Oracle Access Manager 11g R2PS3 (OAM 11.1.2.3): WNA Fails with GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
(Doc ID 2245574.1)
Last updated on AUGUST 07, 2024
Applies to:
Oracle Access Manager - Version 11.1.2.3.0 and later
Information in this document applies to any platform.
Oracle is not responsible for instructions/information from 3rd party sites that may be contained in this KM note.
Symptoms
Authentication using WNA on Oracle Access Manager 11g R2PS3 (OAM 11.1.2.3) with EBS R12.X.Y fails. The application in this case is EBS, but the error can occur with other applications as well.
Error in OAM managed server logs:
<Mar 14, 2017 6:38:02 PM CET> <Error> <oracle.oam.engine.authn> <BEA-000000> <Failure unspecified at GSS-API level (Mechanism level: Checksum failed) GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:788)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:875)
at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:548)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
at oracle.security.am.engine.authn.internal.executor.SPNEGOLoginModule$1.run(SPNEGOLoginModule.java:158)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:415)
at oracle.security.am.engine.authn.internal.executor.SPNEGOLoginModule(SPNEGOLoginModule.java:133)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
.......lines omitted ...............
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2182)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1499)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:263)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
Caused By: KrbException: Checksum failed
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:102)
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:94)
at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:177)
at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:278)
at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:144)
at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:771)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:875)
at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:548)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
at oracle.security.am.engine.authn.internal.executor.SPNEGOLoginModule$1.run(SPNEGOLoginModule.java:158)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:415)
at oracle.security.am.engine.authn.internal.executor.SPNEGOLoginModule(SPNEGOLoginModule.java:133)
.......lines omitted ...............
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:60)
at oracle.ddms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:163)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:60)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3748)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3714)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2283)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2182)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1499)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:263)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
Edit setDomainEnv.sh and add the following to the EXTRA_JAVA_PROPERTIES section:
-Dsun.security.krb5.debug=true -Dsun.security.spnego.debug=true
Example:
EXTRA_JAVA_PROPERTIES=" -DOAM_POLICY_FILE=${DOMAIN_HOME}/config/fmwconfig/oam-policy.xml -DOAM_CONFIG_FILE=${DOMAIN_HOME}/config/fmwconfig/oam-config.xml -DOAM_ORACLE_HOME=${OAM_ORACLE_HOME} -Doracle.security.am.SERVER_INSTNCE_NAME=${SERVER_NAME} -Does.jars.home=${OAM_ORACLE_HOME}/server/lib/oes-d8 -Does.integration.path=${OAM_ORACLE_HOME}/server/lib/oeslib/oes-integration.jar -Djavax.xml.soap.SOAPConnectionFactory=weblogic.wsee.saaj.SOAPConnectionFactoryImpl -Dsun.security.krb5.debug=true -Dsun.security.spnego.debug=true -Djavax.xml.soap.MessageFactory=oracle.j2ee.ws.saaj.soap.MessageFactoryImpl -Djavax.xml.soap.SOAPFactory=oracle.j2ee.ws.saaj.soap.SOAPFactoryImpl ${EXTRA_JAVA_PROPERTIES}"
export EXTRA_JAVA_PROPERTIES
After restarting the OAM managed server, the following errors appear in the oam_server1.out log:
Found unsupported keytype (18) for HTTP/<OAM_HOSTNAME>@<AD_DOMAIN>.LOCAL
Added key: 23version: 0
Added key: 3version: 0
Added key: 1version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=<AD_DOMAIN>.<AD_DOMAIN>.local UDP:88, timeout=30000, number of retries =3, #bytes=158
>>> KDCCommunication: kdc=<AD_DOMAIN>.<AD_DOMAIN>.local UDP:88, timeout=30000,Attempt =1, #bytes=158
>>> KrbKdcReq send: #bytes read=183
>>>Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 23, salt =
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
>>> KdcAccessibility: remove<AD_DOMAIN>.<AD_DOMAIN>.local:<AD_PORT>
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Tue Mar 14 18:38:02 CET 2017 1489513082000
suSec is 128246
error code is 25
error Message is Additional pre-authentication required
realm is<AD_DOMAIN>.LOCAL
sname is krbtgt/<AD_DOMAIN>.LOCAL
eData provided.
msgType is 30
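An added example (not part of the Oracle note): a small shell filter that summarizes the keytab lines of this debug output, listing which encryption types the JVM skipped and which it loaded. The enctype names are the registered Kerberos names; the sample log, host and realm are constructed.

```shell
#!/bin/sh
# Constructed sample in the format of the JDK Kerberos debug output above;
# the host and realm are placeholders.
SAMPLE_LOG='Found unsupported keytype (18) for HTTP/oam.example.test@EXAMPLE.TEST
Added key: 23version: 0
Added key: 3version: 0
Added key: 1version: 0
default etypes for default_tkt_enctypes: 23.'

# Kerberos enctype number -> registered name and status.
# DES is deprecated by RFC 6649, 3DES and RC4 by RFC 8429.
etype_name() {
  case "$1" in
    1)  echo "des-cbc-crc (deprecated)" ;;
    3)  echo "des-cbc-md5 (deprecated)" ;;
    16) echo "des3-cbc-sha1 (deprecated)" ;;
    17) echo "aes128-cts-hmac-sha1-96" ;;
    18) echo "aes256-cts-hmac-sha1-96" ;;
    23) echo "rc4-hmac (deprecated)" ;;
    *)  echo "unknown" ;;
  esac
}

# Read debug output on stdin, print the unique numbers captured by sed pattern $1.
extract() {
  sed -n "s/$1/\\1/p" | sort -un | tr '\n' ' ' | sed 's/ *$//'
}

# Enctypes the JVM skipped while reading the keytab.
rejected_etypes() { extract '.*Found unsupported keytype (\([0-9][0-9]*\)).*'; }

# Enctypes the JVM actually loaded from the keytab.
loaded_etypes() { extract '.*Added key: \([0-9][0-9]*\)version:.*'; }

# One line per enctype: "<rejected|loaded> <number> <name>".
summarize() {
  log=$(cat)
  for e in $(printf '%s\n' "$log" | rejected_etypes); do
    echo "rejected $e $(etype_name "$e")"
  done
  for e in $(printf '%s\n' "$log" | loaded_etypes); do
    echo "loaded $e $(etype_name "$e")"
  done
}

printf '%s\n' "$SAMPLE_LOG" | summarize
```

To run it against real output, source the functions and use `summarize < oam_server1.out`.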
Changes
New OAM WNA setup.
Cause