5 Replies Latest reply: Apr 23, 2013 2:28 AM by Srinath Menon-Oracle

    Configuring Oracle WCC and Single Sign-On for WNA failed

    Mukesh
      Hi all,

      I have configured the Kerberos setup for WCC 11g and Windows 2008 R2.

      But when I click on login from the WCC home page it goes to the login page instead of authenticating to the WCC server.

      Here is the Kerberos debug log from the WCC server.

      Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is fanpra06.keytab refreshKrb5Config is false principal is HTTP/fanpra06.fanr.local@FANR.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
      KeyTab instance already exists
      Added key: 17version: 3
      Found unsupported keytype (18) for HTTP/fanpra06.fanr.local@FANR.LOCAL
      Added key: 23version: 3
      Added key: 3version: 3
      Added key: 1version: 3
      Ordering keys wrt default_tkt_enctypes list
      default etypes for default_tkt_enctypes: 23.
      0: EncryptionKey: keyType=23 kvno=3 keyValue (hex dump)=
      0000: A3 B4 7F 08 B1 74 0B 8B F8 EF 31 88 9E 91 0C 0A .....t....1.....


      principal's key obtained from the keytab
      Acquire TGT using AS Exchange
      default etypes for default_tkt_enctypes: 23.
      KrbAsReq calling createMessage
      KrbAsReq in createMessage
      KrbKdcReq send: kdc=172.22.35.11 UDP:88, timeout=30000, number of retries =3, #bytes=152
      KDCCommunication: kdc=172.22.35.11 UDP:88, timeout=30000,Attempt =1, #bytes=152
      KrbKdcReq send: #bytes read=177
      KrbKdcReq send: #bytes read=177
      KdcAccessibility: remove 172.22.35.11
      KDCRep: init() encoding tag is 126 req type is 11
      KRBError:
      sTime is Thu Apr 04 18:25:48 GST 2013 1365085548000
      suSec is 918016
      error code is 25
      error Message is Additional pre-authentication required
      realm is FANR.LOCAL
      sname is krbtgt/FANR.LOCAL
      eData provided.
      msgType is 30
      Pre-Authentication Data:
      PA-DATA type = 11
      PA-ETYPE-INFO etype = 23
      PA-ETYPE-INFO salt =
      Pre-Authentication Data:
      PA-DATA type = 19
      PA-ETYPE-INFO2 etype = 23
      PA-ETYPE-INFO2 salt = null
      Pre-Authentication Data:
      PA-DATA type = 2
      PA-ENC-TIMESTAMP
      Pre-Authentication Data:
      PA-DATA type = 16
      Pre-Authentication Data:
      PA-DATA type = 15
      AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
      KrbAsReq salt is FANR.LOCALHTTPfanpra06.fanr.local
      default etypes for default_tkt_enctypes: 23.
      Pre-Authenticaton: find key for etype = 23
      AS-REQ: Add PA_ENC_TIMESTAMP now
      EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
      KrbAsReq calling createMessage
      KrbAsReq in createMessage
      KrbKdcReq send: kdc=172.22.35.11 UDP:88, timeout=30000, number of retries =3, #bytes=235
      KDCCommunication: kdc=172.22.35.11 UDP:88, timeout=30000,Attempt =1, #bytes=235
      KrbKdcReq send: #bytes read=1430
      KrbKdcReq send: #bytes read=1430
      KdcAccessibility: remove 172.22.35.11
      EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
      KrbAsRep cons in KrbAsReq.getReply HTTP/fanpra06.fanr.local
      principal is HTTP/fanpra06.fanr.local@FANR.LOCAL
      EncryptionKey: keyType=23 keyBytes (hex dump)=0000: A3 B4 7F 08 B1 74 0B 8B F8 EF 31 88 9E 91 0C 0A .....t....1.....

      EncryptionKey: keyType=17 keyBytes (hex dump)=0000: B5 AF DD 17 55 2E 3B 70 C0 02 16 0A 2C 9C 00 44 ....U.;p....,..D

      EncryptionKey: keyType=3 keyBytes (hex dump)=0000: C2 D6 3E AE BA 0D FD 9D
      EncryptionKey: keyType=1 keyBytes (hex dump)=0000: C2 D6 3E AE BA 0D FD 9D
      Added server's keyKerberos Principal HTTP/fanpra06.fanr.local@FANR.LOCALKey Version 3key EncryptionKey: keyType=23 keyBytes (hex dump)=
      0000: A3 B4 7F 08 B1 74 0B 8B F8 EF 31 88 9E 91 0C 0A .....t....1.....


      [Krb5LoginModule] added Krb5Principal HTTP/fanpra06.fanr.local@FANR.LOCAL to Subject
      Added server's keyKerberos Principal HTTP/fanpra06.fanr.local@FANR.LOCALKey Version 3key EncryptionKey: keyType=17 keyBytes (hex dump)=
      0000: B5 AF DD 17 55 2E 3B 70 C0 02 16 0A 2C 9C 00 44 ....U.;p....,..D


      [Krb5LoginModule] added Krb5Principal HTTP/fanpra06.fanr.local@FANR.LOCAL to Subject
      Added server's keyKerberos Principal HTTP/fanpra06.fanr.local@FANR.LOCALKey Version 3key EncryptionKey: keyType=3 keyBytes (hex dump)=
      0000: C2 D6 3E AE BA 0D FD 9D

      [Krb5LoginModule] added Krb5Principal HTTP/fanpra06.fanr.local@FANR.LOCAL to Subject
      Added server's keyKerberos Principal HTTP/fanpra06.fanr.local@FANR.LOCALKey Version 3key EncryptionKey: keyType=1 keyBytes (hex dump)=
      0000: C2 D6 3E AE BA 0D FD 9D

      [Krb5LoginModule] added Krb5Principal HTTP/fanpra06.fanr.local@FANR.LOCAL to Subject
      Commit Succeeded

      Found key for HTTP/fanpra06.fanr.local@FANR.LOCAL(23)
      Found key for HTTP/fanpra06.fanr.local@FANR.LOCAL(1)
      Found key for HTTP/fanpra06.fanr.local@FANR.LOCAL(3)
      Found key for HTTP/fanpra06.fanr.local@FANR.LOCAL(17)
      Entered Krb5Context.acceptSecContext with state=STATE_NEW



      Am I missing any other steps in the configuration?
      Any pointers would be much appreciated.

      Regards,
      -Mukesh
        • 1. Re: Configuring Oracle WCC and Single Sign-On for WNA failed
          Srinath Menon-Oracle
          Hi Mukesh,

          Maybe the DES encryption could be the cause here.

          Details on this aspect are provided in the Microsoft article: http://support.microsoft.com/kb/977321

          Enabling DES encryption on Windows Server 2008 R2:

          You should follow the instructions in this section on the Domain Controller:

          “Enable the following Group Policies to apply the DES encryption type to all computers that are running Windows 7 or Windows Server 2008 R2:
          1. In the Group Policy Management Console (GPMC), locate the following location:
          Computer Configuration\ Windows Settings\ Security Settings\ Local Policies\ Security Options
          It is also possible to start the Security Policy configuration program by executing “secpol.msc”.
          2. Click to select the Network security: Configure encryption types allowed for Kerberos option.
          3. Click to select Define these policy settings and all the six check boxes for the encryption types.
          4. Click OK. Close the GPMC.”

          Hope this helps.

          Thanks,
          Srinath
          • 2. Re: Configuring Oracle WCC and Single Sign-On for WNA failed
            Mukesh
            Thanks Srinath.

            I have asked the AD team to follow these steps.
            They are analyzing the impact of these changes in AD.

            Regards,
            -Mukesh
            • 3. Re: Configuring Oracle WCC and Single Sign-On for WNA failed
              Mukesh
              Hi Srinath,

              We have made the changes in the note.
              It doesn't solve the issue. It is still redirecting to the login page.
              And here is the Kerberos log.

              Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is fanpra06.keytab refreshKrb5Config is false principal is HTTP/fanrpra06_wcc@FANR.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
              KeyTabInputStream, readName(): FANR.LOCAL
              KeyTabInputStream, readName(): HTTP
              KeyTabInputStream, readName(): fanrpra06_wcc
              KeyTab: load() entry length: 56; type: 1
              KeyTabInputStream, readName(): FANR.LOCAL
              KeyTabInputStream, readName(): HTTP
              KeyTabInputStream, readName(): fanrpra06_wcc
              KeyTab: load() entry length: 56; type: 3
              KeyTabInputStream, readName(): FANR.LOCAL
              KeyTabInputStream, readName(): HTTP
              KeyTabInputStream, readName(): fanrpra06_wcc
              KeyTab: load() entry length: 64; type: 23
              KeyTabInputStream, readName(): FANR.LOCAL
              KeyTabInputStream, readName(): HTTP
              KeyTabInputStream, readName(): fanrpra06_wcc
              KeyTab: load() entry length: 80; type: 18
              KeyTabInputStream, readName(): FANR.LOCAL
              KeyTabInputStream, readName(): HTTP
              KeyTabInputStream, readName(): fanrpra06_wcc
              KeyTab: load() entry length: 64; type: 17
              Added key: 17version: 0
              Found unsupported keytype (18) for HTTP/fanrpra06_wcc@FANR.LOCAL
              Added key: 23version: 0
              Added key: 3version: 0
              Added key: 1version: 0
              Ordering keys wrt default_tkt_enctypes list
              Config name: /etc/krb5.conf
              Using builtin default etypes for default_tkt_enctypes
              default etypes for default_tkt_enctypes: 3 1 23 16 17.
              principal's key obtained from the keytab
              Acquire TGT using AS Exchange
              Using builtin default etypes for default_tkt_enctypes
              default etypes for default_tkt_enctypes: 3 1 23 16 17.
              KrbAsReq calling createMessage
              KrbAsReq in createMessage
              KrbKdcReq send: kdc=172.22.35.11 TCP:88, timeout=30000, number of retries =3, #bytes=155
              DEBUG: TCPClient reading 273 bytes
              KrbKdcReq send: #bytes read=273
              KrbKdcReq send: #bytes read=273
              KdcAccessibility: remove 172.22.35.11
              KDCRep: init() encoding tag is 126 req type is 11
              KRBError:
              sTime is Tue Apr 16 11:06:00 GST 2013 1366095960000
              suSec is 167836
              error code is 25
              error Message is Additional pre-authentication required
              realm is FANR.LOCAL
              sname is krbtgt/FANR.LOCAL
              eData provided.
              msgType is 30
              Pre-Authentication Data:
              PA-DATA type = 19
              PA-ETYPE-INFO2 etype = 17
              PA-ETYPE-INFO2 salt = FANR.LOCALHTTPfanrpra06_wcc
              salt for 23 is null
              salt for 3 is FANR.LOCALHTTPfanrpra06_wcc
              salt for 1 is FANR.LOCALHTTPfanrpra06_wcc
              Pre-Authentication Data:
              PA-DATA type = 2
              PA-ENC-TIMESTAMP
              Pre-Authentication Data:
              PA-DATA type = 16
              Pre-Authentication Data:
              PA-DATA type = 15
              AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
              Updated salt from pre-auth = FANR.LOCALHTTPfanrpra06_wcc
              KrbAsReq salt is FANR.LOCALHTTPfanrpra06_wcc
              Using builtin default etypes for default_tkt_enctypes
              default etypes for default_tkt_enctypes: 3 1 23 16 17.
              Pre-Authenticaton: find key for etype = 1
              AS-REQ: Add PA_ENC_TIMESTAMP now
              EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
              crc32: 357551c4
              crc32: 110101011101010101000111000100
              KrbAsReq calling createMessage
              KrbAsReq in createMessage
              KrbKdcReq send: kdc=172.22.35.11 TCP:88, timeout=30000, number of retries =3, #bytes=234
              DEBUG: TCPClient reading 1423 bytes
              KrbKdcReq send: #bytes read=1423
              KrbKdcReq send: #bytes read=1423
              KdcAccessibility: remove 172.22.35.11
              EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
              crc32: b74d519a
              crc32: 10110111010011010101000110011010
              KrbAsRep cons in KrbAsReq.getReply HTTP/fanrpra06_wcc
              principal is HTTP/fanrpra06_wcc@FANR.LOCAL
              EncryptionKey: keyType=17 keyBytes (hex dump)=0000: 00 0E EF F6 F1 CC 08 5E B3 8C 9A 43 6F 3F 1D 4F .......^...Co?.O

              EncryptionKey: keyType=23 keyBytes (hex dump)=0000: A3 B4 7F 08 B1 74 0B 8B F8 EF 31 88 9E 91 0C 0A .....t....1.....

              EncryptionKey: keyType=3 keyBytes (hex dump)=0000: 68 C7 D3 26 86 5B 54 E9
              EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 68 C7 D3 26 86 5B 54 E9
              Added server's keyKerberos Principal HTTP/fanrpra06_wcc@FANR.LOCALKey Version 0key EncryptionKey: keyType=17 keyBytes (hex dump)=
              0000: 00 0E EF F6 F1 CC 08 5E B3 8C 9A 43 6F 3F 1D 4F .......^...Co?.O


              [Krb5LoginModule] added Krb5Principal HTTP/fanrpra06_wcc@FANR.LOCAL to Subject
              Added server's keyKerberos Principal HTTP/fanrpra06_wcc@FANR.LOCALKey Version 0key EncryptionKey: keyType=23 keyBytes (hex dump)=
              0000: A3 B4 7F 08 B1 74 0B 8B F8 EF 31 88 9E 91 0C 0A .....t....1.....


              [Krb5LoginModule] added Krb5Principal HTTP/fanrpra06_wcc@FANR.LOCAL to Subject
              Added server's keyKerberos Principal HTTP/fanrpra06_wcc@FANR.LOCALKey Version 0key EncryptionKey: keyType=3 keyBytes (hex dump)=
              0000: 68 C7 D3 26 86 5B 54 E9

              [Krb5LoginModule] added Krb5Principal HTTP/fanrpra06_wcc@FANR.LOCAL to Subject
              Added server's keyKerberos Principal HTTP/fanrpra06_wcc@FANR.LOCALKey Version 0key EncryptionKey: keyType=1 keyBytes (hex dump)=
              0000: 68 C7 D3 26 86 5B 54 E9

              [Krb5LoginModule] added Krb5Principal HTTP/fanrpra06_wcc@FANR.LOCAL to Subject
              Commit Succeeded

              Found key for HTTP/fanrpra06_wcc@FANR.LOCAL(23)
              Found key for HTTP/fanrpra06_wcc@FANR.LOCAL(3)
              Found key for HTTP/fanrpra06_wcc@FANR.LOCAL(1)
              Found key for HTTP/fanrpra06_wcc@FANR.LOCAL(17)
              Entered Krb5Context.acceptSecContext with state=STATE_NEW


              Regards,
              -Mukesh
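The debug output above is the JDK's Krb5LoginModule walking the keytab entry by entry ("KeyTab: load() entry length: 56; type: 1", "Found unsupported keytype (18)", "default etypes for default_tkt_enctypes: 3 1 23 16 17"). The following added example, which is not code from this thread or from Oracle, does the same walk in Python: it parses a version-2 keytab, reports each entry's principal, enctype and key version, splits the entries into those the JVM can use and those it cannot (using the enctype list the poster's JVM printed), flags single-DES entries, and checks that the HTTP/ principal names the server's fully qualified host name. The keytab it reads is constructed inline with all-zero dummy key bytes; only the realm, principal and enctype set are taken from the second log, and the entry lengths the parser reports (56, 56, 64, 80, 64) are the ones that log shows.

```python
"""Inspect a Kerberos keytab the way the JDK's Krb5LoginModule debug output
reads it: list each entry's principal, enctype and key version, then report
which entries the JVM can actually use and which of those are single DES.

Added example for this thread; the keytab below is constructed with dummy
all-zero key bytes and is NOT the poster's fanpra06.keytab."""
import struct

ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
SINGLE_DES = {1, 3}


def _counted(blob, pos):
    """Read a keytab counted_octet_string: uint16 length followed by bytes."""
    (n,) = struct.unpack_from(">H", blob, pos)
    pos += 2
    return blob[pos:pos + n], pos + n


def build_keytab(realm, components, keys, kvno=0):
    """Serialize a version-2 (0x0502) keytab with one entry per (enctype, key)."""
    out = b"\x05\x02"
    for enctype, key in keys:
        entry = struct.pack(">H", len(components))
        entry += struct.pack(">H", len(realm)) + realm.encode()
        for comp in components:
            entry += struct.pack(">H", len(comp)) + comp.encode()
        # name_type (1 = KRB5_NT_PRINCIPAL), timestamp, 8-bit key version
        entry += struct.pack(">IIB", 1, 0, kvno & 0xFF)
        entry += struct.pack(">HH", enctype, len(key)) + key
        out += struct.pack(">i", len(entry)) + entry
    return out


def parse_keytab(blob):
    """Return a list of dicts, one per keytab entry, in file order."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("only version 2 keytabs are handled here")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                      # a negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        realm, pos = _counted(blob, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(blob, pos)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        enctype, keylen = struct.unpack_from(">HH", blob, pos)
        pos += 4 + keylen                 # skip over the key bytes themselves
        kvno = vno8
        if end - pos >= 4:                # optional 32-bit kvno overrides the 8-bit one
            (kvno32,) = struct.unpack_from(">I", blob, pos)
            kvno = kvno32 or vno8
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "enctype": enctype,
            "kvno": kvno,
            "entry_length": size,         # the number the JDK logs as "entry length"
        })
    return entries


def assess(entries, jvm_enctypes):
    """Split entries into usable / unsupported for a JVM whose
    default_tkt_enctypes are jvm_enctypes, and list the single-DES ones."""
    usable = [e["enctype"] for e in entries if e["enctype"] in jvm_enctypes]
    unsupported = [e["enctype"] for e in entries if e["enctype"] not in jvm_enctypes]
    weak = [t for t in usable if t in SINGLE_DES]
    return {"usable": usable, "unsupported": unsupported, "weak": weak}


def http_principal_matches_fqdn(entries, fqdn):
    """True if every HTTP/ entry names exactly the server's FQDN (case-insensitive)."""
    hosts = {e["principal"].split("@")[0].split("/", 1)[1].lower()
             for e in entries if e["principal"].startswith("HTTP/")}
    return bool(hosts) and hosts == {fqdn.lower()}


# Constructed sample: same realm, principal and enctype set as the second debug
# log in this thread, with dummy all-zero key bytes of the right length.
SAMPLE_KEYTAB = build_keytab("FANR.LOCAL", ["HTTP", "fanrpra06_wcc"], [
    (1, bytes(8)), (3, bytes(8)), (23, bytes(16)), (18, bytes(32)), (17, bytes(16)),
])
# The enctypes the poster's JVM printed under "default etypes for default_tkt_enctypes"
JVM_ENCTYPES = {3, 1, 23, 16, 17}

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        name = ENCTYPE_NAMES.get(e["enctype"], "?")
        print(f'{e["principal"]} etype={e["enctype"]} ({name}) '
              f'kvno={e["kvno"]} entry_length={e["entry_length"]}')
    print(assess(parse_keytab(SAMPLE_KEYTAB), JVM_ENCTYPES))
    print("HTTP principal is the FQDN:",
          http_principal_matches_fqdn(parse_keytab(SAMPLE_KEYTAB), "fanpra06.fanr.local"))
```

Run against a real keytab by passing `open(path, "rb").read()` to `parse_keytab`; compare the `usable` list with the enctypes the KDC offers in `PA-ETYPE-INFO2` and keep `weak` empty once the AES entries are usable on the JVM side.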
              • 4. Re: Configuring Oracle WCC and Single Sign-On for WNA failed
                Mukesh
                Hi Srinath,

                Yes. This one helps to resolve the issue.
                And also the principal name should be the same as the fully qualified host name of the WCC server.
                I was following different Metalink notes and I got confused on that point.

                Regards,
                -Mukesh
                • 5. Re: Configuring Oracle WCC and Single Sign-On for WNA failed
                  Srinath Menon-Oracle
                  Hi Mukesh,

                  Great to see that the issue is resolved.

                  Thanks,
                  Srinath