Configuring OAM11G R2PS2 for Impersonation Module (Integrated Mode)

Enabling Impersonation Module:

This post is part of series Enabling Impersonation Module in OAM11G R2PS2 IIS7.5

1)     Registering Impersonation Module

·         We need to register the impersonation module at Global level and so that other sites can configure it at their end.

·         Go to the Global site level, open Modules

·         Go to “Configure Native Module” (see at the top right corner)

·         Click Register.
                                     

o   Provide a name -> “OAMImpersonation” & path to the IISImpersonationModule.dll (present in webgate install directory).

o   Press OK

o   As you can see the Module is added to the list.

o   But beware don’t add this module at Global Level. We only need to register it here & we will be adding this per site level.

2)     Adding Impersonation Module at Site Level:

           ·         Go to your site -> Open Modules

      ·         Configure Native Module:

                                              

          ·         The moment we add the module, web.config of the site gets updated.

Extract from it:

Note: The above configuration is valid for the site running in Integrated Mode.

         ·         Thus now we have configured the IISImpersonationModule.dll with our site.

         ·         Restart the IIS Server.

         ·         Now we need to do some configuration at OAM Console end.

·         Open OAM Console ->

     1)      Adding Response Header in Authorization Policy

·         Go to Application Domain -> Open WebGate Profile -> Authorization Policy -> Protected Policy

Note- It is not mandate to use ‘Protected Policy’, we are using because we have explicitly not specified the Policy.

·         Open Responses Tab (in authorization policy) & add a new response field.

Note: The header field name should be “IMPERSONATE” and value “$user.userid”.

·         Add the Response Header & Apply the changes.

·         Now at User defined parameter in Webgate Profile:

MSImpersonationCredential=clk:Welcome1

Remember: This user defined parameter contains username & password, this should be an admin user. Because an admin user has the rights to perform impersonation.

·         Apply the changes.

3)     Performing Impersonation:

       1)      Deploy the ASP.NET application in your created site.

       2)      Impersonation feature is activated.

       3)      Now we will access the resource /WebApp/default.aspx. <we have created a sample app>

o   Provide login credentials – try using some other user login rather than using admin login.

o   Before you sign in to the system, Open Event Viewer -> Under Windows Logs -> Click Security

o   Now do the login, after user authn & authz checks, user is provided the resource access.

Note: This is a sample app created.

·         Now to check whether user is impersonated or not.

For this we check the system security event logs, to see that user ‘test’ is impersonated by the admin user ‘clk’.

As we have already opened the event log viewer, now see we have an entry ‘Credential Validation’ entry log.

It shows that system is authenticating the user with credentials of the admin user ‘clk’ that we have provided in the user defined parameters.

o   Now Click ‘Log on’ event log above the ‘Credential Validation’ Log. It shows that the system has authenticated the user with ‘clk’. Thus it proves that user ‘test’ has logged in to the system with the credentials of ‘clk’ thus it is impersonated.