7 Replies Latest reply on Dec 20, 2007 8:35 AM by 614382

    SSO + wna falls into KDC_ERR_S_PRINCIPAL_UNKNOWN

    436586
      Hi,
      I configured SSO + WNA (OAS 10.1.2.0.2 (OID, SSO) on RHEL3 U4, Active Directory, IE5 on Win2k). Everything looks fine (Kerberos configured properly, as well as SSO and AD-OID sync). But when I try to log in through SSO, IE shows the SSO login form; the Kerberos ticket is not used.
      The KDC error KDC_ERR_S_PRINCIPAL_UNKNOWN appears in the event viewer and IE tries NTLMSSP authentication. Any suggestion as to what's going wrong?

      Thx.
      William

      Event log:
      A Kerberos Error Message was received:
      on logon session InitializeSecurityContext
      Client Time:
      Server Time:
      Error Code: 12:39:28.0000 3/7/2007 (null) 0x7
      Extended Error: KDC_ERR_S_PRINCIPAL_UNKNOWN
      Client Realm:
      Client Name:
      Server Realm: REALM
      Server Name: krbtgt/REALM
      Target Name: ssoHost.domain$@REALM
      Error Text:
      File:
      Line:
      Error Data is in record data.
        • 1. Re: SSO + wna falls into KDC_ERR_S_PRINCIPAL_UNKNOWN
          306937
          Which version of OC4J are you using? How do you know that Kerberos is configured properly? I assume you ran kinit?

          /usr/kerberos/bin/kinit -k -t $ORACLE_HOME/j2ee/home/config/myfile.keytab HTTP/myhost.mydomain.com

          I would also modify the debug level on your OC4J so you can see if the kerberos ticket is being handled properly. This is set in the file :

          $ORACLE_HOME/j2ee/home/config/j2ee-logging.xml

          Change NOTIFICATION:1 to TRACE:32

          Then look at your log.xml file which will be located in your:

          $ORACLE_HOME/j2ee/home/log/home_default_group_1/oc4j

          This assumes your application is deployed to your home OC4J instance. Also, make sure to change TRACE:32 to NOTIFICATION:1 after you are finished. It really makes the logs grow fast.
          • 2. Re: SSO + wna falls into KDC_ERR_S_PRINCIPAL_UNKNOWN
            436586
            Thanks much for your reply,
            I'm using OAS/OC4J v 10.1.2.0.2 (oc4j build number 050812.1879)
            You are right, I executed kinit successfully. My conclusion "Kerberos ticket is not used" is based on 362313.1: "...The above value starts "NTLMSSP..." which means that the browser is returning the user NTLM authentication. A Kerberos ticket is a lot larger...." as well as on the Windows Kerberos error event mentioned above.
            I try to log in to oiddas through SSO. I set up logging (-Dsun.security.krb5.debug=true, -Djazn.debug.log.enable=true, ...). Turning on TRACE in j2ee-logging doesn't bring me more info (or I'm not sure what to look for).
            It looks more like a Win2k/AD/IE issue than RHEL/OAS.

            There is one thing I'm not sure about. Win2k+AD+IE and RHEL+OAS are accessible on domain "domain", but Win2k+AD+IE also has its own domain called "TEST" (because I cannot use the right production AD domain); the IE user is logged in to the TEST domain:

            D:\>ipconfig /all

            Windows 2000 IP Configuration

            Host Name . . . . . . . . . . . . : AD
            Primary DNS Suffix . . . . . . . : TEST
            Node Type . . . . . . . . . . . . : Hybrid
            IP Routing Enabled. . . . . . . . : No
            WINS Proxy Enabled. . . . . . . . : No
            DNS Suffix Search List. . . . . . : TEST

            But SSO without WNA (directly entered login/password TEST$user) works fine.

            Any help will be appreciated.

            William

            Some additional OAS logs:
            ---------------
            07/03/08 12:41:14 DAS servlet init exit
            07/03/08 12:41:15 Initiating the Kerberos authenticator.
            07/03/08 12:41:15 Kerberos service name: HTTP@host.domain
            07/03/08 12:41:15 Fallback support: true
            07/03/08 12:41:15 Windows domain separator char: $
            07/03/08 12:41:15 JAZN Config object: [JAZNConfig file:/oracle/asdb/j2ee/OC4J_SECURITY/application-deployments/sso/]
            07/03/08 12:41:15 Getting creds for HTTP/host.domain@TEST...
            07/03/08 12:41:15 JAAS: LoginConfigProvider: JAZNConfig=[JAZNConfig file:/oracle/asdb/j2ee/OC4J_SECURITY/config/jazn.xml]
            07/03/08 12:41:15 JAAS: LoginConfigProvider=oracle.security.jazn.spi.xml.XMLLoginModuleManager@2c17f7
            07/03/08 12:41:15 Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null KeyTab is /oracle/asdb/j2ee/OC4J_SECURITY/config/ws19163.keytab refreshKrb5Config is false principal is HTTP/host.domain tryFirstPass is false useFirstPass is false storePass is false clearPass is false
            KeyTab: load() entry length: 54
            07/03/08 12:41:15 >>> KeyTabInputStream, readName(): TEST
            07/03/08 12:41:15 >>> KeyTabInputStream, readName(): HTTP
            07/03/08 12:41:15 >>> KeyTabInputStream, readName(): host.domain
            07/03/08 12:41:15 principal's key obtained from the keytab
            07/03/08 12:41:15 principal is HTTP/host.domain@TEST
            07/03/08 12:41:15 >>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
            07/03/08 12:41:15 >>>crc32: 92da59ea
            07/03/08 12:41:15 >>>crc32: 10010010110110100101100111101010
            07/03/08 12:41:15 >>> KrbAsReq calling createMessage
            07/03/08 12:41:15 >>> KrbAsReq in createMessage
            07/03/08 12:41:15 >>> KrbAsReq etypes are: 3 1
            KrbKdcReq send: kdc=ad.domain UDP:88, timeout=30000, number of retries =3, #bytes=219
            07/03/08 12:41:15 >>> KDCCommunication: kdc=ad.domain UDP:88, timeout=30000,Attempt =1, #bytes=219
            07/03/08 12:41:16 >>> KrbKdcReq send: #bytes read=1273
            07/03/08 12:41:16 >>> KrbKdcReq send: #bytes read=1273
            07/03/08 12:41:16 >>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
            07/03/08 12:41:16 >>> KrbAsRep cons in KrbAsReq.getReply HTTP/host.domain
            07/03/08 12:41:16 Added server's keyKerberos Principal HTTP/host.domain@TESTKey Version 1key EncryptionKey: keyType=1 keyBytes (hex dump)
            =
            0000: DF CD FB E6 54 64 F2 FD

            07/03/08 12:41:16 [Krb5LoginModule] added Krb5Principal HTTP/host.domain@TEST to Subject
            07/03/08 12:41:16 Commit Succeeded

            07/03/08 12:41:16 Found key for HTTP/host.domain@TEST
            07/03/08 12:41:16 Getting creds for HTTP/host.domain@TEST done
            07/03/08 12:41:16 SSOLoginServlet.init: Starting up SSO server ...
            07/03/08 12:41:16 Initilize NLS utility...
            07/03/08 12:41:16 Reading SSO server policy....
            07/03/08 12:41:16 SSO: Entered FilePolicyManager constructor ...
            07/03/08 12:41:16 SSO: FilePolicyManager: done loading the /oracle/asdb/sso/conf/policy.properties file
            07/03/08 12:41:16 SSO: Leaving FilePolicyManager constructor ...
            07/03/08 12:41:16 SSODebug: Done loading the debug file, /oracle/asdb/sso/log/ssoServer.log
            07/03/08 12:41:18 SSOLoginServlet.init: SSO server started
            07/03/08 12:41:19 Oracle Application Server Containers for J2EE 10g (10.1.2.0.2) initialized
            ----end of init
            ----IE request
            07/03/08 12:59:07 Browser type: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; .NET CLR 2.0.50727)
            07/03/08 12:59:07 Browser OS supports Kerberos WNA.
            07/03/08 12:59:07 Browser is IE
            07/03/08 12:59:07 IE browser version = 5.5
            07/03/08 12:59:07 Browser supports Kerberos WNA.
            07/03/08 12:59:07 Doing SPNEGO negotiation with the browser ...
            07/03/08 12:59:07 Authorization header was not sent from the browser.
            07/03/08 12:59:07 Sending WWW-Authenticate request ...
            07/03/08 12:59:07 Sending SPNEGO request.
            07/03/08 12:59:07 Browser type: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; .NET CLR 2.0.50727)
            07/03/08 12:59:07 Browser OS supports Kerberos WNA.
            07/03/08 12:59:07 Browser is IE
            07/03/08 12:59:07 IE browser version = 5.5
            07/03/08 12:59:07 Browser supports Kerberos WNA.
            07/03/08 12:59:07 Doing SPNEGO negotiation with the browser ...
            07/03/08 12:59:07 Authorization header sent from the browser: Negotiate TlRMTVNTUAABAAAAB7IAogUABQAwAAAACAAIACgAAAAFAJMIAAAAD1NXQ1owMDExS0NFTlQ=
            07/03/08 12:59:07 Fallback Authentication enabled. Retrieving basic auth header.
            07/03/08 12:59:07 Received NTLM token. Sending request for fallback authentication.
            07/03/08 12:59:07 kerberos principal retrieved: {{UNAUTH_USER}}
            07/03/08 12:59:07 KERBE_DUMMY_USER retrieved. Trying Fallback Authentication.
            ---------------
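            The check post 2 applies by eye (a Negotiate token whose base64 starts "TlRMTVNTUAAB", i.e. "NTLMSSP", means the browser fell back to NTLM instead of presenting a Kerberos ticket) can be automated. The following Python is an added example, not part of the thread or of Oracle's code; the sample header values are constructed inline and none of them is the token from the log above.

```python
import base64
import struct
SPNEGO_OID = "1.3.6.1.5.5.2"            # GSS-API mech OID: SPNEGO wrapper IE normally sends
KRB5_OID = "1.2.840.113554.1.2.2"       # GSS-API mech OID: raw Kerberos 5

def decode_oid(raw: bytes) -> str:
    # Decode a DER OID value (tag and length already stripped) to dotted form.
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def classify_negotiate(header: str) -> dict:
    """Say what kind of token an 'Authorization' header value carries."""
    scheme, _, b64 = header.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"kind": "not-negotiate", "scheme": scheme}
    tok = base64.b64decode(b64)
    if tok.startswith(b"NTLMSSP\x00") and len(tok) >= 16:
        # Bare NTLM inside Negotiate: the browser never obtained a Kerberos service ticket.
        msg_type, flags = struct.unpack_from("<II", tok, 8)
        return {"kind": "ntlm", "message_type": msg_type, "flags": flags}
    if tok and tok[0] == 0x60:
        # GSS-API InitialContextToken: 0x60 <len> 0x06 <oid-len> <oid> <mech token>
        pos = 2 + (tok[1] & 0x7F if tok[1] & 0x80 else 0)   # skip DER length (short or long form)
        if tok[pos] != 0x06:
            return {"kind": "unknown"}
        oid = decode_oid(tok[pos + 2: pos + 2 + tok[pos + 1]])
        kind = {SPNEGO_OID: "spnego", KRB5_OID: "kerberos"}.get(oid, "gssapi")
        return {"kind": kind, "mech_oid": oid}
    return {"kind": "unknown"}

def build_ntlm_type1(domain: bytes, workstation: bytes) -> bytes:
    # Constructed NTLM NEGOTIATE_MESSAGE (type 1), only to exercise the classifier.
    hdr = b"NTLMSSP\x00" + struct.pack("<II", 1, 0xA2088207)                    # signature, type, flags
    hdr += struct.pack("<HHI", len(domain), len(domain), 40 + len(workstation))  # domain fields
    hdr += struct.pack("<HHI", len(workstation), len(workstation), 40)           # workstation fields
    hdr += b"\x05\x00\x93\x08\x00\x00\x00\x0f"                                   # version 5.0 build 2195
    return hdr + workstation + domain

SAMPLES = {  # constructed header values, not taken from the thread's log
    "ntlm_fallback": "Negotiate " + base64.b64encode(build_ntlm_type1(b"TEST", b"WS01")).decode(),
    "spnego": "Negotiate " + base64.b64encode(b"\x60\x08\x06\x06\x2b\x06\x01\x05\x05\x02").decode(),
    "raw_krb5": "Negotiate " + base64.b64encode(b"\x60\x0b\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02").decode(),
}

def classify_samples() -> dict:
    return {name: classify_negotiate(value) for name, value in SAMPLES.items()}
```

            Run against the header values logged by the SSO server, a result of kind "ntlm" confirms the NTLM fallback this thread describes, while "spnego" or "kerberos" shows the browser did present a GSS-API token.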
            • 3. Re: SSO + wna falls into KDC_ERR_S_PRINCIPAL_UNKNOWN
              436586
              Hi

              it seems to be a problem with the "$" in the service (or target) principal

              ssoHost.domain$@REALM

              but I have no idea why the "$" is there. I think this string is composed in IE, not in OAS, based on the requested URL and the current web client domain(?).

              When I try to execute kinit with the service name (with $ at the end) missing the domain specification, the domain is added:

              c:\share>kinit HTTP/ssoHost.domain$
              Password for HTTP/ssoHost.domain$@REALM:

              I get the same wrong service name and kinit fails.
              • 4. Re: SSO + wna falls into KDC_ERR_S_PRINCIPAL_UNKNOWN
                306937
                There shouldn't be a dollar sign at the end. How did you determine this was being appended to your principal id?

                You may want to download kerbtray from Microsoft. Just google kerbtray.exe or kerbtray and it should bring you to the download. I do believe there are different versions for 2000, 2003, etc. This utility will show you if the Kerberos ticket on your machine looks correct or not.
                • 5. Re: SSO + wna falls into KDC_ERR_S_PRINCIPAL_UNKNOWN
                  436586
                  In the Kerberos error log (Windows event viewer) there is a record:
                  Target Name: ssoHost.domain$@REALM
                  This should be the SPN registered through the "setspn" or "ktpass" commands. I'm able to register an SPN with the additional dollar sign, but the "service-class" part is also missing, like:

                  HTTP/ssoHost.domain$@REALM

                  (with or without $). I don't know why IE doesn't use the HTTP/ (or HOST/) prefix.

                  I'm using kerbtray; there is no ticket for ssoHost because I have never obtained any. There are a TGT and some other tickets like "krbtgt/DOMAIN", "ldap/HOST.DOMAIN/DOMAIN" or "HOST$".
                  • 6. Re: SSO + wna falls into KDC_ERR_S_PRINCIPAL_UNKNOWN
                    614167
                    Did you ever get SSO and WNA to work? I am having similar problems to you.
                    • 7. Re: SSO + wna falls into KDC_ERR_S_PRINCIPAL_UNKNOWN
                      614382
                      I did.
                      Your mistake is probably that you ran kinit from the infrastructure.
                      You should run it from the middle tier.