I have an environment with several instances (PROD, Dev, UAT, Sandbox, etc) of a Weblogic-based application that have been set up with Kerberos SSO. All servers are essentially identical. Keytab files have been created using the KTPASS command. One of the instances is generating an error during SSO login. The pertinent section of the log:
(Nov 19 2019 15:22:45:[[ACTIVE] ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)']: ERROR com.deltek.enterprise.DEServer.system.security.authentication ) CPLogger.java - GSS-API error occured during Kerberos token processing
GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)
(Nov 19 2019 15:22:45:[[ACTIVE] ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)']: ERROR Deltek.enterprise.DEServer.system.security.authentication) CPFilterPostKerberos.java - Invalid login information provided: Kerberos single sign-on authentication failed: Failed to retrieve User Principal Name from Kerberos token.
As far as error regarding: "Failed to retrieve UPN...", I've confirmed using SETSPN -L that the UPN does indeed exist.
Just to be clear, the instance of the application is a new instance and the keytab file was created at a different time than the other instances. However, the same command structure was used:
ktpass -princ HTTP/cname.domain.com@DOMAIN.COM -mapuser sso_sand1@DOMAIN.COM -pass XXXXXXXX -crypto ALL -ptype KRB5_NT_PRINCIPAL -out c:\keytabfile.keytab
Does anyone have any thoughts as to why SSO is not working on just this one instance?