0 Replies Latest reply: Jan 30, 2013 1:46 AM by User517828-OC

    OAM11gR2 WNA for multi-forest not working

    User517828-OC
      Hi all,

      I have a multi-forest topology environment and need to set up OAM WNA.
      I am using OAM11gR2, OVD 11.1.1.6, and AD 2003 that connects to OVD.

      I am following the document below:
      http://docs.oracle.com/cd/E27559_01/admin.1112/e27239/wna.htm#CHDJGJGJ

      My solution works fine for one domain (which is set as the default realm in krb5.conf), but Kerberos does not work for a user logged into the second realm.

      The configuration looks like:

      Krb5.conf
      [libdefaults]
      default_realm = LM.EXAMPLE.COM
      ticket_lifetime = 600
      clock_skew = 600

      [realms]
      LM.EXAMPLE.COM = { --
      kdc = kdc.lm.example.com
      admin_server = kdc.lm.example.com
      default_domain = lm.example.com
      }
      XY.EXAMPLE.COM = { --
      kdc = kdc.xy.example.com
      admin_server = kdc.xy.example.com
      default_domain = xy.example.com
      }

      [domain_realm]
      LM.EXAMPLE.COM = LM.EXAMPLE.COM
      .LM.EXAMPLE.COM = LM.EXAMPLE.COM
      XY.EXAMPLE.COM = XY.EXAMPLE.COM
      .XY.EXAMPLE.COM = XY.EXAMPLE.COM

      Keytab
      Created keytabs for both ADs with the DES-only option and then merged them using the ktutil utility.

      kinit works fine for users of both domains only when, in user@domain, the domain is given in uppercase.

      OAM configuration
      In the plugin, the Service Principal is given as the principal for lm.example.com.

      The error that is filed in the oam-diagnostic log:
      Login user with spengo token
      Authentication failed ...login exception

      There was an issue in OAM11gR1 -
      https://support.oracle.com/epmos/faces/ui/km/SearchDocDisplay.jspx?_afrLoop=607295560084358&type=DOCUMENT&id=1408606.1&displayIndex=5&_afrWindowMode=0&_adf.ctrl-state=x7fxlohqi_81

      However, in my case it's not working for different users also.

      Has anyone worked on and tested this scenario for OAM11gR2?
      Please suggest if there is some other configuration required.

      Regards,
      Deepika