After Setting Up SSO Managed Server Won't Start
dirkt, Mar 17 2013 (edited Mar 22 2013)

I am using the Oracle supplied white paper to set up SSO using Active Directory. Following those instructions everything was working and testing correctly until I added the NegotiateIdentityAsserter provider to the list of WLS providers. Now the managed server won't start. The admin server starts without any errors and goes to the RUNNING state. But the Start BI Services command window gets to the wls.alive: prompt and hangs. And hangs. Eventually the window goes away and it may throw an error but I've never seen it. You can log in to the WLS console and EM without a problem. Remove the new provider and everything comes up normally. I have looked at the krb5.ini and krb5login.conf files and even rewritten them from scratch without any change in behavior.
While looking for answers I ran into the SPNEGOCheck webapp that Oracle makes available to diagnose problems. It says everything is OK until it parses the krb5login.conf and then complains that the Username associated with SPN in AD is blank and so doesn't match the SPN specified in the krblogin config. But I can't see anything wrong in the files themselves.
from the log:
-------------------------------------------------
In section 'libdefaults'
LSA: Found Ticket
LSA: Made NewWeakGlobalRef
LSA: Found PrincipalName
LSA: Made NewWeakGlobalRef
LSA: Found DerValue
LSA: Made NewWeakGlobalRef
LSA: Found EncryptionKey
LSA: Made NewWeakGlobalRef
LSA: Found TicketFlags
LSA: Made NewWeakGlobalRef
LSA: Found KerberosTime
LSA: Made NewWeakGlobalRef
LSA: Found String
LSA: Made NewWeakGlobalRef
LSA: Found DerValue constructor
LSA: Found Ticket constructor
LSA: Found PrincipalName constructor
LSA: Found EncryptionKey constructor
LSA: Found TicketFlags constructor
LSA: Found KerberosTime constructor
LSA: Finished OnLoad processing
Config name: C:\Windows\krb5.ini
KdcAccessibility: reset
KdcAccessibility: reset
Reachable? true
Connection seems to have succeeded.
Parsing section contents 'com.sun.security.jgss.krb5.accept { com.sun.security.auth.module.Krb5LoginModule required principal="bi_kerb_prin@SRS1.COM" keyTab=biwhse1a.keytab useKeyTab=true storeKey=true debug=true;};'
Section name: 'com.sun.security.jgss.krb5.accept'
Getting next NV pair beginning at 'principal="bi_kerb_prin@SRS1.COM" keyTab=biwhse1a.keytab useKeyTab=true storeKey=true debug=true'
NVPair name: 'principal' value: 'bi_kerb_prin@SRS1.COM'
NVPair name: 'keyTab' value: 'biwhse1a.keytab'
NVPair name: 'useKeyTab' value: 'true'
NVPair name: 'storeKey' value: 'true'
Got back 4 name/value pairs.
section com.sun.security.jgss.krb5.accept should probably contain a setting for debug=true
Section com.sun.security.jgss.krb5.accept seems OK
-------------------------------------------------
The krb5.ini file:
--------------------------------------------------
[libdefaults]
default_realm = SRS1.COM
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
ticket_lifetime = 600
[realms]
SRS1.COM = {
    kdc = 129.58.120.200
    admin_server = adc01.srs1.com
    default_domain = SRS1.COM
}
[domain_realm]
.srs1.com = SRS1.COM
[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true
--------------------------------------------------
The krb5login.conf file:
--------------------------------------------------
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="bi_kerb_prin@SRS1.COM"
    keyTab=biwhse1a.keytab
    useKeyTab=true
    storeKey=true
    debug=true;
};
--------------------------------------------------
[D:\] setspn -L bi_kerb_prin
Registered ServicePrincipalNames for CN=bi_kerb_prin,OU=Non-Person Users,OU=WRC Users,DC=srs1,DC=com:
HTTP/biwhse1a.srs1.com
HTTP/biwhse1a
[D:\]
--------------------------------------------------
OBIEE 11.1.1.6.2 BP2
Windows Server 2008 SP1
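The complaint SPNEGOCheck raises above is a consistency question between three artifacts: the JAAS `principal` in krb5login.conf, the realm settings in krb5.ini, and the SPNs that `setspn -L` shows registered to the AD account. The script below is an added example, not part of the original post and not a reproduction of Oracle's SPNEGOCheck logic: it parses all three (the sample inputs are constructed from the values quoted in the post, with a shortened DN) and reports whether the principal names the account or one of its registered SPNs, whether the realm matches `default_realm`, whether the keytab path is relative, and whether the configured enctypes are deprecated ones. The parsers and the finding levels are my own design.

```python
"""Cross-check a JAAS Krb5LoginModule entry, krb5.ini and setspn -L output.
Added example, not the poster's files or Oracle's SPNEGOCheck; the sample
inputs are constructed from the values quoted in the post."""
import re

KRB5LOGIN_CONF = """\
com.sun.security.jgss.krb5.accept {
  com.sun.security.auth.module.Krb5LoginModule required
  principal="bi_kerb_prin@SRS1.COM"
  keyTab=biwhse1a.keytab
  useKeyTab=true storeKey=true debug=true;
};
"""
KRB5_INI = """\
[libdefaults]
default_realm = SRS1.COM
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
"""
SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=bi_kerb_prin,OU=Non-Person Users,DC=srs1,DC=com:
        HTTP/biwhse1a.srs1.com
        HTTP/biwhse1a
"""
# DES is deprecated by RFC 6649, 3DES and RC4 by RFC 8429.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "rc4-hmac", "arcfour-hmac"}


def parse_jaas(text):
    """{section: [{'module', 'flag', 'options'}]} for a JAAS login config."""
    sections = {}
    for m in re.finditer(r"(\S+)\s*\{(.*?)\};", text, re.S):
        entries = []
        for entry in m.group(2).split(";"):
            tokens = entry.split()
            if len(tokens) < 2:
                continue
            opts = {k: v.strip('"') for k, _, v in (t.partition("=") for t in tokens[2:])}
            entries.append({"module": tokens[0], "flag": tokens[1], "options": opts})
        sections[m.group(1)] = entries
    return sections


def parse_krb5_ini(text):
    """Minimal krb5.ini parser: {section: {key: value or {subkey: value}}}."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, sub = line[1:-1], None
            conf.setdefault(section, {})
        elif line == "}":
            sub = None
        elif line.endswith("{"):  # nested block such as  SRS1.COM = {
            sub = line[:-1].partition("=")[0].strip()
            conf[section][sub] = {}
        else:
            key, _, value = line.partition("=")
            (conf[section][sub] if sub else conf[section])[key.strip()] = value.strip()
    return conf


def parse_setspn(text):
    """(account CN, [SPNs]) from 'setspn -L <account>' output."""
    account, spns = None, []
    for line in text.splitlines():
        m = re.match(r"Registered ServicePrincipalNames for CN=([^,]+),", line)
        if m:
            account = m.group(1)
        elif "/" in line:
            spns.append(line.strip())
    return account, spns


def check(login_conf, krb5_ini, setspn_out, section="com.sun.security.jgss.krb5.accept"):
    """Return 'LEVEL: message' findings; ERROR means the acceptor cannot work as configured."""
    entries = parse_jaas(login_conf).get(section)
    if not entries:
        return [f"ERROR: section {section} not found in login config"]
    opts = entries[0]["options"]
    principal = opts.get("principal", "")
    if "@" not in principal:
        return ["ERROR: principal missing or has no @REALM suffix"]
    name, realm = principal.split("@", 1)
    libdefaults = parse_krb5_ini(krb5_ini).get("libdefaults", {})
    account, spns = parse_setspn(setspn_out)
    findings = []
    if realm != libdefaults.get("default_realm"):
        findings.append(f"ERROR: principal realm {realm} differs from default_realm {libdefaults.get('default_realm')}")
    if not any(s.upper().startswith("HTTP/") for s in spns):
        findings.append(f"ERROR: account {account} has no HTTP/ SPN registered")
    if name == account or name.lower() in {s.lower() for s in spns}:
        findings.append(f"OK: principal {name} is the AD account or one of its registered SPNs")
    else:
        findings.append(f"ERROR: principal {name} is neither account {account} nor one of {spns}")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        weak = WEAK_ENCTYPES & set(re.split(r"[\s,]+", libdefaults.get(key, "")))
        if weak:
            findings.append(f"WARN: {key} permits deprecated enctypes {sorted(weak)}")
    if not re.match(r"^([A-Za-z]:[\\/]|[\\/])", opts.get("keyTab", "")):
        findings.append(f"WARN: keyTab {opts.get('keyTab')!r} is relative; resolved against the JVM working directory")
    return findings


if __name__ == "__main__":
    print("\n".join(check(KRB5LOGIN_CONF, KRB5_INI, SETSPN_OUTPUT)))
```

On the post's own values the principal passes the name check (it is the account CN) and the realm matches, so the script reports no ERROR, but it does flag the two `des-cbc-crc` settings and the relative keytab path. A passing name check only says the three files agree with each other; whether the keytab actually holds the key that the HTTP/ tickets are encrypted with is a separate question, best answered by listing the keytab's principals (the JDK's `klist -k <keytab>`) and comparing them with the `setspn -L` output.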