Showing posts with label Impersonation. Show all posts
Showing posts with label Impersonation. Show all posts

Friday, 5 September 2014

Configuring OAM11G R2PS2 for Impersonation Module (Integrated Mode)

Enabling Impersonation Module:

1)     Registering Impersonation Module

·         We need to register the impersonation module at Global level and so that other sites can configure it at their end.
·         Go to the Global site level, open Modules



·         Go to “Configure Native Module” (see at the top right corner)




·         Click Register.
                                     




o   Provide a name -> “OAMImpersonation” & path to the IISImpersonationModule.dll (present in webgate install directory).
o   Press OK
o   As you can see the Module is added to the list.




o   But beware don’t add this module at Global Level. We only need to register it here & we will be adding this per site level.

2)     Adding Impersonation Module at Site Level:

           ·         Go to your site -> Open Modules



      ·         Configure Native Module:
                                              



          ·         The moment we add the module, web.config of the site gets updated.
Extract from it:


Note: The above configuration is valid for the site running in Integrated Mode.
         ·         Thus now we have configured the IISImpersonationModule.dll with our site.
         ·         Restart the IIS Server.
         ·         Now we need to do some configuration at OAM Console end.


·         Open OAM Console ->
     1)      Adding Response Header in Authorization Policy
·         Go to Application Domain -> Open WebGate Profile -> Authorization Policy -> Protected Policy
Note- It is not mandate to use ‘Protected Policy’, we are using because we have explicitly not specified the Policy.



·         Open Responses Tab (in authorization policy) & add a new response field.



Note: The header field name should be “IMPERSONATE” and value “$user.userid”.
·         Add the Response Header & Apply the changes.

·         Now at User defined parameter in Webgate Profile:

MSImpersonationCredential=clk:Welcome1



Remember: This user defined parameter contains username & password, this should be an admin user. Because an admin user has the rights to perform impersonation.
·         Apply the changes.

3)     Performing Impersonation:


       1)      Deploy the ASP.NET application in your created site.
       2)      Impersonation feature is activated.
       3)      Now we will access the resource /WebApp/default.aspx. <we have created a sample app>

o   Provide login credentials – try using some other user login rather than using admin login.



o   Before you sign in to the system, Open Event Viewer -> Under Windows Logs -> Click Security



o   Now do the login, after user authn & authz checks, user is provided the resource access.



Note: This is a sample app created.
·         Now to check whether user is impersonated or not.
For this we check the system security event logs, to see that user ‘test’ is impersonated by the admin user ‘clk’.
As we have already opened the event log viewer, now see we have an entry ‘Credential Validation’ entry log.

It shows that system is authenticating the user with credentials of the admin user ‘clk’ that we have provided in the user defined parameters.

o   Now Click ‘Log on’ event log above the ‘Credential Validation’ Log. It shows that the system has authenticated the user with ‘clk’. Thus it proves that user ‘test’ has logged in to the system with the credentials of ‘clk’ thus it is impersonated.




Thursday, 21 August 2014

Creating an IIS7.5 New Site (Integrated Mode)

Creating an IIS7.5 Site in Integrated Mode: 

     ·         Go to Sites -> Right Click -> Add New Site








      ·         Now provide the details & Press Ok. Your site is created now.
o   If you explore your site, you will see that perl & cgi handler are already present.
Because we have added them at global site level already.
      ·         Remember the name of the site created. Like we created a site with name “ecc_ship_r2ps2”.
o   As this name is required at the time of webgate configuration.

1)      Application Pool –
This site created above is in “Integrated Mode”.



Note: Here the .net version is v2.0 but if in future we want to use ObPrincipalModule.dll with our deployed app than this version needs to be changed to v4.0

2)      Check Handler Mapping:
Go to IIS -> <Your Site> -> Open Handler Mapping
Note: In case you see that ISAPI.dll is disable, it means it is not having execute permission. Just right click & enable it.





o   Give Execute Permission to it.




We are done with IIS7.5 new site creationin Integrated Mode............!!!!!!!!!!!!!!!


Enjoy :-)

Integrating OAM 11G R2PS2 Webgate Impersonation Module in IIS7.5 Windows 2008 R2

Lets start the process: Just follow below steps :-)

1)  Follow Steps for Pre-requisites (Windows Server 2008 R2)

·         IIS 7.5 Server Role Configuration  
·         IIS7.5 Site Configuration -

2)  How to Perform –

·         Enabling Impersonation Module

3)  Troubleshooting Section (to be updated soon)


4) Configuring DCC Webgate in IIS 7.5-