
ORDS, SODA & JSON in the Database


Kerberos Auth (to Active directory) with ORDS/APEX and tomcat still giving me a 401

aladen, Jul 27 2016 (edited Aug 11 2016)

Hi All.

Following the famous Windows Integrated Authentication - HOWTO, but I keep getting an HTTP 401 Requires authentication error.

Apache tomcat 7.0.70

Apex 5.0.3

Ords 3.0.6

Solaris 11 zone.

After lots of acrobatics with keytab files (the doc should mention that the realm name needs to be capitalized in the principal in step 5 when creating the keytab file, to avoid a "KDC reply did not match expectations for client ... lower-case detected in realm 'company.lan' while getting initial credentials" error),

I made it past the checkpoints in steps 7 and 8. (Note: to test with a krb5.conf file in a non-default location, you can set the environment variable KRB5_CONFIG to the full path of the file you want to use, so you can test with the same krb5.conf file that you will be creating in step 10.) We use Centrify for authentication on the server itself, so I didn't want to mess with the Centrify-created krb5.conf file.

Turned up logging in Tomcat. As far as I can tell, it is making the connection to the KDC. The log ends with a message about finding a ticket for my principal and entering STATE_NEW, which, given no other hints, looks OK to me.

Looking for keys for: HTTP/testhost.company.lan@COMPANY.LAN
Added key: 23version: 5
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/testhost.company.lan
Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab /opt/tomcat/tomcat/tomcat.keytab for HTTP/testhost.company.lan@COMPANY.LAN
Found KeyTab /opt/tomcat/tomcat/tomcat.keytab for HTTP/testhost.company.lan@COMPANY.LAN
Found ticket for HTTP/testhost.company.lan@COMPANY.LAN to go to krbtgt/COMPANY.LAN@COMPANY.LAN expiring on Wed Jul 27 19:38:14 EDT 2016
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Looking for keys for: HTTP/testhost.company.lan@COMPANY.LAN
Added key: 23version: 5

Then nothing else in the logs. I assume it fails the Kerberos auth, then gives me the form and then the basic auth pop-up windows. I try my login on all of them, then get the 401 screen.

Am I making the connection to the KDC correctly? Any other ideas of where I should look? @VANJ?

Thanks

Andrew

Side note: why doesn't the "About" page show up in the Internal workspace? It's annoying to have to change workspaces to see the REMOTE_USER value.
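The two keytab pitfalls the post mentions (a realm that is not upper-case in the service principal, and testing a krb5.conf from a non-default path via KRB5_CONFIG) can be checked mechanically before Tomcat ever touches the keytab. The script below is an added example, not code from the post or from Oracle's HOWTO: it parses `klist -k` style output, flags principals whose realm is not upper-case or whose service class is not HTTP, and wraps the kinit checkpoint with KRB5_CONFIG set. The keytab listing embedded in it is constructed (the hostname and realm are the post's, the extra bad entries are invented for illustration); the kinit helper needs a reachable KDC and is therefore defined but not run.

```shell
#!/bin/sh
# Added example, not from the original post or from Oracle's HOWTO.
# Validates principals in a keytab listing for the mistakes described in
# the post (realm not upper-case, giving "KDC reply did not match
# expectations"; service class other than HTTP) and shows the KRB5_CONFIG
# trick for testing a krb5.conf in a non-default location.

# check_principal PRINCIPAL
# Prints "ok: <principal>" and returns 0, or prints the problem and returns 1.
check_principal() {
    princ=$1
    case "$princ" in
        */*@*) ;;
        *) echo "malformed (want service/host@REALM): $princ"; return 1 ;;
    esac
    svc=${princ%%/*}           # service class, e.g. HTTP
    rest=${princ#*/}
    realm=${rest##*@}          # realm, e.g. COMPANY.LAN

    if [ "$svc" != "HTTP" ]; then
        echo "service class '$svc' is not HTTP, browser SPNEGO asks for HTTP/<host>: $princ"
        return 1
    fi
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    if [ "$realm" != "$upper" ]; then
        echo "realm '$realm' is not upper-case, the KDC reply will not match: $princ"
        return 1
    fi
    echo "ok: $princ"
    return 0
}

# check_keytab_listing
# Reads `klist -k` output on stdin, checks every principal, prints the
# number of bad principals on stdout (per-principal results go to stderr).
check_keytab_listing() {
    bad=0
    while read -r kvno princ; do
        case "$kvno" in
            ''|[!0-9]*) continue ;;   # skip "Keytab name:", "KVNO Principal", "----" and blank lines
        esac
        check_principal "$princ" >&2 || bad=$((bad + 1))
    done
    echo "$bad"
}

# verify_keytab_against_kdc KEYTAB PRINCIPAL KRB5CONF
# The checkpoint from the post: obtain a TGT with the keytab while using a
# krb5.conf that is not the system default. Needs a reachable KDC, so the
# stand-alone run below does not call it.
verify_keytab_against_kdc() {
    KRB5_CONFIG=$3 kinit -k -t "$1" "$2" && KRB5_CONFIG=$3 klist
}

# Constructed sample in the shape of `klist -k /opt/tomcat/tomcat/tomcat.keytab`:
# one correct entry, one with a lower-case realm, one with the wrong service class.
KLIST_SAMPLE='Keytab name: FILE:/opt/tomcat/tomcat/tomcat.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 HTTP/testhost.company.lan@COMPANY.LAN
   5 HTTP/testhost.company.lan@company.lan
   3 host/testhost.company.lan@COMPANY.LAN'

# Stand-alone run against the constructed sample: two of the three entries are bad.
bad_count=$(printf '%s\n' "$KLIST_SAMPLE" | check_keytab_listing)
echo "bad principals in sample keytab: $bad_count"
```

On a real box, pipe the actual listing in (`klist -k /opt/tomcat/tomcat/tomcat.keytab | check_keytab_listing`) and then run `verify_keytab_against_kdc /opt/tomcat/tomcat/tomcat.keytab HTTP/testhost.company.lan@COMPANY.LAN /path/to/test-krb5.conf`; a failure at that step means the keytab or realm configuration is wrong, independently of anything Tomcat, ORDS or APEX does afterwards.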

Locked on Sep 8 2016
Added on Jul 27 2016