SECURITY/config/aspen.keytab HTTP/aspen.us.oracle.com

Substitute $ORACLE_HOME with the full Oracle home directory path

Substitute aspen.keytab with the name of the keytab file you generated with the -out option when you ran the ktpass command

Substitute aspen.us.oracle.com with the FQDN of the machine your SSO server is running on

If you are successful, there should be no output at all from this command. You should just get another command prompt back. If you see any output this indicates an error and you will need to resolve this problem before you go any further.

Configure the opmn.xml file.

Edit the file $ORACLE_HOME/opmn/conf/opmn.xml using a text editor.

In this file search for the value:

process-type id="OC4J_SECURITY" module-id="OC4J"

About seven lines down from this line you will see an opening tag called '<data id="Java-options" value="server"'. Near the end of this line we need to add two values. The first value is:

-Djavax.security.auth.useSubjectCredsOnly=false

The second value which should be added is:

-Doracle.security.jazn.config=$ORACLE_HOME/j2ee/OC4J_ SECURITY/config/jazn.xml

Both of these values are added at the end of this tag but before the last double quote in the line. Each value should be seperated by a space.

Replace the $ORACLE_HOME with your Oracle home directory path.

Save and exit the file.

Edit the jaxn.xml file.

Open the $ORACLE_HOME/j2ee/OC4J_SECURITY/config/jazn.xml file in a text editor

Make sure you have a tag line that looks like this in the file:

<jazn provider="XML" location="./jazn-data.xml" />

Edit the jazn-data.xml and web.xml files.

In a text editor open the file:

$ORACLE_HOME/j2ee/OC4J_SECURITY/config/jazn-data.xml

In this file search for the opening tag jazn-loginconfig.

Copy and paste the following content:

<application>
<name>com.sun.security.jgss.accept</name>
<login-modules>
<login-module>
<class>com.sun.security.auth.module.Krb5LoginModule</class>
<control-flag>required</control-flag>
<options>
<option>
<name>debug</name>
<value>true</value>
</option>
<option>
<name>addAllRoles</name>
<value>true</value>
</option>
<option>
<name>useKeyTab</name>
<value>true</value>
</option>
<option>
<name>keyTab</name>
<value>$ORACLE_HOME/j2ee/OC4J_SECURITY/config/sso.keytab</value>
</option>
<option>
<name>principal</name>
<value>HTTP@$SSO_MIDTIER_HOST_NAME</value>
</option>
<option>
<name>doNotPrompt</name>
<value>true</value>
</option>
<option>
<name>storeKey</name>
<value>true</value>
</option>
</options>
</login-module>
</login-modules>
</application>

In the text you pasted into the jazn-data.xml file you need to modify the following:
Replace $ORACLE_HOME with the actual directory path to your Oracle Home.

In this same text you will see a value of sso.keytab. Replace this value with the name of the keytab file you generated earlier. The keytab file is located in your $ORACLE_HOME/j2ee/OC4J_SECURITY/config directory.

Next you need to make a modification the the principal value.
Change HTTP@$SSO_MIDTIER_HOST_NAME to read like this:
HTTP/aspen.us.oracle.com where aspen.us.oracle.com is the FQDN of the machine that is running the SSO server.

Save your changes and exit the file.

Edit the web.xml file.
In a text editor open the file:

$ORACLE_HOME/j2ee/OC4J_SECURITY/applications/sso/web/WEB-INF/web.xml

Immediately under the opening web-app tag line paste the following section:
<security-role>
<role-name>{{PUBLIC}}</role-name>
</security-role>

<security-constraint>
<web-resource-collection>
<web-resource-name>SSO</web-resource-name>
<url-pattern>auth</url-pattern>
</web-resource-collection>
<!-- authorization -->
<auth-constraint>
<role-name>{{PUBLIC}}</role-name>
</auth-constraint>
</security-constraint>

<!-- authentication -->
<login-config>
<auth-method>BASIC</auth-method>
</login-config>

Save your changes and exit the file.

$ORACLE_HOME/j2ee/OC4J_SECURITY/application-deployments/sso/orion-application.xml

Copy and paste the following section:

<security-role-mapping name="{{PUBLIC}}">
<group name="{{PUBLIC}}" />
</security-role-mapping>
<jazn provider="LDAP" location="ldap://directory_server.domain:port"
default-realm="default_realm_in_Oracle_Internet_Directory">
<jazn-web-app auth-method="WINDOWS_KERBEROS_AUTH"/>
<property name="kerberos-servicename" value="HTTP@sso.acme.com"/>
</jazn>

In the new section you just pasted into this file make the following changes:

Change ldap://directory_server.domain:port to ldap://aspen.us.oracle.com:3060
where aspen.us.oracle.com is the FQDN of the server that is running OID and 3060 is the port number OID is running on.

Change the default realm value default_realm_in_Oracle_Internet_Directory to us

Change the kerberos-servicename from value=HTTP@sso.acme.com to value=HTTP@aspen.us.oracle.com
where aspen.us.oracle.com is the FQDN of the machine that is running the SSO server.

If there is already another <jazn provider> tag line in orion-application.xml file, delete this extra <jazn provider> tag line.

Save this file and exit the editor.

Edit the policy.properties file.

In a text editor open the file:

$ORACLE_HOME/sso/conf/policy.properties

Change the line that reads MediumSecurity_AuthPlugin = oracle.security.sso.server.auth.SSOServerAuth to MediumSecurity_AuthPlugin = oracle.security.sso.server.auth.SSOKerbeAuth

From the command prompt type the following commands:

# opmnctl stopall

Wait about 1 minute before you start the application server.

# opmnctl startall

Login to windows using a user account that has been synchronized from the AD server to the OID server. Although the passwords have not been synchronized with OID you will still be able to login to SSO applications because you have already setup OID for External Authentication.

After logging into the Windows domain, open the Internet Explorer browser. From the Tools menu in the browser, select Internet Options.

Select the Security tab.

Highlight the Local Intranet icon.

Click Sites.

Click Advanced in the Local intranet dialog window.

Enter the URL for the machine that is running the SSO server (http://aspen.us.oracle.com) in the Add this Web site to the zone field. Do not enter the SSO login page or port number. Click Add.

Click OK. Click OK in the Local intranet window. Click OK in the Internet Options window.

Back at the Internet Options tab, click Customer Level. The User Authentication Logon should be set for Automatic logon only in Intranet zone.

http://aspen.us.oracle.com:7777/pls/orasso

At the login page you will see a link in the upper left hand corner that reads Login. Click this link.

Thus when you click Login link, the link name changes to Logout.