5 Replies. Latest reply: Apr 23, 2013 12:28 AM by Srinath Menon

Configuring Oracle WCC and Single Sign-On for WNA failed

Mukesh Newbie
Hi all,

I have configured the Kerberos setup for WCC 11g and Windows 2008 R2.

But when I click on login from the WCC home page, it goes to the login page instead of authenticating to the WCC server.

Here is the Kerberos debug log from the WCC server.

Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is fanpra06.keytab refreshKrb5Config is false principal is HTTP/fanpra06.fanr.local@FANR.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
KeyTab instance already exists
Added key: 17version: 3
Found unsupported keytype (18) for HTTP/fanpra06.fanr.local@FANR.LOCAL
Added key: 23version: 3
Added key: 3version: 3
Added key: 1version: 3
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23.
0: EncryptionKey: keyType=23 kvno=3 keyValue (hex dump)=
0000: A3 B4 7F 08 B1 74 0B 8B F8 EF 31 88 9E 91 0C 0A .....t....1.....


principal's key obtained from the keytab
Acquire TGT using AS Exchange
default etypes for default_tkt_enctypes: 23.
KrbAsReq calling createMessage
KrbAsReq in createMessage
KrbKdcReq send: kdc=172.22.35.11 UDP:88, timeout=30000, number of retries =3, #bytes=152
KDCCommunication: kdc=172.22.35.11 UDP:88, timeout=30000,Attempt =1, #bytes=152
KrbKdcReq send: #bytes read=177
KrbKdcReq send: #bytes read=177
KdcAccessibility: remove 172.22.35.11
KDCRep: init() encoding tag is 126 req type is 11
KRBError:
sTime is Thu Apr 04 18:25:48 GST 2013 1365085548000
suSec is 918016
error code is 25
error Message is Additional pre-authentication required
realm is FANR.LOCAL
sname is krbtgt/FANR.LOCAL
eData provided.
msgType is 30
Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 23
PA-ETYPE-INFO salt =
Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 23
PA-ETYPE-INFO2 salt = null
Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
Pre-Authentication Data:
PA-DATA type = 16
Pre-Authentication Data:
PA-DATA type = 15
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
KrbAsReq salt is FANR.LOCALHTTPfanpra06.fanr.local
default etypes for default_tkt_enctypes: 23.
Pre-Authenticaton: find key for etype = 23
AS-REQ: Add PA_ENC_TIMESTAMP now
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsReq calling createMessage
KrbAsReq in createMessage
KrbKdcReq send: kdc=172.22.35.11 UDP:88, timeout=30000, number of retries =3, #bytes=235
KDCCommunication: kdc=172.22.35.11 UDP:88, timeout=30000,Attempt =1, #bytes=235
KrbKdcReq send: #bytes read=1430
KrbKdcReq send: #bytes read=1430
KdcAccessibility: remove 172.22.35.11
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsRep cons in KrbAsReq.getReply HTTP/fanpra06.fanr.local
principal is HTTP/fanpra06.fanr.local@FANR.LOCAL
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: A3 B4 7F 08 B1 74 0B 8B F8 EF 31 88 9E 91 0C 0A .....t....1.....

EncryptionKey: keyType=17 keyBytes (hex dump)=0000: B5 AF DD 17 55 2E 3B 70 C0 02 16 0A 2C 9C 00 44 ....U.;p....,..D

EncryptionKey: keyType=3 keyBytes (hex dump)=0000: C2 D6 3E AE BA 0D FD 9D
EncryptionKey: keyType=1 keyBytes (hex dump)=0000: C2 D6 3E AE BA 0D FD 9D
Added server's keyKerberos Principal HTTP/fanpra06.fanr.local@FANR.LOCALKey Version 3key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: A3 B4 7F 08 B1 74 0B 8B F8 EF 31 88 9E 91 0C 0A .....t....1.....


[Krb5LoginModule] added Krb5Principal HTTP/fanpra06.fanr.local@FANR.LOCAL to Subject
Added server's keyKerberos Principal HTTP/fanpra06.fanr.local@FANR.LOCALKey Version 3key EncryptionKey: keyType=17 keyBytes (hex dump)=
0000: B5 AF DD 17 55 2E 3B 70 C0 02 16 0A 2C 9C 00 44 ....U.;p....,..D


[Krb5LoginModule] added Krb5Principal HTTP/fanpra06.fanr.local@FANR.LOCAL to Subject
Added server's keyKerberos Principal HTTP/fanpra06.fanr.local@FANR.LOCALKey Version 3key EncryptionKey: keyType=3 keyBytes (hex dump)=
0000: C2 D6 3E AE BA 0D FD 9D

[Krb5LoginModule] added Krb5Principal HTTP/fanpra06.fanr.local@FANR.LOCAL to Subject
Added server's keyKerberos Principal HTTP/fanpra06.fanr.local@FANR.LOCALKey Version 3key EncryptionKey: keyType=1 keyBytes (hex dump)=
0000: C2 D6 3E AE BA 0D FD 9D

[Krb5LoginModule] added Krb5Principal HTTP/fanpra06.fanr.local@FANR.LOCAL to Subject
Commit Succeeded

Found key for HTTP/fanpra06.fanr.local@FANR.LOCAL(23)
Found key for HTTP/fanpra06.fanr.local@FANR.LOCAL(1)
Found key for HTTP/fanpra06.fanr.local@FANR.LOCAL(3)
Found key for HTTP/fanpra06.fanr.local@FANR.LOCAL(17)
Entered Krb5Context.acceptSecContext with state=STATE_NEW



Am I missing any other steps in the configuration?
Any pointers would be much appreciated.

Regards,
-Mukesh
  • 1. Re: Configuring Oracle WCC and Single Sign-On for WNA failed
    Srinath Menon Guru
    Hi Mukesh,

    Maybe the DES encryption could be the cause here.

    Details on this aspect are provided in the Microsoft article: http://support.microsoft.com/kb/977321

    Enabling DES Encryption on Windows Server 2008 R2:

    You should follow the instructions in this section on the Domain Controller:

    “Enable the following Group Policies to apply the DES encryption type to all computers that are running Windows 7 or Windows Server 2008 R2:
    1. In the Group Policy Management Console (GPMC), locate the following location:
    Computer Configuration\ Windows Settings\ Security Settings\ Local Policies\ Security Options
    It is also possible to start the Security Policy configuration program by executing “secpol.msc”.
    2. Click to select the Network security: Configure encryption types allowed for Kerberos option.
    3. Click to select Define these policy settings and all the six check boxes for the encryption types.
    4. Click OK. Close the GPMC.”

    Hope this helps.

    Thanks,
    Srinath
  • 2. Re: Configuring Oracle WCC and Single Sign-On for WNA failed
    Mukesh Newbie
    Thanks Srinath.

    I have asked the AD team to follow these steps.
    They are analyzing the impact of these changes in AD.

    Regards,
    -Mukesh
  • 3. Re: Configuring Oracle WCC and Single Sign-On for WNA failed
    Mukesh Newbie
    Hi Srinath,

    We have made the changes in the note.
    It doesn't solve the issue. It is still redirecting to the login page.
    And here is the Kerberos log.

    Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is fanpra06.keytab refreshKrb5Config is false principal is HTTP/fanrpra06_wcc@FANR.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
    KeyTabInputStream, readName(): FANR.LOCAL
    KeyTabInputStream, readName(): HTTP
    KeyTabInputStream, readName(): fanrpra06_wcc
    KeyTab: load() entry length: 56; type: 1
    KeyTabInputStream, readName(): FANR.LOCAL
    KeyTabInputStream, readName(): HTTP
    KeyTabInputStream, readName(): fanrpra06_wcc
    KeyTab: load() entry length: 56; type: 3
    KeyTabInputStream, readName(): FANR.LOCAL
    KeyTabInputStream, readName(): HTTP
    KeyTabInputStream, readName(): fanrpra06_wcc
    KeyTab: load() entry length: 64; type: 23
    KeyTabInputStream, readName(): FANR.LOCAL
    KeyTabInputStream, readName(): HTTP
    KeyTabInputStream, readName(): fanrpra06_wcc
    KeyTab: load() entry length: 80; type: 18
    KeyTabInputStream, readName(): FANR.LOCAL
    KeyTabInputStream, readName(): HTTP
    KeyTabInputStream, readName(): fanrpra06_wcc
    KeyTab: load() entry length: 64; type: 17
    Added key: 17version: 0
    Found unsupported keytype (18) for HTTP/fanrpra06_wcc@FANR.LOCAL
    Added key: 23version: 0
    Added key: 3version: 0
    Added key: 1version: 0
    Ordering keys wrt default_tkt_enctypes list
    Config name: /etc/krb5.conf
    Using builtin default etypes for default_tkt_enctypes
    default etypes for default_tkt_enctypes: 3 1 23 16 17.
    principal's key obtained from the keytab
    Acquire TGT using AS Exchange
    Using builtin default etypes for default_tkt_enctypes
    default etypes for default_tkt_enctypes: 3 1 23 16 17.
    KrbAsReq calling createMessage
    KrbAsReq in createMessage
    KrbKdcReq send: kdc=172.22.35.11 TCP:88, timeout=30000, number of retries =3, #bytes=155
    DEBUG: TCPClient reading 273 bytes
    KrbKdcReq send: #bytes read=273
    KrbKdcReq send: #bytes read=273
    KdcAccessibility: remove 172.22.35.11
    KDCRep: init() encoding tag is 126 req type is 11
    KRBError:
    sTime is Tue Apr 16 11:06:00 GST 2013 1366095960000
    suSec is 167836
    error code is 25
    error Message is Additional pre-authentication required
    realm is FANR.LOCAL
    sname is krbtgt/FANR.LOCAL
    eData provided.
    msgType is 30
    Pre-Authentication Data:
    PA-DATA type = 19
    PA-ETYPE-INFO2 etype = 17
    PA-ETYPE-INFO2 salt = FANR.LOCALHTTPfanrpra06_wcc
    salt for 23 is null
    salt for 3 is FANR.LOCALHTTPfanrpra06_wcc
    salt for 1 is FANR.LOCALHTTPfanrpra06_wcc
    Pre-Authentication Data:
    PA-DATA type = 2
    PA-ENC-TIMESTAMP
    Pre-Authentication Data:
    PA-DATA type = 16
    Pre-Authentication Data:
    PA-DATA type = 15
    AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
    Updated salt from pre-auth = FANR.LOCALHTTPfanrpra06_wcc
    KrbAsReq salt is FANR.LOCALHTTPfanrpra06_wcc
    Using builtin default etypes for default_tkt_enctypes
    default etypes for default_tkt_enctypes: 3 1 23 16 17.
    Pre-Authenticaton: find key for etype = 1
    AS-REQ: Add PA_ENC_TIMESTAMP now
    EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
    crc32: 357551c4
    crc32: 110101011101010101000111000100
    KrbAsReq calling createMessage
    KrbAsReq in createMessage
    KrbKdcReq send: kdc=172.22.35.11 TCP:88, timeout=30000, number of retries =3, #bytes=234
    DEBUG: TCPClient reading 1423 bytes
    KrbKdcReq send: #bytes read=1423
    KrbKdcReq send: #bytes read=1423
    KdcAccessibility: remove 172.22.35.11
    EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
    crc32: b74d519a
    crc32: 10110111010011010101000110011010
    KrbAsRep cons in KrbAsReq.getReply HTTP/fanrpra06_wcc
    principal is HTTP/fanrpra06_wcc@FANR.LOCAL
    EncryptionKey: keyType=17 keyBytes (hex dump)=0000: 00 0E EF F6 F1 CC 08 5E B3 8C 9A 43 6F 3F 1D 4F .......^...Co?.O

    EncryptionKey: keyType=23 keyBytes (hex dump)=0000: A3 B4 7F 08 B1 74 0B 8B F8 EF 31 88 9E 91 0C 0A .....t....1.....

    EncryptionKey: keyType=3 keyBytes (hex dump)=0000: 68 C7 D3 26 86 5B 54 E9
    EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 68 C7 D3 26 86 5B 54 E9
    Added server's keyKerberos Principal HTTP/fanrpra06_wcc@FANR.LOCALKey Version 0key EncryptionKey: keyType=17 keyBytes (hex dump)=
    0000: 00 0E EF F6 F1 CC 08 5E B3 8C 9A 43 6F 3F 1D 4F .......^...Co?.O


    [Krb5LoginModule] added Krb5Principal HTTP/fanrpra06_wcc@FANR.LOCAL to Subject
    Added server's keyKerberos Principal HTTP/fanrpra06_wcc@FANR.LOCALKey Version 0key EncryptionKey: keyType=23 keyBytes (hex dump)=
    0000: A3 B4 7F 08 B1 74 0B 8B F8 EF 31 88 9E 91 0C 0A .....t....1.....


    [Krb5LoginModule] added Krb5Principal HTTP/fanrpra06_wcc@FANR.LOCAL to Subject
    Added server's keyKerberos Principal HTTP/fanrpra06_wcc@FANR.LOCALKey Version 0key EncryptionKey: keyType=3 keyBytes (hex dump)=
    0000: 68 C7 D3 26 86 5B 54 E9

    [Krb5LoginModule] added Krb5Principal HTTP/fanrpra06_wcc@FANR.LOCAL to Subject
    Added server's keyKerberos Principal HTTP/fanrpra06_wcc@FANR.LOCALKey Version 0key EncryptionKey: keyType=1 keyBytes (hex dump)=
    0000: 68 C7 D3 26 86 5B 54 E9

    [Krb5LoginModule] added Krb5Principal HTTP/fanrpra06_wcc@FANR.LOCAL to Subject
    Commit Succeeded

    Found key for HTTP/fanrpra06_wcc@FANR.LOCAL(23)
    Found key for HTTP/fanrpra06_wcc@FANR.LOCAL(3)
    Found key for HTTP/fanrpra06_wcc@FANR.LOCAL(1)
    Found key for HTTP/fanrpra06_wcc@FANR.LOCAL(17)
    Entered Krb5Context.acceptSecContext with state=STATE_NEW


    Regards,
    -Mukesh
  • 4. Re: Configuring Oracle WCC and Single Sign-On for WNA failed
    Mukesh Newbie
    Hi Srinath,

    Yes. This one helps to resolve the issue.
    And also the principal name should be the same as the fully qualified host name of the WCC server.
    I was following different Metalink notes and I got confused on that point.

    Regards,
    -Mukesh
  • 5. Re: Configuring Oracle WCC and Single Sign-On for WNA failed
    Srinath Menon Guru
    Hi Mukesh,

    Great to see that the issue is resolved.

    Thanks,
    Srinath
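
Added example (not part of the original thread and not Oracle's code): a small Python parser for the Krb5LoginModule debug output posted above. It reports which encryption types the keytab supplied, which one the JVM skipped, what the KDC offered, and which one was actually used for pre-authentication. The sample lines are excerpted from the second log in this thread; the function and variable names are this example's own.

```python
import re
# Kerberos etype numbers (RFC 3961, 3962, 4757).
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
          17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
          23: "rc4-hmac"}
WEAK = {1, 3, 16, 23}  # DES (RFC 6649), 3DES and RC4 (RFC 8429) are deprecated
PATTERNS = {  # one pattern per stage of the JDK Krb5LoginModule debug output
    "keytab_loaded": re.compile(r"Added key: (\d+)version: \d+"),
    "keytab_skipped": re.compile(r"Found unsupported keytype \((\d+)\)"),
    "kdc_offered": re.compile(r"PA-ETYPE-INFO2? etype = (\d+)"),
    "preauth_used": re.compile(r"find key for etype = (\d+)"),
}
DEFAULTS = re.compile(r"default etypes for default_tkt_enctypes: ([\d ]+)\.")

# Lines excerpted from the second debug log in the thread.
SAMPLE = """\
Added key: 17version: 0
Found unsupported keytype (18) for HTTP/fanrpra06_wcc@FANR.LOCAL
Added key: 23version: 0
Added key: 3version: 0
Added key: 1version: 0
default etypes for default_tkt_enctypes: 3 1 23 16 17.
PA-ETYPE-INFO2 etype = 17
Pre-Authenticaton: find key for etype = 1
"""

def summarize(log_text):
    """Collect the etypes seen at each stage, in order of first appearance."""
    out = {name: [] for name in PATTERNS}
    out["client_preference"] = []
    for line in log_text.splitlines():
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if m and int(m.group(1)) not in out[name]:
                out[name].append(int(m.group(1)))
        m = DEFAULTS.search(line)
        if m:
            out["client_preference"] = [int(x) for x in m.group(1).split()]
    return out

def findings(s):
    """Turn a summary into the points a reviewer would raise."""
    name = lambda e: ETYPES.get(e, str(e))
    notes = [f"pre-auth used {name(e)} (deprecated)" for e in s["preauth_used"] if e in WEAK]
    notes += [f"keytab key {name(e)} skipped by the JVM" for e in s["keytab_skipped"]]
    strong = [e for e in s["keytab_loaded"] if e not in WEAK]
    pref = s["client_preference"]
    if strong and pref and pref[0] in WEAK:
        notes.append(f"{name(strong[0])} is in the keytab but {name(pref[0])} is preferred")
    return notes
```

Calling findings(summarize(SAMPLE)) on the excerpt yields three notes: DES was used for pre-authentication, the AES-256 keytab entry was skipped, and an AES-128 key was available while the client's preference list started with DES.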
