okinit Fails When Preauthentication Is Enabled For The User Principal on Windows KDC (Doc ID 1105699.1)

Last updated on OCTOBER 14, 2016

Applies to:

Advanced Networking Option - Version 11.1.0.6 to 11.2.0.1 [Release 11.1 to 11.2]
Information in this document applies to any platform.
Checked for relevance on 03-SEP-2013

Symptoms

Attempting to obtain a Windows Kerberos Ticket using the okinit utility, it retrieves:
"Cannot contact any KDC for requested realm"

STEPS
-----------------------
The issue can be reproduced with the following steps:

1. Configure Windows KDC
2. Configure Oracle RDBMS release 11g
3. $ okinit

okinit trace shows:

snauk5l_sendto_kdc: entry
snauk5l_sendto_kdc: Returning 90: Cannot contact any KDC for requested realm
.
snauk5l_sendto_kdc: exit
snauk5l_sendto_kdc: Returning 90: Cannot contact any KDC for requested realm
.
snauk5l_sendto_kdc: exit
nauk5la_get_in_tkt: Returning 90: Cannot contact any KDC for requested realm

Changes

This issue tends to appear after a database upgrade to 11g, where the AES encryption algorithms are enabled for Kerberos authentication.

Cause

Sign In with your My Oracle Support account

Don't have a My Oracle Support account? Click to get started

My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms