13-JAN Update: I switched from edocr to our own Knowledgebase. Please use the following URL for the latest version: https://knowledgebase.mt-ag.com/q/apex_sso_kerberos
SINGLE SIGN-ON
FOR (APEX) APPLICATIONS
USING KERBEROS
Author: Niels de Bruijn
Version: 6.4
Date: 22-APR-2020
1 INTRODUCTION
For APEX apps, you normally use a URL like <hostname>/apex/f?p=xxx, after which by default you have to authenticate yourself with username/password credentials. However, most end users of APEX applications have already authenticated themselves by logging on to the Windows domain, so why authenticate a second time to use the first APEX application? Wouldn’t it be nice if you could point your browser to an APEX app and be instantly authenticated? A secure way to achieve this is the Kerberos protocol, which is the same protocol that Windows itself uses for domain authentication. In this document we first describe how to install and set up the Apache module mod_auth_kerb in a Linux environment so that it performs the authentication against a Windows domain controller (chapter 3). For those of you who favor a Windows environment, chapter 4 describes how to set up IIS, which is used instead of Apache on Windows.
Image 1: Recommended standard APEX architecture with Apache and ORDS.
In this document we assume that you have set up a Windows domain controller with Active Directory (Windows Server 20xx) and that you have Windows-based client PCs that authenticate against the Windows domain. Also, make sure you have successfully installed and configured the Oracle Database with Oracle Application Express, Tomcat and Oracle REST Data Services (ORDS).
Caution:
There is potentially one major drawback to this setup: if a user belongs to too many groups in Active Directory or has a long SID “history”, the Kerberos service ticket (which carries all of the user's group SIDs in its PAC) can become too big. The browser sends this ticket base64-encoded in the Authorization: Negotiate request header, and if that header exceeds the web server's request header size limit (for Apache, LimitRequestFieldSize, 8190 bytes by default), the request is rejected before mod_auth_kerb ever sees it. I have seen this several times where Apache Web Server was used and “Bad Request” was returned. The “history” may be deleted by a Windows domain administrator, but if the problem originates in the many user groups, there is no