OAM11g : WNA Login fails with error KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN as per tcp dump. (Doc ID 1520054.1)

Last updated on AUGUST 25, 2017

Applies to:

Oracle Access Manager - Version 11.1.1.5.0 and later
Information in this document applies to any platform.

Symptoms

On : 11.1.1.5.0 version, Authentication Engine

Attempting to set up WNA Kerberos authentication with OAM but receiving the following error message when attempting authentication:

A. Kerberos Debug -

Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23.
0: EncryptionKey: keyType=23 kvno=11 keyValue (hex dump)=
0000: 7A 84 D3 EB 91 D6 82 53   1D 17 B4 FC 57 BC E4 27  z......S....W..'


default etypes for default_tkt_enctypes: 23.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=xxx.xxx.com TCP:88, timeout=30000, number of retries =3, #bytes=163
>>>DEBUG: TCPClient reading 631 bytes
>>> KrbKdcReq send: #bytes read=631
>>> KrbKdcReq send: #bytes read=631
>>> KdcAccessibility: remove xxx.xxxx.com

<18-Dec-2012 5:27:46 o'clock AM CST> <Error> <oracle.oam.plugin> <BEA-000000> <Defective token detected (Mechanism level: GSSHeader did not find the right tag)
GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
       at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:80)
       at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:287)
       at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
       at oracle.security.am.plugin.authn.SPNEGOLoginModule$1.run(SPNEGOLoginModule.java:138)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.Subject.doAs(Subject.java:396)
       at oracle.security.am.plugin.authn.SPNEGOLoginModule.login(SPNEGOLoginModule.java:123)


The error above can occur because the token the browser sent is NTLM rather than Kerberos: the SPNEGO login module expects a GSS-API (SPNEGO/Kerberos) token, and a raw NTLMSSP blob fails the GSSHeader tag check.


B. Token is NTLM and not Kerberos - Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==


GET /oam/CredCollectServlet/WNA?authn_try_count=0&spnegotoken=string&challenge_url=/oam/CredCollectServlet/WNA&request_id=4632656537515794630&OAM_REQ=&locale=en_US&resource_url=http%3A%2F%2Fsss2062d1.dev.idam.xx.net%3A7777%2Fprotected%2Fsample.html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: login.dev.idam.xx.net:4444
Connection: Keep-Alive
Cookie: OAMAuthnCookie_login.dev.idam.xx.net:4444=do0CL4BjnF1aW6OchO7YyQvAcRYRlCiq59kg7wkhw0YuVhTtsZ35/u5WloQKVXz8O1ltFzbyTgMRjK0dyMu4COPjWv6G8jdpERDIyXjHeGiRfwikRyECbihlqa4qODZvPwjFneRHtpxvmhZR/xIGB0h6IFLABgsokBhAcANQ2dpBrWZ50UvQ4PnCkkAmpIJPLgMNpS4XG0S/xxl3BFNQ++h8tjpRDkervAfNnK+A2P528094tqXBYEX5ifS1zPWB; OAM_REQ=VERSION_4~GbZgRi3CX1Iim3hweGLFnKZqUYaShizYXiyY9uqOaCJ2gXoFIKjxxUjHq6HZ18IdCWbBNOEwlFpcPjkS+1/yNRgqVmRNDm+EhyvgrjpJ0ESQ/eCb+XpHIceUBfS4eY8aFyJkBhlpEVjfkmJg7/o+q6k8mtqqQwKkxmu0Cm0iwiQK5uRZenLyd8nG/a05RmknmcmM4GCgYTjImlhqzj42NTDbrdRFvHln1ak3AoIaAtDoxYv4qUrW+S/0C7LabeUC0aMVN6vSSQidBX2NXiJnKpmninfqJNXjSvsm3V+qNYIm/dxNr332dOK9bgH50dNKBtqjs4pda758hk4hYekfmPbzPSNeJbWKAbZE6GmwJleKhRcZTksqUabxqxeEUaLnUMEbWL/mPG7Ee78tHRVTn0uy+u5xIM1TaDPbzUCV/fye901IEEAF9oJ+cf4fjwXxuJNvMXjw+dQ2w/vjiMVuw2JbNBCfeK4ekZafVg+slvhOMs6GqwF8vyKN84bfgVmJPMPZyNaiQQW3mtqhQugcmHW/TniPr6Dvp65/d1yygb8V1THckceecNHdoa8sdbcHiwVmXOpCymE63epmox7wKSY+mbQD7RGMb02mlBaj4FHMNKAf+WTNkSddhAUR68WEvqOHKEIPhtHjqXybppjzR7+QUk1ossncF7mytT/TN9NcIkNlF5PMKbO+2ZAHvF+r6Rux6zVCPCn2dHvfsa+WQyvdcWnKevfeUS11wdJABi1cE3TonU4KMz01DXVvXWAZ9ymk9mQA56H/gx7nzpTmzLLZ+2JEcd+gunmnuEqjikkz7lsnUkVktmZnyq6fy76rbvwoWKMaNiByiN4LfvzndxNaHw4/yDIvS+eeZf0nSehIuXfD4h1YhRXwyyEKfDtfRFOvnFX46QUnXfZSQYk9ns4LGhizKkhltOMkBoOaNdc/4v7BjIagOvPRqAZY2V8yTACwEwj6+dgB1hCrSkaW4R8XzrbioxeDsuAtDhc2GhU7+ba/0updk4vW+gb6y64N/Bts8QbJzkelVAujobTA4AVjg9iWM2pLgG4y+hlwY1gZ03QQ9WXWO6a63Gm1GAtxKoE/aCXGaO1BVtVx8of4xdoZM0+wULr7dKntXwt92dorZJDWUkeOcAgt0nzHHrUMrRbFfU8fq+5SatagbIoi1A90xAAQ3BpYX2fDETN2uZFi6MJQbADsqQfTMmrZnOVezf40h7eMmpYSd9+j5y3Wn8FvkaFZFS0t9/qgoXSjDRCJSUyo4KDVhs51JZ5N8hBlMEwwCBdsTMJqhxq5yvatyv0yQ5/2z7VMbmb5t8j1DtparzVS92BRM2eXN7jVFMlD2D8GVB9ivwIjMA/OXAD2eRIO7Q60/gBIQG09a0S81FL4AKLLOqvPdrF1OaZNwjTm6jgllh7Un69qm7cwtMLl6ageV1vYWsfpQlLQw8AqRTuEvPfyw3zzPKxrprJVf34VId/N1uotRJUQPwg+kq+y85xpBauJ6ggqZDS/9w33BQkQ5g/xgeU0EdCNHeaBhx5DeXTgSPp6zzcf94pRh7o4+ye4EoCoYLJjP3Uxk+lj3amhU691ImklAUAS2gm3LAgSN3zPfRLa3L1IfpCoTOTHO99cJLHxWYBj3svXLKJ8SLZ4x4ynqAGI43Lgq5rR98HVrG+ipazlaw
+rZ+TcQLpW7a0DSEFkKrOXM/RxNfGgvnifGGXHvi6on3m3d8X9r0lv9xgpS8BJAS5SsvgqZGCBEQ==
Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
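As an added diagnostic example (not part of the original note), the following Python checks whether the value of an Authorization: Negotiate header is raw NTLMSSP or a GSS-API SPNEGO/Kerberos token, and decodes the fixed fields of the NTLM NEGOTIATE_MESSAGE captured above. The SPNEGO sample is constructed; the OID and flag constants come from RFC 2743/4178/4121 and MS-NLMP.

```python
import base64
import struct

# Token copied from the captured request above (Authorization: Negotiate ...).
NTLM_TOKEN_B64 = "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=="

# DER-encoded OIDs that follow the 0x60 APPLICATION tag of a GSS-API
# InitialContextToken (RFC 2743 3.1): SPNEGO (RFC 4178) and Kerberos 5 (RFC 4121).
SPNEGO_OID = bytes.fromhex("06062b0601050502")       # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")   # 1.2.840.113554.1.2.2

# Constructed sample: only the GSS header of a SPNEGO token, enough for classification.
SPNEGO_SAMPLE_B64 = base64.b64encode(b"\x60\x0a" + SPNEGO_OID + b"\xa0\x00").decode()

NTLMSSP_NEGOTIATE_VERSION = 0x02000000  # MS-NLMP 2.2.2.5 flag bit


def classify_negotiate_token(header_value):
    """Classify an 'Authorization: Negotiate <b64>' value as ntlm, spnego, krb5 or unknown."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "unknown"
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"            # raw NTLMSSP: this is what the GSSHeader parser rejects
    if raw[:1] == b"\x60" and len(raw) > 2:
        # Skip the DER length (short form, or long form with N length bytes).
        body = 2 if raw[1] < 0x80 else 2 + (raw[1] & 0x7F)
        if raw[body:].startswith(SPNEGO_OID):
            return "spnego"
        if raw[body:].startswith(KRB5_OID):
            return "krb5"
    return "unknown"


def ntlm_negotiate_info(b64):
    """Decode the fixed fields of an NTLM NEGOTIATE_MESSAGE (MS-NLMP 2.2.1.1)."""
    raw = base64.b64decode(b64)
    if len(raw) < 16:
        raise ValueError("too short for an NTLM NEGOTIATE_MESSAGE")
    signature, msg_type, flags = struct.unpack_from("<8sII", raw, 0)
    if signature != b"NTLMSSP\x00" or msg_type != 1:
        raise ValueError("not an NTLM NEGOTIATE_MESSAGE")
    info = {"flags": flags, "os_version": None}
    if flags & NTLMSSP_NEGOTIATE_VERSION and len(raw) >= 40:
        # Version field at offset 32: major, minor, build, 3 reserved bytes, revision.
        major, minor, build, _, _ = struct.unpack_from("<BBH3sB", raw, 32)
        info["os_version"] = (major, minor, build)
    return info
```

Run against the captured header it reports ntlm with an OS version of 5.1.2600, which agrees with the Windows NT 5.1 User-Agent in the same request.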



C. OAM diagnostic logs -

[2012-12-18T05:27:57.752-06:00] [oam_server1] [TRACE] [] [oracle.oam.engine.authn] [tid: [ACTIVE].ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: <ECID>] [SRC_CLASS: oracle.security.am.engine.authn.internal.executor.AuthenticationSchemeExecutor] [APP: oam_server] [SRC_METHOD: execute] [URI: /oam/CredCollectServlet/WNA] Authentication Exception secondary msg. null
[2012-12-18T05:27:57.753-06:00] [oam_server1] [NOTIFICATION] [] [oracle.oam.engine.authn] [tid: [ACTIVE].ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: <ECID>] [APP: oam_server] [URI: /oam/CredCollectServlet/WNA] [[
oracle.security.am.engine.authn.api.exception.AuthenticationException
       at oracle.security.am.engine.authn.internal.executor.AuthenticationSchemeExecutor.execute(AuthenticationSchemeExecutor.java:140)
       at oracle.security.am.engine.authn.internal.controller.AuthenticationEngineControllerImpl.validateUser(AuthenticationEngineControllerImpl.java:268)
       at oracle.security.am.engines.enginecontroller.AuthnEngineController.authenticateUser(AuthnEngineController.java:673)
       at oracle.security.am.engines.enginecontroller.AuthnEngineController.processEvent(AuthnEngineController.java:296)
       at oracle.security.am.controller.MasterController.processEvent(MasterController.java:568)
       at oracle.security.am.controller.MasterController.processRequest(MasterController.java:757)



[2012-12-18T05:27:57.758-06:00] [oam_server1] [TRACE] [] [oracle.oam.controller] [tid: [ACTIVE].ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: <ECID>] [SRC_CLASS: oracle.security.am.engines.enginecontroller.AuthnEngineController] [APP: oam_server] [SRC_METHOD: authenticateUser] [URI: /oam/CredCollectServlet/WNA] processing engines.authn.event.AuthnEngineController:processEvent:VALIDATE_CREDS[[
oracle.security.am.engine.authn.api.exception.AuthenticationException
       at oracle.security.am.engine.authn.internal.executor.AuthenticationSchemeExecutor.execute(AuthenticationSchemeExecutor.java:140)
       at oracle.security.am.engine.authn.internal.controller.AuthenticationEngineControllerImpl.validateUser(AuthenticationEngineControllerImpl.java:268)
       at oracle.security.am.engines.enginecontroller.AuthnEngineController.authenticateUser(AuthnEngineController.java:673)
       at oracle.security.am.engines.enginecontroller.AuthnEngineController.processEvent(AuthnEngineController.java:296)
       at oracle.security.am.controller.MasterController.processEvent(MasterController.java:568)
       at oracle.security.am.controller.MasterController.processRequest(MasterController.java:757)
       at oracle.security.am.controller.MasterController.process(MasterController.java:680)
       at oracle.security.am.pbl.PBLFlowManager.delegateToMasterController(PBLFlowManager.java:209)
       at oracle.security.am.pbl.PBLFlowManager.handleBaseEvent(PBLFlowManager.java:147)
       at oracle.security.am.pbl.PBLFlowManager.processRequest(PBLFlowManager.java:107)
       at oracle.security.am.pbl.transport.http.AMServlet.handleRequest(AMServlet.java:170)




Changes

 

Cause
