Thursday, February 12, 2015

Zero Sign-On (ZSO) or IWA for IIS 8 applications using OAM11GR2

Both Zero Sign-On (ZSO) and Single Sign-On (SSO) mean that the user has a single username and password (e.g. the Active Directory username and password) for the SSO-enabled application, but ZSO additionally authenticates seamlessly, without prompting for a username and password, by using the desktop credential; this is achieved with the Kerberos protocol. Below are the steps to configure ZSO for .NET websites running on an IIS server using Oracle Access Manager.


Environment

OAM: 11.1.2.2.0
Web server: IIS 8 on Windows Server 2012 R2
WebGate: 11.1.2.2.0

Prerequisite

  • Install the Visual C++ Redistributable for Visual Studio 2012 Update 4; otherwise the files will not be copied properly during installation.
  • Install a 64-bit Java Runtime Environment (JRE), 1.6 or higher.
  • It is recommended to run the command prompt as administrator and execute all the scripts from it.
  • Make sure to grant full access to the Middleware Home and the WebGate instance folders.
  • Make sure the site is deployed on the IIS server and can be listed using the following command:
      %systemroot%\System32\inetsrv>appcmd.exe list sites


Installing IIS 11g WebGate

Extract the contents of the webgate.zip file to a directory, go to Disk1 and run the command below.

setup.exe -jreLoc 64_bit_jre_location



Click Next to continue.



Click Next to continue.


Specify the Middleware Home and Oracle Home locations.


Click Install to begin the installation.




Click Finish to dismiss the Installer.




To deploy the WebGate instance, go to the WebGate_Oracle_Home\webgate\iis\tools\deployWebGate directory and run the following command:

deployWebGateInstance.bat -w WebGate_Instancedir -oh WebGate_Oracle_Home -ws WebServer



To run the ConfigureIISWebGate.bat tool, go to WebGate_Home\webgate\iis\tools\ConfigureIISConf and run the command below:


ConfigureIISWebGate.bat -oh c:\WGHome -w c:\WGInstance -site "mysite"




Make sure webgate.ini contains an entry like the one shown below for the registered WebGate instance; 19 represents the ID of the IIS site protected by the WebGate.



Also make sure the ISAPI filters are added, pointing to webgate.dll, as shown below.




Register the WebGate using RREG

The WebGate registration can be done from the OAM console or with the RREG scripts. To register using the scripts, navigate to OAM_REG_HOME/bin and execute the command below.

$ ./oamreg.sh inband input/test_OAMRequest.xml 

Copy the files generated in RREG_Home\output\Agent_ID to the WebGate_Instance_Home\webgate\config directory.

Make sure the SSO agent is registered as an 11g WebGate.

Configure OAM to use WNA

  • Create a user in Microsoft Active Directory, for example oamuser.


  • Run ktpass on the KDC server to create the SPN (service principal name) and map it to this user, for example:


ktpass -princ HTTP/myhost.mydomain.com@DOMAIN.COM -pass ***** -mapuser oamuser -out D:\etc\oam.keytab

where myhost.mydomain.com is the FQDN of the host on which Access Manager is running, or the host name of the load balancer VIP in the case of an OAM cluster.

  • Edit the /etc/krb5.conf file to include the domain and the KDC server.


  • Configure the Kerberos authentication scheme to use WNA: log in to the OAM console -> Launch Pad -> Authentication Schemes -> KerberosScheme and change the challenge method to WNA.






  • Log in to the OAM console -> Launch Pad -> Authentication Modules -> Kerberos and change the default values to the actual values.



  • Configure the application domain protecting the resource to use the Kerberos authentication scheme.


  • Register Active Directory as an identity store and make it the primary user identity store for Oracle Access Manager.



After you restart the IIS web server (iisreset), open the site at the following URL; you should be logged in without entering any credentials.

http://myhost.domain.com:port
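If the site still prompts for credentials, the usual cause is that the desktop did not obtain a Kerberos ticket for the SPN registered above and the browser fell back to NTLM inside the Negotiate token. The Python below is an added troubleshooting example, not part of the original post: it decodes the Authorization: Negotiate header a browser sends to the protected site (copy it from the browser's developer tools or a proxy) and reports whether the preferred mechanism is Kerberos or NTLM. The sample tokens are constructed inline, with dummy payloads, to show both cases.

```python
import base64

# GSS mechanism OIDs as DER-encoded bodies (without the 0x06 tag and length)
SPNEGO_OID = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")   # 1.2.840.48018.1.2.2 (Windows Kerberos)
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a") # 1.3.6.1.4.1.311.2.2.10

def der(tag, body):  # minimal DER TLV encoder, used only to build the constructed samples
    n = len(body)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + body

def read_tlv(buf, pos=0):  # decode one DER TLV -> (tag, value, position after it)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n

def negotiate_mech(header_value):  # -> "kerberos", "ntlm" or "unknown"
    scheme, _, b64 = header_value.partition(" ")
    if scheme.lower() != "negotiate":
        return "unknown"
    try:
        tok = base64.b64decode(b64)
        if tok.startswith(b"NTLMSSP\x00"):     # raw NTLM message sent under the Negotiate scheme
            return "ntlm"
        tag, body, _ = read_tlv(tok)           # GSS InitialContextToken
        if tag != 0x60:
            return "unknown"
        _, oid, pos = read_tlv(body)           # thisMech
        if oid != SPNEGO_OID:                  # not SPNEGO-wrapped: bare Kerberos GSS token?
            return "kerberos" if oid in (KRB5_OID, MS_KRB5_OID) else "unknown"
        _, init, _ = read_tlv(body, pos)       # [0] NegTokenInit
        _, seq, _ = read_tlv(init)             # SEQUENCE
        _, ctx, _ = read_tlv(seq)              # [0] mechTypes
        _, mechs, _ = read_tlv(ctx)            # SEQUENCE OF MechType
        _, first, _ = read_tlv(mechs)          # the client's preferred mechanism
    except (IndexError, ValueError):
        return "unknown"
    if first in (KRB5_OID, MS_KRB5_OID):
        return "kerberos"
    return "ntlm" if first == NTLMSSP_OID else "unknown"

def spnego_init(mechs, mech_token):  # build a NegTokenInit wrapped in a GSS InitialContextToken
    mech_types = der(0xA0, der(0x30, b"".join(der(0x06, m) for m in mechs)))
    inner = der(0x30, mech_types + der(0xA2, der(0x04, mech_token)))
    return der(0x60, der(0x06, SPNEGO_OID) + der(0xA0, inner))

# Constructed samples: Kerberos ticket obtained vs. NTLM fallback (payloads are dummies)
KERBEROS_HDR = "Negotiate " + base64.b64encode(spnego_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], b"\x60\x05dummy")).decode()
NTLM_HDR = "Negotiate " + base64.b64encode(spnego_init([NTLMSSP_OID], b"NTLMSSP\x00\x01\x00\x00\x00")).decode()
```

An "ntlm" result means the SPN, the FQDN used in the URL, or the browser's intranet-zone settings should be rechecked before looking at the OAM side.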
