Client not found in Kerberos database while getting initial credentials
Apr 2 2013 (edited Apr 2 2013)
I am using Windows Server 2008 to host my Active Directory
Version: 6.0 (Build 6001: Service Pack 1)
OID - training3.subhajit.com training3
OAM - training6.subhajit.com training6
AD - WIN-WYIN8UCKRZI.SUBHAJITPC.COM
AD is well integrated with OID 11.1.1.6, OAM 11.1.2 and Oracle Apps E-Business Suite R12.1
Users created in AD travel to OID and then to E-Business.
Microsoft Active Directory External Authentication Plug-in is also configured and works great.
Now I am trying to configure WNA for this.
AD principal user details:
cn=Supratim Sarkar
userPrincipalName=HTTP/training6.subhajit.com@SUBHAJITPC.COM
servicePrincipalName=HTTP/training6.subhajit.com
ktpass:
C:\Users\Administrator>ktpass -princ HTTP/training6.subhajit.com@SUBHAJITPC.COM -mapuser sarkar@subhajitpc.com -pass **** -out oam.keytab -mapOp set -pType KRB5_NT_PRINCIPAL
Targeting domain controller: WIN-WYIN8UCKRZI.subhajitpc.com
Using legacy password setting method
Successfully mapped HTTP/training6.subhajit.com to sarkar.
Key created.
Output keytab to oam.keytab:
Keytab version: 0x502
keysize 77 HTTP/training6.subhajit.com@SUBHAJITPC.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 7 etype 0x17 (RC4-HMAC) keylength 16 (0x989645e64a275ea59e2b97ffbf643e77)
C:\Users\Administrator>
SPN details:
C:\Users\Administrator>setspn -Q HTTP/training6.subhajit.com
CN=Supratim Sarkar,CN=Users,DC=subhajitpc,DC=com
HTTP/training6.subhajit.com
Existing SPN found!
C:\Users\Administrator>
No duplicate SPN found:
C:\Users\Administrator>setspn -X
Processing entry 0
found 0 group of duplicate SPNs.
C:\Users\Administrator>
Copied the oam.keytab file to oam server from AD server.
I am facing an issue with kinit when trying to authenticate the principal user:
# kinit -V HTTP/training6.subhajit.com@SUBHAJITPC.COM -k -t /root/oam.keytab
kinit(v5): Client not found in Kerberos database while getting initial credentials
klist output :
[root@training6 ~]# klist -ke /root/oam.keytab
Keytab name: FILE:/root/oam.keytab
KVNO Principal
---- --------------------------------------------------------------------------
7 HTTP/training6.subhajit.com@SUBHAJITPC.COM (ArcFour with HMAC/md5)
If I try the authentication for the normal user 'sarkar@SUBHAJITPC.COM', it works. So it seems like principal names with a '/' symbol do not work.
[root@training6 ~]# kinit -V sarkar@SUBHAJITPC.COM
Password for sarkar@SUBHAJITPC.COM:
Authenticated to Kerberos v5
[root@training6 ~]#
[oracle1@training6 logs]$ klist
Ticket cache: FILE:/tmp/krb5cc_501
Default principal: sarkar@SUBHAJITPC.COM
Valid starting Expires Service principal
03/31/13 08:03:35 03/31/13 18:03:40 krbtgt/SUBHAJITPC.COM@SUBHAJITPC.COM
renew until 04/01/13 08:03:35
Kerberos 4 ticket cache: /tmp/tkt501
klist: You have no tickets cached
[oracle1@training6 logs]$
== krb5.conf file on OAM server training6
[oracle1@training6 wna]$ cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = SUBHAJITPC.COM
ticket_lifetime = 600
default_tkt_enctypes = RC4-HMAC
default_tgs_enctypes = RC4-HMAC
[realms]
SUBHAJITPC.COM = {
kdc = WIN-WYIN8UCKRZI.SUBHAJITPC.COM
admin_server = WIN-WYIN8UCKRZI.SUBHAJITPC.COM
default_domain = SUBHAJITPC.COM
}
[domain_realm]
.subhajitpc.com = SUBHAJITPC.COM
subhajitpc.com = SUBHAJITPC.COM
[oracle1@training6 wna]$
ldapbind commands:
[oracle1@training3 bin]$ ldapbind -h WIN-WYIN8UCKRZI.SUBHAJITPC.COM -p 389
bind successful
[oracle1@training3 bin]$
[oracle1@training3 bin]$ ldapbind -h WIN-WYIN8UCKRZI.SUBHAJITPC.COM -p 389 -D "cn=Supratim Sarkar,cn=Users,dc=subhajitpc,dc=com" -w ******
bind successful
[oracle1@training3 bin]$
== ldapbind for the same user with userPrincipalName fails:
[oracle1@training3 bin]$ ldapbind -h WIN-WYIN8UCKRZI.SUBHAJITPC.COM -p 389 -D "userPrincipalName=HTTP/training6.subhajit.com@SUBHAJITPC.COM,cn=Users,dc=subhajitpc,dc=com" -w ******
ldap_bind: Invalid credentials
ldap_bind: additional info: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1771
[oracle1@training3 bin]$
ldapsearch for the principal user:
[oracle1@training3 bin]$ ldapsearch -h WIN-WYIN8UCKRZI.SUBHAJITPC.COM -p 389 -D Administrator@subhajitpc.com -w ****** -b "dc=subhajitpc,dc=com" -s sub "userPrincipalName=HTTP/training6.subhajit.com@SUBHAJITPC.COM" cn servicePrincipalName userPrincipalName -R
CN=Supratim Sarkar,CN=Users,DC=subhajitpc,DC=com
cn=Supratim Sarkar
userPrincipalName=HTTP/training6.subhajit.com@SUBHAJITPC.COM
servicePrincipalName=HTTP/training6.subhajit.com
Unfollowed reference(s)
ref: ldap://ForestDnsZones.subhajitpc.com/DC=ForestDnsZones,DC=subhajitpc,DC=com
Unfollowed reference(s)
ref: ldap://DomainDnsZones.subhajitpc.com/DC=DomainDnsZones,DC=subhajitpc,DC=com
Unfollowed reference(s)
ref: ldap://subhajitpc.com/CN=Configuration,DC=subhajitpc,DC=com
[oracle1@training3 bin]$
So, mainly I want kinit to work, which will resolve the WNA issue with E-Business login, where I get the error "An incorrect Username or Password was specified".
If you can help.
Edited by: Subhajit C on Apr 2, 2013 3:09 PM
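Added example, not part of the post above and not Oracle's or MIT's code: a small Python reader for the MIT keytab format (version 0x0502) that klist -ke displays, plus a cross-check of each entry against the [libdefaults] section of a krb5.conf. The keytab bytes and the krb5.conf text are constructed to mirror the entry shown in the post (HTTP/training6.subhajit.com@SUBHAJITPC.COM, kvno 7, etype 0x17) with placeholder key bytes, and the enctype name and alias tables are assumed subsets. It never contacts the KDC, so it cannot show why the AD KDC answers "Client not found in Kerberos database"; what it does is rule out the local mismatches (realm spelling or case, enctype not in default_tkt_enctypes, wrong name type) that are worth eliminating before looking at the account on the AD side.

```python
"""Offline check of an MIT keytab (format 0x0502) against the krb5.conf [libdefaults].
Added example, not code from the post, Oracle or MIT. SAMPLE_* below are constructed to
mirror the post's entry (kvno 7, etype 0x17); the key bytes are a placeholder."""
import struct
from dataclasses import dataclass
from typing import Dict, List

KRB5_NT_PRINCIPAL = 1          # ktpass -ptype KRB5_NT_PRINCIPAL
# RFC 3961 enctype numbers -> names (subset); 23 = 0x17, what ktpass prints as RC4-HMAC
ENCTYPE_NAMES = {3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
# krb5.conf spellings -> number (subset; assumed sufficient for this page)
ENCTYPE_ALIASES = {"rc4-hmac": 23, "arcfour-hmac": 23, "arcfour-hmac-md5": 23, "des-cbc-md5": 3,
                   "aes128-cts": 17, "aes128-cts-hmac-sha1-96": 17, "aes256-cts": 18, "aes256-cts-hmac-sha1-96": 18}

@dataclass
class KeytabEntry:
    principal: str             # "HTTP/host@REALM"
    name_type: int
    kvno: int
    enctype: int
    key: bytes

def build_keytab(principal: str, kvno: int, enctype: int, key: bytes,
                 name_type: int = KRB5_NT_PRINCIPAL) -> bytes:
    """Serialise a one-entry 0x0502 keytab (used here to construct test input)."""
    name, realm = principal.rsplit("@", 1)
    parts = [realm] + name.split("/")                  # realm first, then name components
    body = struct.pack(">H", len(parts) - 1)           # component count excludes the realm
    body += b"".join(struct.pack(">H", len(p)) + p.encode() for p in parts)
    body += struct.pack(">IIBHH", name_type, 0, kvno & 0xFF, enctype, len(key)) + key
    body += struct.pack(">I", kvno)                    # optional 32-bit kvno extension
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Walk every entry, skipping deleted slots (negative size = bytes to skip)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    def take_str() -> str:                             # counted octet string at pos
        nonlocal pos
        (n,) = struct.unpack_from(">H", data, pos)
        pos += 2 + n
        return data[pos - n:pos].decode()
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm = take_str()
        name = "/".join(take_str() for _ in range(ncomp)) + "@" + realm
        name_type, _ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, pos)
        key = data[pos + 13:pos + 13 + klen]
        pos += 13 + klen
        kvno = vno8                                    # 32-bit kvno follows if room; non-zero overrides
        if end - pos >= 4:
            kvno = struct.unpack_from(">I", data, pos)[0] or vno8
        pos = end
        entries.append(KeytabEntry(name, name_type, kvno, enctype, key))
    return entries

def parse_libdefaults(conf: str) -> Dict[str, str]:
    """key = value pairs from [libdefaults]; nested realm blocks are ignored."""
    section, out = None, {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "libdefaults" and "=" in line:
            k, v = (x.strip() for x in line.split("=", 1))
            out[k.lower()] = v
    return out

def check_keytab(data: bytes, conf: str) -> List[str]:
    """Local mismatches to rule out before kinit -k -t: realm, enctype, name type."""
    d = parse_libdefaults(conf)
    realm = d.get("default_realm")
    wanted = {ENCTYPE_ALIASES.get(t.lower()) for t in d.get("default_tkt_enctypes", "").split()}
    out = []
    for e in parse_keytab(data):
        if realm and e.principal.rsplit("@", 1)[1] != realm:
            out.append("%s: realm is not default_realm %s (realm names are case-sensitive)" % (e.principal, realm))
        if wanted and e.enctype not in wanted:
            out.append("%s: enctype %s not in default_tkt_enctypes" % (e.principal, ENCTYPE_NAMES.get(e.enctype, e.enctype)))
        if e.name_type != KRB5_NT_PRINCIPAL:
            out.append("%s: name type %d, expected KRB5_NT_PRINCIPAL" % (e.principal, e.name_type))
    return out

# Constructed inputs mirroring the post; not the real keytab or key.
SAMPLE_KEYTAB = build_keytab("HTTP/training6.subhajit.com@SUBHAJITPC.COM", 7, 23, bytes(range(16)))
SAMPLE_KRB5_CONF = "[libdefaults]\n default_realm = SUBHAJITPC.COM\n default_tkt_enctypes = RC4-HMAC\n"

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):            # same fields klist -ke prints
        print(e.kvno, e.principal, ENCTYPE_NAMES.get(e.enctype))
    print(check_keytab(SAMPLE_KEYTAB, SAMPLE_KRB5_CONF) or "no local mismatches")
```

To run it against a real file, replace SAMPLE_KEYTAB with `open("/root/oam.keytab", "rb").read()` and SAMPLE_KRB5_CONF with the contents of /etc/krb5.conf. For the values in the post the check reports no local mismatches, which is consistent with the klist -ke output shown; a realm written in a different case than default_realm, or a keytab cut with an enctype the client is not configured to request, would be flagged here before kinit is even attempted.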