How to Configure a Second SSO Server for External Access When WNA is Configured
Last updated on JULY 01, 2016
Applies to: Oracle Application Server Single Sign-On - Version 9.0.4 to 10.1.4 [Release 10gR1 to 10gR3]
Information in this document applies to any platform.
***Checked for relevance on 03-FEB-2015***
When Windows Native Authentication (WNA) is configured for a site that must be accessed both internally, by users who are Windows authenticated, and externally, by users who are not in a Windows domain, it is not possible to suppress the HTTP 401 response from the Single Sign-On (SSO) server configured for WNA if only one SSO server is configured (see <bug 5724874>).
Depending on the user's Internet Explorer browser settings, external users who are not in a Windows domain can see either (a) an undesirable Basic Login popup from the browser, which only accepts a Windows domain userid (orclsamaccountname) as the username, or (b) double-login symptoms as described in <Note:388321.1> 'Login Requested Twice For Non-Domain User With WNA Enabled In Browser'. Symptom (a) is the expected WNA fallback login behaviour for specific IE versions and configurations, but it is a problem for external users who have no Windows domain credentials. Symptom (b) occurs because the browser prompts for network authentication before returning an NTLM ticket to SSO: SSO never receives the credentials entered in that popup, and the NTLM ticket is not valid for SSO WNA authentication, so SSO redirects the user to the SSO login page to authenticate.
To avoid these problems, a second SSO server must be configured that uses the same host name and port as the WNA-configured SSO server but is reached via a different IP address. DNS must be configured to resolve that host name to the appropriate IP address based on the origin of the request, so that internal clients reach the WNA-enabled server and external clients reach the server without WNA.
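The DNS arrangement described above is a split-horizon (per-client-view) configuration. The following BIND 9 `named.conf` fragment is an added example, not part of this Oracle note; the zone name `example.com`, the SSO host name `sso.example.com`, the internal client range `10.0.0.0/8`, and the two addresses `10.1.1.10` (WNA-enabled SSO) and `203.0.113.10` (second SSO server without WNA) are assumed placeholder values.

```conf
// Added example (not from the Oracle note): split-horizon DNS so that
// one SSO host name resolves to a different SSO server depending on
// where the query comes from. All names and addresses are assumed.

// Clients that are on the internal network (Windows-domain users).
acl "internal-clients" { 10.0.0.0/8; 127.0.0.1; };

// Internal view: sso.example.com -> WNA-enabled SSO server.
view "internal" {
    match-clients { "internal-clients"; };
    recursion yes;
    zone "example.com" {
        type master;
        // internal/example.com.zone contains, among other records:
        //   sso    IN A    10.1.1.10
        file "internal/example.com.zone";
    };
};

// External view (everyone else): sso.example.com -> second SSO server
// that is NOT configured for WNA, so no HTTP 401 / Negotiate challenge
// is ever sent to non-domain users. Same host name and port as internal.
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        // external/example.com.zone contains, among other records:
        //   sso    IN A    203.0.113.10
        file "external/example.com.zone";
    };
};
```

To verify the split after reloading, query the resolver from an internal and from an external address (for example with `dig sso.example.com A`) and confirm each side receives only its own SSO address; an external client that still resolves to the WNA server will keep showing the 401 popup or double-login symptoms.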