HTTP-500 Internal Server Error With WNA Enabled SSO (Doc ID 356585.1)

Last updated on JULY 01, 2016

Applies to:

Oracle Application Server Single Sign-On - Version 9.0.4 to 10.1.2 [Release 10gR1 to 10gR2]
IBM AIX on POWER Systems (64-bit)
***Checked for relevance on 01-AUG-2013***

Symptoms

Windows Native Authentication (WNA) has been configured with a 10gAS installation on the AIX platform.

Attempts to perform SSO authentication with WNA enabled in the browser fail with error HTTP-500 Internal Server Error.

During startup of OC4J_SECURITY, the error 'Cannot get credential for principal service' appears in the <sso_home>/opmn/logs/OC4J~OC4J_SECURITY~default_island~1 log.

For example:

06/01/17 11:54:48 Start process
.....
06/01/17 11:55:07 DAS servlet init enter
06/01/17 11:55:07 DAS log file directory is /oracle/app/infra10g/ldap/log/
06/01/17 11:55:11 DAS servlet init exit
06/01/17 11:55:12 Getting creds for HTTP/sso.oracle.com@AD.DOMAIN...
06/01/17 11:55:12 KerberosAuthenticator: GSSException raised in constructor - org.ietf.jgss.GSSException, major code: 11, minor code: 0
  major string: General failure, unspecified at GSSAPI level
  minor string: Cannot get credential for principal service HTTP/sso.oracle.com@AD.DOMAIN
06/01/17 11:55:12 org.ietf.jgss.GSSException, major code: 11, minor code: 0
  major string: General failure, unspecified at GSSAPI level
  minor string: Cannot get credential for principal service HTTP/sso.oracle.com@AD.DOMAIN
06/01/17 11:55:12 at com.ibm.security.jgss.i18n.a.a(a.java:25)
06/01/17 11:55:12 at com.ibm.security.jgss.mech.krb5.g.b(g.java:87)
...............................
06/01/17 11:55:12 KerberosAuthenticator: Please check the error messages and fix it. Restart OC4J (OC4J_SECURITY instance) server
06/01/17 11:55:12 KerberosAuthenticator: Possible errors may be: HTTP service name in jazn-data.xml is wrong or KDC is down


The 'keyTab' option in the $ORACLE_HOME/j2ee/OC4J_SECURITY/config/jazn-data.xml entries for Krb5LoginModule specifies the correct keytab file in the $ORACLE_HOME/OC4J_SECURITY/config directory. This keytab file was generated for the SSO principal HTTP/sso.oracle.com.

/usr/krb5/bin/kinit -k $ORACLE_HOME/j2ee/OC4J_SECURITY/config/<keytab_filename> HTTP/sso.oracle.com runs without errors; it simply returns to the prompt without output.

/usr/krb5/bin/klist -f -e -a shows a valid Ticket Granting Ticket for HTTP/sso.oracle.com@AD.DOMAIN
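
To confirm that a given OC4J_SECURITY log shows this exact symptom, the following added example (not part of the Oracle note) summarises each distinct GSSException and the principal it names, so it can be compared with the principal requested in the "Getting creds for" line. The function names are hypothetical, the log layout is assumed to match the excerpt above, and the sample input is copied from that excerpt.

```shell
#!/bin/sh
# Added example: triage of JGSS credential failures in an OC4J_SECURITY log.
# Both functions read the files given as arguments, or stdin when none are given.

# One line per distinct failure: timestamp, GSS major/minor code, principal.
gss_failures() {
    awk '
    /GSSException, major code:/ {
        ts = $1 " " $2
        line = $0
        sub(/.*major code: /, "", line); major = line + 0
        sub(/.*minor code: /, "", line); minor = line + 0
        pending = 1
        next
    }
    pending && /minor string: Cannot get credential for principal service/ {
        key = ts "|" major "|" minor "|" $NF
        # The exception is logged twice per failure; report it once.
        if (!(key in seen)) {
            seen[key] = 1
            printf "%s major=%s minor=%s principal=%s\n", ts, major, minor, $NF
        }
        pending = 0
    }' "$@"
}

# Principal the SSO server asked credentials for (trailing "..." stripped).
requested_principal() {
    awk '/Getting creds for / { p = $NF; sub(/\.+$/, "", p); print p }' "$@"
}

# Sample input: lines taken from the log excerpt in this note.
sample_log() {
    cat <<'EOF'
06/01/17 11:55:11 DAS servlet init exit
06/01/17 11:55:12 Getting creds for HTTP/sso.oracle.com@AD.DOMAIN...
06/01/17 11:55:12 KerberosAuthenticator: GSSException raised in constructor - org.ietf.jgss.GSSException, major code: 11, minor code: 0
  major string: General failure, unspecified at GSSAPI level
  minor string: Cannot get credential for principal service HTTP/sso.oracle.com@AD.DOMAIN
06/01/17 11:55:12 org.ietf.jgss.GSSException, major code: 11, minor code: 0
  major string: General failure, unspecified at GSSAPI level
  minor string: Cannot get credential for principal service HTTP/sso.oracle.com@AD.DOMAIN
06/01/17 11:55:12 at com.ibm.security.jgss.i18n.a.a(a.java:25)
EOF
}

sample_log | gss_failures
```

Against a live system, pass the log file path as the argument to each function instead of piping in the sample.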



Cause
