OAM WNA fails in Multi domain/multi forest where there is no trust between domains (Doc ID 2101327.1)

Last updated on APRIL 16, 2017

Applies to:

Oracle Access Manager - Version 11.1.2.2.5 and later
Information in this document applies to any platform.

Symptoms

OAM WNA fails in Multi domain/multi forest where there is no trust between domains

forest 1 - TEST.ORACLE.COM
forest 2 - TEST1.ORACLE.COM

In the custom authentication module there is a KTA step, which takes KEY_PRINCIPAL as an input argument.
If KEY_PRINCIPAL is set to HTTP/ssologin-stg02.oracle.com@TEST.ORACLE.COM, WNA from TEST.ORACLE.COM works and WNA from TEST1.ORACLE.COM fails, because whichever AD forest the end user logs in from, the token is sent to the TEST.ORACLE.COM KDC.

On the other hand, if KEY_PRINCIPAL is set to HTTP/ssologin-stg02.oracle.com@TEST1.ORACLE.COM, WNA from TEST1.ORACLE.COM works and WNA from TEST.ORACLE.COM fails (same as above: whichever AD forest the end user logs in from, the token is sent to the TEST1.ORACLE.COM KDC).

[2015-08-25T13:47:53.662-07:00] [oam_server1] [ERROR] [] [oracle.oam.plugin] [tid: [ACTIVE].ExecuteThread: '12' for queue: 'weblogic.kernel.Default
(self-tuning)'] [userId: <anonymous>] [ecid:0001Zx3Y7bY2ZNxLoAG7yY00018e000IO0,0:3] [APP: oam_server#11.1.2.0.0] [URI:
/oam/CredCollectServlet/WNA] Failure unspecified at GSS-API level (Mechanism level: Checksum failed)[[GSSException: Failure unspecified at GSS-API level (Mechanism level:  Checksum failed)  at
sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:788)

This issue was reproduced in an internal lab.
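As an added example (not part of this note and not Oracle code), a small Python detector for the symptom above: it parses ODL-format diagnostic lines, including the nested-bracket thread field, and picks out WNA requests that ended in the GSS "Checksum failed" error, keeping the timestamp and ecid so each failure can be tied back to the forest the user logged in from. The sample log text, thread ids and ecid values are constructed for the example.

```python
# Constructed OAM diagnostic-log sample (two failures, one success); the
# timestamps, tids and ecid values are made up, not taken from a real system.
SAMPLE_LOG = """\
[2015-08-25T13:47:53.662-07:00] [oam_server1] [ERROR] [] [oracle.oam.plugin] [tid: [ACTIVE].ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid:EXAMPLE-ECID-1,0:3] [APP: oam_server#11.1.2.0.0] [URI: /oam/CredCollectServlet/WNA] Failure unspecified at GSS-API level (Mechanism level: Checksum failed)[[GSSException: Failure unspecified at GSS-API level
sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:788)
]]
[2015-08-25T13:48:01.104-07:00] [oam_server1] [NOTIFICATION] [] [oracle.oam.plugin] [tid: t2] [userId: <anonymous>] [ecid:EXAMPLE-ECID-2,0:1] [APP: oam_server#11.1.2.0.0] [URI: /oam/CredCollectServlet/WNA] WNA credential collected
[2015-08-25T13:48:09.551-07:00] [oam_server1] [ERROR] [] [oracle.oam.plugin] [tid: t3] [userId: <anonymous>] [ecid:EXAMPLE-ECID-3,0:2] [APP: oam_server#11.1.2.0.0] [URI: /oam/CredCollectServlet/WNA] Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
"""

def parse_odl_line(line):
    """Split an ODL line into its leading [..] fields and the trailing message.
    Fields may nest brackets ([tid: [ACTIVE].ExecuteThread ...]), so a depth
    counter is used rather than a simple regex."""
    fields, i = [], 0
    while i < len(line) and line[i] == "[":
        depth, j = 0, i
        while j < len(line):
            depth += 1 if line[j] == "[" else -1 if line[j] == "]" else 0
            if depth == 0:
                break
            j += 1
        if depth != 0:          # unbalanced bracket: leave the rest as the message
            break
        fields.append(line[i + 1:j])
        i = j + 1
        while i < len(line) and line[i] == " ":
            i += 1
    return fields, line[i:].strip()

def field_value(fields, key):
    """Value of a 'key: value' field, e.g. field_value(fields, 'URI')."""
    for f in fields:
        if f.startswith(key + ":"):
            return f[len(key) + 1:].strip()
    return ""

def find_wna_checksum_failures(log_text):
    """One dict per WNA request rejected with the GSS 'Checksum failed' error,
    carrying timestamp and ecid so it can be correlated with the user's forest."""
    hits = []
    for line in log_text.splitlines():
        if not line.startswith("["):
            continue            # stack-trace continuation line, skip
        fields, msg = parse_odl_line(line)
        if (len(fields) > 2 and fields[2] == "ERROR"
                and field_value(fields, "URI") == "/oam/CredCollectServlet/WNA"
                and "Checksum failed" in msg):
            hits.append({"time": fields[0], "ecid": field_value(fields, "ecid"), "message": msg})
    return hits
```

Counting hits per ecid over a day of logs, split by the realm of the requesting user, shows directly which forest is being rejected for the configured KEY_PRINCIPAL.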

Cause
