WNA Login to SSO Fails With 'Page Cannot Be Displayed'

(Doc ID 356775.1)

Last updated on JULY 01, 2016

Applies to:

Oracle Application Server Single Sign-On - Version 9.0.4 and later
IBM AIX on POWER Systems (64-bit)
***Checked for relevance on 02-JUL-2015***


Symptoms

WNA authentication fails with error 'Page Cannot be Displayed' with 10gAS SSO.

OC4J_SECURITY startup completes without errors.

The client has a valid Kerberos ticket for the SSO site principal, as verified by the Windows Kerbtray utility or klist output.

$ORACLE_HOME/sso/log/ssoServer.log in debug mode shows:

.......
[DEBUG] AJPRequestHandler-ApplicationServerThread-5 Remote user name: {{UNAUTH_USER}}
[DEBUG] AJPRequestHandler-ApplicationServerThread-5 Windows Native Authentication was not possible.
.......


That is, SSO does not receive a Remote User Name from OC4J_SECURITY, which indicates that validation of the client Kerberos ticket failed.
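An added example (not part of the Oracle note): a Python scan of ssoServer.log for the two debug entries quoted above, paired per thread so that interleaved requests are not confused. It assumes every entry keeps the `[DEBUG] <thread> <message>` layout of the excerpt; the function names and all sample lines other than the two quoted entries are constructed for illustration.

```python
import re

# Layout taken from the excerpt above: "[DEBUG] <thread> <message>".
# search() (not match()) tolerates a timestamp or other prefix, if present.
ENTRY = re.compile(r"\[DEBUG\]\s+(?P<thread>\S+)\s+(?P<msg>.*)")
REMOTE_USER = "Remote user name:"
WNA_FAILED = "Windows Native Authentication was not possible"
UNAUTH = "{{UNAUTH_USER}}"

# Constructed sample: lines 1 and 3 are from the note; the rest are made up.
SAMPLE_LOG = """\
[DEBUG] AJPRequestHandler-ApplicationServerThread-5 Remote user name: {{UNAUTH_USER}}
[DEBUG] AJPRequestHandler-ApplicationServerThread-6 Remote user name: jdoe@EXAMPLE.COM
[DEBUG] AJPRequestHandler-ApplicationServerThread-5 Windows Native Authentication was not possible.
[DEBUG] AJPRequestHandler-ApplicationServerThread-7 Remote user name: {{UNAUTH_USER}}
[DEBUG] AJPRequestHandler-ApplicationServerThread-6 some unrelated debug message
[DEBUG] AJPRequestHandler-ApplicationServerThread-7 Windows Native Authentication was not possible.
"""

def find_wna_failures(lines):
    """Return one record per WNA failure, with the remote user last logged on that thread."""
    last_user = {}   # thread name -> most recent "Remote user name" value
    failures = []
    for line_no, line in enumerate(lines, start=1):
        entry = ENTRY.search(line)
        if entry is None:
            continue
        thread, msg = entry["thread"], entry["msg"].strip()
        if msg.startswith(REMOTE_USER):
            last_user[thread] = msg[len(REMOTE_USER):].strip()
        elif msg.startswith(WNA_FAILED):
            # pop(): worker threads are reused, so do not carry the value forward
            failures.append({"line": line_no, "thread": thread,
                             "remote_user": last_user.pop(thread, None)})
    return failures

def matches_symptom(failure):
    """True when the failure follows an unauthenticated remote user, as in this note."""
    return failure["remote_user"] == UNAUTH

if __name__ == "__main__":
    for f in find_wna_failures(SAMPLE_LOG.splitlines()):
        tag = "matches note" if matches_symptom(f) else "other cause"
        print(f"line {f['line']}: {f['thread']} remote_user={f['remote_user']} ({tag})")
```

The line numbers it reports can be lined up with the HTTP header trace and HTTP Server debug log described below to confirm that each failure coincides with a repeated HTTP-401.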

However, there are no errors in opmn/logs/OC4J~OC4J_SECURITY~default_island~1 when client WNA authentication fails.

HTTP Header trace shows that the browser sends the client Kerberos ticket after receiving the HTTP-401 Authorization request from SSO.

The HTTP Server debug log shows that SSO returns the HTTP-401 request again after receiving the client Kerberos ticket.

If 'Enable Windows Native Authentication' is unset in the browser options, SSO fallback authentication succeeds.

 

Cause
