0 Replies Latest reply on Sep 14, 2016 6:29 PM by Lukasz W

    SSO on ORDS, APEX

    Lukasz W

      Hi

      I've used a famous guide

      Windows Integrated Authentication - HOWTO

       

      I followed all the steps. When I ran kinit and klist I got success messages.

       

      However, when trying to run APEX I hit a 401 error.

       

      The logs look like this, with nothing more about the failure. Anyone got some ideas?

       

      >>> KeyTabInputStream, readName(): company.com

      >>> KeyTabInputStream, readName(): HTTP

      >>> KeyTabInputStream, readName(): apex-dev

      >>> KeyTab: load() entry length: 58; type: 23

      Looking for keys for: HTTP/apex-dev@company.com

      Java config name: /apps/tomcat/apache-tomcat-7.0.70/krb5.conf

      Loaded from Java config

      Added key: 23version: 9

      >>> KdcAccessibility: reset

      Looking for keys for: HTTP/apex-dev@company.com

      Added key: 23version: 9

      default etypes for default_tkt_enctypes: 17 23 16.

      >>> KrbAsReq creating message

      >>> KrbKdcReq send: kdc=AUTH.company.com UDP:88, timeout=30000, number of retries =3, #bytes=137

      >>> KDCCommunication: kdc=AUTH.company.com UDP:88, timeout=30000,Attempt =1, #bytes=137

      >>> KrbKdcReq send: #bytes read=175

      >>>Pre-Authentication Data:

           PA-DATA type = 11

           PA-ETYPE-INFO etype = 23, salt =

       

      >>>Pre-Authentication Data:

           PA-DATA type = 19

           PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

       

      >>>Pre-Authentication Data:

           PA-DATA type = 2

           PA-ENC-TIMESTAMP

      >>>Pre-Authentication Data:

           PA-DATA type = 16

       

      >>>Pre-Authentication Data:

           PA-DATA type = 15

       

      >>> KdcAccessibility: remove AUTH.company.com

      >>> KDCRep: init() encoding tag is 126 req type is 11

      >>>KRBError:

           sTime is Wed Sep 14 19:22:18 BST 2016 1473877338000

           suSec is 512389

           error code is 25

           error Message is Additional pre-authentication required

           sname is krbtgt/company.com@company.com

           eData provided.

           msgType is 30

      >>>Pre-Authentication Data:

           PA-DATA type = 11

           PA-ETYPE-INFO etype = 23, salt =

       

      >>>Pre-Authentication Data:

           PA-DATA type = 19

           PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

       

      >>>Pre-Authentication Data:

           PA-DATA type = 2

           PA-ENC-TIMESTAMP

      >>>Pre-Authentication Data:

           PA-DATA type = 16

       

      >>>Pre-Authentication Data:

           PA-DATA type = 15

       

      KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ

      default etypes for default_tkt_enctypes: 17 23 16.

      Looking for keys for: HTTP/apex-dev@company.com

      Added key: 23version: 9

      Looking for keys for: HTTP/apex-dev@company.com

      Added key: 23version: 9

      default etypes for default_tkt_enctypes: 17 23 16.

      >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType

      >>> KrbAsReq creating message

      >>> KrbKdcReq send: kdc=AUTH.company.com UDP:88, timeout=30000, number of retries =3, #bytes=219

      >>> KDCCommunication: kdc=AUTH.company.com UDP:88, timeout=30000,Attempt =1, #bytes=219

      >>> KrbKdcReq send: #bytes read=90

      >>> KrbKdcReq send: kdc=AUTH.company.com TCP:88, timeout=30000, number of retries =3, #bytes=219

      >>> KDCCommunication: kdc=AUTH.company.com TCP:88, timeout=30000,Attempt =1, #bytes=219

      >>>DEBUG: TCPClient reading 1598 bytes

      >>> KrbKdcReq send: #bytes read=1598

      >>> KdcAccessibility: remove AUTH.company.com

      Looking for keys for: HTTP/apex-dev@company.com

      Added key: 23version: 9

      >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType

      >>> KrbAsRep cons in KrbAsReq.getReply HTTP/apex-dev

      Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)

      Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)

      Found KeyTab /apps/tomcat/apache-tomcat-7.0.70/conf/tomcat.keytab for HTTP/apex-dev@company.com

      Found KeyTab /apps/tomcat/apache-tomcat-7.0.70/conf/tomcat.keytab for HTTP/apex-dev@company.com

      Found ticket for HTTP/apex-dev@company.com to go to krbtgt/company.com@company.com expiring on Thu Sep 15 05:22:18 BST 2016
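
A small triage script for a JDK Kerberos debug trace like the one posted above (an added example, not part of the original post or of the guide it mentions). It assumes the line formats seen in this trace; the `triage` function, the `ETYPES` table and the condensed `SAMPLE` are constructed for illustration.

```python
import re

# Kerberos enctype numbers (IANA) that appear in JDK traces of this kind.
ETYPES = {16: "des3-cbc-sha1-kd", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

# Constructed sample: lines condensed from the trace in the post above.
SAMPLE = """\
>>> KeyTab: load() entry length: 58; type: 23
default etypes for default_tkt_enctypes: 17 23 16.
>>> KrbKdcReq send: kdc=AUTH.company.com UDP:88, timeout=30000, number of retries =3, #bytes=137
     error code is 25
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>>> KrbKdcReq send: kdc=AUTH.company.com UDP:88, timeout=30000, number of retries =3, #bytes=219
>>> KrbKdcReq send: kdc=AUTH.company.com TCP:88, timeout=30000, number of retries =3, #bytes=219
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/apex-dev
Found ticket for HTTP/apex-dev@company.com to go to krbtgt/company.com@company.com expiring on Thu Sep 15 05:22:18 BST 2016
"""

def triage(trace):
    """Summarise the AS exchange in a sun.security.krb5 debug trace."""
    keytab = {int(n) for n in
              re.findall(r"KeyTab: load\(\) entry length: \d+; type: (\d+)", trace)}
    m = re.search(r"default etypes for default_tkt_enctypes: ([\d ]+)\.", trace)
    offered = [int(n) for n in m.group(1).split()] if m else []
    errors = [int(n) for n in re.findall(r"error code is (\d+)", trace)]
    sends = re.findall(r"KrbKdcReq send: kdc=\S+ (UDP|TCP):\d+", trace)
    tgt = re.search(r"Found ticket for (\S+) to go to (krbtgt/\S+)", trace)
    usable = [e for e in offered if e in keytab]  # etypes the keytab can serve
    return {
        # Error 25 (KDC_ERR_PREAUTH_REQUIRED) followed by a re-sent AS-REQ is
        # the normal pre-authentication round trip, not a failure.
        "preauth_round_trip": 25 in errors and "re-send AS-REQ" in trace,
        "other_errors": [e for e in errors if e != 25],
        # The same request repeated over TCP after a UDP attempt.
        "tcp_fallback": "UDP" in sends and "TCP" in sends[sends.index("UDP"):],
        "service_tgt": tgt.group(1) if tgt else None,
        "usable_etypes": [ETYPES.get(e, str(e)) for e in usable],
        # RC4-HMAC as the only usable key is worth flagging for re-keying to AES.
        "rc4_only": usable == [23],
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On the condensed sample this reports a completed AS exchange for the service principal with no error other than code 25, so this part of the trace does not by itself show where the 401 comes from. It also flags that the keytab holds only an etype 23 key.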