0 Replies. Latest reply: Jan 29, 2013 11:46 PM by User517828-OC

OAM11gR2 WNA for multi-forest not working

User517828-OC Newbie
Hi all,

I have a multi-forest topology environment and need to set up OAM WNA.
I am using OAM11gR2, OVD 11.1.1.6, and AD 2003 that connects to OVD.

Following the document below:
http://docs.oracle.com/cd/E27559_01/admin.1112/e27239/wna.htm#CHDJGJGJ

My solution works fine for one domain (which is set as the default realm in krb5.conf), but Kerberos does not work for users logged into the second realm.

The configuration looks like:

krb5.conf
[libdefaults]
default_realm = LM.EXAMPLE.COM
ticket_lifetime = 600
clock_skew = 600

[realms]
LM.EXAMPLE.COM = {
kdc = kdc.lm.example.com
admin_server = kdc.lm.example.com
default_domain = lm.example.com
}
XY.EXAMPLE.COM = {
kdc = kdc.xy.example.com
admin_server = kdc.xy.example.com
default_domain = xy.example.com
}

[domain_realm]
LM.EXAMPLE.COM = LM.EXAMPLE.COM
.LM.EXAMPLE.COM = LM.EXAMPLE.COM
XY.EXAMPLE.COM = XY.EXAMPLE.COM
.XY.EXAMPLE.COM = XY.EXAMPLE.COM

Keytab
Created keytabs for both ADs with the DES-only option and then merged them using the ktutil utility.

kinit works fine for users of both domains, but only when, in user@domain, the domain is given in uppercase.

OAM configuration
In the plugin, the Service Principal is given as the principal for lm.example.com.

The error that is filed in the oam-diagnostic log:
Login user with spengo token
Authentication failed ...login exception

There was an issue in OAM11gR1:
https://support.oracle.com/epmos/faces/ui/km/SearchDocDisplay.jspx?_afrLoop=607295560084358&type=DOCUMENT&id=1408606.1&displayIndex=5&_afrWindowMode=0&_adf.ctrl-state=x7fxlohqi_81

However, in my case it is not working for different users either.

Has anyone worked on and tested this scenario for OAM11gR2?
Please suggest if there is some other configuration required.

Regards,
Deepika
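Added example, not part of the post or of Oracle's documentation: a small Python checker for a multi-realm krb5.conf like the one above. It parses a constructed copy of the post's config (with the stray "--" after each "{" removed), resolves host names and user@domain logins to their realm through [domain_realm] the way a Kerberos client does, and reports realms that no domain maps to or that are referenced but never defined. The parser only handles the syntax the post uses, and the case-insensitive matching in realm_for_host is an assumption made for illustration.

```python
"""Cross-realm consistency checks for a krb5.conf (added example)."""

# Constructed copy of the krb5.conf quoted in the post.
KRB5_CONF = """
[libdefaults]
default_realm = LM.EXAMPLE.COM
ticket_lifetime = 600
clock_skew = 600
[realms]
LM.EXAMPLE.COM = {
kdc = kdc.lm.example.com
admin_server = kdc.lm.example.com
default_domain = lm.example.com
}
XY.EXAMPLE.COM = {
kdc = kdc.xy.example.com
admin_server = kdc.xy.example.com
default_domain = xy.example.com
}
[domain_realm]
LM.EXAMPLE.COM = LM.EXAMPLE.COM
.LM.EXAMPLE.COM = LM.EXAMPLE.COM
XY.EXAMPLE.COM = XY.EXAMPLE.COM
.XY.EXAMPLE.COM = XY.EXAMPLE.COM
"""


def parse_krb5_conf(text):
    """Parse key = value lines and one level of { } blocks into nested dicts."""
    sections, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            sections.setdefault(section, {})
            realm = None
            continue
        if section is None:
            continue
        if line.endswith("{"):                   # start of a realm block
            realm = line[:-1].split("=", 1)[0].strip()
            sections[section][realm] = {}
        elif line == "}":                        # end of a realm block
            realm = None
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            target = sections[section][realm] if realm else sections[section]
            target[key] = value
    return sections


def realm_for_host(conf, hostname):
    """Map a host to a realm: exact entry, then parent domains with a leading
    dot, then default_realm.  Assumption: case-insensitive match; real
    libraries fold the host name to lowercase before the lookup, so lowercase
    DNS names are the safe convention for [domain_realm] keys."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    host = hostname.lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return conf["libdefaults"]["default_realm"]


def canonical_principal(conf, user_at_domain):
    """Rewrite user@dns.domain as user@REALM.  Realm names are case-sensitive,
    so the realm part must match what the KDC expects exactly."""
    user, _, domain = user_at_domain.partition("@")
    return f"{user}@{realm_for_host(conf, domain)}"


def check_conf(conf):
    """Return a list of findings about realm/domain consistency."""
    findings = []
    realms = conf.get("realms", {})
    domain_realm = conf.get("domain_realm", {})
    mapped = set(domain_realm.values())
    for name, props in realms.items():
        if name != name.upper():
            findings.append(f"realm {name} is not uppercase")
        if "kdc" not in props:
            findings.append(f"realm {name} has no kdc")
        if name not in mapped:
            findings.append(f"realm {name} is unreachable via [domain_realm]")
    for domain, realm in domain_realm.items():
        if realm not in realms:
            findings.append(f"[domain_realm] maps {domain} to undefined realm {realm}")
    if conf["libdefaults"].get("default_realm") not in realms:
        findings.append("default_realm is not defined under [realms]")
    return findings


if __name__ == "__main__":
    conf = parse_krb5_conf(KRB5_CONF)
    for login in ("alice@lm.example.com", "bob@xy.example.com"):
        print(login, "->", canonical_principal(conf, login))
    print("findings:", check_conf(conf) or "none")
```

Running it against the post's config reports no findings, which narrows the problem to the keytab and the service principal side rather than the realm mapping; the same checker flags a realm that is defined but reachable from no domain, or a [domain_realm] entry pointing at a realm with no KDC, both of which produce the same "authentication failed" symptom for users of the second forest.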
