WNA fail with GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed) (Doc ID 2245574.1)

Last updated on APRIL 26, 2017

Applies to:

Oracle Access Manager - Version 11.1.2.0.0 and later
Information in this document applies to any platform.

Symptoms

Login using WNA (Windows Native Authentication) on OAM 11.1.2.3 with EBS R12.X.Y fails. The application in this case is EBS, but the same error can occur with other applications.

Error in the OAM managed server logs:

<Mar 14, 2017 6:38:02 PM CET> <Error> <oracle.oam.engine.authn> <BEA-000000> <Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:788)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:875)
at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:548)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
at oracle.security.am.engine.authn.internal.executor.SPNEGOLoginModule$1.run(SPNEGOLoginModule.java:158)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:415)
at oracle.security.am.engine.authn.internal.executor.SPNEGOLoginModule.login(SPNEGOLoginModule.java:133)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
.......lines omitted ...............
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2182)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1499)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:263)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
Caused By: KrbException: Checksum failed
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:102)
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:94)
at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:177)
at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:278)
at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:144)
at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:771)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:875)
at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:548)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
at oracle.security.am.engine.authn.internal.executor.SPNEGOLoginModule$1.run(SPNEGOLoginModule.java:158)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:415)
at oracle.security.am.engine.authn.internal.executor.SPNEGOLoginModule.login(SPNEGOLoginModule.java:133)
.......lines omitted ...............
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:60)
at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:163)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:60)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3748)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3714)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2283)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2182)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1499)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:263)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)

After editing setDomainEnv.sh and adding the following to the EXTRA_JAVA_PROPERTIES section:
-Dsun.security.krb5.debug=true -Dsun.security.spnego.debug=true

Example:

EXTRA_JAVA_PROPERTIES=" -DOAM_POLICY_FILE=${DOMAIN_HOME}/config/fmwconfig/oam-policy.xml -DOAM_CONFIG_FILE=${DOMAIN_HOME}/config/fmwconfig/oam-config.xml -DOAM_ORACLE_HOME=${OAM_ORACLE_HOME} -Doracle.security.am.SERVER_INSTNCE_NAME=${SERVER_NAME} -Does.jars.home=${OAM_ORACLE_HOME}/server/lib/oes-d8 -Does.integration.path=${OAM_ORACLE_HOME}/server/lib/oeslib/oes-integration.jar -Djavax.xml.soap.SOAPConnectionFactory=weblogic.wsee.saaj.SOAPConnectionFactoryImpl -Dsun.security.krb5.debug=true -Dsun.security.spnego.debug=true -Djavax.xml.soap.MessageFactory=oracle.j2ee.ws.saaj.soap.MessageFactoryImpl -Djavax.xml.soap.SOAPFactory=oracle.j2ee.ws.saaj.soap.SOAPFactoryImpl ${EXTRA_JAVA_PROPERTIES}"
export EXTRA_JAVA_PROPERTIES

and restarting the OAM managed server, the following errors appear in the oam_server1.out log:

Found unsupported keytype (18) for HTTP/oamserver.company.com@ADDOMAIN.LOCAL
Added key: 23version: 0
Added key: 3version: 0
Added key: 1version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=ADSERVER.addomain.local UDP:88, timeout=30000, number of retries =3, #bytes=158
>>> KDCCommunication: kdc=ADSERVER.addomain.local UDP:88, timeout=30000,Attempt =1, #bytes=158
>>> KrbKdcReq send: #bytes read=183
>>>Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 23, salt =
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
>>> KdcAccessibility: remove ADSERVER.addomain.local:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Tue Mar 14 18:38:02 CET 2017 1489513082000
suSec is 128246
error code is 25
error Message is Additional pre-authentication required
realm is ADDOMAIN.LOCAL
sname is krbtgt/ADDOMAIN.LOCAL
eData provided.
msgType is 30
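As an added diagnostic helper (not part of this note and not Oracle's code), the script below parses the enctype-related lines of the krb5 debug output and stack trace shown above and summarises which encryption types the keytab, the client configuration and the failing decrypt refer to, so the three can be compared at a glance. The enctype number-to-name table follows RFC 3961/3962/4757 and the class-name table covers the JDK's sun.security.krb5 EType implementations; the sample input is an excerpt constructed from the lines quoted in this note, and the script reports facts from the log rather than asserting a root cause.

```python
import re

# Kerberos enctype numbers (RFC 3961, RFC 3962, RFC 4757) mapped to their names.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
# JDK EType implementation classes, as they appear in KrbException stack traces, and the enctype each implements.
ETYPE_CLASSES = {"DesCbcCrcEType": 1, "DesCbcMd5EType": 3, "Aes128CtsHmacSha1EType": 17, "Aes256CtsHmacSha1EType": 18, "ArcFourHmacEType": 23}

def triage_krb5_debug(log: str) -> dict:
    """Pull the enctype facts out of -Dsun.security.krb5.debug output plus the accompanying stack trace."""
    r = {"keytab": [], "unsupported": [], "default_tkt_enctypes": [], "failed_decrypt_etype": None, "kdc_error_codes": [], "findings": []}
    for line in map(str.strip, log.splitlines()):
        if m := re.match(r"Added key: (\d+)version: (\d+)", line):
            r["keytab"].append((int(m[1]), int(m[2])))                 # (enctype, kvno) loaded from the keytab
        elif m := re.match(r"Found unsupported keytype \((\d+)\) for (\S+)", line):
            r["unsupported"].append((int(m[1]), m[2]))                  # keytab entry the JVM skipped
        elif m := re.match(r"default etypes for default_tkt_enctypes: (.*)", line):
            r["default_tkt_enctypes"] = [int(x) for x in re.findall(r"\d+", m[1])]
        elif m := re.search(r"crypto\.(\w+EType)\.decrypt", line):
            r["failed_decrypt_etype"] = ETYPE_CLASSES.get(m[1])         # enctype of the ticket that failed to decrypt
        elif m := re.match(r"error code is (\d+)", line):
            r["kdc_error_codes"].append(int(m[1]))
    name = lambda e: ENCTYPE_NAMES.get(e, f"etype {e}")
    for etype, princ in r["unsupported"]:
        r["findings"].append(f"{name(etype)} key for {princ} in the keytab is reported as unsupported by this JVM")
    shared = {e for e, _ in r["keytab"]} & set(r["default_tkt_enctypes"])
    if shared:
        r["findings"].append("enctypes present in both the loaded keytab keys and default_tkt_enctypes: " + ", ".join(name(e) for e in sorted(shared)))
    if (fe := r["failed_decrypt_etype"]) is not None:
        kvnos = sorted({k for e, k in r["keytab"] if e == fe})
        r["findings"].append(f"AP-REQ decrypt failed (checksum) under {name(fe)}; keytab kvno(s) for that enctype: {kvnos}")
    # 25 = KDC_ERR_PREAUTH_REQUIRED: the normal first answer to an AS-REQ, not itself the failure.
    if 25 in r["kdc_error_codes"]:
        r["findings"].append("KDC replied KDC_ERR_PREAUTH_REQUIRED (25) to the AS-REQ; expected pre-auth round trip")
    return r

# Constructed sample: lines excerpted from the debug output and stack trace quoted in the note above.
SAMPLE = """\
Found unsupported keytype (18) for HTTP/oamserver.company.com@ADDOMAIN.LOCAL
Added key: 23version: 0
Added key: 3version: 0
Added key: 1version: 0
default etypes for default_tkt_enctypes: 23.
error code is 25
Caused By: KrbException: Checksum failed
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:102)
"""

if __name__ == "__main__":
    print(*triage_krb5_debug(SAMPLE)["findings"], sep="\n")
```

Feed it the full oam_server1.out content to see every keytab key version the JVM loaded alongside the enctype of the ticket that failed to decrypt.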

Changes

New OAM WNA setup.

Cause
