Last updated on MARCH 08, 2017
Applies to:Oracle Access Manager - Version 18.104.22.168.0 and later
Information in this document applies to any platform.
Oracle Access Manager (OAM) 11g Windows Native Authentication (WNA) is failing for Windows Domain users. When a resource protected by the OAM Kerberos authentication scheme is accessed using IWA-enabled Internet Explorer (IE) browser, error "Internet Explorer cannot display the webpage" is displayed.
Access to the same resource without WNA using Firefox browser does not reproduce the problem: the OAM 11g fallback basic login popup is displayed.
There are no errors reported in the OAM managed server diagnostic log when the problem is reproduced. When TRACE logging is enabled to investigate, it shows that the last action was an HTTP Response from OAM returning 401 to prompt the browser to resend the authentication request with the Kerberos ticket. This is standard WNA functionality.
The HTTP Header trace collected from the IE browser and saved to file shows that the last request processed is the HTTP-401 response from OAM Server e.g.
Date: Thu, 05 Jan 2012 14:32:02 GMT
Cache-Control: no-cache, no-store
WWW-Authenticate: Basic realm="OAM 11g"
Keep-Alive: timeout=60, max=118
Content-Type: text/html; charset=UTF-8
However if the Resource View is chosen in the HTTP Header trace frame in the browser, it shows that IE responds after receiving the HTTP-401 with a request for GET /oam/CredCollectServlet/WNA that includes the client Kerberos ticket.
The OAM Managed Server access log shows that this second request for /oam/CredCollectServlet/WNA is never received. The Oracle HTTP Server (OHS) access_log for the OHS 11g instance that is proxying OAM Server requests also shows no sign of this request being received.
Windows Domain client -> Cisco ACE -> Oracle HTTP Server 11g -> OAM Managed Server.
Sign In with your My Oracle Support account
Don't have a My Oracle Support account? Click to get started
Million Knowledge Articles and hundreds of Community platforms