Oracle Access Manager 11g R2PS3 (OAM 11.1.2.3) - WNA - "SocketTimeOutException" Errors In Logs - And Not Validating Kerberos Token Against Next Available KDC
(Doc ID 2357254.1)
Last updated on NOVEMBER 26, 2024
Applies to:
Oracle Access Manager - Version 11.1.2.3.0 and later
Information in this document applies to any platform.
Oracle is not responsible for instructions/information from 3rd party sites that may be contained in this KM note.
Symptoms
A functional WNA implementation periodically fails with "SocketTimeOutException" errors in the logs and does not validate the Kerberos token against the next available KDC.
In the OAM logs (with Kerberos debug enabled) we can see:
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=<DNS_NAME_OF_KDC1> UDP:88, timeout=30000, number of retries =3, #bytes=172
>>> KDCCommunication: kdc=<DNS_NAME_OF_KDC1> UDP:88, timeout=30000,Attempt =1, #bytes=172
SocketTimeOutException with attempt: 1
>>> KDCCommunication: kdc=<DNS_NAME_OF_KDC1> UDP:88, timeout=30000,Attempt =2, #bytes=172
SocketTimeOutException with attempt: 2
>>> KDCCommunication: kdc=<DNS_NAME_OF_KDC1> UDP:88, timeout=30000,Attempt =3, #bytes=172
>>> KrbKdcReq send: #bytes read=211
.........
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=<DNS_NAME_OF_KDC1> UDP:88, timeout=30000, number of retries =3, #bytes=172
>>> KDCCommunication: kdc=<DNS_NAME_OF_KDC1> UDP:88, timeout=30000,Attempt =1, #bytes=172
SocketTimeOutException with attempt: 1
>>> KDCCommunication: kdc=<DNS_NAME_OF_KDC1> UDP:88, timeout=30000,Attempt =2, #bytes=172
SocketTimeOutException with attempt: 2
>>> KDCCommunication: kdc=<DNS_NAME_OF_KDC1> UDP:88, timeout=30000,Attempt =3, #bytes=172
SocketTimeOutException with attempt: 3
>>> KrbKdcReq send: error trying prosegur.local
java.net.SocketTimeoutException: Receive timed out
at java.net.PlainDatagramSocketImpl.receive0(Native Method)
at java.net.AbstractPlainDatagramSocketImpl.receive(AbstractPlainDatagramSocketImpl.java:146)
at java.net.DatagramSocket.receive(DatagramSocket.java:816)
at sun.security.krb5.internal.UDPClient.receive(NetClient.java:207)
at sun.security.krb5.KdcComm$KdcCommunication.run(KdcComm.java:390)
at sun.security.krb5.KdcComm$KdcCommunication.run(KdcComm.java:343)
..........
- These frequent "SocketTimeOutException" errors show that there is a communication problem with the first KDC server (probably some network delays or heavy load on the AD server).
The next problem is that, after 3 failed attempts to contact KDC1, the attempt to contact what appears to be the next KDC also fails (with a different error):
>>> KdcAccessibility: add <DNS_NAME_OF_NEXT_KDC>
>>> KrbKdcReq send: kdc=<DNS_NAME_OF_NEXT_KDC> UDP:88, timeout=30000, number of retries =3, #bytes=172
>>> KDCCommunication: kdc=<DNS_NAME_OF_NEXT_KDC> UDP:88, timeout=30000,Attempt =1, #bytes=172
>>> KrbKdcReq send: #bytes read=100
>>> KdcAccessibility: remove prosegur.es
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Fri Feb 02 11:26:52 CET 2018 1517567212000
suSec is 73104
error code is 68
error Message is null
Error code 68 refers to an incorrect domain in the initial credentials validation.
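A triage script for debug output in the format shown above, added here as an example (it is not Oracle's code): it groups the lines per KDC request and reports the timeouts, the time lost waiting, and any KRBError code. The sample log and the kdc1/kdc2.example.test host names are constructed, and the name given for error code 68 is taken from RFC 4120.

```python
import re

# Constructed sample in the format of the debug output above; host names are placeholders.
SAMPLE = """\
>>> KrbKdcReq send: kdc=kdc1.example.test UDP:88, timeout=30000, number of retries =3, #bytes=172
>>> KDCCommunication: kdc=kdc1.example.test UDP:88, timeout=30000,Attempt =1, #bytes=172
SocketTimeOutException with attempt: 1
>>> KDCCommunication: kdc=kdc1.example.test UDP:88, timeout=30000,Attempt =2, #bytes=172
SocketTimeOutException with attempt: 2
>>> KDCCommunication: kdc=kdc1.example.test UDP:88, timeout=30000,Attempt =3, #bytes=172
SocketTimeOutException with attempt: 3
>>> KrbKdcReq send: kdc=kdc2.example.test UDP:88, timeout=30000, number of retries =3, #bytes=172
>>> KDCCommunication: kdc=kdc2.example.test UDP:88, timeout=30000,Attempt =1, #bytes=172
>>> KrbKdcReq send: #bytes read=100
error code is 68
"""

KRB_ERRORS = {68: "KDC_ERR_WRONG_REALM"}  # error name from RFC 4120
SEND = re.compile(r"KrbKdcReq send: kdc=(\S+) \w+:\d+, timeout=(\d+), number of retries =(\d+)")
TIMEOUT = re.compile(r"SocketTimeOutException with attempt: \d+")
READ = re.compile(r"KrbKdcReq send: #bytes read=(\d+)")
ERRCODE = re.compile(r"error code is (\d+)")

def summarize(log):
    """Group the debug lines per KDC request and classify how each request ended."""
    requests = []
    for line in log.splitlines():
        if m := SEND.search(line):
            requests.append({"kdc": m[1], "timeout_ms": int(m[2]), "retries": int(m[3]),
                             "timeouts": 0, "bytes_read": None, "krb_error": None})
        elif not requests:
            continue  # ignore anything logged before the first request
        elif TIMEOUT.search(line):
            requests[-1]["timeouts"] += 1
        elif m := READ.search(line):
            requests[-1]["bytes_read"] = int(m[1])
        elif m := ERRCODE.search(line):
            requests[-1]["krb_error"] = int(m[1])
    for r in requests:
        r["waited_ms"] = r["timeouts"] * r["timeout_ms"]  # logged timeout x timed-out attempts
        if r["krb_error"] is not None:
            r["outcome"] = KRB_ERRORS.get(r["krb_error"], "KRB_ERROR")
        elif r["bytes_read"] is not None:
            r["outcome"] = "answered"
        else:
            r["outcome"] = "unreachable" if r["timeouts"] >= r["retries"] else "incomplete"
    return requests

if __name__ == "__main__":
    for r in summarize(SAMPLE): print(r["kdc"], r["outcome"], r["timeouts"], r["waited_ms"])
```

A request that is "answered" with a large waited_ms is the first pattern in the log above: the KDC replied, but only after earlier attempts had timed out.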
Cause