WNA Startup - Clients Credentials Have Been Revoked

(Doc ID 1263331.1)

Last updated on SEPTEMBER 16, 2016

Applies to:

Oracle Application Server Single Sign-On - Version 10.1.2.0.2 to 10.1.4.3 [Release 10gR2 to 10gR3]
Information in this document applies to any platform.
***Checked for relevance on 30-SEP-2013***

Symptoms

After restarting OC4J_SECURITY, SSO, Windows Native Authentication (WNA) fails.
The following error is seen in the $ORACLE_HOME/opmn/logs/OC4J~OC4J_SECURITY~default_island~1 log file:

ERROR
-----------------------
10/10/27 12:43:59 Caused by: KrbException: Clients credentials have been revoked (18)
10/10/27 12:43:59 at sun.security.krb5.KrbAsRep.<init>(DashoA12275:67)
10/10/27 12:43:59 at sun.security.krb5.KrbAsReq.getReply(DashoA12275:315)
10/10/27 12:43:59 at sun.security.krb5.Credentials.acquireTGT(DashoA12275:352)
10/10/27 12:43:59 at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:576)
10/10/27 12:43:59 ... 36 more
10/10/27 12:43:59 Caused by: KrbException: Identifier doesn't match expected value (906)
10/10/27 12:43:59 at sun.security.krb5.internal.af.a(DashoA12275:134)
10/10/27 12:43:59 at sun.security.krb5.internal.at.a(DashoA12275:63)
10/10/27 12:43:59 at sun.security.krb5.internal.at.<init>(DashoA12275:58)
10/10/27 12:43:59 at sun.security.krb5.KrbAsRep.<init>(DashoA12275:53)
10/10/27 12:43:59 ... 39 more
10/10/27 12:43:59 KerberosAuthenticator: Please check the error messages and fix it. Restart OC4J (OC4J_SECURITY instance) server
10/10/27 12:43:59 KerberosAuthenticator: Possible errors may be:
10/10/27 12:43:59 KerberosAuthenticator: 1.HTTP service name in $ORACLE_HOME/j2ee/OC4J_SECURITY/config/jazn-data.xml or $ORACLE_HOME/j2ee/OC4J_SECURITY/application-deployments/sso/orion-application.xml is wrong.
10/10/27 12:43:59 KerberosAuthenticator: 2.KDC Details (host/port) in $ORACLE_HOME/opmn/conf/opmn.xml are wrong.
10/10/27 12:43:59 KerberosAuthenticator: 3.KDC is down.
10/10/27 12:43:59 KerberosAuthenticator: 4.KDC Details in the keytab file are wrong or the keytab file path has been incorrectly specified.


Due to this issue, users cannot authenticate to Single Sign On with WNA.

Cause
