com.bea.security.utils.kerberos.KerberosException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC) (Doc ID 1362571.1)

Last updated on JUNE 30, 2017

Applies to:

Oracle WebLogic Server - Version 10.3 and later
Information in this document applies to any platform.

Symptoms

On WLS 10.3.5 version, WLS Security / SSO / Kerberos / SPNEGO, when attempting to authenticate on WLS, the following error occurs:

####<23/Set/2011 18H04m BST> <Debug> <SecurityAtn> <IAPMEIDEV07> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <dc9bf30e83bdafa8:-6c56f46b:13296d98f3e:-8000-0000000000000ba1> <1316797498332> <BEA-000000> <acceptGssInitContextToken failed
com.bea.security.utils.kerberos.KerberosException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
  at com.bea.security.utils.kerberos.KerberosTokenHandler.acceptGssInitContextTokenInDoAs(KerberosTokenHandler.java:334)
...

After creating the SPN on the AD side, creating the keytab file, configuring Kerberos on the Weblogic Server side, a try to authenticate to the webapp via SSO failed with the Kerberos exception above.

The configuration was:

Cause

Sign In with your My Oracle Support account

Don't have a My Oracle Support account? Click to get started

My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms