WNA Stopped Working with Error KDC has no support for encryption type (14) (Doc ID 2102480.1)

Last updated on JULY 10, 2017

Applies to:

Oracle Application Server Single Sign-On - Version 10.1.2.0.2 to 10.1.4.3 [Release 10gR2 to 10gR3]
Information in this document applies to any platform.

Symptoms

Oracle SSO 10g (10.1.2.1 - 10.1.4.3)
Microsoft AD 2008
DES Encryption already enabled in AD
WNA was working fine and the problem started happening suddenly

OC4J~OC4J_SECURITY~default_island~1 log file shows the following error:

Acquire TGT using AS Exchange
 [Krb5LoginModule] authentication failed
 KDC has no support for encryption type (14)
 KerberosAuthenticator: GSSException raised in constructor - No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
 GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
 at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)

 Caused by: javax.security.auth.login.LoginException: KDC has no support for encryption type (14)
 at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:641)

 Caused by: KrbException: KDC has no support for encryption type (14)
 at sun.security.krb5.KrbAsRep.<init>(DashoA12275:69)

 Caused by: KrbException: Identifier doesn't match expected value (906)
 at sun.security.krb5.internal.ah.a(DashoA12275:134)

 KerberosAuthenticator: Please check the error messages and fix it. Restart OC4J (OC4J_SECURITY instance) server
 KerberosAuthenticator: Possible errors may be:
 KerberosAuthenticator: 1.HTTP service name in $ORACLE_HOME/j2ee/OC4J_SECURITY/config/jazn-data.xml or $ORACLE_HOME/j2ee/OC4J_SECURITY/application-deployments/sso/orion-application.xml is wrong.
 KerberosAuthenticator: 2.KDC Details (host/port) in $ORACLE_HOME/opmn/conf/opmn.xml are wrong.
 KerberosAuthenticator: 3.KDC is down.
 KerberosAuthenticator: 4.KDC Details in the keytab file are wrong or the keytab file path has been incorrectly specified.

Changes

Change at AD Domain Controller level

Cause
