Hi All,
Please be informed that we have enabled SSO authentication for an APPS9 customer. However, the customer is not able to log into the IFS Application via the “Connect with your current Windows Credentials” option.

But the customer can log into the IFS Application by providing the login details manually. Once they tried the above option, they got the following error:
So we went through the Managed Server logs and noticed that the following error was reported:

####<Apr 11, 2023 11:58:17 AM CEST> <Debug> <SecurityAtn> <s-idevs-ifssap1.verwaltung.kec.dom> <ManagedServer1> <[ACTIVE] ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <aa629c2c-c6c9-403c-bdc5-1b372d064851-00000040> <1681207097306> <BEA-000000> <Exception when asserting ChallengeIdentity
javax.security.auth.login.LoginException: weblogic.security.spi.IdentityAssertionException: com.bea.security.utils.kerberos.KerberosException: Failure unspecified at GSS-API level (Mechanism level: AES256 CTS mode with HMAC SHA1-96 encryption type not in permitted_enctypes list)

According to the error, it says "AES256 CTS mode with HMAC SHA1-96 encryption type not in permitted_enctypes list". Is there something we missed regarding the encryption during the configuration?


I would appreciate it if someone from your technical support team could help me to resolve this issue.

Hi @Thilanka Perera,

Were you able to find an answer for the above-mentioned issue?

Thank You,


Hi @Chamath Dhammearachchi,

Not yet. The customer is still facing the issue, and the error reported in the Managed Server logs is as follows:
Caused By: GSSException: Failure unspecified at GSS-API level (Mechanism level: AES256 CTS mode with HMAC SHA1-96 encryption type not in permitted_enctypes list)
Do you have any idea about this error?
Thanks,

Thilanka


Hi Thilanka,

As the exception suggests, I assume the encryption type “AES256 CTS mode with HMAC SHA1-96” isn’t trusted in the Azure AD Domain Services. See this article at Microsoft for example:

https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/unsupported-etype-error-accessing-trusted-domain

It needs to be trusted in Kerberos. I would recommend that you report this to the customer's IT department to check.
Best regards
Roman


Hi @roklde ,

This is noted, and thanks for the provided details. I just ran klist on the keytab file I got from the customer's end, and it shows as follows:

The encryption shows as arcfour-hmac instead of RC4-HMAC. Do you see any issues with that?
Thanks,

Thilanka


RC4 should be the short form of “Arcfour”. However, I’m not sure what your point is. Wasn’t the issue regarding “AES256 CTS mode with HMAC SHA1-96” encryption not being trusted?

Best regards
Roman


Hi @roklde,

The Managed Server error log shows "Mechanism level: AES256 CTS mode with HMAC SHA1-96 encryption type not in permitted_enctypes list". I'm seeking information on where to find the definition for using a specific encryption method. Anyway, I asked the customer to check the link you shared with me.
Thanks,

Thilanka
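For anyone landing on this thread with the same log line: the enctype that the KDC uses for the service ticket has to be acceptable in three places at once. The service account in AD must be allowed to have tickets issued with it (the msDS-SupportedEncryptionTypes attribute), the krb5.conf that the Java GSS layer reads must list it in permitted_enctypes (the list the error message names), and the keytab must hold a key for it. The script below is an added example, not part of the thread and not IFS or WebLogic code; it cross-checks those three inputs and reports every mismatch. The krb5.conf, the klist -ket output, the AD bitmask and the log line are constructed to mirror the symptoms reported above (a keytab with only arcfour-hmac, a log complaining about AES256) and are not the customer's files; the alias table and the table of Java error names are assumptions, except for the AES256 name, which is taken from the log line in the thread.

```python
"""Cross-check a Kerberos service's enctypes across AD, krb5.conf and the keytab.

Added example, not from the thread. Assumed inputs: MIT-style ``klist -ket``
output, a krb5.conf with a [libdefaults] section, and the service account's
msDS-SupportedEncryptionTypes bitmask as read from AD.
"""
import re

# krb5.conf enctype aliases folded to one canonical name (assumed table).
ALIASES = {
    "arcfour-hmac": "rc4-hmac",
    "arcfour-hmac-md5": "rc4-hmac",
    "aes256-cts": "aes256-cts-hmac-sha1-96",
    "aes128-cts": "aes128-cts-hmac-sha1-96",
}

# Bits of msDS-SupportedEncryptionTypes and the enctype each one enables.
AD_ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "rc4-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}

# Enctype names as the Java GSS error prints them (assumed table; the AES256
# entry is the one that appears in the thread's log line).
JAVA_ERROR_NAMES = {
    "AES256 CTS mode with HMAC SHA1-96": "aes256-cts-hmac-sha1-96",
    "AES128 CTS mode with HMAC SHA1-96": "aes128-cts-hmac-sha1-96",
    "RC4 with HMAC": "rc4-hmac",
}


def canonical(name):
    name = name.strip().lower()
    return ALIASES.get(name, name)


def parse_libdefaults(krb5_conf):
    """Return {key: [values]} for the [libdefaults] section only."""
    settings, section = {}, None
    for raw in krb5_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).lower()
            continue
        if section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip().lower()] = value.split()
    return settings


def keytab_enctypes(klist_output):
    """Enctypes in the trailing parentheses of each ``klist -ket`` entry line."""
    found = set()
    for line in klist_output.splitlines():
        if not re.match(r"\s*\d+\s", line):  # entry lines start with the KVNO
            continue
        m = re.search(r"\(([^()]+)\)\s*$", line)
        if m:
            found.add(canonical(m.group(1)))
    return found


def ad_enctypes(bitmask):
    """Enctypes the KDC may use when issuing tickets for this account."""
    return {n for bit, n in AD_ENCTYPE_BITS.items() if bitmask & bit}


def enctype_from_java_error(message):
    """Pull the rejected enctype out of the GSS 'not in permitted_enctypes' text."""
    m = re.search(r"Mechanism level: (.+?) encryption type not in permitted_enctypes list", message)
    return JAVA_ERROR_NAMES.get(m.group(1)) if m else None


def diagnose(krb5_conf, klist_output, ad_bitmask, error_message=None):
    """List every enctype mismatch between AD, krb5.conf and the keytab."""
    conf = parse_libdefaults(krb5_conf)
    # An absent permitted_enctypes means "everything the library supports".
    permitted = {canonical(e) for e in conf.get("permitted_enctypes", [])} or None
    keytab, ad, findings = keytab_enctypes(klist_output), ad_enctypes(ad_bitmask), []
    if permitted is not None:
        for e in sorted(ad - permitted):
            findings.append(f"{e}: AD may issue it, but it is not in permitted_enctypes")
    for e in sorted(ad - keytab):
        findings.append(f"{e}: AD may issue it, but the keytab holds no key for it")
    for e in sorted(keytab - ad):
        findings.append(f"{e}: key in keytab, but the account does not advertise it")
    if error_message:
        e = enctype_from_java_error(error_message)
        if e and permitted is not None and e not in permitted:
            findings.append(f"{e}: rejected in the log; add it to permitted_enctypes and to the keytab")
    return findings


# Constructed samples mirroring the thread's symptoms (not the customer's files).
SAMPLE_KRB5_CONF = """
[libdefaults]
  default_realm = EXAMPLE.COM
  permitted_enctypes = rc4-hmac
[realms]
  EXAMPLE.COM = { kdc = dc1.example.com }
"""
SAMPLE_KLIST = """Keytab name: FILE:/opt/ifs/ifsapp.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 04/11/2023 10:00:00 HTTP/ifsapp.example.com@EXAMPLE.COM (arcfour-hmac)
"""
SAMPLE_AD_BITMASK = 0x1C  # RC4 | AES128 | AES256, an assumed account value
SAMPLE_ERROR = ("GSSException: Failure unspecified at GSS-API level (Mechanism level: "
                "AES256 CTS mode with HMAC SHA1-96 encryption type not in permitted_enctypes list)")

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_KRB5_CONF, SAMPLE_KLIST, SAMPLE_AD_BITMASK, SAMPLE_ERROR):
        print(finding)
```

Read the output as a to-do list: every enctype AD may put into the service ticket must appear both in permitted_enctypes and in the keytab, or the assertion fails before the keytab is even consulted. The safer way to close the gap is to move the service up to AES256 (regenerate the keytab with an AES256 key and add aes256-cts-hmac-sha1-96 to permitted_enctypes) rather than to strip AES from the account so that only RC4 remains, since RC4-HMAC is the weak, deprecated option.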