Hi, I'm trying to help a Weblogic admin trying to enable SSO using IPA as a backend in AD trust, and I'm not anywhere near a Java or Weblogic man.
The ticket looks OK, and I can kinit it. Klist shows:

# klist -ke sso.keytab
Keytab name: FILE:sso.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/ssotst01pack.lx.dr...@lx.dr.dk (aes256-cts-hmac-sha1-96)
   3 HTTP/ssotst01pack.lx.dr...@lx.dr.dk (aes128-cts-hmac-sha1-96)
   3 HTTP/ssotst01pack.lx.dr...@lx.dr.dk (des3-cbc-sha1)
   3 HTTP/ssotst01pack.lx.dr...@lx.dr.dk (arcfour-hmac)

Ticket is exported without the need for pre-auth.

I have made a pretty basic krb5.conf for use with Weblogic:

[libdefaults]
default_realm = LX.DR.DK
permitted_enctypes = aes256-cts-hmac-sha1-96 aes256-cts
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes256-cts
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes256-cts
dns_lookup_realm = false
dns_lookup_kdc = false
noaddresses = true

[realms]
LX.DR.DK = {
  kdc = ipa01.lx.dr.dk
}

[domain_realm]
.lx.dr.dk = LX.DR.DK
lx.dr.dk = LX.DR.DK

When trying to authenticate on web-ui I see:

krb5kdc.log on IPA server shows:

Feb 27 11:06:44 ipa01.lx.dr.dk krb5kdc[3349](info): AS_REQ (2 etypes {18 18}) 10.80.17.50: ISSUE: authtime 1488190004, etypes {rep=18 tkt=18 ses=18}, HTTP/ssotst01pack.lx.dr...@lx.dr.dk for krbtgt/lx.dr...@lx.dr.dk
Feb 27 11:06:44 ipa01.lx.dr.dk krb5kdc[3349](info): AS_REQ (2 etypes {18 18}) 10.80.17.50: ISSUE: authtime 1488190004, etypes {rep=18 tkt=18 ses=18}, HTTP/ssotst01pack.lx.dr...@lx.dr.dk for krbtgt/lx.dr...@lx.dr.dk
Feb 27 11:06:44 ipa01.lx.dr.dk krb5kdc[3353](info): AS_REQ (2 etypes {18 18}) 10.80.17.50: ISSUE: authtime 1488190004, etypes {rep=18 tkt=18 ses=18}, HTTP/ssotst01pack.lx.dr...@lx.dr.dk for krbtgt/lx.dr...@lx.dr.dk
Feb 27 11:06:44 ipa01.lx.dr.dk krb5kdc[3353](info): AS_REQ (2 etypes {18 18}) 10.80.17.50: ISSUE: authtime 1488190004, etypes {rep=18 tkt=18 ses=18}, HTTP/ssotst01pack.lx.dr...@lx.dr.dk for krbtgt/lx.dr...@lx.dr.dk
Feb 27 11:06:44 ipa01.lx.dr.dk krb5kdc[3353](info): AS_REQ (2 etypes {18 18}) 10.80.17.50: ISSUE: authtime 1488190004, etypes {rep=18 tkt=18 ses=18}, HTTP/ssotst01pack.lx.dr...@lx.dr.dk for krbtgt/lx.dr...@lx.dr.dk

Java shows:

[2017-02-22T14:17:06.666+01:00] [oam_server1] [ERROR] [] [oracle.oam.engine.authn] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 236b75b1bd93b747:4e356648:15a65f5a492:-8000-00000000000000db,0] [APP: oam_server#11.1.2.0.0] Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))[[
GSSException: Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))

(Not same time, I know. Log files from different days).

From what I can see on the krb5 log it tries to make 5 auth requests, but fails with "Specified version of key is not available", however, they are.... I have already verified this and tried exporting new ones just to make sure.

The unlimited encryption package has been added to Java.

Do these errors mean anything to some expert on this list, as I'm starting to run out of ideas......

--
Best regards
Troels Hansen
Systems Consultant
Casalogic A/S
T (+45) 70 20 10 63
M (+45) 22 43 71 57
Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and much more.
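
Added example (not part of the original post): a Python check that compares the enctypes listed by `klist -ke` with the reply-key enctype (`rep=`) the KDC logged for the same principal, the cross-check the post describes doing by eye. The sample input is constructed with placeholder names and the function names are this example's own; the KDC log line carries no KVNO, so only the enctype is compared and the keytab KVNOs are printed for manual comparison.

```python
import re

# Kerberos enctype numbers for the names `klist -ke` prints.
ETYPE_NUM = {"aes256-cts-hmac-sha1-96": 18, "aes128-cts-hmac-sha1-96": 17,
             "des3-cbc-sha1": 16, "arcfour-hmac": 23}

# Constructed sample input shaped like the output in the post; names are placeholders.
PRINC = "HTTP/web.example.test@EXAMPLE.TEST"
KLIST_KE = "\n".join(
    ["Keytab name: FILE:sso.keytab", "KVNO Principal", "---- " + "-" * 40]
    + [f"   3 {PRINC} ({name})" for name in ETYPE_NUM]) + "\n"
KDC_LOG = ("Feb 27 11:06:44 kdc.example.test krb5kdc[3349](info): AS_REQ "
           "(2 etypes {18 18}) 192.0.2.50: ISSUE: authtime 1488190004, "
           "etypes {rep=18 tkt=18 ses=18}, " + PRINC +
           " for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST\n")

def keytab_keys(klist_text):
    """Return {principal: {(kvno, enctype_number), ...}} from `klist -ke` output."""
    keys = {}
    for line in klist_text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$", line)
        if m:  # header and separator lines do not match
            etype = ETYPE_NUM.get(m.group(3))  # None for names not in the table
            keys.setdefault(m.group(2), set()).add((int(m.group(1)), etype))
    return keys

def issued_reply_etypes(log_text):
    """Yield (client principal, rep= enctype) for each ISSUE line in krb5kdc.log."""
    pat = re.compile(r"ISSUE: .*?etypes \{rep=(\d+) tkt=\d+ ses=\d+\}, (\S+) for ")
    for m in pat.finditer(log_text):
        yield m.group(2), int(m.group(1))

def missing_keys(klist_text, log_text):
    """Return (principal, enctype) pairs the KDC replied with but the keytab lacks."""
    keys = keytab_keys(klist_text)
    missing = []
    for princ, rep in issued_reply_etypes(log_text):
        have = {etype for _kvno, etype in keys.get(princ, set())}
        if rep not in have and (princ, rep) not in missing:
            missing.append((princ, rep))
    return missing

if __name__ == "__main__":
    for princ, held in keytab_keys(KLIST_KE).items():
        print(princ, "keytab (kvno, enctype):", sorted(held))
    print("enctypes used by the KDC but absent from the keytab:",
          missing_keys(KLIST_KE, KDC_LOG))
```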