Thursday, January 7, 2010

Troubleshooting OAM-SharePoint Integration

This post describes some troubleshooting tips for the OAM and SharePoint integration.
Error: Images not appearing
Simulation:
1. Access the SharePoint portal page.
2. Enter the OAM credentials to log in to the portal.
3. The SharePoint portal page is shown, but the images are not displayed.
Probable Solution: Check that the Anonymous Access checkbox is enabled in the SharePoint Administration website. If not, enable it and restart the IIS web server.
Create a new website and create two sites under it: the first as the default (/) and the second, for testing purposes, as sample.
Add the same hostname:port in the Host Identifiers section.
Restart the Access Server.
Go to the IIS console, open the new website and enable anonymous authentication under Directory Security. Add the IIS impersonation DLL under Home Directory --> Configuration and move it upwards so that it is applied first.
Restart the IIS server and test the new SharePoint portal for OAM integration.

Error: Authentication prompting twice
Simulation:
1. Access the SharePoint portal page.
2. A window pops up; the user enters the OAM credentials and submits.
3. A second window appears (for Windows Native Authentication) asking for credentials.
4. Enter the credentials again with the DOMAIN (e.g., domain_name\orcladmin) and submit.
5. The SharePoint portal page is shown.
Probable Solution: Check whether the Integrated Windows Authentication checkbox is enabled on the SharePoint website. If so, uncheck it and restart the IIS web server.
Error: Access is Denied
Description:
1. Access the SharePoint portal page.
2. A window pops up; the user enters the OAM credentials and submits, and access is denied.
Probable Solutions:
1. Check whether there is a time difference between the OAM machine and the WebGate (SharePoint) machine.
2. Check the web-based policies in the SharePoint Portal Administration page to see whether the user is authorized to see the resource.

Error: 401 Unauthorized
Solution: Check whether anonymous access is disabled on the SharePoint website. If so, enable the checkbox and restart the IIS server.
Error: The following file(s) have been blocked by the administrator: /access/oblix/apps/webgate/bin/webgate.dll
Probable Solution: Go to the Policy Manager console and open the SharePoint policy domain. Go to Authorization Rules and check that access is allowed to all users. If not, select Any One and try accessing the SPPS resource again.
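As an added example (not code from the original post), the Python helpers below turn the checks in the error list above into an offline-testable probe: `check_portal` classifies the portal response as the double-prompt, 401 or missing-images case from the status code and WWW-Authenticate headers, and `clock_skew_seconds` measures the time difference between the OAM and WebGate hosts from their HTTP Date headers. The `fetch` callable, the finding names and the sample responses are assumptions constructed for this example; a real run would supply a fetch that carries an already-established OAM session cookie.

```python
"""Added diagnostic helpers (not from the original post). `fetch` is a
caller-supplied function returning (status, headers, body) for a path; the
responses below are constructed samples, not captures from a real system."""
from email.utils import parsedate_to_datetime
from html.parser import HTMLParser


class _ImgCollector(HTMLParser):
    """Collect the src attribute of every <img> tag in a page body."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)


def _challenges(headers):
    """Lower-cased scheme names from all WWW-Authenticate headers.
    `headers` maps lower-cased header names to a list of values."""
    schemes = []
    for value in headers.get("www-authenticate", []):
        for part in value.split(","):
            part = part.strip()
            if part:
                schemes.append(part.split()[0].lower())
    return schemes


def check_portal(fetch, path="/"):
    """Classify the portal response against the cases in the post.

    `fetch` is assumed to send an already-established OAM session, so any
    401 here comes from IIS itself, not from the WebGate login redirect."""
    status, headers, body = fetch(path)
    findings = []
    if status == 401:
        if {"ntlm", "negotiate"} & set(_challenges(headers)):
            # The browser would show the second (Windows) prompt: IWA is
            # still enabled on the portal site.
            findings.append("iwa_enabled_on_portal")
        else:
            # No challenge offered at all: anonymous access is disabled.
            findings.append("anonymous_access_disabled")
        return findings
    if status == 200:
        collector = _ImgCollector()
        collector.feed(body)
        blocked = [src for src in collector.srcs if fetch(src)[0] == 401]
        if blocked:
            # The page renders but static images are rejected: the
            # "images not appearing" case.
            findings.append("images_blocked")
    return findings


def clock_skew_seconds(headers_a, headers_b):
    """Seconds by which host B's HTTP Date is ahead of host A's.

    OAM and the WebGate host must agree on time; a large value here is
    one explanation for an otherwise unexplained "Access is Denied"."""
    date_a = parsedate_to_datetime(headers_a["date"][0])
    date_b = parsedate_to_datetime(headers_b["date"][0])
    return (date_b - date_a).total_seconds()


# Constructed sample site: the page renders but its logo is rejected.
SAMPLE_SITE = {
    "/": (200, {"date": ["Thu, 07 Jan 2010 10:00:00 GMT"]},
          '<html><body><img src="/_layouts/images/logo.gif"></body></html>'),
    "/_layouts/images/logo.gif": (401, {"www-authenticate": ["NTLM"]}, ""),
}


def sample_fetch(path):
    """Offline stand-in for an HTTP client carrying the OAM session cookie."""
    return SAMPLE_SITE.get(path, (404, {}, ""))


if __name__ == "__main__":
    print(check_portal(sample_fetch))           # ['images_blocked']
    oam = {"date": ["Thu, 07 Jan 2010 10:00:00 GMT"]}
    webgate = {"date": ["Thu, 07 Jan 2010 10:02:30 GMT"]}
    print(clock_skew_seconds(oam, webgate))     # 150.0
```

The probe deliberately distinguishes a 401 that carries an NTLM or Negotiate challenge (IIS is still asking for Windows credentials after the WebGate has already authenticated the user) from a bare 401 (no authentication method left enabled), because the two symptoms have opposite fixes on the portal site's Directory Security tab.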

Key points to remember for this integration:
1. SPPSImpersonator should be added in the Domain Controller Security Policy and the Domain Security Policy. Go to Local Policies --> User Rights Assignment, double-click "Act as part of the operating system" and add the SPPSImpersonator user.
2. The SharePoint machine and the machine where OAM is installed should not have a time difference.
3. The SharePoint Administration website should not have the IISImpersonation DLL.
4. The SharePoint Administration website should have both the Anonymous Access and Integrated Windows Authentication checkboxes enabled.
5. The SharePoint portal website should have the Anonymous Access checkbox enabled, but the IWA checkbox disabled.
6. Make IISImpersonationExtension.dll the first entry in the Wildcard Application Maps in the SharePoint portal website properties.
7. Ensure that the Allow option for Oracle WebGate in Web Service Extensions is greyed out (the extension is already set to Allowed).
8. While installing .NET Framework 3.0 (before installing SharePoint), ensure that you are online (internet connection available).
9. The SharePoint policy domain should have a HeaderVar authentication action named IMPERSONATE with the attribute uid in the Authentication Actions.
10. Ensure that the port is specified for the IIS AccessGate in the Access System Console before installing the IIS WebGate.

Key points for Multi-Domain SSO:
In the above integration, E-Business Suite, OAM and SharePoint exist on different machines in different domains. OAM provides multi-domain SSO for the E-Business Suite and SharePoint applications.
The OHS WebGate installed on the OAM machine should act as the primary authentication server, and the IIS WebGate installed on the SharePoint machine acts as the secondary server.
However, both WebGates have their primary HTTP cookie domain and preferred host name set to their own domain and machine name.
The authentication scheme for the IIS WebGate should have the Challenge Redirect field set to the OHS server (e.g., http://ohs_installed_hostname:port).
The authentication scheme for the E-Business Suite application should have an authentication level (say 0) lower than the authentication level of the IIS WebGate scheme (say 1), so that a session established at the higher level also satisfies the E-Business Suite resources.

6 comments:

  1. How to implement sign in as a different user / sign out with OAM from SharePoint?

  2. Mahendra, I like the way you have organized the troubleshooting issues. We have a strange issue; members in an OAM group fail to authorize at SP site level. If we add users manually, then there is no issue, but we want to grant permissions at group level. Please share your expertise.
    Thanks in advance.
    Mahesh.

  3. Mahesh,
    Is this happening with SharePoint integration specifically? Are there any other applications for which group level authorization is working?

    Are you seeing any error in OAM access server logs when group based atz is not working?

    1. Yes, this is happening with SP integration only. No issue with other apps. Not much useful info from OAM access server logs.

  4. Mahendra, thanks for your reply.
    It's happening with SP integration only. No useful information in OAM server logs.

  5. Were you able to test OAM group based atz with any other sample HTML application? See if that works. If it works then something has to be handled at the SP site. Do you see any errors in SP logs?