aabeba

OAS, OHS, and Kerberos -- An unsupported mechanism was requested

I am attempting to set up SSO via OHS for Oracle Analytics Server using this guide:

https://support.oracle.com/epmos/faces/DocumentDisplay?_afrLoop=94745917947156&id=2941776.1&_afrWindowMode=0&_adf.ctrl-state=111qxmxuvw_102

This is the principal error revealed in ohs1.log when logging is set to 32:

GSS ERROR In Negotiate Auth: gss_accept_sec_context() failed: [An unsupported mechanism was requested (Unknown error)

When logging is more granular, I also see these entries in the log:

AH01626: authorization result of Require valid-user : denied (no authenticated user yet
AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
Sessions not available, no cookies!
NO AUTH DATA Client did not send any authentication headers
AH01503: headers: ap_headers_error_filter()
AH01964: Connection to child 192 established (server <server>:4443)
OHS:2079 Client SSL handshake error, nzos_Handshake returned 28864(server <server>:4443)
SSL IO error [Hint: the client stopped the connection unexpectedly]
Connection closed to child 192 with standard shutdown (server server:4443)
AH01382: Request header read timeout
70007)The timeout specified has expired: OHS:2067 SSL IO error, nzos_Read returned 28857
OHS:2171 NZ Library Error: Unknown error

The analytics.conf file consists of Location sections, each of which is configured like this:

<Location "/analytics">
    ProxyPass "<server>/analytics"
    ProxyPassReverse "/analytics"
    #SSLRequireSSL
    AuthType GSSAPI
    AuthName "<Kerberos realm>"
    GssapiCredStore keytab:<OHS configuration directory>/krb5.keytab
    GssapiUseSessions On
    GssapiAllowedMech krb5
    GssapiAcceptorName      HTTP
    GssapiBasicAuth         On
    GssapiNegotiateOnce     On
    GssapiSSLonly           On
    GssapiLocalName         On
    # Use a cookie to keep the session, avoid reauthenticate user on each page
    # (facultative)
    GssapiUseSessions       On
    GssapiDelegCcacheDir    <OHS configuration directory>/clientcaches
    <IfModule mod_session.c>
        Session on
    </IfModule>
    <IfModule mod_session_cookie.c>
        SessionCookieName gssapi_session path=/;httponly;secure;
    </IfModule>
    Require valid-user
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule .* - [E=RU:%1]
    RequestHeader unset Authorization
    RequestHeader set OAM_REMOTE_USER %{REMOTE_USER}s
</Location>

SPN registration validation:

setspn -L <MSAD user>
Registered ServicePrincipalNames for CN=<MSAD user>,OU=Service_Accounts,OU=User_Accounts,DC=<...>,DC=<...>,DC=com:
https://<load-balanced OAS URL>
        HTTP/<hostname>

The keytab was generated in PowerShell thus:

ktpass -princ HTTP/<user@REALM> -mapuser <user@REALM> -pass <password> -crypto aes256-cts-hmac-sha1-96 -ptype KRB5_NT_PRINCIPAL -out <keytab path> -kvno 0

Authenticating the keytab using kinit:

$ kinit -k -t krb5.keytab HTTP/principal@REALM -V
Using default cache: /tmp/krb5cc_1343958938
Using principal: HTTP/principal@REALM
Using keytab: krb5.keytab
Authenticated to Kerberos v5

The Analytics URL using OHS (https://hostname:4443/analytics) works fine when analytics.conf is not included in httpd.conf, but once it is enabled, the page presents a popup requesting user credentials. All valid credentials are rejected and the popup reappears. Hitting 'Cancel' displays:

Unauthorized

This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.

on the page.

Could this be the result of Kerberos picking up /etc/krb5.conf by default (which in my setup is not the correct krb5.config file) rather than the custom one in a different location which has the correct KDC and realm information?

EDIT 1: Generated ticket with kinit and ran curl command on Win client. Output is here: https://ctxt.io/2/AAB4XibyFw

EDIT 2: curl command run on client: https://ctxt.io/2/AAB4cjWtFQ

klist run on client: https://ctxt.io/2/AAB4cVVREQ

Answers (0)
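gss_accept_sec_context() reports "An unsupported mechanism was requested" (GSS_S_BAD_MECH) when the token inside the client's Authorization: Negotiate header is not one the server-side mechanism set will accept. With GssapiAllowedMech krb5 that is exactly what a browser produces when it has fallen back to NTLM inside SPNEGO, which it does when it cannot obtain a service ticket for HTTP/<the host name in the URL>. The script below is added here as an example and is not part of the original question or of mod_auth_gssapi: it decodes a Negotiate header value (copied from the browser's developer tools or from curl -v --negotiate output) and reports whether it carries raw NTLMSSP, an SPNEGO token or a bare Kerberos token, and which mechanisms the client offered in preference order. The sample headers in the block are constructed for the example, not captured from the poster's environment, and the mechanism names and the return codes of diagnose() are this example's own.

```python
import base64
import re

# Mechanism OIDs as DER content octets (tag 0x06 and length stripped). These are
# the mechanisms a Windows client normally offers inside an HTTP Negotiate token.
MECH_OIDS = {
    "SPNEGO": bytes.fromhex("2b0601050502"),          # 1.3.6.1.5.5.2
    "KRB5":   bytes.fromhex("2a864886f712010202"),    # 1.2.840.113554.1.2.2
    "MSKRB5": bytes.fromhex("2a864882f712010202"),    # 1.2.840.48018.1.2.2
    "NTLM":   bytes.fromhex("2b06010401823702020a"),  # 1.3.6.1.4.1.311.2.2.10
    "NEGOEX": bytes.fromhex("2b06010401823702021e"),  # 1.3.6.1.4.1.311.2.2.30
}


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    """One DER TLV."""
    return bytes([tag]) + der_len(len(body)) + body


def spnego_neg_token_init(mech_oids, mech_token=b""):
    """Minimal SPNEGO NegTokenInit (RFC 4178) in RFC 2743 InitialContextToken
    framing, i.e. the bytes a browser base64-encodes after 'Negotiate '.
    Used here only to build constructed sample input."""
    mech_types = der(0x30, b"".join(der(0x06, oid) for oid in mech_oids))
    fields = der(0xA0, mech_types)                    # mechTypes [0]
    if mech_token:
        fields += der(0xA2, der(0x04, mech_token))    # mechToken [2]
    neg_token_init = der(0xA0, der(0x30, fields))     # negTokenInit [0]
    return der(0x60, der(0x06, MECH_OIDS["SPNEGO"]) + neg_token_init)


def classify_negotiate(header_value):
    """Return (kind, mechs) for an 'Authorization: Negotiate <b64>' value.
    kind is 'ntlm-raw', 'spnego', 'krb5-raw', 'unknown' or 'not-negotiate'.
    mechs lists the known mechanism OIDs in order of appearance; for SPNEGO that
    is the client's preference order and the first one owns the mechToken."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate", []
    b64 = b64.strip()
    token = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    if token.startswith(b"NTLMSSP\x00"):
        return "ntlm-raw", []
    if not token.startswith(b"\x60"):
        return "unknown", []
    found = []
    # Scan for DER OID TLVs (tag 0x06, short-form length) and keep the known ones.
    for m in re.finditer(rb"\x06([\x01-\x7f])", token):
        length = m.group(1)[0]
        oid = token[m.end():m.end() + length]
        for name, known in MECH_OIDS.items():
            if oid == known and name not in found:
                found.append(name)
    if found and found[0] == "SPNEGO":
        return "spnego", found[1:]
    if found and found[0] in ("KRB5", "MSKRB5"):
        return "krb5-raw", found
    return "unknown", found


def diagnose(header_value):
    """Map the token contents to the likely reason a krb5-only acceptor rejected it."""
    kind, mechs = classify_negotiate(header_value)
    if kind == "ntlm-raw" or (kind == "spnego" and mechs and mechs[0] == "NTLM"):
        # The client chose NTLM: it holds no Kerberos service ticket for HTTP/<host>.
        return "NTLM_FALLBACK"
    if kind == "krb5-raw" or (kind == "spnego" and mechs and mechs[0] in ("KRB5", "MSKRB5")):
        return "KERBEROS"
    return "UNKNOWN"


def sample_headers():
    """Constructed examples of the three cases (not captured from any real client)."""
    b64 = lambda raw: base64.b64encode(raw).decode("ascii")
    ntlm_type1 = b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 28
    # Stand-in for a Kerberos AP-REQ: RFC 4121 framing (OID + TOK_ID 01 00) and dummy bytes.
    fake_ap_req = der(0x60, der(0x06, MECH_OIDS["KRB5"]) + b"\x01\x00" + b"\x6e\x03\x00\x00\x00")
    return {
        "kerberos": "Negotiate " + b64(spnego_neg_token_init(
            [MECH_OIDS["MSKRB5"], MECH_OIDS["KRB5"], MECH_OIDS["NTLM"]], fake_ap_req)),
        "ntlm_in_spnego": "Negotiate " + b64(spnego_neg_token_init([MECH_OIDS["NTLM"]], ntlm_type1)),
        "ntlm_raw": "Negotiate " + b64(ntlm_type1),
    }


if __name__ == "__main__":
    for label, header in sample_headers().items():
        print(label, classify_negotiate(header), diagnose(header))
```

If a real header from the failing browser comes back as NTLM_FALLBACK, the problem is on the client's side of the ticket request (the SPN the browser builds from the URL host, DNS or realm configuration), not in the keytab that kinit already validated; if it comes back as KERBEROS, the acceptor's keytab or krb5.conf is the place to look.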