
Windows Integrated Authentication Not Working - APPS9



Hi All,

 

Please be informed that we have enabled the SSO authentication for an APPS9 customer. However, the customer is not able to log in to the IFS Application via the “Connect with your current Windows Credentials” option,

 

 

But the customer can log into the IFS Application by providing the login details manually. But once they tried with the above option, they got the error as follows,

 

 

So we had gone through the Managed Server logs and noticed that the following error was reported,

 

####<Apr 11, 2023 11:58:17 AM CEST> <Debug> <SecurityAtn> <s-idevs-ifssap1.verwaltung.kec.dom> <ManagedServer1> <[ACTIVE] ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <aa629c2c-c6c9-403c-bdc5-1b372d064851-00000040> <1681207097306> <BEA-000000> <Exception when asserting ChallengeIdentity
javax.security.auth.login.LoginException: weblogic.security.spi.IdentityAssertionException: com.bea.security.utils.kerberos.KerberosException: Failure unspecified at GSS-API level (Mechanism level: AES256 CTS mode with HMAC SHA1-96 encryption type not in permitted_enctypes list)

 

According to the error, it's saying that "AES256 CTS mode with HMAC SHA1-96 encryption type not in permitted_enctypes list". Is there something we missed regarding the encryption during the configurations?


I would appreciate it if someone from your technical support team could help me to resolve this issue.

6 replies


Hi @Thilanka Perera,

Were you able to find an answer for the above-mentioned issue?

Thank You,


  • Author
  • Do Gooder (Partner)
  • 10 replies
  • June 21, 2023

Hi @Chamath Dhammearachchi,

 

Not yet. The customer is still facing the issue, and the error reported in the Managed Server logs is as follows,

 

Caused By: GSSException: Failure unspecified at GSS-API level (Mechanism level: AES256 CTS mode with HMAC SHA1-96 encryption type not in permitted_enctypes list)

 

Do you have any idea about this error?

 

Thanks,

Thilanka


roklde
  • Superhero (Employee)
  • 779 replies
  • June 29, 2023

Hi Thilanka,

As the exception suggests, I assume the encryption type “AES256 CTS mode with HMAC SHA1-96” isn’t trusted in the Azure AD Domain Services. See this article at Microsoft for example:
 

https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/unsupported-etype-error-accessing-trusted-domain

 

It needs to be trusted in Kerberos. I would recommend that you report this to the customer's IT department to check.

 

Best regards
Roman

 


  • Author
  • Do Gooder (Partner)
  • 10 replies
  • July 18, 2023

Hi @roklde ,

 

This is noted and thanks for the provided details. I just ran klist on the keytab file which I got from the customer end and it shows as follows,

 

 

Encryption is shown as arcfour-hmac instead of RC4-HMAC. Do you see any issues with that?

 

Thanks,

Thilanka


roklde
  • Superhero (Employee)
  • 779 replies
  • July 18, 2023
Thilanka Perera wrote:

Hi @roklde ,

 

This is noted and thanks for the provided details. I just ran klist on the keytab file which I got from the customer end and it shows as follows,

 

 

Encryption is shown as arcfour-hmac instead of RC4-HMAC. Do you see any issues with that?

 

Thanks,

Thilanka


RC4 should be the short form of “Arcfour”. However, I’m not sure what your point is. Wasn’t the issue regarding “AES256 CTS mode with HMAC SHA1-96” encryption not trusted?

Best regards
Roman


  • Author
  • Do Gooder (Partner)
  • 10 replies
  • July 21, 2023

Hi @roklde,

 

The Managed Server error log shows "Mechanism level: AES256 CTS mode with HMAC SHA1-96 encryption type not in permitted_enctypes list". I'm seeking information on where to find the definition for using a specific encryption method. Anyway, I asked the customer to check the link you shared with me.

 

Thanks,

Thilanka
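
As an added example (not from any poster in this thread or from IFS): permitted_enctypes is a [libdefaults] setting in the krb5.conf that the Java Kerberos stack reads, and the service keytab must also hold a key of the ticket's encryption type. The Python sketch below checks both for the AES256 type named in the error; the sample krb5.conf, the klist output, the principal and the function names are constructed for illustration.

```python
import re

# krb5.conf names for the enctypes in this thread -> Kerberos etype numbers.
ALIASES = {
    "aes256-cts-hmac-sha1-96": 18, "aes256-cts": 18,
    "aes128-cts-hmac-sha1-96": 17, "aes128-cts": 17,
    "rc4-hmac": 23, "arcfour-hmac": 23, "arcfour-hmac-md5": 23,
}

def to_etypes(names):
    """Map enctype names to etype numbers, ignoring names not in ALIASES."""
    return {ALIASES[n.lower()] for n in names if n.lower() in ALIASES}

def conf_enctypes(krb5_conf, key="permitted_enctypes"):
    """Etypes listed for `key` in [libdefaults]; None when the key is unset."""
    section = None
    for line in (raw.strip() for raw in krb5_conf.splitlines()):
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            if name == key:
                return to_etypes(re.split(r"[,\s]+", value))
    return None

def keytab_enctypes(klist_output):
    """Etypes shown in parentheses by `klist -e -k` style output."""
    return to_etypes(re.findall(r"\((?:DEPRECATED:)?([\w-]+)\)", klist_output))

def diagnose(etype, krb5_conf, klist_output):
    """Reasons a service would fail to accept a ticket encrypted with `etype`."""
    findings = []
    permitted = conf_enctypes(krb5_conf)
    if permitted is not None and etype not in permitted:
        findings.append("not in permitted_enctypes")
    if etype not in keytab_enctypes(klist_output):
        findings.append("no keytab key for this enctype")
    return findings

# Constructed samples: a krb5.conf limited to RC4 and a keytab holding only arcfour-hmac.
SAMPLE_CONF = "[libdefaults]\n  default_realm = EXAMPLE.COM\n  permitted_enctypes = rc4-hmac\n"
SAMPLE_KLIST = "KVNO Principal\n   3 HTTP/app.example.com@EXAMPLE.COM (arcfour-hmac)\n"

if __name__ == "__main__":
    for reason in diagnose(18, SAMPLE_CONF, SAMPLE_KLIST):  # 18 = AES256 from the error
        print("etype 18:", reason)
```

On a real host, pass in the krb5.conf that the server's JVM actually loads and the klist listing of the service keytab instead of the constructed samples.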

