
ktpass resets SSO Account Password or kinit Errors With 'Client Not Found in Kerberos Database' (Doc ID 377377.1)

Last updated on AUGUST 15, 2018

Applies to:

Oracle Application Server Single Sign-On - Version 9.0.4 to 10.1.4 [Release 10gR1 to 10gR3]
Information in this document applies to any platform.
Kerberos utilities ktpass and kinit.
***Checked for relevance on 03-MAR-2016***


Symptoms

Either:

When configuring WNA with SSO and generating a keytab file for the SSO Server by running ktpass on the Active Directory/KDC server, ktpass produces unexpected warnings and, if the prompts are accepted, resets the account's password in Active Directory.

Example:

ktpass -princ HTTP/ssoserver.uk.oracle.com@AD.ORACLE.COM -pass sso123 -mapuser ssoserver -mapOp set -out sso.keytab

Targeting domain controller: adcore.ad.oracle.com
Using legacy password setting method
WARNING: Account SSOSERVER$ is not a normal user account (uacFlags =0x1000).

Do you really want to delete any previous servicePrincipalName values on SSOSERVER$ [y/n]? y
Successfully mapped HTTP/ssoserver.uk.oracle.com to SSOSERVER$
WARNING: Resetting SSOSERVER$'s password may cause authentication problems if SSOSERVER$ is being used as a server.

Reset SSOSERVER$'s password [y/n]?

 

If 'y' is entered, connections can no longer be made to Active Directory as this user.
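
An added example (not part of the Oracle note): a Python check that reads a captured ktpass transcript and reports the signs, all visible in the output above, that -mapuser resolved to something other than a normal user account. The function name review_ktpass and the choice to treat each finding as a reason to answer 'n' are assumptions of this example; the flag values are Microsoft's documented userAccountControl bits.

```python
import re

# userAccountControl account-type bits (Microsoft's documented values).
UAC_TYPES = {
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
}

# Transcript copied from the ktpass example above.
SAMPLE = """\
ktpass -princ HTTP/ssoserver.uk.oracle.com@AD.ORACLE.COM -pass sso123 -mapuser ssoserver -mapOp set -out sso.keytab
Targeting domain controller: adcore.ad.oracle.com
Using legacy password setting method
WARNING: Account SSOSERVER$ is not a normal user account (uacFlags =0x1000).
Do you really want to delete any previous servicePrincipalName values on SSOSERVER$ [y/n]? y
Successfully mapped HTTP/ssoserver.uk.oracle.com to SSOSERVER$
WARNING: Resetting SSOSERVER$'s password may cause authentication problems if SSOSERVER$ is being used as a server.
Reset SSOSERVER$'s password [y/n]?
"""

def review_ktpass(transcript):
    """Return findings; any finding is a reason to answer 'n' at the reset prompt."""
    findings = []
    requested = re.search(r"-mapuser\s+(\S+)", transcript, re.I)
    mapped = re.search(r"Successfully mapped \S+ to (\S+)", transcript)
    uac = re.search(r"uacFlags\s*=\s*0x([0-9a-fA-F]+)", transcript)
    # The account ktpass acted on should be the one named on the command line.
    if requested and mapped and requested.group(1).lower() != mapped.group(1).lower():
        findings.append("mapuser %s resolved to %s" % (requested.group(1), mapped.group(1)))
    # A trailing $ is the naming convention for machine accounts (heuristic).
    if mapped and mapped.group(1).endswith("$"):
        findings.append("%s has a machine-style name (trailing $)" % mapped.group(1))
    # Decode the account-type bits that ktpass printed in its warning.
    if uac:
        flags = int(uac.group(1), 16)
        kinds = [name for bit, name in UAC_TYPES.items() if flags & bit]
        if kinds != ["NORMAL_ACCOUNT"]:
            findings.append("uacFlags 0x%x: %s" % (flags, ", ".join(kinds) or "no account-type bit"))
    return findings

if __name__ == "__main__":
    for line in review_ktpass(SAMPLE):
        print("REFUSE RESET:", line)
```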

Or:

kinit fails for the SSO Server servicePrincipalName with the error 'Client not found in Kerberos database'.

Example:

C:\>%oracle_home%\jdk\bin\kinit HTTP/ssoserver.uk.oracle.com
Password for HTTP/ssoserver.uk.oracle.com@AD.ORACLE.COM: sso123
Exception: krb_error 6 Client not found in Kerberos database (6) Client not found in Kerberos database
KrbException: Client not found in Kerberos database (6)
at sun.security.krb5.KrbAsRep.<init>(DashoA12275:67)
at sun.security.krb5.KrbAsReq.getReply(DashoA12275:315)
at sun.security.krb5.KrbAsReq.getReply(DashoA12275:276)
at sun.security.krb5.internal.tools.Kinit.<init>(DashoA12275:271)
at sun.security.krb5.internal.tools.Kinit.main(DashoA12275:109)
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.af.a(DashoA12275:134)
at sun.security.krb5.internal.at.a(DashoA12275:63)
at sun.security.krb5.internal.at.<init>(DashoA12275:58)
at sun.security.krb5.KrbAsRep.<init>(DashoA12275:53)
... 4 more


 

However, the 'ssoserver' user can be viewed in Active Directory Users and Computers with servicePrincipalName=HTTP/ssoserver.uk.oracle.com, so it does exist in the Kerberos database.


 

Cause


This document is being delivered to you via Oracle Support's Rapid Visibility (RaV) process and therefore has not been subject to an independent technical review.