
Client not found in Kerberos database while getting initial credentials

985385 · Apr 2 2013 — edited Apr 2 2013
I am using Windows Server 2008 to host my Active Directory.
Version: 6.0 (Build 6001: Service Pack 1)

OID - training3.subhajit.com training3
OAM - training6.subhajit.com training6
AD - WIN-WYIN8UCKRZI.SUBHAJITPC.COM

AD is well integrated with OID 11.1.1.6, OAM 11.1.2 and Oracle Apps E-Business Suite R12.1

When users are created in AD, they travel to OID and then to E-Business.
The Microsoft Active Directory External Authentication Plug-in is also configured and works great.


Now I am trying to configure WNA for this.

AD principal user details:

cn=Supratim Sarkar
userPrincipalName=HTTP/training6.subhajit.com@SUBHAJITPC.COM
servicePrincipalName=HTTP/training6.subhajit.com

ktpass:

C:\Users\Administrator>ktpass -princ HTTP/training6.subhajit.com@SUBHAJITPC.COM -mapuser sarkar@subhajitpc.com -pass **** -out oam.keytab -mapOp set -pType KRB5_NT_PRINCIPAL
Targeting domain controller: WIN-WYIN8UCKRZI.subhajitpc.com
Using legacy password setting method
Successfully mapped HTTP/training6.subhajit.com to sarkar.
Key created.
Output keytab to oam.keytab:
Keytab version: 0x502
keysize 77 HTTP/training6.subhajit.com@SUBHAJITPC.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 7 etype 0x17 (RC4-HMAC) keylength 16 (0x989645e64a275ea59e2b97ffbf643e77)

C:\Users\Administrator>

SPN details:

C:\Users\Administrator>setspn -Q HTTP/training6.subhajit.com
CN=Supratim Sarkar,CN=Users,DC=subhajitpc,DC=com
HTTP/training6.subhajit.com

Existing SPN found!

C:\Users\Administrator>

No duplicate SPN found:

C:\Users\Administrator>setspn -X
Processing entry 0
found 0 group of duplicate SPNs.


C:\Users\Administrator>

Copied the oam.keytab file from the AD server to the OAM server.

I am facing an issue with kinit when trying to authenticate the principal user:

# kinit -V HTTP/training6.subhajit.com@SUBHAJITPC.COM -k -t /root/oam.keytab
kinit(v5): Client not found in Kerberos database while getting initial credentials

klist output:

[root@training6 ~]# klist -ke /root/oam.keytab
Keytab name: FILE:/root/oam.keytab
KVNO Principal
---- --------------------------------------------------------------------------
7 HTTP/training6.subhajit.com@SUBHAJITPC.COM (ArcFour with HMAC/md5)


If I try out the authentication for the normal user 'sarkar@SUBHAJITPC.COM', it works. So it seems like principal names with a '/' symbol do not work.

[root@training6 ~]# kinit -V sarkar@SUBHAJITPC.COM
Password for sarkar@SUBHAJITPC.COM:
Authenticated to Kerberos v5
[root@training6 ~]#

[oracle1@training6 logs]$ klist
Ticket cache: FILE:/tmp/krb5cc_501
Default principal: sarkar@SUBHAJITPC.COM

Valid starting Expires Service principal
03/31/13 08:03:35 03/31/13 18:03:40 krbtgt/SUBHAJITPC.COM@SUBHAJITPC.COM
renew until 04/01/13 08:03:35


Kerberos 4 ticket cache: /tmp/tkt501
klist: You have no tickets cached
[oracle1@training6 logs]$



== krb5.conf file on OAM server training6

[oracle1@training6 wna]$ cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = SUBHAJITPC.COM
ticket_lifetime = 600
default_tkt_enctypes = RC4-HMAC
default_tgs_enctypes = RC4-HMAC

[realms]
SUBHAJITPC.COM = {
kdc = WIN-WYIN8UCKRZI.SUBHAJITPC.COM
admin_server = WIN-WYIN8UCKRZI.SUBHAJITPC.COM
default_domain = SUBHAJITPC.COM
}

[domain_realm]
.subhajitpc.com = SUBHAJITPC.COM
subhajitpc.com = SUBHAJITPC.COM
[oracle1@training6 wna]$

ldapbind commands:

[oracle1@training3 bin]$ ldapbind -h WIN-WYIN8UCKRZI.SUBHAJITPC.COM -p 389
bind successful
[oracle1@training3 bin]$

[oracle1@training3 bin]$ ldapbind -h WIN-WYIN8UCKRZI.SUBHAJITPC.COM -p 389 -D "cn=Supratim Sarkar,cn=Users,dc=subhajitpc,dc=com" -w ******
bind successful
[oracle1@training3 bin]$

== ldapbind for the same user with userPrincipalName fails:

[oracle1@training3 bin]$ ldapbind -h WIN-WYIN8UCKRZI.SUBHAJITPC.COM -p 389 -D "userPrincipalName=HTTP/training6.subhajit.com@SUBHAJITPC.COM,cn=Users,dc=subhajitpc,dc=com" -w ******
ldap_bind: Invalid credentials
ldap_bind: additional info: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1771
[oracle1@training3 bin]$


ldapsearch for the principal user:

[oracle1@training3 bin]$ ldapsearch -h WIN-WYIN8UCKRZI.SUBHAJITPC.COM -p 389 -D Administrator@subhajitpc.com -w ****** -b "dc=subhajitpc,dc=com" -s sub "userPrincipalName=HTTP/training6.subhajit.com@SUBHAJITPC.COM" cn servicePrincipalName userPrincipalName -R
CN=Supratim Sarkar,CN=Users,DC=subhajitpc,DC=com
cn=Supratim Sarkar
userPrincipalName=HTTP/training6.subhajit.com@SUBHAJITPC.COM
servicePrincipalName=HTTP/training6.subhajit.com

Unfollowed reference(s)
ref: ldap://ForestDnsZones.subhajitpc.com/DC=ForestDnsZones,DC=subhajitpc,DC=com

Unfollowed reference(s)
ref: ldap://DomainDnsZones.subhajitpc.com/DC=DomainDnsZones,DC=subhajitpc,DC=com

Unfollowed reference(s)
ref: ldap://subhajitpc.com/CN=Configuration,DC=subhajitpc,DC=com
[oracle1@training3 bin]$

So, mainly I want kinit to work, which will resolve the WNA issue with the E-Business login, where I get the error "An incorrect Username or Password was specified".

If you can help.

Edited by: Subhajit C on Apr 2, 2013 3:09 PM
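As an added example (not code from the original post or from Oracle's products), a small Python parser for the MIT keytab format that the ktpass and klist output above describe: it lists each entry's principal, name type, kvno and enctype, checks that the principal handed to kinit -k is actually present in the keytab, and flags entries keyed on RC4-HMAC (etype 0x17, the type this keytab was generated with), which is deprecated in favour of AES. The sample keytab bytes are constructed to mirror the klist entry on the page, with a zero placeholder in place of the key.

```python
import struct

# Enctype numbers (RFC 3961/4757); 23 is the RC4-HMAC etype 0x17 shown above.
WEAK_ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "arcfour-hmac-md5"}

def _counted(buf, off):      # counted_octet_string: uint16 BE length + bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(buf):       # MIT keytab, file version 0x0502, big-endian
    if buf[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % buf[:2])
    entries, off = [], 2
    while off + 4 <= len(buf):
        (size,) = struct.unpack_from(">i", buf, off)
        off += 4
        if size <= 0: off -= size; continue   # negative size = deleted slot
        end = off + size
        (ncomp,) = struct.unpack_from(">H", buf, off)
        realm, off = _counted(buf, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(buf, off)
            comps.append(comp.decode())
        name_type, _ts, vno8 = struct.unpack_from(">IIB", buf, off)
        (etype,) = struct.unpack_from(">H", buf, off + 9)
        key, off = _counted(buf, off + 11)
        vno = struct.unpack_from(">I", buf, off)[0] if end - off >= 4 else vno8  # trailing 32-bit kvno wins
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "name_type": name_type,
                        "kvno": vno, "etype": etype, "keylen": len(key)})
        off = end
    return entries

def audit(buf, expected_principal):   # findings a keytab review should raise
    entries, findings = parse_keytab(buf), []
    if not any(e["principal"] == expected_principal for e in entries):
        findings.append("principal %s not in keytab" % expected_principal)
    for e in entries:
        if e["etype"] in WEAK_ENCTYPES:
            findings.append("%s kvno %d uses weak enctype %s" % (
                e["principal"], e["kvno"], WEAK_ENCTYPES[e["etype"]]))
    return findings

# Constructed sample mirroring the page's klist entry (ptype 1, kvno 7, etype 23);
# the 16 key bytes are a zero placeholder, not a real key.
_cs = lambda b: struct.pack(">H", len(b)) + b          # counted string encoder
_body = (struct.pack(">H", 2) + _cs(b"SUBHAJITPC.COM") + _cs(b"HTTP")
         + _cs(b"training6.subhajit.com") + struct.pack(">IIB", 1, 0, 7)
         + struct.pack(">H", 23) + _cs(b"\x00" * 16))
SAMPLE_KEYTAB = b"\x05\x02" + struct.pack(">i", len(_body)) + _body
```

Run `audit(open("/root/oam.keytab", "rb").read(), "HTTP/training6.subhajit.com@SUBHAJITPC.COM")` against a real keytab; an empty list means the principal is present and no weak enctype is in use.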