OUD-AD-Kerberos Errors Indicate Second Retry Required for Successful Authentication

(Doc ID 1910358.1)

Last updated on JUNE 22, 2017

Applies to:

Oracle Unified Directory - Version 11.1.2.1.0 and later
Information in this document applies to any platform.

Goal

1. Problem Description


After installing MS AD patch KB2927811, some OUD error messages appear throughout the error log. Authentication is working.

However, Kerberos pre-authentication fails when OUD authenticates against MS AD using Kerberos, and a second retry is necessary for successful authentication:

>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Thu Jun 19 14:32:12 CEST 2014 1403181132000
suSec is 171939
error code is 25
error Message is Additional pre-authentication required
realm is FOO.BAR.COM
sname is krbtgt/FOO.BAR.COM
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 23
PA-ETYPE-INFO salt =
PA-ETYPE-INFO etype = 3
PA-ETYPE-INFO salt = FOO.BAR.COMPEARSMA3
PA-ETYPE-INFO etype = 1
PA-ETYPE-INFO salt = FOO.BAR.COMPEARSMA3
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
default etypes for default_tkt_enctypes: 18 17 23 3 1.
>>>KrbAsReq salt is EU.NOVARTIS.NETPEARSMA3
default etypes for default_tkt_enctypes: 18 17 23 3 1.
Pre-Authenticaton: find key for etype = 23
AS-REQ: Add PA_ENC_TIMESTAMP now
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=phchbs-s4002.foo.bar.com TCP:88, timeout=30000, number of retries =3, #bytes=235
>>> KDCCommunication: kdc=phchbs-s4002.foo.bar.com TCP:88, #bytes=235
>>>DEBUG: TCPClient reading 2203 bytes
>>> KrbKdcReq send: #bytes read=2203
>>> KrbKdcReq send: #bytes read=2203
>>> KdcAccessibility: remove phchbs-s4002.foo.bar.com
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply PEARSMA3
default etypes for default_tkt_enctypes: 18 17 23 3 1.
default etypes for default_tkt_enctypes: 18 17 23 3 1.
default etypes for default_tkt_enctypes: 18 17 23 3 1.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=phchbs-s4002.foo.bar.com TCP:88, timeout=30000, number of retries =3, #bytes=157
>>> KDCCommunication: kdc=phchbs-s4002.foo.bar.com TCP:88, #bytes=157
>>>DEBUG: TCPClient reading 224 bytes
>>> KrbKdcReq send: #bytes read=224
>>> KrbKdcReq send: #bytes read=224
>>> KdcAccessibility: remove phchbs-s4002.foo.bar.com
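
A triage helper for a trace like the one above, added here as an example and not part of the Oracle document: it extracts the KRBError code, the etypes the KDC listed in PA-ETYPE-INFO, the client's default_tkt_enctypes and the etype actually used, so the retry and the negotiated cipher can be read at a glance. The function name, the verdict strings and the use of the "KrbAsRep cons" line as the accepted-reply marker are assumptions.

```python
import re

# Kerberos etype numbers seen in this trace (IANA-assigned values).
ETYPES = {18: "aes256-cts-hmac-sha1-96", 17: "aes128-cts-hmac-sha1-96",
          23: "rc4-hmac", 3: "des-cbc-md5", 1: "des-cbc-crc"}
WEAK = {23, 3, 1}        # RC4-HMAC and single DES
PREAUTH_REQUIRED = 25    # KDC_ERR_PREAUTH_REQUIRED in RFC 4120

# Constructed sample: the exchange-relevant lines copied from the trace above.
SAMPLE = """\
error code is 25
PA-ETYPE-INFO etype = 23
PA-ETYPE-INFO etype = 3
PA-ETYPE-INFO etype = 1
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
default etypes for default_tkt_enctypes: 18 17 23 3 1.
Pre-Authenticaton: find key for etype = 23
AS-REQ: Add PA_ENC_TIMESTAMP now
>>> KrbAsRep cons in KrbAsReq.getReply PEARSMA3
"""

def triage(trace):
    """Summarise one AS exchange from a JDK Kerberos debug trace."""
    errors, offered, prefs, chosen = [], [], [], None
    for line in trace.splitlines():
        if m := re.search(r"error code is (\d+)", line):
            errors.append(int(m.group(1)))
        elif m := re.search(r"PA-ETYPE-INFO etype = (\d+)", line):
            offered.append(int(m.group(1)))      # etypes the KDC holds keys for
        elif m := re.search(r"default_tkt_enctypes: ([\d ]+)", line):
            prefs = [int(n) for n in m.group(1).split()]
        elif m := re.search(r"find key for etype = (\d+)", line):
            chosen = int(m.group(1))             # etype used for PA-ENC-TIMESTAMP
    resent = "Add PA_ENC_TIMESTAMP" in trace
    # Assumption: this debug line marks an AS-REP the client accepted.
    accepted = "KrbAsRep cons in KrbAsReq.getReply" in trace
    if errors == [PREAUTH_REQUIRED] and resent and accepted:
        verdict = "preauth negotiated on second AS-REQ"
    elif errors:
        verdict = "KDC error without accepted AS-REP"
    else:
        verdict = "no KRBError seen"
    return {"errors": errors, "offered": offered, "prefs": prefs,
            "chosen": chosen, "chosen_name": ETYPES.get(chosen, "unknown"),
            "chosen_weak": chosen in WEAK, "verdict": verdict,
            "preferred_not_offered": [e for e in prefs if e not in offered]}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the sample, the client prefers etypes 18 and 17 but the KDC lists only 23, 3 and 1 for this account, so the timestamp is encrypted with rc4-hmac.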

Solution
