Problems unwrapping SPNEGO token for Single Signon (SSO) in WebLogic Server
843810 Jan 1 2009 — edited Feb 23 2009
First of all, a quick description of our issue. We've tried many different things, but cannot get WebLogic to unwrap the SPNEGO token so it authenticates using Kerberos. We received several errors while trying to debug; here's the one we see most:
KDC has no support for encryption type (14)
But we doubt it has anything to do with the encryption type, as these are set correctly everywhere.
We've tried following some of the instructions on the BEA website (which contain several errors).
One of them was also adding a host/ SPN (in krb5login.conf) but then, when using HTTP/ SPN we get the following error (it seems with multiple SPNs it only takes the first or last SPN that was set):
Client not found in Kerberos database (6)
Next try was using the host/ SPN but that results in the following error:
Integrity check on decrypted field failed (31)
We've tried changing the default_enctypes in KRB5.INI (we've removed the entries, and also tried only DES_CBC_MD5 and DES_CBC_CRC) but that did not change the behaviour.
We've tried adding the AllowTGTSessionKey registry key on client and server, but that didn't change it either.
To be continued in next post (max. 5000 characters allowed)....