Active Directory errors with Kerberos

499250, Mar 17 2006 — edited Nov 21 2006

I encountered the problem described below. Does anyone have any ideas how to resolve this problem?

1. We have set up AD->OID sync and it syncs fine (can see the users from AD synced in the OID).



2. The OC4J~OC4J_SECURITY~default_island~1 log shows the following on startup:


KrbKdcReq send: kdc=CHILD1.SSOTEST.COM UDP:88, timeout=30000, number of retries =3, #bytes=268
06/03/16 12:56:52 >>> KDCCommunication: kdc=CHILD1.SSOTEST.COM UDP:88, timeout=30000,Attempt =1, #bytes=268

06/03/16 12:56:52 >>> KrbKdcReq send: #bytes read=201

06/03/16 12:56:52 >>> KrbKdcReq send: #bytes read=201

06/03/16 12:56:52 >>> KDCRep: init() encoding tag is 126 req type is 11

06/03/16 12:56:52 >>>KRBError:

06/03/16 12:56:52 sTime is Thu Mar 16 12:56:50 SGT 2006 1142485010000

06/03/16 12:56:52 suSec is 195882

06/03/16 12:56:52 error code is 24

06/03/16 12:56:52 error Message is Pre-authentication information was invalid

06/03/16 12:56:52 realm is CHILD1.SSOTEST.COM

06/03/16 12:56:52 sname is krbtgt/CHILD1.SSOTEST.COM

06/03/16 12:56:52 eData provided.

06/03/16 12:56:52 [Krb5LoginModule] authentication failed

Pre-authentication information was invalid (24)

06/03/16 12:56:52 KerberosAuthenticator: GSSException raised in constructor - No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)

06/03/16 12:56:52 GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)

06/03/16 12:56:52 at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)

06/03/16 12:56:52 at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)

06/03/16 12:56:52 at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)

06/03/16 12:56:52 at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)





3. Trying to do a kinit as part of troubleshooting:





kinit HTTP/sgiasu2.sg.statschippac.com

Password for HTTP/sgiasu2.sg.statschippac.com@CHILD1.SSOTEST.COM:mypassword



Gives the following error, which seems to be the same as that in the SECURITY log:



Exception: krb_error 24 Pre-authentication information was invalid (24) Pre-authentication information was invalid

KrbException: Pre-authentication information was invalid (24)

at sun.security.krb5.KrbAsRep.<init>(DashoA12275:67)

at sun.security.krb5.KrbAsReq.getReply(DashoA12275:315)

at sun.security.krb5.KrbAsReq.getReply(DashoA12275:276)

at sun.security.krb5.internal.tools.Kinit.<init>(DashoA12275:271)

at sun.security.krb5.internal.tools.Kinit.main(DashoA12275:109)

Caused by: KrbException: Identifier doesn't match expected value (906)

at sun.security.krb5.internal.af.a(DashoA12275:134)

at sun.security.krb5.internal.at.a(DashoA12275:63)

at sun.security.krb5.internal.at.<init>(DashoA12275:58)

at sun.security.krb5.KrbAsRep.<init>(DashoA12275:53)

... 4 more





4. The users/principals/keytab etc. have been set up as specified in the Oracle documentation (for integrating with AD).

Locked on Dec 19 2006
Added on Mar 17 2006