Kerberos SSO Issues When Users Have Local Admin Rights

(Doc ID 2091600.1)

Last updated on SEPTEMBER 15, 2017

Applies to:

Oracle Agile Engineering Data Management - Version 6.1.3.0 to 6.2.0.0 [Release 6.1.0 to 6.2.0]
Information in this document applies to any platform.

Symptoms

On Oracle Agile e6.1.3, with the Kerberos SSO solution activated in the Java Client:
If a user has local administration rights, the e6.1.3 Java Client cannot access the Microsoft TGT because of the Java implementation of the SSO, and thus cannot supply SSO.
Therefore it is necessary to change the implementation of the Kerberos SSO according to the Microsoft recommendation: change the application or its runtime to use the Windows methods of managing identity and secure server connections, so that it no longer requires access to the session keys. For that purpose, WAFFLE (Windows Authentication Functional Framework (Light Edition)) should be used in the future to overcome this issue.

The issue can be reproduced at will with the following steps:
-------------------------------------------------------------------
1. Activate SSO in the Java Client
2. Give the operating system user on the client machine administrator rights
3. Try to log in with SSO
-> Log on is denied


Cause
