Kerberos/SPNEGO based Desktop SSO failing since JDK build 1.6.0_21-b06 (Doc ID 1312431.1)

Last updated on FEBRUARY 10, 2017

Applies to:

Oracle Weblogic Server - Version 10.3.4 and later
Information in this document applies to any platform.
***Checked for relevance on Oct 5th, 2012***

Symptoms

Environment:

WebLogic Server: 10.3.4
Java version :"1.6.0_22"
Java(TM) SE Runtime Environment (build 1.6.0_22-b04)
Java HotSpot(TM) Client VM (build 17.1-b03, mixed mode, sharing)

Single Sign-On (SSO) with Microsoft clients has been configured as laid out in the documentation:

http://download.oracle.com/docs/cd/E17904_01/web.1111/e13707/sso.htm#i1104143

a) Created a user in Active Directory to represent the WebLogic machine/environment.
b) Added the service principal name(s) for the WebLogic environment in Active Directory using the setspn command.
c) Created the keytab file.
d) Created the krb5.conf and krb5Login.conf files.
e) Configured the WebLogic Server(s) with the Kerberos system properties.
f) Verified the keytab file with kinit.
g) Configured the Internet Explorer browser on the client machine to participate in intranet Desktop SSO with WebLogic.


Now, when you try to access the secured WebLogic application via SSO from the client machine, the browser gets a 401:

Error 401--Unauthorized
From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
10.4.2 401 Unauthorized
...


Interestingly, the exact same procedure worked in older versions of WebLogic, for example WebLogic 10.3.0.

After enabling the security debug flags [atn, atz], the following can be seen in the server log:

.....
####<Apr 11, 2011 2:22:33 PM CEST> <Debug> <SecurityAtn> <skurumel01> <ms1> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1302524553312> <BEA-000000> <GSSExceptionInfoGSSExceptionInfo:>
####<Apr 11, 2011 2:22:33 PM CEST> <Debug> <SecurityAtn> <skurumel01> <ms1> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1302524553312> <BEA-000000> < major: (11) : Failure unspecified at GSS-API level>
####<Apr 11, 2011 2:22:33 PM CEST> <Debug> <SecurityAtn> <skurumel01> <ms1> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1302524553312> <BEA-000000> < minor: (-1) : Specified version of key is not available (44)>
####<Apr 11, 2011 2:22:33 PM CEST> <Debug> <SecurityAtn> <skurumel01> <ms1> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1302524553328> <BEA-000000> <acceptGssInitContextTokenacceptGssInitContextToken failed
com.bea.security.utils.kerberos.KerberosException: Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))
at com.bea.security.utils.kerberos.KerberosTokenHandler.acceptGssInitContextTokenInDoAs(KerberosTokenHandler.java:334)....


Running klist against the keytab file (here, mykeytab) shows:


D:\secuirty-toi\kerberos\domain1034>klist -k mykeytab

Key tab: mykeytab, 3 entries found.

[1] Service principal: skurumel01@AD.VM.ORACLE.COM
KVNO: 1
[2] Service principal: skurumel01@AD.VM.ORACLE.COM
KVNO: 1
[3] Service principal: skurumel01@AD.VM.ORACLE.COM
KVNO: 1
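The GSS minor code 44 in the debug output above is the Kerberos error KRB_AP_ERR_BADKEYVER: the service ticket presented by the browser was encrypted under a key version that the server cannot find in its keytab. The klist output shows which KVNO values the keytab actually holds, so the practical check is to compare those against the key version the KDC is issuing (on Active Directory, the service account's msDS-KeyVersionNumber attribute). The following Python script is an added example, not part of this note or of WebLogic: it parses the MIT keytab format that klist -k reads, prints the entries klist-style, and reports whether an expected key version is present. The keytab bytes are constructed inline for the principal shown in the note, and the expected KVNO of 2 is a constructed value standing in for whatever version the KDC really issues.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# MIT keytab file format, version 2 (magic bytes 0x05 0x02).
KEYTAB_V2_MAGIC = b"\x05\x02"


@dataclass
class KeytabEntry:
    principal: str   # "name/component@REALM"
    name_type: int   # 1 == KRB5_NT_PRINCIPAL
    timestamp: int   # seconds since the epoch when the key was written
    kvno: int        # key version number
    enctype: int     # e.g. 23 == RC4-HMAC, 3 == DES-CBC-MD5, 1 == DES-CBC-CRC
    key: bytes


def _counted(data: bytes, off: int) -> Tuple[bytes, int]:
    """Read a counted octet string: uint16 length followed by the bytes."""
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    return data[off:off + n], off + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a version-2 keytab into its entries (deleted slots are skipped)."""
    if data[:2] != KEYTAB_V2_MAGIC:
        raise ValueError("not a version-2 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)  # signed: negative == hole
        off += 4
        if size < 0:
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _counted(data, off)
        kvno = vno8
        if end - off >= 4:  # optional 32-bit kvno overrides the 8-bit one when non-zero
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, ts, kvno, enctype, key))
        off = end
    return entries


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialize entries in the same v2 layout (used here only to construct sample input)."""
    out = bytearray(KEYTAB_V2_MAGIC)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">H", e.enctype)
        body += struct.pack(">H", len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)  # trailing 32-bit kvno, as current krb5 writes it
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def format_klist(entries: List[KeytabEntry]) -> List[str]:
    """Render entries in the style of 'klist -k'."""
    lines = [f"Key tab: {len(entries)} entries found."]
    for i, e in enumerate(entries, 1):
        lines.append(f"[{i}] Service principal: {e.principal}")
        lines.append(f"KVNO: {e.kvno}")
    return lines


def kvno_report(entries: List[KeytabEntry], principal: str,
                expected_kvno: int) -> Tuple[bool, List[int]]:
    """Return (expected version present?, sorted versions the keytab holds for principal)."""
    present = sorted({e.kvno for e in entries if e.principal == principal})
    return expected_kvno in present, present


# Constructed sample: three keys for the note's principal, all at KVNO 1, like the klist output.
PRINCIPAL = "skurumel01@AD.VM.ORACLE.COM"
SAMPLE_ENTRIES = [
    KeytabEntry(PRINCIPAL, 1, 1302524553, 1, 23, bytes(range(16))),  # constructed key bytes
    KeytabEntry(PRINCIPAL, 1, 1302524553, 1, 3, bytes(range(8))),
    KeytabEntry(PRINCIPAL, 1, 1302524553, 1, 1, bytes(range(8, 16))),
]

if __name__ == "__main__":
    parsed = parse_keytab(build_keytab(SAMPLE_ENTRIES))
    print("\n".join(format_klist(parsed)))
    ok, present = kvno_report(parsed, PRINCIPAL, expected_kvno=2)  # 2 is a constructed value
    print("KDC key version present in keytab:", ok, "| keytab holds KVNO", present)
```

To run this against a real keytab, replace the constructed bytes with `open(path, "rb").read()` and pass the key version read from the directory as `expected_kvno`; a `False` result for the principal named in the service ticket is exactly the situation the "Specified version of key is not available (44)" message describes, and the fix is to regenerate the keytab so that its KVNO matches the one the KDC issues.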

Cause
