ktpass resets SSO Account Password or kinit Errors With 'Client Not Found in Kerberos Database' (Doc ID 377377.1)
Last updated on MARCH 08, 2017
Oracle Application Server Single Sign-On - Version 9.0.4 to 10.1.4 [Release 10gR1 to 10gR3]
Information in this document applies to any platform.
Kerberos utilities ktpass and kinit.
***Checked for relevance on 03-MAR-2016***
When configuring WNA with SSO and generating a keytab file for the SSO Server by running ktpass on the Active Directory/KDC server, ktpass produces unexpected warnings and, if the prompts are accepted, resets the password in Active Directory.
Targeting domain controller: adcore.ad.oracle.com
Using legacy password setting method
WARNING: Account SSOSERVER$ is not a normal user account (uacFlags =0x1000).
Do you really want to delete any previous servicePrincipalName values on SSOSERVER$ [y/n]? y
Successfully mapped HTTP/ssoserver.uk.oracle.com to SSOSERVER$
WARNING: Resetting SSOSERVER$'s password may cause authentication problems if SSOSERVER$ is being used as a server.
Reset SSOSERVER$'s password [y/n]?
If 'y' is entered, connections can no longer be made to Active Directory as this user.
kinit fails for the SSO Server servicePrincipalName with the error 'Client not found in Kerberos database'.
C:\>%oracle_home%\jdk\bin\kinit HTTP/ssoserver.uk.oracle.com
Password for HTTP/ssoserver.uk.oracle.com@AD.ORACLE.COM: sso123
Exception: krb_error 6 Client not found in Kerberos database (6) Client not found in Kerberos database
KrbException: Client not found in Kerberos database (6)
        at sun.security.krb5.KrbAsRep.<init>(DashoA12275:67)
        at sun.security.krb5.KrbAsReq.getReply(DashoA12275:315)
        at sun.security.krb5.KrbAsReq.getReply(DashoA12275:276)
        at sun.security.krb5.internal.tools.Kinit.<init>(DashoA12275:271)
        at sun.security.krb5.internal.tools.Kinit.main(DashoA12275:109)
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.af.a(DashoA12275:134)
        at sun.security.krb5.internal.at.a(DashoA12275:63)
        at sun.security.krb5.internal.at.<init>(DashoA12275:58)
        at sun.security.krb5.KrbAsRep.<init>(DashoA12275:53)
        ... 4 more
However, the 'ssoserver' user can be viewed in Active Directory Users and Computers with servicePrincipalName=HTTP/ssoserver.uk.oracle.com, so it does exist in the Kerberos database.