OAM 11g WNA Fails With Error "Internet Explorer cannot display the webpage" (Doc ID 1405533.1)

Last updated on MARCH 08, 2017

Applies to:

Oracle Access Manager - Version 11.1.1.5.0 and later
Information in this document applies to any platform.

Symptoms


Oracle Access Manager (OAM) 11g Windows Native Authentication (WNA) is failing for Windows Domain users. When a resource protected by the OAM Kerberos authentication scheme is accessed using IWA-enabled Internet Explorer (IE) browser, error "Internet Explorer cannot display the webpage" is displayed.

Access to the same resource without WNA using Firefox browser does not reproduce the problem: the OAM 11g fallback basic login popup is displayed.

There are no errors reported in the OAM managed server diagnostic log when the problem is reproduced. When TRACE logging is enabled to investigate, it shows that the last action was an HTTP Response from OAM returning 401 to prompt the browser to resend the authentication request with the Kerberos ticket. This is standard WNA functionality.

The HTTP Header trace collected from the IE browser and saved to file shows that the last request processed is the HTTP-401 response from OAM Server e.g.

HTTP/1.1 401 Authorization Required
Date: Thu, 05 Jan 2012 14:32:02 GMT
Server: Oracle-Application-Server-11g
Cache-Control: no-cache
Pragma: no-cache
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 0
Expires: 0
WWW-Authenticate: Negotiate
WWW-Authenticate: Basic realm="OAM 11g"
Keep-Alive: timeout=60, max=118
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Language: en



However if the Resource View is chosen in the HTTP Header trace frame in the browser, it shows that IE responds after receiving the HTTP-401 with a request for GET /oam/CredCollectServlet/WNA that includes the client Kerberos ticket.

The OAM Managed Server access log shows that this second request for /oam/CredCollectServlet/WNA is never received. The Oracle HTTP Server (OHS) access_log for the OHS 11g instance that is proxying OAM Server requests also shows no sign of this request being received.


Architecture:

Windows Domain client -> Cisco ACE -> Oracle HTTP Server 11g -> OAM Managed Server.


Cause

Sign In with your My Oracle Support account

Don't have a My Oracle Support account? Click to get started

My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms