My Oracle Support Banner

Kerberos SSO Issues When Users Have Local Admin Rights (Doc ID 2091600.1)

Last updated on JUNE 21, 2018

Applies to:

Oracle Agile Engineering Data Management - Version to [Release 6.1.0 to 6.2.0]
Information in this document applies to any platform.


On Oracle Agile e6.1.3, Java Client with Kerberos SSO solution activated
Find that if a user has local administration rights, due to the JAVA implementation of the SSO, the e6.1.3 Java Client cannot access the Microsoft TGT and thus cannot supply SSO.
Therefore it is necessary to change the implementation of the Kerberos SSO according to the Microsoft recommendation: Change the application or it's runtime to use the Windows methods of managing identity and secure server connections so it does not require access to the session keys anymore. For that purpose WAFFLE (Windows Authentication Functional Framework (Light Edition)) should be used in the future to overcome this issue.

The issue can be reproduced at will with the following steps:
1. Activate SSO in the Java Client
2. Give the operating system user on the client machine administrator rights
3. Try to log in with SSO
-> Log on is denied


To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.