WNA Stopped Working with Error KDC has no support for encryption type (14)
(Doc ID 2102480.1)
Last updated on JULY 10, 2017
Applies to: Oracle Application Server Single Sign-On - Version 10.1.2.0.2 to 10.1.4.3 [Release 10gR2 to 10gR3]
Information in this document applies to any platform.
Oracle SSO 10g (10.1.2.1 - 10.1.4.3)
Microsoft AD 2008
DES Encryption already enabled in AD
Windows Native Authentication (WNA) was working fine and the problem started happening suddenly.
The OC4J~OC4J_SECURITY~default_island~1 log file shows the following error:
Acquire TGT using AS Exchange
[Krb5LoginModule] authentication failed
KDC has no support for encryption type (14)
KerberosAuthenticator: GSSException raised in constructor - No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
Caused by: javax.security.auth.login.LoginException: KDC has no support for encryption type (14)
Caused by: KrbException: KDC has no support for encryption type (14)
Caused by: KrbException: Identifier doesn't match expected value (906)
KerberosAuthenticator: Please check the error messages and fix it. Restart OC4J (OC4J_SECURITY instance) server
KerberosAuthenticator: Possible errors may be:
KerberosAuthenticator: 1.HTTP service name in $ORACLE_HOME/j2ee/OC4J_SECURITY/config/jazn-data.xml or $ORACLE_HOME/j2ee/OC4J_SECURITY/application-deployments/sso/orion-application.xml is wrong.
KerberosAuthenticator: 2.KDC Details (host/port) in $ORACLE_HOME/opmn/conf/opmn.xml are wrong.
KerberosAuthenticator: 3.KDC is down.
KerberosAuthenticator: 4.KDC Details in the keytab file are wrong or the keytab file path has been incorrectly specified.
Change at AD Domain Controller level