8 Replies. Latest reply: Nov 27, 2012 3:12 AM by nikhil kulkarni

    Oracle Access Manager 11g- Failed to get the Kerberos ticket

    kokito
      Hello friends,
      I have a problem setting up WNA with OAM, specifically when I try to get the Kerberos ticket.
      Command used to retrieve the Kerberos ticket:
      [oracle@pc2012 bin]$ kinit -V HTTP/pc2012@domain.com -k -t /opt/keyOAM/2012OAM.keytab

      where:
      pc2012: corresponds to the Linux PC trying to get the Kerberos ticket.
      2012OAM.keytab: the file created in Active Directory (SPN associated with the user)

      Error Message:
      kinit(v5): Cannot resolve network address for KDC in realm domain.com while getting initial credentials


      Any recommendations for resolving this case?


      thanks
        • 1. Re: Oracle Access Manager 11g- Failed to get the Kerberos ticket
          idm731
          Looks like the KDC entry in your krb5.conf file is invalid. Can you let me know what entries you have in the krb5.conf file?

          Make sure you are able to ping/telnet the KDC server.

          Is it OAM 11g R1 or R2?
          • 2. Re: Oracle Access Manager 11g- Failed to get the Kerberos ticket
            kokito
            Hello idm731,
            The version used is OAM 11g R1 with Windows 2008 R2. Here are more details of the file in question, krb5.conf:

            .........................................................................................................................
            [logging]
            default = FILE:/var/log/krb5libs.log
            kdc = FILE:/var/log/krb5kdc.log
            admin_server = FILE:/var/log/kadmind.log

            [libdefaults]
            default_realm = DOMAIN.COM
            dns_lookup_realm = false
            dns_lookup_kdc = false
            default_tkt_enctypes = des-cbc-crc
            default_tgs_enctypes = des-cbc-crc
            default_etypes = des-cbc-crc
            default_etypes_des = des-cbc-crc
            ticket_lifetime = 24h
            forwardable = yes

            [realms]
            DOMAIN.COM = {
            kdc = server.domain.com:88
            admin_server = server.domain.com:749
            default_domain = domain.com
            }

            [domain_realm]
            .domain.com = DOMAIN.COM
            domain.com = DOMAIN.COM

            [appdefaults]
            pam = {
            debug = false
            ticket_lifetime = 36000
            renew_lifetime = 36000
            forwardable = true
            krb4_convert = false
            .........................................................................................................................

            Any recommendations for solving the following message:
            kinit(v5): Key table entry not found while getting initial credentials


            Regards,

            Edited by: JLK on Nov 21, 2012 4:27 PM

            Edited by: JLK on Nov 21, 2012 6:51 PM
            • 3. Re: Oracle Access Manager 11g- Failed to get the Kerberos ticket
              idm731
              Looks like you are now able to reach the KDC server.
              What is the command you used to generate the keytab file?

              Replace the encryption type in your krb5.conf file:

              default_tkt_enctypes = RC4-HMAC
              default_tgs_enctypes = RC4-HMAC

              Windows 2008 R2 AD server works on RC4-HMAC.

              You may also remove the following lines, as these are not required:
              default_etypes = des-cbc-crc
              default_etypes_des = des-cbc-crc

              If you do not want to remove these, then update the encryption type.

              Let me know if you have any questions.
              • 4. Re: Oracle Access Manager 11g- Failed to get the Kerberos ticket
                kokito
                Friends,
                any recommendations for resolving the following error message:
                kinit (v5): Key table entry not found while getting initial credentials



                Thanks

                Edited by: JLK on Nov 22, 2012 3:21 PM
                • 5. Re: Oracle Access Manager 11g- Failed to get the Kerberos ticket
                  amit1090
                  Hi,

                  Can you please provide the kinit command which you are using, along with the output of the klist -e command, so that we can find out what's going wrong here?
                  • 6. Re: Oracle Access Manager 11g- Failed to get the Kerberos ticket
                    amit1090
                    Also,

                    kinit (v5): Key table entry not found while getting initial credentials

                    Normally this error means there is something related to your SPN and user.
                    Please ensure that the user is configured as a Kerberos user and that this SPN is unique throughout the AD domain.
                    • 7. Re: Oracle Access Manager 11g- Failed to get the Kerberos ticket
                      nikhil kulkarni
                      Hi JLK,
                      I recently solved the WNA issue. I have gone through the same errors that you are getting.
                      As suggested by Amit, please provide the kinit command.
                      Also add the Primary Domain Controller entry to the /etc/hosts file on your Linux machine. (I assumed here that OAM is running on a Linux box.)
                      The format will be:
                      <IP address of PDC> <FQDN of PDC> <hostname of PDC>

                      Then try the kinit command again on the Linux machine.

                      Warm Regards
                      Nikhil

                      Edited by: Nikhil K
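
Added example, not part of any post in this thread: the first error reported above, "Cannot resolve network address for KDC", concerns the host names listed as `kdc` in krb5.conf. This Python check extracts the `kdc` entries for a realm and tests whether each name resolves, either with the system resolver or against /etc/hosts-style text; the function names are assumptions, and `SAMPLE_CONF` repeats the `[realms]` lines posted in reply 2.

```python
import socket

# [realms] stanza as posted in reply 2 of this thread
SAMPLE_CONF = """\
[realms]
DOMAIN.COM = {
kdc = server.domain.com:88
}
"""

def realm_kdcs(conf_text, realm):
    """Return the kdc values listed under [realms] for one realm."""
    section, current, kdcs = None, None, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            section, current = line.strip("[]"), None
        elif line == "}":
            current = None
        elif "=" in line and line[0] not in "#;":
            key, val = (s.strip() for s in line.split("=", 1))
            if val == "{":
                current = key
            elif (section, current, key) == ("realms", realm, "kdc"):
                kdcs.append(val)
    return kdcs

def hosts_resolver(hosts_text):
    """Resolver limited to names in /etc/hosts-style text, for offline checks."""
    known = {n for ln in hosts_text.splitlines() for n in ln.split("#")[0].split()[1:]}
    def resolve(host, port):
        if host not in known:
            raise socket.gaierror(f"cannot resolve {host}")
        return host, port
    return resolve

def check_kdcs(conf_text, realm, resolve=socket.getaddrinfo):
    """Map each configured KDC to True/False: does its host name resolve?"""
    result = {}
    for entry in realm_kdcs(conf_text, realm):
        host, _, port = entry.partition(":")
        try:
            result[entry] = bool(resolve(host, int(port or 88)))
        except OSError:
            result[entry] = False
    return result

if __name__ == "__main__":
    print(check_kdcs(SAMPLE_CONF, "DOMAIN.COM"))
```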
                      • 8. Re: Oracle Access Manager 11g- Failed to get the Kerberos ticket
                        nikhil kulkarni
                        Please refer to this document to carry out the steps, and let us know:

                        OAM 11g WNA Step by Step Setup Guide [ID 1416860.1]

                        Warm Regards
                        Nikhil K