ktpass resets SSO Account Password or kinit Errors With 'Client Not Found in Kerberos Database' (Doc ID 377377.1)

Last updated on MARCH 08, 2017

Applies to:

Oracle Application Server Single Sign-On - Version 9.0.4 to 10.1.4 [Release 10gR1 to 10gR3]
Information in this document applies to any platform.
Kerberos utilities ktpass and kinit.
***Checked for relevance on 03-MAR-2016***


Symptoms

Either:

When configuring Windows Native Authentication (WNA) with SSO and generating a keytab file for the SSO Server by running ktpass on the Active Directory/KDC server, ktpass produces unexpected warnings and, if the prompts are accepted, resets the account's password in Active Directory.

Example:

ktpass -princ HTTP/ssoserver.uk.oracle.com@AD.ORACLE.COM -pass sso123 -mapuser ssoserver -mapOp set -out sso.keytab

Targeting domain controller: adcore.ad.oracle.com
Using legacy password setting method
WARNING: Account SSOSERVER$ is not a normal user account (uacFlags =0x1000).

Do you really want to delete any previous servicePrincipalName values on SSOSERVER$ [y/n]? y
Successfully mapped HTTP/ssoserver.uk.oracle.com to SSOSERVER$
WARNING: Resetting SSOSERVER$'s password may cause authentication problems if SSOSERVER$ is being used as a server.

Reset SSOSERVER$'s password [y/n]?

If 'y' is entered, connections can no longer be made to Active Directory as this user.

Or:

kinit fails for the SSO Server servicePrincipalName with the error 'Client not found in Kerberos database'.

Example:

C:\>%oracle_home%\jdk\bin\kinit HTTP/ssoserver.uk.oracle.com
Password for HTTP/ssoserver.uk.oracle.com@AD.ORACLE.COM: sso123
Exception: krb_error 6 Client not found in Kerberos database (6) Client not found in Kerberos database
KrbException: Client not found in Kerberos database (6)
at sun.security.krb5.KrbAsRep.<init>(DashoA12275:67)
at sun.security.krb5.KrbAsReq.getReply(DashoA12275:315)
at sun.security.krb5.KrbAsReq.getReply(DashoA12275:276)
at sun.security.krb5.internal.tools.Kinit.<init>(DashoA12275:271)
at sun.security.krb5.internal.tools.Kinit.main(DashoA12275:109)
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.af.a(DashoA12275:134)
at sun.security.krb5.internal.at.a(DashoA12275:63)
at sun.security.krb5.internal.at.<init>(DashoA12275:58)
at sun.security.krb5.KrbAsRep.<init>(DashoA12275:53)
... 4 more

However, the 'ssoserver' user can be viewed in Active Directory Users and Computers with servicePrincipalName=HTTP/ssoserver.uk.oracle.com, so it does exist in the Kerberos database.

Cause
