OAM - WNA - "SocketTimeOutException" errors in logs - and Not Validating Kerberos Token against next available KDC (Doc ID 2357254.1)

Last updated on FEBRUARY 12, 2018

Applies to:

Oracle Access Manager - Version 11.1.2.3.0 and later
Information in this document applies to any platform.

Symptoms

A functional WNA (Windows Native Authentication) implementation periodically fails with "SocketTimeOutException" errors in the logs and does not validate the Kerberos token against the next available KDC.

 

In OAM logs (with Kerberos Debug enabled) we can see:

>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=<DNS_name_of_KDC1> UDP:88, timeout=30000, number of retries =3, #bytes=172
>>> KDCCommunication: kdc=<DNS_name_of_KDC1> UDP:88, timeout=30000,Attempt =1, #bytes=172
SocketTimeOutException with attempt: 1
>>> KDCCommunication: kdc=<DNS_name_of_KDC1> UDP:88, timeout=30000,Attempt =2, #bytes=172
SocketTimeOutException with attempt: 2
>>> KDCCommunication: kdc=<DNS_name_of_KDC1> UDP:88, timeout=30000,Attempt =3, #bytes=172
>>> KrbKdcReq send: #bytes read=211

.........

>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=<DNS_name_of_KDC1> UDP:88, timeout=30000, number of retries =3, #bytes=172
>>> KDCCommunication: kdc=<DNS_name_of_KDC1> UDP:88, timeout=30000,Attempt =1, #bytes=172
SocketTimeOutException with attempt: 1
>>> KDCCommunication: kdc=<DNS_name_of_KDC1> UDP:88, timeout=30000,Attempt =2, #bytes=172
SocketTimeOutException with attempt: 2
>>> KDCCommunication: kdc=<DNS_name_of_KDC1> UDP:88, timeout=30000,Attempt =3, #bytes=172
SocketTimeOutException with attempt: 3
>>> KrbKdcReq send: error trying prosegur.local
java.net.SocketTimeoutException: Receive timed out
at java.net.PlainDatagramSocketImpl.receive0(Native Method)
at java.net.AbstractPlainDatagramSocketImpl.receive(AbstractPlainDatagramSocketImpl.java:146)
at java.net.DatagramSocket.receive(DatagramSocket.java:816)
at sun.security.krb5.internal.UDPClient.receive(NetClient.java:207)
at sun.security.krb5.KdcComm$KdcCommunication.run(KdcComm.java:390)
at sun.security.krb5.KdcComm$KdcCommunication.run(KdcComm.java:343)
..........

  - These frequent "SocketTimeOutException" errors prove that there is a communication problem with the first KDC server (probably network delays or heavy load on the AD server).

 

The next problem is that, after 3 failed attempts to contact KDC1, the attempt against what appears to be the next KDC also fails (with a different error):

..........
>>> KdcAccessibility: add <DNS_name_of_next_KDC>
>>> KrbKdcReq send: kdc=<DNS_name_of_next_KDC> UDP:88, timeout=30000, number of retries =3, #bytes=172
>>> KDCCommunication: kdc=<DNS_name_of_next_KDC> UDP:88, timeout=30000,Attempt =1, #bytes=172
>>> KrbKdcReq send: #bytes read=100
>>> KdcAccessibility: remove prosegur.es
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Fri Feb 02 11:26:52 CET 2018 1517567212000
suSec is 73104
error code is 68
error Message is null

 --------> Error code 68 refers to an incorrect domain in the initial credentials validation.

 

Changes

 

Cause
